Everything starts with code quality
Most companies would agree that the quality of their products and their customers’ experience using the products are very important. But equally important—and sometimes maybe even more so—is to launch the products on time and at the lowest cost possible. This might seem like an impossible equation but it doesn’t have to be. Both these goals can be achieved at the same time by implementing a focus on code quality. So why is code quality the key? There are actually several reasons.
By working continuously to improve code quality, you can isolate defects quickly, before they make it into a formal build and before you spend hours or days on debugging. In addition, high quality code that follows good software engineering principles is easier to maintain because of fewer defects and will also be easier to extend, meaning that you can reuse parts and in that way save time on your next project.
An additional benefit of ensuring code quality is that you are setting a baseline for security. If your code contains bugs that may be exploited by a hacker, you need to make sure those bugs are corrected and your application is updated in a secure way with minimal risk of tampering. An even better approach is to follow a coding standard to make sure the bugs never make it into your application in the first place. If you can prove that you have been following a coding standard, it’s also easier to get safety certifications if your application requires it.
Healthy code is future-proof code
When we talk about making your code future proof, there are really two aspects to it. The first aspect is about being able to reuse your code base for future projects. Interestingly enough, most software estimation models claim that almost half of the effort in software maintenance involves simply understanding the software that needs to be modified. Of course, the more complex your code is, the harder it can be to understand, and the larger your project is, the more time you can save on reducing the efforts of understanding what you already have.
The second aspect is to improve your code’s quality so that the software stands the test of time, meaning that it is defect-free, or as close to defect-free as possible. Coding standards such as CERT, CWE and MISRA have defined rules to help you avoid common issues and make sure you write your code in a way that will limit the number of hidden bugs and enhance code readability to boost understandability and therefore maintainability. By following these coding standards, you can obtain code that is both healthy and efficient. Luckily, there are tools to help you achieve that by performing code inspections and enforce these standards.
Functional safety certification requires best-practice coding
Coding standards can help you improve your code’s overall quality by preventing you from doing strange things in your source code. In addition, if you’re developing a functional-safety certified application, you’re required to use at least static analysis and most standards recommend runtime analysis as well.
Languages such as C contains a huge number of undefined behaviors that can cause one compiler to interpret your line of source differently from another compiler and you get into the nightmare of compiler-specific behavior, especially if your company requires that you be able to cross-compile your code. Coding standards help you see when you have branched into uncharted territories of the language so that you can re-write your code in a standard way to eliminate these compiler-specific issues. Aside from lowering the defect injection rates, the standards also help you avoid code structures that are error-prone and difficult to understand. Automated code reviews and testing reports can prove the maturity of your development organization and show that your results are repeatable with a process in place to find and fix defects. All in all, if you are working with safety-critical applications, ensuring that your code is of high quality is absolutely essential.
Code quality sets a baseline for security
The pressure to improve the level of security in connected products is rapidly increasing, from the market as well as from legislative authorities. To be effective, security must be designed into a product from its inception and continue to operate in products until they are taken out of service so that both you and your customers remain protected.
How can you get started securing your products? Returning to the headline – everything starts with code quality. That is true for security as well. An important aspect of security is to reduce the potential attack surfaces, and this requires you to ensure that the code that makes it to your end-product is of high quality and that you know what is going on when the application is running. The SEI CERT C Coding Standard provides rules for secure coding in the C programming language and there are tools available to help you enforce it.
Both static and runtime analysis are essential activities during the development of high-quality code to ensure that vulnerabilities are found and eliminated. The goal of these rules and recommendations is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. Once you have set up a good process for ensuring the quality of your code, your efforts to add effective security measures to your process will be more straightforward and give you a much higher return on investment for those efforts.
Integrated code analysis tools are an easy path to code quality
If you use coding standards, you will be forced to write high-quality code, which will make your code both safer and more secure. Coding standards also have the added benefit that it can reduce the amount of time in the test-and-fix phase of your software development life cycle.
So, how can you easily implement coding standards? The fastest way is to use integrated code analysis tools. These types of tools help you find the most common sources of defects in your code, but they also help you find problems that you might not think of or worry about when you’re writing your code. By including code quality checks in the daily work of each developer, companies can find issues early and minimize the impact on the finished product as well as on the project timeline. Integrated code analysis tools let you take full control of your code and improve code quality during development and deployment, securing the quality of your products and focusing on your customers’ positive experience.
Article written by Tora Fridholm, CMO and code nerd at IAR Systems.