Sunday, August 30, 2009

What You Didn't Buy When You Bought That Static Analysis Tool

When you are buying things, be it at the store or through a vendor for your company, you are really buying results. The tool or object you purchase is just a means to an end. As the old adage goes, you don't go to a hardware store to buy drills, you go there to buy holes. Static source code analysis solutions are great tools for helping software development organizations find defects earlier in the development process. However, because they are a technology only now entering the mainstream, most organizations don't have the experience to know the entire effort required to use static analysis effectively.

When you purchase a static analysis solution you are really buying the defects that are valuable enough for you to take action to fix. A good measure of the value of the tool is the number of defects that you actually fix. What you aren't purchasing is:
  • the setup and customization required to get the tool installed, tuned and integrated into the toolchain
  • the management and administration needed to keep the tool running
  • the additional hardware required to run it with good performance
  • the training and rollout required to bake the tool into the process
  • the political process required to get people to change their behavior
  • the additional steps required for each user to change their process
  • the defects that were reviewed and put in the 'not fix' bucket. These include false positives, don't-care alerts, low-priority reports and ones that haven't been reviewed yet.
  • the time and expertise required to further improve upon the tool or take advantage of features and capabilities not yet used
Even with all of this effort taken together, it's hard to beat the value that a good static analysis tool can bring. Just remember that buying the tool is only the first in a series of steps that need to be taken to get to success. Sometimes you have to pay a little bit to get the big payoff.
