case study Coverity Maintains Software Integrity of Sun Microsystems Award-Winning Storage Products



Similar documents
Cinda Daly. Who is the champion of knowledge sharing in your organization?

Adopting Agile Testing

3 keys to effective service availability management. Visibility. Proactivity. Collaboration.

White Paper 6 Steps to Enhance Performance of Critical Systems

The greatness gap: The state of employee disengagement. Achievers 2015 North American workforce survey results

Cash Flow Exclusive / September 2015

Coverity White Paper. Effective Management of Static Analysis Vulnerabilities and Defects

Managing Java EE Performance with Embarcadero s J Optimizer Request Analyzer

Using the Cloud for Business Resilience

REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

10 Reasons Why Project Managers Need Project Portfolio Management (PPM)

Exceptional Customer Experience AND Credit Risk Management: How to Achieve Both

The Evolution of Load Testing. Why Gomez 360 o Web Load Testing Is a

Implement a unified approach to service quality management.

Controlling Risk Through Software Code Governance

The Proven ROI of Development Testing: An in-depth analysis of Coverity customer experiences

Lifecycle Performance Management (dynatrace) Description

Agile Development and Testing Practices highlighted by the case studies as being particularly valuable from a software quality perspective

Average producers can easily increase their production in a larger office with more market share.

Elevating the Customer Experience in the Mobile World

Voice solutions for e-business. Speech recognition delivers ROI to contact centers. Here s how you can prove it

WHITE PAPER. The Five Fundamentals of a Successful FCR Program

Managing Agile Projects in TestTrack GUIDE

Smarter Balanced Assessment Consortium. Recommendation

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Business Agility SURVIVAL GUIDE

Clarity Assurance allows operators to monitor and manage the availability and quality of their network and services

Proactive Performance Management for Enterprise Databases

How To Test For Security On A Network Without Being Hacked

Could a Managed Services Agreement Save Your Company Tens of Thousands of Dollars Each Year?

ISTQB Certified Tester. Foundation Level. Sample Exam 1

The Dirty Little Secret of Software Pricing

Best Practices for Network Monitoring

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

IBM Rational AppScan: Application security and risk management

Software Process Improvement Software Business. Casper Lassenius

True Stories of Customer Service ROI: The real-world benefits of Zendesk

TEST MANAGEMENT SOLUTION Buyer s Guide WHITEPAPER. Real-Time Test Management

Select the right configuration management database to establish a platform for effective service management.

An Oracle White Paper February Oracle Human Capital Management: Leadership that Drives Business Value. How HR Increases Value

360 feedback. Manager. Development Report. Sample Example. name: date:

Become A Paperless Company In Less Than 90 Days

Creating Business Value with Mature QA Practices

Top 5 best practices for creating effective dashboards. and the 7 mistakes you don t want to make

How To Protect Your Network From Attack From A Network Security Threat

The ROI of Test Automation

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

Simplify Software as a Service (SaaS) Integration

Predictive Intelligence: Identify Future Problems and Prevent Them from Happening BEST PRACTICES WHITE PAPER

HP Data Protection. Business challenge: Resulting pain points: HP technology solutions:

The AppSec How-To: Achieving Security in DevOps

Address IT costs and streamline operations with IBM service desk and asset management.

Landings Credit Union

Whitepaper. Advanced Threat Hunting with Carbon Black

AUTOMATED PENETRATION TESTING PRODUCTS

Coverity Services. World-class professional services, technical support and training from the Coverity development testing experts

Code Review Best Practices. With Adam Kolawa, Ph.D.

Continuous Network Monitoring

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Reduce IT Costs by Simplifying and Improving Data Center Operations Management

Why Alerts Suck and Monitoring Solutions need to become Smarter

Financial Coaching: Understanding the Skills Needed to Become a Successful Coach

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

NCR APTRA Suite. The world s leading financial self-service software portfolio

Development Testing for Agile Environments

Why Corporations Need to Automate IT Systems Management

INTRODUCING TALEO 10. Solutions Built for the Talent Age. Powering the New Age of Talent

Static Analysis Best Practices

A blueprint for an Enterprise Information Security Assurance System. Acuity Risk Management LLP

SAP Customer Success Story Consumer Products Cargill. Cargill: Using SAP Technology to Help Feed the World

IT Security & Compliance. On Time. On Budget. On Demand.

Fidelity National Financial Drives Improvements in Software Development and Reuse with IBM Rational Software Development Platform and Flashline

Six Drivers For Cloud Business Growth Efficiency

Table of contents. Automated testing ROI: fact or fiction? A customer s perspective: What real QA organizations have found.

ANY SURVEILLANCE, ANYWHERE, ANYTIME

Seven Practical Steps to Delivering More Secure Software. January 2011

COPY. The Critical Role of Investment Management Reporting. PORTFOLIO Richard Bloch

Application Security in the Software Development Lifecycle

ALM/Quality Center. Software

DELL BACKUP ADMINISTRATION & MANAGEMENT SERVICES

Transcription:

case study Coverity Maintains Software Integrity of Sun Microsystems Award-Winning Storage Products 25% of the defects identified by Coverity would have stalled a product launch and delayed time to market if not caught by Coverity early in the development cycle. This is a very conservative estimate because it s the developers themselves that are judging the risk of these defects. Usually that rating is determined by Test/QA, who always has a much higher severity priority rating on bugs than Engineering does. I suspect if Test/QA saw all of the bugs Coverity has found, they would say the percentage is even higher. Dan Rose, Systems Engineering Manager Business Benefits Time to market 25% of defects identified by Coverity would have stalled the product launch if not detected Developer efficiency < 1% false positive rate across all products with over 2 million lines of code Competitive advantage Solution of choice for the four-time recipient of Storage Magazine s Quality Award Business Overview and Challenge For customers of Sun Microsystems long-term storage products, quality is rarely an issue. Sun is a global leader in network computing infrastructure solutions with well-known brands such as Java, Solaris, MySQL, and StorageTek. The StorageTek-branded products, including the T10000 and T9840 tape drives and the SL8500, SL3000, and SL500 tape libraries, are particularly noteworthy as it relates to product reliability and quality. Product quality and reliability has never been more important to customers given the rising importance of data retention in recent years. With the emergence of regulatory compliance governing information management and the role of electronic information in legal discovery, some companies must keep multiple petabytes of data for several years. To put it in perspective, a petabyte is the equivalent of 125,000 eight gigabyte ipod Nanos. In addition, data and applications must be highly available and accessible. The only cost effective way to manage such a large amount of data is with tape drives and libraries. In addition, the cost of downtime for a customer is measured in the millions of dollars per incident, so when Sun s entire line of tape libraries win Storage Magazine s Quality Award for the past four consecutive years, customers take notice.

Increased cost and risk is not just a problem for Sun s customers, but for Sun as well. Sun s internal cost for fixing a significant problem identified in the field is conservatively estimated at $100,000 per incident. As a result, Sun always faces the temptation to over test, but thanks to Sun s highly respected Systems Reliability Engineering (SRE) team, Sun has been able to walk the tightrope of maintaining its award-winning quality without sacrificing time to market. The SRE team developed a fact-based product launch decision capability to give the go/no go decision. Based on years of experience with software development and growth modeling, Sun s storage group can accurately predict the software failure rate in the field. While Sun s position seems envious, Sun realized it could be even more efficient, and it realized the most effective way to achieve this was to find defects earlier in the product development cycle. According to Dan Rose, Systems Engineering Manager, the earlier we find defects, the better off we are. We can measure the cost of a bug found early in the design phase in dollars. When that same defect goes undiscovered until system-level testing it costs thousands of dollars, and it only gets worse if it s found after the product is released. If we can eliminate any of the bad costs of quality then we reduce our development costs, and in the process increase our speed and pace so that we can get to market quicker and widen the gap on the competition. In order to achieve this objective, Sun knew they needed to improve their manual code analysis process, as its inefficiencies not only posed a threat to quality but also impacted developer productivity. For example, with a portion of the code in one of the tape drive programs the development team invested as much time in their test harness as they did in developing the code, doubling the development activity and related development costs. To avoid the inefficiency and risk of manual processes, Sun realized they needed an automated solution to meet the challenge. Taking the advice of Gartner, who cited static analysis as one of the top three initiatives development teams should invest in to improve code quality, Sun decided to evaluate static code analysis solutions. Solution Evaluation Sun s storage group evaluated many different source code analysis tools to scan over 2 million lines of Java and C code in its various products and find the bugs that could lead to failures. While there are free Java analysis tools available today, C code is largely embedded code, and is the most critical, highly complex code. Consequently, the reliability and quality requirements for C code are much higher, requiring the static analysis solution to meet these stringent requirements. In addition, Sun needed a single solution to analyze both C and Java code while maintaining low overhead for the developer. Developer adoption was critical. According to Rose, if the engineers didn t see value in this tool, we wouldn t be successful. The developers themselves became an integral part of the evaluation, because if they became excited about using the solution then half of the internal adoption objective was already accomplished. In order to get developers excited, the solution had to be able to scale to applications with millions of lines of code to avoid the risk of negatively impacting the development process, systems, and build time. In addition, it was apparent that false positive rates would be an important metric. According to Rose, the false positive rate has always

been the Achilles heel of previous static code analysis solutions. A lot of static code analysis solutions find syntax errors and other defects that really don t manifest themselves as defects to the customer. We needed to find the real bugs that, for example, only emerge when our products interoperate with other systems. Among the static analysis solutions in the evaluation, Coverity Static Analysis was the most robust solution capable of meeting Sun s requirements. The Sun product development teams agreed. When running Coverity, some of the developers comments included: We never would have found that one during test. An intensive week-long code review with senior developers might have found one-third of these bugs. Coverity Deployment and Benefits Realized Currently, 12 products within the Sun storage group are using Coverity Static Analysis to maintain high software integrity, including a product with 580,000 lines of code. Scans range from nightly to once a month depending on the product. Rapid adoption is partially attributed to the way the solution is leveraged in the development organization. Rose s team is integrated with the development teams so instead of static analysis becoming a policing tool, it s focused on helping to make the developers successful and to improve the probability of success. With so many different teams implementing the solution, inevitably some of the teams were initially skeptical about the value over free tools and false positives. However, once the teams started using the tool and the solution found some significant issues, they quickly became supporters. They also realized that many of the defects originally thought to be false positives were actually real bugs. Coverity has had less than a 1% false positive rate across all products, increasing developer efficiency by allowing them to focus only on the defects that are real and relevant. Enhancing the code exception handling process: Most of the time customers use Sun s products in a similar way, so certain code paths are heavily used. However, the vast majority of Sun s code is on code paths that are less travelled. The code is necessary for exception handling, which brings the product back into the happy path from a seemingly endless series of possible combinations of errors. Because it s difficult to anticipate every possible combination, complete testing of the exception handling code is almost an impossible task. One of the benefits of Coverity s solution is that it doesn t care whether the code is happy path or exception handling in nature. This results in real benefits to Sun s internal process. According to Rose, we re highly confident that we are doing a much better job at testing, and are feeling comfortable with the exception handling code of our products. Defects identified and success measurements: Some of the defects found by Coverity are the big pain points Sun deals with during system-level test, such as memory leaks and concurrency issues, which bring system-level testing to a halt and are difficult to reproduce. Before Coverity, performing root cause analysis was extremely difficult, but after implementing the solution Sun

realized a significant improvement in product time to market by identifying these issues before they reached system-level testing. Sun tracks success based upon the developer impact on triage, and resolution time, with metrics such as: Number of defects found Percent of defects fixed Number of open defects False positive rate Intentional defect rate Priority and complexity of the bugs identified Number of times/last time static analysis was run Sun then uses this information to focus on the high-risk modules while monitoring other metrics such as code churn, code complexity, and code coverage. This helps to identify which areas of the code are more troublesome, and enables more effective risk-based testing. A single development program realized the following benefits within the past year: 99% of defects triaged 93% of defects fixed 0% false positive rate 5.6% intentional defect rate Across all products, 25% of the defects identified by Coverity s solution would have stalled a product launch and delayed Sun s time to market if they were not caught by Coverity. According to Rose, this is a very conservative estimate because it s the developers themselves that are judging the risk of these defects. Usually that rating is determined by Test/QA, who always has a much higher severity priority rating on bugs than Engineering does. I suspect if Test/QA saw all of the bugs Coverity has found, they would say the percentage is even higher. Improving developer knowledge and coding skills an intangible benefit: Additional benefits of Coverity aren t just the reactions to finding the defects. There are also proactive benefits by improving the knowledge and skill level of the developers. Static analysis creates coding best practices and raises the bar for quality of work within the development organization. Rose s philosophy and analogy sums it up nicely: I correlate code development with driving a car. Almost everyone assumes they re an above average driver, but simple statistics say 50 percent of us are below average, and it s no different when it comes to developing software. When driving, there is no consistent, objective real-time

feedback available to tell you when you made a mistake. However, static code analysis comes close to being that instant feedback system to help developers. This feedback greatly improves their craft because they learn what defects they are susceptible to committing. Because they are more aware of that, they are more conscious about the quality of code they re producing. Conclusion In a highly competitive market, companies like Sun constantly need to increase quality and reliability, speed delivery, and reduce costs just to stay even with its rivals. Coverity Static Analysis is a great addition to help not only achieve these objectives, but also surpass them. It has proven to be a tool that can find defects earlier, which reduces development costs and accelerates time to market. Using Coverity Static Analysis also results in higher quality products in the field because there is more complete coverage of exception handling code in testing. Finally, the real-time feedback improves software developers coding skills resulting in fewer testers needed relative to the number of developers. These benefits help Sun and its already award-winning products to not just stay on par with the competition, but widen the gap between Sun and its challengers. About Coverity Coverity is the trusted standard for companies that have a zero tolerance policy for software failure, problems, and security breaches. Coverity s award-winning portfolio of software integrity products enables customers to prevent software problems throughout the application lifecycle Coverity Inc. Headquarters Coverity Inc. Headquarters 185 Berry Street, Suite 1600 San Francisco, CA 94107 USA www.coverity.com sales@coverity.com (800) 873-8193 2010 Coverity, Inc. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information