Why is static source code analysis necessary?
The longer a bug goes undetected, the more it costs to find and fix. A problem that surfaces during integration can halt development and consume hundreds of developer hours to isolate and correct. A latent problem found by end users (or, for a security flaw, by an attacker) costs them money and goodwill and can threaten the vendor's profitability. If the press reports a latent bug in a newly released product, the damage extends to the company's reputation and to the product's chances of success.
To reduce the risk of continuing development on, or shipping, software with latent problems, the development organization needs procedures that find and remove problems as early as possible, preferably on the source code itself, before it is compiled or run. Programmers should review their code, but relying entirely on manual review is slow, is only as reliable as the skills of the individual reviewer, and will be done differently by each programmer on the team. In other words, manual pre-compile analysis slows development, is prone to human error, and is hard for managers to monitor and control.
By running static source code analysis and fixing the problems it identifies before the code is compiled, developers cut the risk and the cost of defects, both of which grow rapidly the longer a problem remains undetected.