Prism in Depth

What it is

The Prism 1000 Source Code Analyzer is an automated software security and code quality assurance testing device designed to support high-performance software application testing. Prism is offered on a monthly subscription basis as a service or on a per use project basis.

Most customers use Prism to:

  • Provide objective detail and measurements as to the compliance of code with software quality benchmarks set by the customer
  • Assess code for quality regardless of where it’s developed
  • Determine readiness of an application for the next stage in the development lifecycle, particularly QA readiness
  • Establish automated, consistent, and repeatable code checks to determine the real-time status of applications in the development portfolio
  • Reduce the cycle time for developers to write code that both functions properly and is more secure
  • Develop corporate standards for use of Java or Open Source code in enterprise applications and ensure that developer compliance with those standards is maintained
  • Monitor C and C++ code to ensure that no new issues are introduced into the application during maintenance updates

Prism is purposefully designed to be easy to use and to fit within virtually any build environment. The user need only identify the location of the source code, select the tests to run and then initiate the Prism testing procedures. Capable of running multiple tests from the same platform, Prism generates clear, concise and actionable software quality reports as well as metrics that the enterprise can use for code quality compliance programs. Since Prism is an automated source code testing device, there are no software seats to license, people to train or enterprise deployments to manage. And because Prism is offered on a subscription basis, there are no capital budget issues to wrestle with.

What it does

Prism checks C, C++, Java, Perl, Python and PHP code for quality and security issues by integrating four important elements:

  1. Multiple analysis modules (quality, security, metrics, etc.)
  2. Automated dynamic tests generated at the unit and function level
  3. An integration framework to reduce duplication, false positives and to provide inferences on issues found
  4. An easy to use web-driven user interface

Together, these technologies enable Prism to provide a fast and comprehensive means for automated testing of code for quality issues.

Why it matters

Reflective’s Prism platform is designed for seamless integration into multiple development environments. New Prism appliances can be added to a customer’s testing infrastructure without disruption to current installations or existing metric data. All Prism output can be referenced across different product configurations and new rules and instance data can be updated seamlessly into the system.

Figure: The Prism 1000

Significant Advantages of Prism Include:

  • Full Automation – Prism is designed specifically for the needs of enterprise-level software quality and security analysis (versus a developer tool). Since it is an appliance that can sit in-line in the build environment or virtually anywhere the user chooses to deploy it, Prism can be invoked automatically as part of the QA test cycle and can scan large code bases or multiple build projects without any human interaction. A fully automated enterprise-level code analysis capability has important benefits for large organizations with multiple software projects that cannot afford the cost and time to use a developer-based tool for scanning all their code. With Prism, developers do not have to be trained or forced to use a code scanning tool in order for code to be tested; the process can be automated and built into the development or code compliance process, so code can be checked without imposing new testing requirements on developers.

  • Consistent Metrics, Enterprise-wide Baselines and Meaningful Measurement – Regardless of the tools a developer uses to fix code, Prism can generate consistent, specific, repeatable enterprise-wide metrics. The data Prism generates helps the enterprise manage development processes with relevant and objective information. Prism can be run on a server in the client’s data center, remotely as a service or on a project basis. When all code can be easily tested for quality and compared with objective historical data, the enterprise gains immediate visibility into the overall quality of its application portfolio and can set realistic and achievable goals for improving the efficacy and safety of its software.

  • Multiple Algorithmic Assessment – Since the product integrates multiple algorithms on one device, Prism can check for a wider range of software issues than any single code scanning tool available today. Most code scanning tools use a single algorithm as the core of their checking technology. Current academic research and user experience indicate that no single algorithm is capable of finding the wide variety of issues that should be checked for in code. Prism uses 10 different algorithms for assessing software, and more algorithms mean Prism can find a wider range of issues. In addition, as new algorithms are developed, they can easily be added to the Prism platform, thereby immediately enhancing the product’s capability. This means an investment in Prism can be leveraged into the future, increasing the ROI for the development organization.

  • Speed – Since Prism runs up to 4,000 lines a second, test reports are delivered in minutes instead of weeks. This speed factor is especially important in rapid build environments where time and volume of code change are critical in managing resources and keeping projects on schedule and on budget.

Since the Prism platform is completely automated, the need for human expertise to run tests and generate results is eliminated. Once Prism is configured, the engineer simply loads the code and selects the tests to run, and the reports are created. Updates to the rules and instances knowledge base, as well as to the vulnerability database, are handled centrally by Reflective, or the customer can choose to manage their own rules libraries and testing templates internally.