Do you want to make your systems more reliable and resilient before your organization becomes the next headline? View the slides from our recent webinar with Melinda Ballou, Program Director for IDC's Application Life-Cycle Management & Executive Strategies research.
Melinda discusses the trends driving recent high-profile outages with increasing frequency, and gives practical advice on adapting your strategy for quality analysis and improving architectural design upfront. To view the recording, visit http://www.castsoftware.com/news-events/event/avoid-system-failure-idc?gad=ss
20. CAST Confidential
Industry starting to pay attention to code quality
But code quality and hygiene, the things traditional safeguards identify, are only a small part of the solution.
Source: Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering.
“Tracking programming practices at the Unit Level alone may not translate into the anticipated business impact, … most devastating defects can only be detected at the System Level.”
[Chart: Unit-Level Flaws vs. System-Level Flaws. Share of application defects: 92% unit-level, 8% system-level. Share of repair effort: 52% unit-level, 48% system-level. 90% of downtime is attributed to system-level flaws. Callout: “48% of downtime caused by 8% of system-level defects!”]
21.
Business characteristic: good coding practices at the unit level vs. good architectural practices at the technology/system levels

RELIABILITY
Unit level: protecting state in multi-threaded environments; safe use of inheritance and polymorphism; resource bounds management; complex code; managing allocated resources; timeouts.
Technology/system level: multi-layer design compliance; software manages data integrity and consistency; exception handling through transactions; class architecture compliance.

PERFORMANCE EFFICIENCY
Unit level: compliance with object-oriented best practices; compliance with SQL best practices; expensive computations in loops; static connections versus connection pools; compliance with garbage collection best practices.
Technology/system level: appropriate interactions with expensive or remote resources; data access performance and data management; memory, network and disk space management; centralized handling of client requests; use of middle-tier components vs. procedures/DB functions.

SECURITY
Unit level: use of hard-coded credentials; buffer overflows; missing initialization; improper validation of array index; improper locking; uncontrolled format string.
Technology/system level: input validation; SQL injection; cross-site scripting; failure to use vetted libraries or frameworks; secure architecture design compliance.

MAINTAINABILITY
Unit level: unstructured and duplicated code; high cyclomatic complexity; controlled level of dynamic coding; over-parameterization of methods; hard coding of literals.
Technology/system level: excessive component size; duplicated business logic; compliance with initial architecture design; strict hierarchy of calling between architectural layers; excessive horizontal layers; excessive multi-tier fan-in/fan-out.

NUMBER OF ISSUES: unit level 90% of violations; technology/system level 10% of violations.
BUSINESS IMPACT: unit level 52% of repair workload and 10% of production downtime; technology/system level 48% of repair workload and 90% of production downtime.

Industry must focus on the flaws that matter
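To see why the system-level column calls for a different kind of analysis, the example below (my own added illustration, not code from the deck or from CAST's products) runs a toy taint analysis over a constructed three-layer program. A per-function scan, which is all a unit-level check sees, reports nothing because the untrusted value enters the data layer through a parameter; following the data flow across the call chain flags the SQL sink.

```python
# Added example (not from the deck or CAST tooling): toy taint analysis showing why
# SQL injection is a system-level flaw that a per-unit scan misses. The program is
# constructed; each function is a list of statements:
#   ("param", name) | ("source", dst, label) | ("assign", dst, src)
#   ("call", callee, [arg vars]) | ("sink", var, label)
PROGRAM = {  # web layer -> service layer -> data layer, no validation anywhere
    "handler": [("source", "user_id", "request.param"), ("call", "find_user", ["user_id"])],
    "find_user": [("param", "uid"), ("assign", "key", "uid"), ("call", "run_query", ["key"])],
    "run_query": [("param", "q"), ("assign", "sql", "q"), ("sink", "sql", "db.execute")],
}

def _scan(body, tainted):
    """Propagate taint through one body; return sinks reached and calls with arg taint."""
    hits, calls = [], []
    for stmt in body:
        kind = stmt[0]
        if kind == "source":
            tainted.add(stmt[1])
        elif kind == "assign" and stmt[2] in tainted:
            tainted.add(stmt[1])
        elif kind == "sink" and stmt[1] in tainted:
            hits.append(stmt[2])
        elif kind == "call":
            calls.append((stmt[1], [a in tainted for a in stmt[2]]))
    return hits, calls

def unit_level_findings(program):
    """Unit-level view: each function scanned alone, so no taint enters via parameters."""
    findings = []
    for name, body in program.items():
        hits, _ = _scan(body, set())
        findings += [(name, h) for h in hits]
    return findings

def system_level_findings(program, entry):
    """System-level view: follow taint across call boundaries from the entry point."""
    findings = []

    def walk(name, tainted_args, path):
        params = [s[1] for s in program[name] if s[0] == "param"]
        tainted = {p for p, t in zip(params, tainted_args) if t}
        hits, calls = _scan(program[name], tainted)
        findings.extend((" -> ".join(path + [name]), h) for h in hits)
        for callee, arg_taint in calls:
            if callee not in path + [name]:  # guard against recursive call chains
                walk(callee, arg_taint, path + [name])

    walk(entry, [], [])
    return findings
```

Running both views over PROGRAM gives an empty unit-level result and a single system-level finding that names the full handler-to-database path.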
22.
CAST Software Risk Prevention
CAST solutions expose the weaknesses in complex multi-tier systems by identifying the high-severity engineering flaws that testing cannot detect. CAST provides confidence that critical systems are free from vulnerabilities, whether intentionally designed into the software or accidentally introduced at any time during its lifecycle.
SOFTWARE RISK PREVENTION PROCESS
1. Define the business-relevant software characteristics (stability and resilience, performance efficiency, and security) that matter to your business.
2. Identify structural weaknesses and architectural hotspots based on initial of applications.
3. Baseline and benchmark key risk indicators against industry norms.
4. Monitor to ensure systems do not degrade over time.
PEACE OF MIND - FROM THE INSIDE OUT.
23.
Analysis strategy for typical IT application portfolio
[Diagram: effort (man-days/year) plotted against importance to business, from highest to lowest.]
Critical apps (highest importance): CAST AIP, providing deep structural analysis, risk detection, lean application development, function points and productivity, vendor management, and continuous improvement.
Entire application portfolio: CAST Highlight, providing fast cloud-based delivery, no source code aggregation, key metrics on the entire portfolio, size, complexity and risk analytics, and annual/quarterly benchmarks.
25.
Enterprise IT applications require depth of analysis
[Diagram: three levels of analysis, with Architecture Compliance, Data Flow / Transaction Risk, and Propagation Risk shown as cross-cutting concerns.]
1. Program Level: code style and layout; expression complexity; code documentation; class or program design; basic coding standards.
2. Module Level: intra-technology architecture; intra-layer dependencies; module complexity and cohesion; design and structure; inter-program invocation; security vulnerabilities.
3. System Level: integration quality; architectural compliance; risk propagation simulation; application security; resiliency checks; transaction integrity; function point and EFP measurement; effort estimation; data access control; SDK versioning; calibration across technologies.
Technologies covered: Java, EJB, PL/SQL, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, Messaging, Web Services, JSP, ASP.NET, APIs.
26.
CAST AIP - well beyond static analysis
[Diagram of CAST AIP components: Static Analysis (code pattern scanning, dependencies); Data Flow Rule Engine; Transaction Finder; Intelligent Configuration; Content Updater; Architecture Analysis; Behavioral Simulation; Function Points.]
“The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers.”
27.
Making risk management actionable
Identify and stabilize are the tactical steps. Hardening and optimizing is a move towards proactive risk management, which requires actionable processes built into the application lifecycle.
Quickly spot the riskiest applications in your portfolio.
View the overall Technical Quality Risk Score.
View the total number of critical violations discovered.
28. CAST Confidential
• Upload Source Code
and documentation
• Complete a Technical
Survey
Application Assessment Process
TRANSFER
VALIDATE
INSIGHT
• CAST Consultant verifies
completeness of source code ,
artifacts, and technical survey.
• Verifies application boundaries.
• Results are published
to a private, secure portal
• Assessment report delivered
and presented to client
Results by application
Code Quality performance
Benchmark across industry
Day 1 Day 2 – 4
Day 8
ANALYZE
• CAST Consultant performs the analysis.
• Using highly-sophisticated language
analyzers and more than 1000 industry-
best-practice rules, CAST assessment
identifies weakness in the application and
provides guidance on how to fix them.
• Verifies results with Client application
owner/SME
Day 4 – 7
29.
Contact Information
Pete Pizzutillo
p.pizzutillo@castsoftware.com
www.castsoftware.com
blog.castsoftware.com
linkedin.com/company/cast
@OnQuality
slideshare.net/castsoftware