Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis can uncover the kinds of errors that lead directly to vulnerabilities and in this talk, Brian Chess frames the software security problem and shows how static analysis is part of the solution.
The transcript of Steve Yegge's presentation on dynamic languages at Stanford University, which he posted on his blog, triggered many reactions across the blogosphere. Cedric Beust, Ted Neward, Ola Bini and Greg Young provided their viewpoints and arguments on the different tradeoffs involved in the dynamic vs. static typing debate.
Unhandled exceptions are the bane of any application, especially those that run without user interaction. Red Gate has developed a product to detect and alert developers to these potential issues, but does it measure up?
The use of dynamic type-checking in statically typed languages is often perceived as unavoidable on complex projects, even though the workarounds needed to enforce it tend to degrade code quality. According to Debasish Ghosh, features of statically typed languages, such as Java generics, offer an opportunity to avoid runtime type checking and get the most out of static typing.
In this panel from QCon San Francisco, Joshua Bloch, Chet Haase, Rod Johnson, Erik Meijer and Charles Nutter discussed and debated the future of the Java language and APIs based upon the lessons we have learned from the past. Topics included static versus dynamic languages, removing code from Java, forking the JVM, and the next big programming language.
Static code analysis (SCA) tools such as FindBugs, PMD, Checkstyle and IntelliJ IDEA can help a development team track down problems and keep quality high. But when an SCA tool flags a problem, how should the team react? Vikas Hazrati's post Static Code Analysis is just the Tip of the Iceberg suggests: look deeper.
Ruby gains another tool to ensure code quality: dcov analyses Ruby code and determines the documentation coverage. We caught up with dcov developer Jeremy McAnally to talk about his plans.
The Java static-analysis defect detection space got a new entrant this week with Coverity's release of Prevent SQS, a code analysis tool that analyzes bytecode, builds an internal map of all possible execution paths, and performs interprocedural defect analysis over that map to find problems that lead to runtime exceptions, security vulnerabilities, unpredictable behavior, and performance degradation.
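To make concrete what "static analysis finds the errors that lead to vulnerabilities" (the Brian Chess talk above) and "interprocedural analysis over execution paths" (the Coverity item) actually mean, here is an added example of a miniature interprocedural taint analysis. It is not code from the page, from Coverity or from any of the tools named above; it works on Python source via the standard `ast` module rather than on Java bytecode, and the source list (`input`) and sink list (`os.system`, `subprocess.call`) are assumptions chosen for the demonstration. The analyzed program is constructed inline. The interesting part is the per-function summary: `run()` is only a problem when it is called with attacker-controlled data, and `build_cmd()` only matters because its return value carries the taint of its argument, so neither function is flagged on its own and the real finding is reported at the call site that joins the two.

```python
import ast

SOURCES = {"input"}                       # assumption: calls whose result is attacker-controlled
SINKS = {"os.system", "subprocess.call"}  # assumption: calls that must never receive tainted data

# Constructed sample program, not from the page. Two flows reach os.system
# (one through two helper calls, one direct) and one call is clean.
SAMPLE = '''
import os

def build_cmd(name):
    return "ping " + name            # return is tainted iff name is tainted

def run(cmd):
    os.system(cmd)                   # sink; dangerous only for tainted callers

host = input("host: ")
run(build_cmd(host))                 # line 11: reaches os.system via build_cmd and run
os.system("ping " + host.strip())    # line 12: direct flow through a string method
run("uptime")                        # line 13: constant argument, clean
'''


def call_name(call):
    """Dotted name of a call target ('os.system', 'run'), or None if not a simple name."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def is_tainted(expr, tainted, summaries):
    """True if the value of expr may derive from a taint source."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SOURCES:
            return True
        arg_taint = [is_tainted(a, tainted, summaries) for a in expr.args]
        if name in summaries:  # known callee: use its summary instead of guessing
            ret_params, _ = summaries[name]
            return any(arg_taint[i] for i in ret_params if i < len(arg_taint))
        # unknown callee (e.g. str.strip): conservatively propagate from receiver and args
        receiver = expr.func.value if isinstance(expr.func, ast.Attribute) else None
        return any(arg_taint) or (receiver is not None and is_tainted(receiver, tainted, summaries))
    # BinOp, JoinedStr, Subscript, Attribute, ...: tainted if any operand is
    return any(is_tainted(c, tainted, summaries) for c in ast.iter_child_nodes(expr))


def nodes_in(stmts):
    """Every node under stmts, without descending into nested function or class bodies."""
    stack = list(stmts)
    while stack:
        n = stack.pop()
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        yield n
        stack.extend(ast.iter_child_nodes(n))


def analyze(stmts, tainted, summaries, findings):
    """Run the monotone taint transfer over stmts to a fixpoint (handles loops and any
    statement order). Returns (return_is_tainted, a_sink_was_reached) and adds
    (line, message) tuples to findings."""
    returns_tainted = reaches_sink = False
    while True:
        size = len(tainted)
        for n in nodes_in(stmts):
            if isinstance(n, ast.Assign) and is_tainted(n.value, tainted, summaries):
                tainted.update(t.id for t in n.targets if isinstance(t, ast.Name))
            elif isinstance(n, ast.Return) and n.value is not None:
                returns_tainted |= is_tainted(n.value, tainted, summaries)
            elif isinstance(n, ast.Call):
                name = call_name(n)
                args = [is_tainted(a, tainted, summaries) for a in n.args]
                if name in SINKS and any(args):
                    reaches_sink = True
                    findings.add((n.lineno, f"tainted data reaches {name}"))
                elif name in summaries:
                    _, sink_params = summaries[name]
                    if any(args[i] for i in sink_params if i < len(args)):
                        reaches_sink = True
                        findings.add((n.lineno, f"tainted data reaches a sink inside {name}()"))
        if len(tainted) == size:
            return returns_tainted, reaches_sink


def summarize(funcs):
    """Per-parameter summaries: which parameters taint the return value and which reach a
    sink. Iterated to a fixpoint, so call chains and recursion work regardless of order."""
    summaries = {f.name: (set(), set()) for f in funcs}
    changed = True
    while changed:
        changed = False
        for f in funcs:
            ret, sink = summaries[f.name]
            for i, p in enumerate(f.args.args):
                r, s = analyze(f.body, {p.arg}, summaries, set())
                if r and i not in ret:
                    ret.add(i)
                    changed = True
                if s and i not in sink:
                    sink.add(i)
                    changed = True
    return summaries


def find_flows(source):
    """Return sorted (line, message) findings for source-to-sink flows in `source`."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    summaries = summarize(funcs)
    findings = set()
    analyze(tree.body, set(), summaries, findings)   # module-level code
    for f in funcs:                                  # sources used inside function bodies
        analyze(f.body, set(), summaries, findings)
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in find_flows(SAMPLE):
        print(f"line {line}: {msg}")
```

Running it reports lines 11 and 12 of the sample and stays silent on line 13. Note what the toy deliberately omits, which is exactly where real tools earn their keep: there is no notion of sanitization (every operation on tainted data stays tainted, so a validated value is still flagged), no path sensitivity (a check like `if host.isalnum()` does not remove taint on one branch), and only positional arguments and simple dotted call names are modelled. Each of those gaps is a source of false positives or false negatives, which is why the reaction to a finding, as the item above argues, should be to look deeper rather than to trust or dismiss the report as-is.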