Code Quality as a Service

As the product manager for CAST Highlight, it’s refreshing to see a shift in discussions about the “quality of cloud solutions” to “cloud quality solutions.” Recently, there have been an increasing number of cloud-based static code quality analysis tools, or should I say services. A few that I’ve been watching include:

  • Code Climate consolidates the results from a suite of Ruby static analysis tools into a real-time report, giving teams the information they need to identify hotspots, evaluate new approaches, and improve code quality.
  • Codeq imports your Git repositories into a Datomic database, and then performs language-aware code quality analysis. By doing so, Codeq allows you to: track changes at the program unit level (e.g. function and method definitions); query your programs and libraries declaratively, with the same cognitive units and names you use while programming; and query across repos.
  • HP Fortify on Demand is a Security as a Service (SECaaS) testing solution that allows any organization to test the security of software quickly, accurately, affordably, and without any software to install or manage.

A couple of things jump out as I watch this market evolve.

  • Two types of providers: Some code quality solutions are bolted onto GitHub and other cloud development environments with the goal of providing inline code quality support during development. Other providers are leveraging cloud platforms to extend their reach and increase the adoption of code quality solutions through easy deployment and reduced cost.
  • Specialists: Some providers focus on a single technology, such as Code Climate for Ruby, and some focus on a single characteristic of the code, such as quality or security. Static analysis tools that are specific to a language or platform require organizations to use several vendors to cover all their technology platforms, which means that projects with mixed technologies can't have a single view of issues and metrics.
  • Source code location: All the solutions must analyze the source code and therefore have to figure out how to gain access to it. Those solutions that plug into GitHub have brought their analysis to the source code. However, these solutions cannot serve developers who are not using GitHub. Some services require that you upload source code to their server; however, transferring possession of source code always carries its own challenges and risks.

These are all personally relevant to me as we’ve tackled each issue over the past two years. I’ve attempted to provide our approach to Code Quality as a Service below.

  • Cloud as a distribution channel: We are certainly leveraging the cloud to extend across geographies and reduce the cost of analysis. Many of our clients are global organizations with system integrator partners, captive centers, or dispersed development, and an accessible solution that’s available 24/7 has helped increase adoption of code quality practices while creating visibility across geographies that has sorely been missing.
  • Generalist: Unlike some of the upstart services, Highlight has the benefit of a big brother, CAST Application Intelligence Platform (CAST AIP). My team benefits from all the research produced by CAST Research Labs over the years. As such, Highlight analyzes several technologies across several software characteristics.
  • Source code: Highlight is designed to support developers and IT management, and therefore it didn't make sense to create a plugin for GitHub and embed Highlight into the development workflow. We also wanted to avoid the discussions and issues around transferring source code and focus instead on the speed of analysis. That’s why we’ve created the Highlight Analyzer, which contains all the code quality analyzers and is downloaded from the website. This approach pushes distributed analysis out to the application owners while accelerating the process, enabling hundreds of applications to be analyzed in a week.

Summary

Regardless of which code quality service suits an organization best, it’s exciting to see a growing focus on improving code quality, removing adoption barriers and making analysis more accessible to development teams. ZeroTurnaround even comments on the growing trend of code quality in its 2012 Developer Productivity Report. This year it has added research into the state of code quality tools in the Java developer space, reporting that “…all these tools are complementary of each other, (and) used by nearly a quarter of our respondents.”

If you’ve used any of the mentioned code quality solutions, I’d be interested in your feedback. I also invite you to try out Highlight and would love to hear what you think.

Filed in: Software Quality
Pete Pizzutillo VP Corporate Marketing at CAST
Pete Pizzutillo is Vice President of Corporate Marketing at CAST. He is responsible for leading the integrated marketing strategies (digital and social media, public relations, partners, and events) to build client engagement and generate demand. He passionately believes that the industry has the knowledge, tools and capability such that no one should lose customers, revenue or damage their brand (or career) due to poor software. Pete also oversees CAST’s product marketing team whose mission is to help organizations understand how Software Intelligence supports this belief. Prior to CAST, Pete oversaw product development and product management for an estimating and planning software company in the Aerospace and Defense market. He has worked in several industries in various marketing roles and started his career as an advertising agency art director. He is a graduated of The Pennsylvania State University with degrees in Business Administration and Art. Pete lives in New Jersey with his wife and their four children. You can connect with Pete on LinkedIn or Twitter: @pizzutillo.