Aiming at the Chinese software security market, Xcalibyte develops static code analysis tools to help companies improve code quality
11 Sep 2019 Author: Ru Qing Credit: 36Kr - translated from Chinese
Colin Giles, co-founder and chief operating officer of Xcalibyte, gave an interview to 36Kr in which he discussed in depth the importance of static code analysis tools in software development and the particular advantages of Xcalscan.
In the software development process, finding and fixing code defects demands a great deal of time and effort from the development team. Traditional code reviews and peer reviews are conducted manually, which is not only time-consuming but also prone to missing details that lead to further mistakes. Static code analysis tools have emerged to help developers locate code defects quickly and effectively and correct them in a timely manner during development.
Static code analysis refers to the analysis of source code, bytecode or binary code without running the program, in order to find coding errors, verify whether the code conforms to standards, and determine whether it contains vulnerabilities. There are a number of open source static code analysis tools, as well as commercial ones such as Fortify, Checkmarx and CodeSecure. Domestic Chinese vendors include Shanghai Zezhong Software and Xuanji Technology.
Xcalibyte, the company 36Kr recently contacted, has also developed a static code analysis tool, Xcalscan, for in-depth source code defect detection. The company was founded in 2018 and has offices in Shenzhen, Beijing, Shanghai and Hong Kong.
Xcalscan can be integrated into the software development process. It scans for defects and analyzes and identifies potential code quality and security issues in the source code. It can also speed up the code review work performed by QA and the IT security team, and it gives team leaders and corporate executives visibility into the progress of the company's software projects.
Xcalscan supports the C, C++ and Java programming languages. Once a developer commits source code, a scan can be triggered; the resulting defects are reported with the vulnerabilities found, their severity levels and their trace paths. Remediation tasks can then be assigned to members of the working group. Xcalscan also reports non-compliance with company or software standards for stakeholder attention and remediation.
Compiler optimisation technology and analysis at the Intermediate Representation (IR) layer allow Xcalscan to identify deep-rooted defects through data flow analysis. This improves the accuracy of defect identification and reduces the number of false positives that are common in other static analysis tools. “This is one of Xcalscan’s core strengths,” said Colin. “The scans are divided into different levels: pattern analysis and data flow analysis, where the data flows can be seen as you go deeper into the compiler technology.”
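To illustrate the difference between pattern analysis and data flow analysis that Colin describes, here is an added example (not Xcalibyte's or Xcalscan's code) that runs a syntactic null-dereference rule and a forward data-flow check over a constructed three-address IR; the IR forms and the sample program are assumptions made for this illustration.

```python
import re

# Constructed three-address IR for this illustration (not Xcalscan's IR).
# Forms: ("assign", var, src)  where src is "null" or "call <fn>"
#        ("guard", var)        an explicit "if var == NULL: return" check
#        ("deref", var)        a pointer dereference
SAMPLE_IR = [
    ("assign", "p", "null"),
    ("assign", "p", "call alloc"),   # p reassigned before any use
    ("deref", "p"),                  # safe
    ("assign", "q", "call alloc"),
    ("deref", "q"),                  # safe
    ("assign", "r", "null"),
    ("guard", "r"),                  # r is checked before use
    ("deref", "r"),                  # safe
    ("assign", "s", "null"),
    ("deref", "s"),                  # genuine null dereference
]

def pattern_check(ir):
    """Syntactic rule: flag any variable that is ever set to null and
    ever dereferenced, regardless of order or intervening checks."""
    text = "\n".join(" ".join(ins) for ins in ir)
    nulled = set(re.findall(r"assign (\w+) null", text))
    derefd = set(re.findall(r"deref (\w+)", text))
    return sorted(nulled & derefd)          # p and r are false positives

def dataflow_check(ir):
    """Forward data-flow check: track each variable's nullness fact in
    program order, so reassignments and guards kill the null fact."""
    state = {}                              # var -> "null" | "nonnull"
    findings = []
    for pc, ins in enumerate(ir):
        op, var = ins[0], ins[1]
        if op == "assign":
            state[var] = "null" if ins[2] == "null" else "nonnull"
        elif op == "guard":
            state[var] = "nonnull"          # the check rules out null
        elif op == "deref" and state.get(var) == "null":
            findings.append((pc, var))      # only the real defect
    return findings
```

Run on the sample IR, the pattern rule reports p, r and s while the data-flow check reports only the dereference of s at instruction 9.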
Another advantage of Xcalscan is its familiarity with global software security requirements. Xcalibyte has seen the rapid development of Chinese companies in emerging fields such as smartphones, AI, the Internet of Things and autonomous driving, developments that are inseparable from the support of high-quality, highly secure code. “When these Chinese companies are going overseas, the code quality and safety standards of China will also face many challenges, such as regulations from CERT, MISRA and GDPR. They need to improve code quality, improve stability and security, and this is our opportunity,” said Colin. According to a Forrester survey, the global application security market has been expanding continuously and is expected to reach USD 7.5 billion by 2023, which also reflects the increasing importance enterprises place on code quality and security.
At present, Xcalscan is to be commercialized mainly through direct B2B sales and partner sales.
As for the team, Xcalibyte’s co-founder and CEO Liang Yuning has led software development work at Fortune 500 companies, including Samsung, Nokia and Huawei, as well as at technology start-ups. He has more than 20 years of software development and management experience, a strong understanding of global technology and deep industry insight into software security. The company’s CTO, Sun Chan, has more than 30 years of experience in compiler optimization technologies. He has served as director of the “Intel-Tsinghua University Joint Laboratory” and as head of the Intel laboratory, focusing on embedded systems research, and holds more than 20 patents in the field of program analysis. Co-founder and chief architect Shin-Ming Liu has decades of experience developing and delivering high-performance computing (HPC) compilers and performance analysis tools; he served as director of HP’s Java Compiler Technology Lab and led HP compiler development and delivery. Colin himself has served as global sales executive at Nokia, global sales executive at Lenovo and Motorola, and executive vice president at Huawei. He is fluent in Mandarin and understands both the Chinese and global business markets.