Shin-Ming Liu from Xcalibyte: Make software development safer and more efficient!

7 Apr 2021 Author: Zhao Lijing Credit: 51CTO - translated from the original Chinese article

In China, IT professionals are often given somewhat self-deprecating nicknames such as “program ape”, “code farmer”, and “engineering lion”. As they get older, they face a narrower and narrower career path. Programmers over 40 seem to be rarely seen, and 35 has become a threshold for them.

Shin-Ming Liu, the co-founder and Chief Architect of Xcalibyte, has more than 30 years of software development experience, spanning compiler optimisation, risk architecture, mobile devices, IoT and, of course, cloud computing.


After more than ten years of front-line development work and more than ten years of management in companies such as SGI and HP, Shin chose to start a business. “Starting a business has two purposes: one is to continue business innovation and the other is to find the right people, train them well, and then organize a high-performance team. This is to serve employees and maximize the potential of all employees,” Shin said.

The original intention of establishing Xcalibyte: Find bugs and remediate them!

Software is everywhere. It has entered all aspects of our work, life, and entertainment, and it is changing the world. Objectively speaking, all software has problems, big or small. According to statistics, there will be at least one bug for every 1,000 lines of code, and a security problem every 1,400 lines. In the 1980s, a large software program consisted of about 10,000 lines of code. In the 1990s, it was hundreds of thousands of lines. After 2000, it was a million lines. Now it is tens of millions of lines. That is to say, there are about 10,000 bugs in a 10,000,000 LOC software program. These bugs are often not discovered until too late, when the software is attacked by hackers.

What Xcalibyte has to do is proactively discover these bugs. Shin explained that these problems arise in the process of software development, where the thinking is not thorough enough and the connections are not smooth enough. Therefore, a good environment must be fault-tolerant and, at the same time, able to correct errors automatically. This is exactly what Xcalibyte has to do.

Make static code analysis perfect!

Currently, there are three main methods for software application security testing: dynamic code analysis, static code analysis, and interactive code analysis. Static code analysis analyzes code semantics and behavior without actually executing the program, in order to find abnormal program semantics or undefined behavior caused by poor-quality code. In layman’s terms, static code analysis finds coding errors while the code is being written. It does not need to wait for all the code to be written, nor does it need a running environment or test cases. It can find various problems in the code early in the software development process, thereby improving development efficiency and software quality.

Xcalscan is a next-generation source code analysis tool for static application security testing, using deep compiler-level technology to check data flow and analyze software applications to improve the accuracy of defect detection.

Xcalscan improves production efficiency for enterprises through integration into the software development process. Through analysis and identification of source code that may cause defects, problems such as improper memory management, core dumps, buffer overflows, illegal operations, and null pointers can be avoided. Xcalscan algorithms include data flow analysis, control flow analysis, context-sensitivity analysis, object sensitivity analysis, cross-program analysis, and cross-file analysis. At the same time, it minimizes the number of false positives to ensure the efficiency of debugging.

Shin explained this in a simple way: software bugs often appear where execution is “cross-boundary”, such as jumping from one function to another or from one module to another. If these interactions are not detected well and the execution state cannot be judged accurately, accurate data will not be obtained, and it will not be possible to analyze accurately where a potential security hazard may lie. This kind of cross-function assignment tracking is the biggest advantage of Xcalibyte’s static code analysis tool.
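The cross-function point above can be shown with a toy analysis. This is an added example, not Xcalscan's algorithm or any code from Xcalibyte: the statement format, the function names in `PROGRAM` and the `analyze` helper are all constructed for illustration. It computes a "may return NULL" summary per function and compares a per-function check with one that follows values across calls.

```python
# Constructed toy program: each function is a list of (op, *args) statements.
PROGRAM = {
    "lookup":       [("ret_null",), ("ret_obj",)],                 # may return NULL
    "make_default": [("ret_obj",)],                                # never returns NULL
    "render":       [("call", "u", "lookup"), ("deref", "u")],     # unchecked use
    "render_safe":  [("call", "u", "lookup"), ("check", "u"), ("deref", "u")],
    "banner":       [("call", "d", "make_default"), ("deref", "d")],
    "wrapper":      [("call", "w", "lookup"), ("ret_var", "w")],   # forwards maybe-NULL
    "deep":         [("call", "x", "wrapper"), ("deref", "x")],    # two calls away
}

def analyze(program, interprocedural=True):
    """Return sorted (function, variable) pairs where a maybe-NULL value is dereferenced."""
    may_null = {name: False for name in program}   # per-function return summary
    changed = True
    while changed:                                  # iterate until summaries are stable
        changed = False
        findings = set()
        for name, body in program.items():
            state = {}                              # variable -> may be NULL here?
            for op, *args in body:
                if op == "call":
                    var, callee = args
                    # Without summaries the callee is opaque and assumed non-NULL.
                    state[var] = interprocedural and may_null[callee]
                elif op == "check":
                    state[args[0]] = False          # NULL test guards later uses
                elif op == "deref":
                    if state.get(args[0], False):
                        findings.add((name, args[0]))
                elif op == "ret_null" or (op == "ret_var" and state.get(args[0], False)):
                    if not may_null[name]:
                        may_null[name] = True
                        changed = True
    return sorted(findings)

if __name__ == "__main__":
    print("per-function only:", analyze(PROGRAM, interprocedural=False))
    print("cross-function:   ", analyze(PROGRAM))
```

The per-function pass reports nothing because each body looks fine in isolation; only the summary-based pass flags `render` and `deep`, while the checked `render_safe` and the non-NULL `banner` stay clean.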

More professional interactive code analysis will be delivered in the future!

The disadvantage of static code analysis is that, with the increasing scale of modern software systems, system complexity keeps rising, from traditional stand-alone systems to distributed systems and from homogeneous systems to heterogeneous ones. In addition, software development has evolved from using a single programming language to collaborative development in multiple languages. These changes have brought huge challenges to static code analysis tools. “Not getting all the source code” is the biggest challenge faced by static code analysis tools.

Shin revealed that interactive code analysis will be a direction for Xcalibyte’s future development. An interactive code analysis tool builds a firewall at the place where the program is connected to a library and does various tests: “Does the program meet the design specifications, the company’s specifications, and security specifications?” Of course, the interaction is not necessarily perfect, because if the defense is extremely rigorous, it will become closed, and if it is too loose, it will not serve as a security defense. The next step of Xcalibyte is to “know clearly where you can loosen it, where it needs to be strict, so as to achieve smooth interaction.”

Make software development more efficient!

Back to the engineering environment mentioned at the beginning: in addition to the necessary code analysis tools, corporate culture is also a very important part of it. In most enterprises in China today, the person responsible for software development is a development engineer, and the person responsible for testing is a test engineer. Development and testing are separate, and most developers do not test the code they write. This way of working wastes a lot of time and energy in finding and fixing bugs. Development and testing work must be combined, that is, the development engineer tests the code himself after writing it. Since the developer is more familiar with the code he has written, this method of work will be more efficient. “I hope Xcalibyte will change this status quo in the future and make the software development of Chinese companies more efficient!” said Shin.

