It’s a given in today’s market that the quality of a company’s products and the customers’ experience using those products are vital. Equally and sometimes more important is to launch a product on time and at the lowest cost possible. Achieving both may seem impossible, but that doesn’t have to be the case. Both goals can be achieved simultaneously by focusing on code quality. There are several reasons why code quality is the answer.
Working continuously to improve code quality helps isolate defects quickly, before they’re inadvertently incorporated into a formal build and before hours or days are devoted to debugging. In addition, high-quality code that follows good software engineering principles inherently has fewer defects, making it easier to maintain and extend. The ability to reuse superior parts saves time on future projects.
Maintaining a clear focus on code quality sets a baseline for security. Code that contains bugs may be exploited by hackers. Those bugs must be corrected and the application updated to ensure security and minimize the risk of tampering. Ideally, developers should follow a coding standard to ensure bugs never make it into an application. Creating and following a coding standard also makes it easier to obtain safety certifications if an application requires them (see figure).
Healthy Code is Future-Proof Code
There are two aspects to consider when talking about future-proofing code. The first is about being able to reuse the code base for future projects. Interestingly, most software estimation models claim that almost half of the effort in software maintenance involves simply understanding the software that needs to be modified. Of course, the more complex the code, the harder it can be to understand. And with larger projects, more time can be saved by reducing the effort needed to understand what already exists.
The second aspect is to improve the code’s quality so that the software stands the test of time, meaning that it’s defect-free or as close to defect-free as possible. Coding standards such as CERT, CWE, and MISRA have defined rules to help avoid common issues and make sure code is written in a way that will limit the number of hidden bugs. They also enhance code readability to boost understandability and therefore maintainability. Following these coding standards results in code that’s both healthy and efficient. Luckily, there are tools that help by performing code inspections and enforcing these standards.
Functional Safety Certification Requires Best-Practice Coding
Coding standards help improve the code’s overall quality by ensuring the integrity of the source code. In addition, a functional-safety certified application requires the use of at least static analysis. Most standards recommend runtime analysis as well.
Languages such as C contain a significant number of undefined behaviors that can cause one compiler to interpret a line of source differently from another compiler. This leads to the nightmare of compiler-specific behavior, especially if your company requires that you be able to cross-compile code.
Coding standards help identify when code branches into uncharted territories of the language so that it can be rewritten in a standard way to eliminate compiler-specific issues. Aside from lowering the defect injection rates, the standards also help avoid error-prone code structures that are difficult to understand. Automated code reviews and testing reports can prove the maturity of the development organization and show that the results are repeatable with a process in place to find and fix defects. All in all, for safety-critical applications, it’s essential to ensure that code is of high quality.
Code Quality Sets a Baseline for Security
The pressure to improve the level of security in connected products is growing rapidly from the market and legislative authorities. To be effective, security must be designed into a product from its inception and continue to operate in products until they’re taken out of service so that a company and its customers remain protected.
How is this done? It goes back to the premise that everything starts with code quality. This is true for security as well. An important aspect of security is to reduce potential attack surfaces. This requires developers to ensure that the end-product’s code is of high quality and that it’s known what happens when the application is running. The SEI CERT C Coding Standard provides rules for secure coding in the C programming language. In addition, tools are available to help enforce it.
Both static and runtime analysis are essential activities during the development of high-quality code. They ensure vulnerabilities are found and eliminated. The goal of the coding standard’s rules and recommendations is to develop safe, reliable, and secure systems. For example, they eliminate undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. Once a good process for ensuring the code quality is established, efforts to add effective security measures to the process will be more straightforward and result in a much higher return on investment.
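To make the point about undefined behavior concrete, both here and in the earlier passage on compiler-specific results, the following added example (not code from the article or from any tool vendor) contrasts an overflow test that relies on undefined behavior with rewrites in the style of CERT C rules INT32-C and INT34-C. The function names and sample inputs are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Non-compliant: checks for overflow after adding. Signed overflow is
 * undefined behavior, so a compiler may assume it cannot happen and
 * remove this test. Kept for contrast only; never called with
 * overflowing operands here. */
bool add_overflowed_noncompliant(int a, int b) {
    int sum = a + b; /* undefined when the result does not fit in int */
    return (b > 0 && sum < a) || (b < 0 && sum > a);
}

/* Compliant (CERT C rule INT32-C): test the operands before adding. */
bool checked_add(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Compliant (CERT C rule INT34-C): a shift count equal to or larger than
 * the operand width is undefined, and the result seen in practice varies
 * by compiler and target. Reject such counts explicitly. */
bool checked_shl(unsigned int value, unsigned int count, unsigned int *out) {
    if (count >= sizeof(value) * CHAR_BIT)
        return false;
    *out = value << count;
    return true;
}

int main(void) {
    int sum = 0;
    unsigned int shifted = 0;
    unsigned int width = (unsigned int)(sizeof(unsigned int) * CHAR_BIT);

    /* Constructed sample inputs; results are stored before printing so
     * the output does not depend on argument evaluation order. */
    bool ok = checked_add(1, 2, &sum);
    printf("1 + 2: ok=%d sum=%d\n", ok, sum);
    ok = checked_add(INT_MAX, 1, &sum);
    printf("INT_MAX + 1: ok=%d\n", ok);
    ok = checked_shl(1u, 4u, &shifted);
    printf("1 << 4: ok=%d value=%u\n", ok, shifted);
    ok = checked_shl(1u, width, &shifted);
    printf("1 << width: ok=%d\n", ok);
    return 0;
}
```

A static analyzer configured for a coding standard would typically flag the first function, while the two checked versions behave identically on every conforming compiler.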
Take the Easy Path to Code Quality with Integrated Code-Analysis Tools
Using coding standards forces developers to write high-quality code, which will make the code both safer and more secure. Coding standards have the added benefit of reducing the amount of time needed for the test-and-fix phase of the software-development lifecycle.
So, how are coding standards easily implemented? The fastest way is to use integrated code-analysis tools. These types of tools help find the most common sources of defects in code and help identify problems that might not be considered when code is written. By including code-quality checks in the daily work of each developer, companies can find issues early and minimize the impact on the finished product as well as on the project timeline.
Integrated code-analysis tools let organizations take full control of their code and improve code quality during development and deployment. This secures the quality of their products and better ensures that customers have a positive experience.
Tora Fridholm is Chief Marketing Officer at IAR Systems.