This Article 
 Bibliographic References 
 Add to: 
Measuring the Value of Static-Analysis Tool Deployments
May-June 2012 (vol. 10 no. 3)
pp. 40-47
Paul Anderson, GrammaTech
For optimum success, static-analysis tools must balance the ability to find important defects against the risk of false positive reports. A human must interpret each reported warning to determine if any action is warranted, and the criteria for judging warnings can vary significantly depending on the analyst's role, the security risk, the nature of the defect, the deployment environment, and many other factors. These considerations mean that it can be difficult to compare tools with different characteristics, or even to arrive at the optimal way to configure a single tool. This article presents a model for computing the value of using a static-analysis tool. Given inputs such as engineering effort, the cost of an exploited security vulnerability, and some easily measured tool properties, the model lets users make rational decisions about how best to deploy static analysis.

1. P. Anderson, "90% Perspiration: Engineering Static Analysis Techniques for Industrial Applications," Proc. 8th IEEE Working Conf. Source Code Analysis and Manipulation, IEEE CS, 2008, pp. 3–12.
2. A. Bessey et al., "A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World," Comm. ACM, vol. 53, no. 2, 2010, pp. 66–75.
3. W. Pugh, Defective Java Code: Mistakes That Matter, 2009;
4. G.J. Holzmann, "The Power of 10: Rules for Developing Safety-Critical Code," Computer, vol. 39, no. 6, 2006, pp. 95–97.
5. G. Tassey, The Economic Impacts of Inadequate Infrastructure for Software Testing, RTI project 7007.011, Nat'l Inst. Science and Technology, 2002.
6. R.P. Jetley, P. Anderson, and P.L. Jones, "Static Analysis of Medical Device Software Using CodeSonar," Static Analysis Workshop (SAW 08), ACM, 2008, pp. 22–29.
7. E.N. Adams, "Optimizing Preventive Service of Software Products," IBM J. Research and Development, vol. 28, no. 1, 1984, pp. 2–14.

Index Terms:
static analysis, software security, software quality
Paul Anderson, "Measuring the Value of Static-Analysis Tool Deployments," IEEE Security & Privacy, vol. 10, no. 3, pp. 40-47, May-June 2012, doi:10.1109/MSP.2012.4
Usage of this product signifies your acceptance of the Terms of Use.