It is becoming increasingly common for companies to pay close attention to code security issues. In software development, the earlier source code defects that can lead to security issues are found, the more development cost and effort is saved, and the faster the product can get to market.
With this in mind, companies have started to use static code analysis tools to address the need for delivering high quality and secure code. A lot of feedback has been gathered from users around the world about how these tools can be improved to increase efficiency and give higher productivity. In a report produced by Gartner, Magic Quadrant for Application Security Testing May 2021, the user feedback gathered through surveys identifies that static code analysis tools still have a lot of room for improvement. The opinions from users vary, but most concern the application functionality and the limitations in the analysis. Some comments include:
- The cost of learning and using the tools is high in terms of time and effort, whilst vendor customer support is relatively weak. For example, there is insufficient user training from the vendor and their support response times are slow.
- Static code analysis tools are complicated in terms of the initial setup process, project configuration as well as maintenance and upgrades.
- User interfaces are still not robust and require further improvement.
- They lack direct and effective integration with IDEs.
- Scan times are not as fast as expected.
- Scan results and reports do not contain sufficient detail to allow the user to easily remediate the defects.
- There are often a large number of unfiltered results which leads to significant time wastage.
Xcalibyte’s goal is to improve software quality by creating easy-to-use tools that help users build and deploy reliable and secure code. Xcalscan, Xcalibyte’s static code analysis tool, was designed with customers in mind and to help them tackle the challenges they face. Xcalibyte puts customers first and works collaboratively to deploy Xcalscan in the customer’s development environment. By understanding the customer’s application development processes in detail and by continuously listening to their feedback based on their experiences, the Xcalibyte team constantly improves its tools. This includes:
- Improving the integration of Xcalscan into a customer’s DevOps CI/CD processes
- Making sure that the scanning process is simple and does not require extra complicated steps
- Continuously improving the user interface so that users can quickly find the information they need to locate and remediate each defect.
The case study below is where Xcalibyte had to meet some very specific requirements for one customer who we’ll call Company A.
Company A’s main requirements were:
- Hundreds of scan tasks were continuously triggered under the same scan project through the CI/CD process every day and they needed to see historic results of all scans, not just the results from the most recent scan.
- Developers need to check incremental results after each submission to quickly locate defects in the code that they are working on.
- Simplifying the process of configuring scan tasks through their own company’s CI/CD process.
After gathering the specific needs of Company A, the Xcalibyte team documented and analyzed the requirements, and then started to customize Xcalscan. To balance the product quality and delivery time, the new bespoke features were delivered in phases. The key to ensuring success was constant collaboration and transparency between Xcalibyte and the customer. This ensured that the end solution would satisfy the needs and provide the expected capabilities. Xcalibyte continuously invests time and resources for product development and meeting individual customer needs.
The solution for Company A:
- Phase 1 solution: each scan task provided a summary of the scan results directly into the CI/CD interface and in an email. Phase 2 solution: the results of each separate scan task were displayed on the results page and sorted according to the scan submission time. The user can click the relevant scan task according to the time and view the corresponding scan task result. The user can also search the commit ID to view the scan results, so they do not need to go back to the CI/CD interface or email to search for it.
- Xcalscan provides not only the full view of the scan results but also the delta view of the results so that users can view and compare different scan results. An improvement was made to allow the user to see which defects were new or outstanding and which ones had been fixed in each defect category. The delta view also added information on when the defects were first detected and when they had been fixed. This kind of information can help quickly guide users to the commit that generated or fixed the defects.
- Xcalscan supports the use of Jenkins to trigger scans, but the projects still need to be configured before starting the scan. The scan configuration and setup process was adapted so the majority of the task could be achieved via command-line input, removing the need for users to fill in information in several sections in the Jenkins interface, thus providing convenience and speed.
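The delta view described above (new, outstanding and fixed defects per category, plus the commit in which each defect was first detected or fixed) can be illustrated with the following added example. It is not Xcalscan code; the defect fingerprint, categories, commit IDs and scan results are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    """Fingerprint of one finding. Assumption: category, file and message
    identify the same defect across scans (real tools use richer fingerprints
    so that unrelated line shifts do not show up as "new" defects)."""
    category: str  # e.g. "NPD" for null pointer dereference
    file: str
    message: str


# Constructed sample: two consecutive CI scans, keyed by commit ID.
SCANS = [
    ("a1b2c3", [Defect("NPD", "auth.c", "p may be NULL"),
                Defect("AOB", "parse.c", "index exceeds buffer")]),
    ("d4e5f6", [Defect("NPD", "auth.c", "p may be NULL"),
                Defect("NPD", "login.c", "user may be NULL")]),
]


def delta(previous, current):
    """Per-category counts of new, outstanding and fixed defects between two scans."""
    prev, cur = set(previous), set(current)
    counts = {}

    def bucket(category):
        return counts.setdefault(category, {"new": 0, "outstanding": 0, "fixed": 0})

    for d in cur:
        bucket(d.category)["new" if d not in prev else "outstanding"] += 1
    for d in prev - cur:
        bucket(d.category)["fixed"] += 1
    return counts


class DefectHistory:
    """Records the commit in which each defect was first detected and later fixed."""

    def __init__(self):
        self.first_seen = {}  # defect -> commit ID that introduced it
        self.fixed_in = {}    # defect -> commit ID that removed it
        self._last = set()

    def record(self, commit_id, defects):
        current = set(defects)
        for d in current - self._last:
            self.first_seen.setdefault(d, commit_id)
            self.fixed_in.pop(d, None)  # defect reappeared: no longer counted as fixed
        for d in self._last - current:
            self.fixed_in[d] = commit_id
        self._last = current


def replay(scans):
    """Replay scans in submission order, returning the history and each scan's delta."""
    history, deltas, prev = DefectHistory(), [], []
    for commit_id, defects in scans:
        history.record(commit_id, defects)
        deltas.append((commit_id, delta(prev, defects)))
        prev = defects
    return history, deltas
```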
After implementing the solution in stages, Company A’s needs were met by the Xcalibyte team. Xcalibyte expected a significant increase in the use of the code analysis tool, given that the processes had been simplified to reduce usage friction. In addition, the enhanced scan result display motivated Company A’s software development team to use the tool, thus delivering high-quality and secure code.
Xcalibyte will continue to prioritize customer satisfaction by actively maintaining communication with them, listening to their experiences, and taking their feedback seriously. This enables Xcalibyte to deliver static code analysis tools that truly meet the expectations of and provide value to the customers.
Reference: Gartner: Magic Quadrant for Application Security Testing (May 2021)
About the Author:
Yanwen Lu, Product Manager of Xcalibyte. She received an MBA from UCLA and an MSc in Computer Science from HKU, and has years of experience in finance, strategy, and digital product management. Her key responsibilities at Xcalibyte include product design, development, and release.