Assessing the effectiveness of static code analysis

For complex systems identifying and mitigating a gap between suppliers provided software and customer certification needs is difficult. Getting it wrong can cause program delays or even project failure. A mitigation strategy is to carry out additional assurance analysis such as static code analysis (SCA). This can add significantly to the procurement expense and may require repeating with new software upgrades. The purpose of this paper is to present an analysis of the effectiveness of nearly 10 years efforts of additional independent SCA assurance on a large software intensive project. The evidence presented also is supported by SCA findings on other projects conducting additional SCA. The analysis work was carried out for a Ministry of Defence Integrated Project Team as part of their continual assessment and improvement of safety.