Software Audit Overview / Target 5: Auditing design / implementation capabilities (2/2)

08/01/2021  Audit for Software Development

Check the review checklists, the source code analysis tools, and the automated testing as indicators of development technology in the area of design and implementation capability.

In the previous article, as part of confirming the technical capabilities related to software design and implementation that are a target of a software development audit, we introduced the points to check regarding the existence of a technical expert team and a development process improvement team, and the mechanism for sharing technical information and bug information. In this article I introduce the remaining three check points: the checklists used for design reviews and code reviews, the static and dynamic analysis tools applied to source code, and automated testing.

Do you use checklists for design reviews and code reviews?

The deliverables of software development work are design documents and source code. The work that ensures the quality of these deliverables is the review: design document review and source code review (code review). Since the design and implementation of software depend heavily on the competence of the engineer in charge, the quality of the deliverables cannot be kept constant without review. This is also a major difference from the quality control of products mass-produced in factories.

I expect your company also holds design reviews and code reviews frequently. There are various review methods, such as a meeting format or a circulation format, and the reviewer may be a colleague or a team leader, depending on the method adopted.

From what point of view, then, do reviewers look at design documents and source code to identify problems? Since software design and implementation happen in the mind of the software engineer, it is not possible to know in detail what the engineer based the current design document or code on, or what judgment went into writing it.

The same is true of the review findings: the reviewer looks at the design document and source code and points out problems in light of his or her own experience and knowledge. Looking only at the findings, it is not possible to know what judgment produced them.

As a result, the findings often differ greatly from reviewer to reviewer. It is good that different reviewers point out different things from various perspectives, but if the number of reviewers is small, there is a risk that important points will be missed.

This is why many companies prepare review checklists listing the points that require attention when conducting design reviews and code reviews. There are various types of checklist, but in many cases the items are classified by technical area (for example, software design areas and test areas), and the points to note when reviewing each area are written down. Before a design review or code review, the reviewer refers to this checklist, decides which points to pay attention to this time, and then conducts the review.

Creating a review checklist and sharing it with reviewers reduces omissions of confirmation items during reviews and accumulates know-how on what to pay attention to. Therefore, what the organization has in the way of review checklists is one of the important points of a software development audit.

Status of static and dynamic analysis tools for source code

A code review is a check on the quality of source code by a software engineer other than the implementer. It is effective in preventing the inadvertent introduction of bugs into newly implemented or modified source code. However, it is not realistic to code review all of the source code used as a baseline for software development, such as purchased source code and adopted OSS, because the volume is enormous and it would take far too many man-hours.

So how do you check the quality of this source code? As software has grown larger in recent years, the ratio of newly developed or modified source code to the whole has become smaller and smaller. Conversely, the ratio of source code brought in from elsewhere as a baseline is increasing, and if the quality of this baseline source code is poor, it is not possible to produce software of good quality.

In such cases the only practical option is to use static and dynamic analysis tools to check the quality of the source code as far as possible. Each analysis tool has its own technical field, so it is difficult to achieve a check as comprehensive as a code review by a software engineer, but the speed of the check makes up for that weakness. Tool output also contains false positives, so the findings need triage before they are treated as review items. Analysis tools can then be used to narrow down the areas where problems are frequently reported, so that software engineers can concentrate their code reviews there.
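The following is an added example, written for this article and not code from the original post or from any particular analysis tool. It shows the triage step described above: a few review checklist items are encoded as static checks, run over a constructed "baseline" of unreviewed source files, and the files are ranked so that human code review starts where the tool findings cluster. The checklist items, the weights, and the sample source files are all assumptions made for illustration; in practice the same ranking step would consume the report of the organization's real static analysis tool.

```python
"""Checklist-driven static scan that prioritises files for human code review.

Added example, not from the original article. The checklist items, the file
contents and the weights are constructed for illustration; a real project
would feed the output of its own static analysis tool into the same triage.
"""
import re
from collections import defaultdict

# Constructed checklist: (item id, regex, weight). The weight stands in for
# how often that class of finding was a real defect in past reviews; the
# numbers here are assumed, not measured.
CHECKLIST = [
    ("C1-unsafe-string", re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("), 3),
    ("C2-hardcoded-secret", re.compile(r"(?i)(password|secret|api_key)\s*=\s*\"[^\"]+\""), 5),
    ("C3-system-call", re.compile(r"\bsystem\s*\("), 4),
    ("C4-todo-fixme", re.compile(r"\b(TODO|FIXME)\b"), 1),
]

# Constructed baseline sources, standing in for purchased or OSS code that
# no engineer on the team has reviewed line by line.
SOURCES = {
    "vendor/net/parse.c": """
#include <string.h>
void parse(char *dst, const char *src) {
    strcpy(dst, src);            /* TODO bounds check */
    sprintf(dst, "%s", src);
}
""",
    "vendor/util/run.c": """
#include <stdlib.h>
int run(const char *cmd) { return system(cmd); }
""",
    "vendor/cfg/defaults.c": """
static const char *api_key = "example-not-a-real-key";
""",
    "vendor/math/vec.c": """
int dot(const int *a, const int *b, int n) {
    int s = 0;
    for (int i = 0; i < n; i++) s += a[i] * b[i];
    return s;
}
""",
}


def scan(sources):
    """Return {path: [(item id, line number, line text), ...]} for every hit.

    Files with no hits are absent from the result.
    """
    findings = defaultdict(list)
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for item_id, pattern, _weight in CHECKLIST:
                if pattern.search(line):
                    findings[path].append((item_id, lineno, line.strip()))
    return dict(findings)


def prioritise(findings):
    """Rank file paths by summed finding weight, highest first.

    This is the narrowing-down step: reviewers take the top of this list.
    """
    weights = {item_id: w for item_id, _pattern, w in CHECKLIST}
    scored = []
    for path, hits in findings.items():
        score = sum(weights[item_id] for item_id, _lineno, _line in hits)
        scored.append((score, path))
    scored.sort(reverse=True)
    return [path for _score, path in scored]


if __name__ == "__main__":
    found = scan(SOURCES)
    for path in prioritise(found):
        print(f"{path}: review first")
        for item_id, lineno, line in found[path]:
            print(f"  {item_id} line {lineno}: {line}")
```

Note that vec.c produces no findings and therefore does not appear in the ranking at all; a real tool would still report it as scanned, and the reviewers' checklist should say explicitly whether "no tool findings" is treated as "no review needed" or merely "lower priority".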

Making good use of static and dynamic analysis tools is very important in today's large-scale software development, but a good tool is quite expensive. It is often difficult to purchase a license for an analysis tool within a single software development project, so whether a system is in place to introduce and operate analysis tools at the company or organizational level is one index for judging the software development capability of the organization.

How automated testing is organized and used

After the source code has been designed and implemented, it is built into an executable image and finally reaches the testing stage. Testing needs to be looked at from various perspectives, but from the perspective of the organization's development technology, it is also important to check how efforts toward automated testing are progressing.

Test methods can be divided into manual testing, in which the tests are performed by hand according to manually created test items, and automated testing, in which the tests are performed automatically using some kind of test tool and test scripts.

Neither manual testing nor automated testing is best in all cases; each has advantages and disadvantages, so they need to be used appropriately. Put roughly, manual testing is good at finding bugs but takes time, while automated testing can quickly confirm that known bugs have not reappeared but is not good at finding new bugs, because an automated test only checks what it was written to check.

Considering the life cycle of the software, in the early stages of development the software under test changes constantly as functions are added and bugs are fixed, so manual testing is more efficient. However, as the development of new functions converges and the number of bug-fix releases increases, the main focus shifts to checking for secondary bugs (regressions) introduced by bug fixes, so automated testing becomes more efficient.
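The following is an added example, not code from the original article. It shows the kind of automated test that earns its keep in the bug-fix phase described above: a regression test that pins a bug found by manual testing so that later fixes cannot reintroduce it, while also pinning the behaviour that already worked. The bug chosen is a constructed one, an open-redirect allowlist implemented as a string prefix check, and the allowlist, URLs and function names are assumptions made for illustration.

```python
"""Regression test pinning a fixed bug, kept beside the cases that already worked.

Added example, not code from the original article. The bug, the fix, the
allowlist and the test inputs are constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}   # assumed allowlist of redirect targets


def is_safe_redirect_before_fix(url):
    """The original (buggy) check: a string prefix test.

    The bug found in manual testing: "https://example.com.evil.test/" is
    accepted because the string starts with the allowed prefix.
    """
    return url.startswith("https://example.com")


def is_safe_redirect(url):
    """The fixed check: parse the URL and compare the host exactly."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


# Constructed test table. Each row pins one behaviour: the cases that worked
# before the fix (so the fix must not break them) and the cases the fix closes.
REGRESSION_CASES = [
    ("https://example.com/login", True),
    ("http://example.com/", False),              # scheme downgrade rejected
    ("https://evil.test/", False),
    ("https://example.com.evil.test/", False),   # the bug that was fixed
    ("https://example.com@evil.test/", False),   # userinfo trick: host is evil.test
]


def run_regression(check=is_safe_redirect):
    """Run every case against `check`; return the (url, expected, got) rows that failed.

    An empty list means the fix holds and nothing that previously worked broke.
    """
    failures = []
    for url, expected in REGRESSION_CASES:
        got = check(url)
        if got != expected:
            failures.append((url, expected, got))
    return failures


if __name__ == "__main__":
    print("before fix:", run_regression(is_safe_redirect_before_fix))
    print("after fix: ", run_regression())
```

Running the same table against the pre-fix function shows why the test exists: it fails on exactly the two hostile URLs, and passes everything else. That is the behaviour the article attributes to automated testing: it will keep confirming that these specific cases stay fixed on every later release, but it will never discover a new bypass on its own; that still takes a tester or reviewer thinking about new inputs.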

In this way, the appropriate ratio of manual testing to automated testing changes with the life cycle of the software. To respond flexibly to such changes, the organization needs to accumulate policies and know-how on when and how to use automated testing. This too is one of the indicators for judging the software development capability of an organization.

Next, I will introduce the perspective of software development audit methods.

In the articles so far, we have introduced the outline of the audit from the four perspectives that make up the target of a software development audit: development process, test technology, requirements-grasping technology, and design / implementation technology. How was it? Software development auditing is a method that Gutara's father devised on his own, so I think some parts are difficult to understand. In the next article, I will continue to introduce the outline of software development auditing from the perspective of audit methods.