Understanding and Deploying Static Analysis

By Dick Slansky

Technology Trends

At the recent ARC Industry Forum in Orlando, ARC’s Senior Analyst Dick Slansky had  the opportunity of interviewing Mark Hermeling, Senior Director Product Marketing, GrammaTech. The main topic of discussion was static analysis - its definition, why customers use it, GrammaTech’s solution and its multiple benefits explained through real-life examples.  This blog captures the key points and quotes of the interview.  You can watch the interview here and/or on YouTube.

Defining Static Analysis

Mark explained that static analysis is a technology that people use to find defects in source code. “It is a completely automated process that gives you a list of problem areas in your source code that you can then go and fix,” he said.  Typically, the company’s embedded industry customers have a lot of source code in the entire IoT value chain - from devices to the enterprise, from embedded to the enterprise -  and static analysis is a really efficient way of making the source code quality higher across that entire value chain.

Why Customers use Static Analysis

The reasons why customers use static analysis are:

  • Adherence to standards: Very often there are standards that they have to adhere to, be it security standards or functional safety standards that require validation of coding standards etc.
  • Problem detection: To find problems/bugs in the source code.  Things, such as buffer overruns in a piece of C or C++ code, or maybe SQL injection in a piece of Java code.


Explaining this further, Mark said that when the source code is written for these important devices, defense-in-depth is essential.  “You start with security from the bottom up.  On top, you have a piece of source code.  If that source code is bad, everything underneath it is pretty much worthless.  So, you have to make sure that even your source code is strong enough to sit on top of that technology stack.”

Case Studies of how Static Analysis Works

Citing the example of an industrial manufacturing equipment customer that builds very expensive machines, Mark said that a software upgrade was delivered to their end customer that was operating a manufacturing line, and the software crashed.  So, the manufacturing line came to a standstill for many days, and that proved to be very expensive.  Subsequently, the problem was located and fixed.  But, when a root-cause analysis was done, they were wondering how this had not been detected during the quality assurance process.  It was then that they started looking at static analysis tools.  They used GrammaTech’s tool and got a little warning with a red flag on it, saying, "Hey, there's a null pointer to your reference right over here," and that's what indeed crashed the machine.

“If they had used our software beforehand, they would have avoided this problem and avoided losing credibility with their end customer, and in the end, lots of dollars,” said Mark.

GrammaTech CodeSonar

“GrammaTech CodeSonar is our static analysis tool, and it's a really deep static analysis tool,” said Mark.  According to their customers, this tool finds up to five times more defects than some of their competitors’ tools.  So when the cost of failure is high, their customers like using CodeSonar to get the maximum amount of defect resolution in their source code.

He explained, “We do static analysis on source code, but also on binary.  So we span a little bit of the development to operations type of use cases.  So, if you are either a software developer, or you're deploying third party code, you can use our tool to find defects in both of those different scenarios.”

How is it Deployed?

Mark said that deploying static analysis is fairly easy.  If you have a software development lifecycle where you go through a DevOps or DevSecOps type of workflow, you can add GrammaTech CodeSonar to that process, press a button, and you get the results.  After that you can start fixing the defects.

Concluding the interview, Dick thanked Mark for providing clarity about static analysis and its multiple benefits. 

Engage with ARC Advisory Group