Benefiting from Code Inspections Kevin W. Wall 2009-04-29 Copyright © – Kevin W. Wall – Some Rights Reserved. This work is made available and licensed.

Presentation transcript:

Benefiting from Code Inspections Kevin W. Wall Copyright © – Kevin W. Wall – Some Rights Reserved. This work is made available and licensed under the Creative Commons® Attribution-ShareAlike 3.0 License. To view a copy of this license, visit

Who is this stranger and why is he here?
- BS in physics/math; MS in CIS
- 30 yrs in IT (17 - Bell Labs, 3 - independent consultant, 10 - Qwest) and way-too-many code inspections
- Last 10 yrs in computer security, where as team lead, I've mandated code reviews

Agenda
- Terminology
- Goals of Code Inspections
- Benefits of Code Inspections
- Code Inspection Roles
- Inspection Process
- Pragmatic Tips
- Why Inspections Fail
- Variation: Security Code Inspections

Terminology
- Fagan inspections
- Inspection vs. review vs. walk-through
- Entrance criteria
- Exit criteria

Goals of Code Inspections
- Identify defects
- Improve code maintainability
- Ensure conformance
  - To design
  - To coding standards
  - To security policies

Benefits of Code Inspections
- Improved efficiency at defect removal
- More readable code
- Mentoring / training opportunities
- Learn strengths / weaknesses of individual developers
- Ensure policy conformance

Code Inspection Roles
- Moderator – 1
- Author(s) – 1 or more
- Reader – 1
- Recorder / scribe – 1
- Inspector(s) – multiple

Inspection Process
- Planning
- Overview meeting
- Preparation
- Inspection meeting
- Rework
- Follow-up
(Flow: Planning → Overview → Preparation → Meeting → Rework → Follow-up)

Example of Forms Used in Code Review (1 of 2)

Example of Forms Used in Code Review (2 of 2)

Pragmatic Tips
- Get management buy-in
- Moderator must maintain control
- Keep review team sizes small
- Ensure adequate preparation
- Use tool support, especially in the preparation step
- Have something to review the code against
- Don't rush to completion
- Be smart in what & how you inspect
- Do what works

Why Inspections Fail (1 of 2)
- No management buy-in
  - Too expensive; not enough time in the schedule
  - No obvious / apparent ROI
  - Quality control issues:
    - Procrastination: “Never time to do it right, but always time to do it over.”
    - Advanced lip-service: QC is just a check-box.
    - Misunderstanding your customers (business says everything is time-to-market driven, so “schedule is king”)

Why Inspections Fail (2 of 2)
- Developer feuds
- No defined process
  - What are we inspecting against?
- Fear of criticism / peer review
- Religious wars
- Moderator fails to maintain control

Variation: Security Code Inspections
- Goal: Find potential vulnerabilities in source code without inspecting all source
- How?
  - Use tool assistance (e.g., security code scanners like flawfinder, RATS, ITS4, etc.)
  - Go after the low hanging fruit: focus on high risk components

Identifying High Risk Components
- Those with a history of vulnerabilities or a high bug rate
- Examine where data flows across trust boundaries
- Those with the broadest attack surface
  - Attack surface: the set of (possibly unintended) functionality available to potential attackers
  - Input parameters, services used, foreign databases or files, unrestricted directories, environment variables, protocols, etc.
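The two security slides above (tool-assisted triage, then focusing on high-risk components) can be combined into a small flawfinder-style ranking script. This is an added example, not code from the talk or from any of the named scanners: the regex categories follow the slide's attack-surface list, while the weights, the history bonus and the sample C sources are assumptions constructed for illustration.

```python
import re

# Attack-surface indicators from the slide (environment variables, input
# parameters, files/databases, protocols) plus shell-outs and unsafe copies.
# Weights are assumptions for this example, not values from the talk.
BOUNDARY_PATTERNS = {
    "env":         (r"\bgetenv\s*\(", 3),
    "argv":        (r"\bargv\b", 2),
    "file":        (r"\b(fopen|open|fgets)\s*\(", 2),
    "network":     (r"\b(recv|recvfrom|accept)\s*\(", 3),
    "shell":       (r"\b(system|popen|execl|execv|execvp)\s*\(", 4),
    "unsafe_copy": (r"\b(strcpy|strcat|sprintf|gets)\s*\(", 4),
}

def score_source(text):
    """Return (weighted score, dict of category -> hit count) for one file."""
    hits, score = {}, 0
    for category, (pattern, weight) in BOUNDARY_PATTERNS.items():
        n = len(re.findall(pattern, text))
        if n:
            hits[category] = n
            score += weight * n
    return score, hits

def rank_components(sources, history=None):
    """Order files for inspection: attack-surface score plus a bonus for
    each previously reported vulnerability (the slide's 'history' signal)."""
    history = history or {}
    ranked = []
    for name, text in sources.items():
        score, hits = score_source(text)
        score += 5 * history.get(name, 0)
        ranked.append((name, score, hits))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked

# Constructed sample sources (not real project code).
SAMPLE_SOURCES = {
    "cgi_handler.c": 'char *q = getenv("QUERY_STRING");\n'
                     'strcpy(buf, q);\nsystem(buf);\n',
    "net_reader.c":  'n = recv(sock, buf, sizeof buf, 0);\n'
                     'fgets(line, sizeof line, fp);\n',
    "mathutil.c":    'double mean(const double *v, size_t n)\n'
                     '{ return n ? total(v, n) / n : 0.0; }\n',
}
VULN_HISTORY = {"net_reader.c": 1}   # constructed: one past vulnerability report

if __name__ == "__main__":
    for name, score, hits in rank_components(SAMPLE_SOURCES, VULN_HISTORY):
        print(f"{score:3d}  {name:15s} {hits}")
```

The ranking only tells an inspection team where to spend preparation time first; a zero score (mathutil.c here) means no boundary-crossing calls were matched, not that the file is defect-free.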

Questions??? (If you think of something later, OK to me.)