Shifting QA Left: Emerging Trends in Code Quality and Security Automation

What will be covered

Historically, static analysis has been widely used to identify defined sets of security issues via overnight runs across entire codebases as part of a separate "quality assurance (QA)" phase.

A recent trend has been the evolution of static analysis methods and tools to: 1) become much more scalable and 2) broaden their scope to include searching for performance and reliability issues in addition to security-relevant bugs. These improvements allow a much tighter integration into modern agile development processes, shifting left the detection of reliability and security issues. Google and Facebook have pioneered this new model of static analysis that involves broad deployment of extremely scalable analysis tools (billions of lines of code/thousands of commits per day) and have collected and published extensive data on its impact on code quality. Amazon has also used static analysis to streamline certification and compliance tasks. With development teams more distributed than ever, tools like static analysis become increasingly critical for development organizations to overcome the loss of productivity and risk to code quality.

This talk will review these recent developments as well as the history of static analysis in commercial software development and its evolution in the academic world. It will provide an overview of the current open source tool landscape and conclude with best practices for organizations looking to bring static analysis into their development environment.