MAGIC LAMP'S SOLUTION
AUTOMATED STATIC TESTING (SOFTWARE AUDIT)
Static Testing identifies critical reliability, security and performance defects that traditional (dynamic) testing misses, and enforces compliance with rules and best practices. Magic Lamp Software provides technologies and services for automating Static Testing (Software Code Audits). Using its patent-pending Software Simulation technology and deep Java expertise, its Static Testing solutions have:

Helped over 15 enterprises, including Silicon Valley technology majors, top banks, E-Commerce portals, software product vendors and top IT services vendors, to reduce downtime, avoid security vulnerabilities, prevent data corruption and improve performance
Helped software engineering organizations work more efficiently by identifying defects proactively and faster, and by automating time-consuming code review
Assessed the quality of code-bases in internal application portfolios as well as out-sourced applications developed by IT services vendors
Automatically detected critical errors in applications that use core Java and Java EE, based on an expert knowledge base of thousands of rules, including security, performance, concurrency, resource leakage, Core Java/Java EE/open source API usage, and SQL query analysis rules
Enforced application-specific design and interface rules between services/modules/frameworks

STATIC TESTING TECHNOLOGY
Simulation is the key enabler of automated Static Testing. Simulation investigates the behaviour of software code by exercising all paths through it, for all inputs, without running it. It works like automated code review, applying the algorithms and heuristics of human code reviewers, but is fast, accurate and scalable to large programs, and needs only the binary code.

It complements testing/run-time scanning/profiling
Proven to detect many errors missed by testing
Testing: shooting at a fort vs. Simulation: inspecting its walls
Testing can't exercise the exponential number of input combinations and paths
Testing often does not pinpoint the error at code level
Finds critical defects, fewer false alarms, using data-flow analysis.
Global inter-procedural simulation on binary code
"Simulation Virtual Machine": executes program for all paths/inputs
Programmers are good at reviewing code within a method
Bugs happen across methods in call graph/inheritance hierarchy
Localized code scanning (“static analysis”) is insufficient

BROAD CATEGORIES OF ERRORS DETECTED
Security (web applications: SQL Injection, XSS, User-ID forging)
Penetration testing/scanning alone misses many vulnerabilities; “white-box” audits are needed
Performance/Resource management
Leakage of files, database connections, network connections, transactions, memory, etc., redundant/excessive locking
SQL query and Java code: inconsistencies/performance issues
Reliability/Concurrency
Data-race conditions, crashes due to run-time exceptions, functional errors
For Core Java, J2EE, 3rd Party/Open Source frameworks
Thousands of rules for various APIs
Even experts don't know all the rules, so automated review is critical
Application-specific rules
- E.g. Pre-condition rules
- E.g. Sequential ordering rules: A → B
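The kind of cross-method defect that the inter-procedural simulation described above is meant to catch, as an added example that is not Magic Lamp's code or tool output: a hypothetical JDBC account lookup in which the untrusted value enters through one method and is concatenated into SQL in another, and in which the database connection escapes on the exception path, shown beside a hardened form using parameter binding and try-with-resources. The class and method names and the JDBC URL are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical data-access class written for this example (not Magic Lamp code).
public class AccountDao {
    // Placeholder connection string; a real deployment would supply its own.
    private static final String JDBC_URL = "jdbc:placeholder://db.example/accounts";

    // ---- Defective version: two defects that are only visible across methods ----

    // Caller: forwards a request parameter into lookup(). Reviewed on its own,
    // nothing in this method looks wrong; the problem appears only when the
    // analysis follows the call edge into lookup().
    static String findBalanceFor(String userIdFromRequest) throws SQLException {
        return lookup(userIdFromRequest);
    }

    static String lookup(String userId) throws SQLException {
        Connection con = open();                 // resource acquired in another method
        Statement st = con.createStatement();
        // SQL injection: untrusted text is spliced into the query string.
        ResultSet rs = st.executeQuery(
            "SELECT balance FROM accounts WHERE id = '" + userId + "'");
        String balance = rs.next() ? rs.getString(1) : null;
        // Resource leak: if executeQuery() throws, con, st and rs are never closed.
        close(con);
        return balance;
    }

    static Connection open() throws SQLException {
        return DriverManager.getConnection(JDBC_URL);
    }

    static void close(Connection con) throws SQLException {
        con.close();
    }

    // ---- Hardened version ----

    static String findBalanceForSafe(String userIdFromRequest) throws SQLException {
        return lookupSafe(userIdFromRequest);
    }

    static String lookupSafe(String userId) throws SQLException {
        // try-with-resources closes every handle on every path, including the
        // path where executeQuery() throws.
        try (Connection con = open();
             PreparedStatement ps = con.prepareStatement(
                 "SELECT balance FROM accounts WHERE id = ?")) {
            ps.setString(1, userId);          // bound parameter: input stays data, never SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

A method-local review of lookup() cannot tell whether userId is trusted; only tracing the call graph back to findBalanceFor() shows that it comes from a request. Likewise the leak exists only on the path where executeQuery() throws before close(con) runs, which is exactly the kind of path a simulation that exercises all paths, including exceptional ones, is expected to cover.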

BENEFITS
Static Testing reduces costs and increases productivity, especially for fixed-price/outcome-based projects.
Proactive error detection leads to less rework and on-time delivery.
It compensates for the lack of skills at the bottom of the skill pyramid.
It reduces the impact of attrition by codifying audit rules.