Organizations ask a lot from their developers; they demand not only increasingly complex software but also tighter deadlines. For this reason, developers are unlikely to embrace SAST tools that disrupt development workflows. Rather, they prefer static analysis with a minimal impact on their normal workflow—which informs them about the quality and security of their code without distracting them.
Google’s static analysis implementation demonstrates the importance of convenient development workflow integration. Initial attempts to integrate static analysis into Google’s development process failed because their SAST tool reported information on a separate dashboard. Developers felt that switching between the dashboard and their IDEs was a hassle, so they dismissed static analysis. In response, the Google SAST team created multiple integration points within the SDLC—giving developers the flexibility to debug where it was easiest for them. This simple change significantly influenced its adoption.
Ultimately, Google’s developers embraced static analysis because it made debugging efforts easier when integrated into their existing development workflows. As Google’s static analysis team said, “For a static analysis project to succeed, developers must feel they benefit from and enjoy using it.”