IT due diligence, software audit and software quality standards are very important for startups that want to sell to or partner with large companies and corporates. In this invited talk the importance of quality is discussed from a startup perspective.
5. SZ
www.softwarezaken.nl www.startupjuncture.com
1. Corporates and IT quality
• Enron: went from $70 billion to zero in a couple of months
• Biggest accounting scandal in history, second biggest bankruptcy
• Caused a change in regulations: Sarbanes-Oxley
  • senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
  • requires that the company's "principal officers" (typically CEO and CFO) certify and approve the integrity of their company financial reports
6. SZ
Legacy problems
Then:
• Computer systems are not developed to run forever.
• Before 1990, taking 4 digits to store a year seemed a waste of space
Now:
• It is incredibly hard to migrate data out of live systems
• It is incredibly hard to replace old COBOL systems: systems from 1980 are still running in banks!
Image: 1956 IBM hard drive
7. SZ
IT failure happens often...
LOS ANGELES (AP) — Flights to and from airports in the Los Angeles area were grounded for more than an hour Wednesday due to a computer failure at an air traffic control facility in the region, the Federal Aviation Administration said. The problems rippled nationwide. […]
The ERAM system is critical to the FAA's plans to transition from a radar-based air traffic control system to satellite-based navigation, but its rollout is years behind schedule and hundreds of millions of dollars over budget.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html
8. SZ
... And is caused by legacy software
ERAM is replacing another computer system that was so old that most of the technicians who understood its unique computer language have retired.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html
Image: IBM 3070
9. SZ
Another case: Denver airport
The airport's computerized baggage system, which was supposed to reduce delays, shorten waiting times at luggage carousels, and cut airline labor costs, was an unmitigated failure.
The airport opening was originally scheduled for October 31, 1993, with a single system for all three concourses. Issues with the baggage system delayed the opening to February 28, 1995, with separate systems for each concourse and varying degrees of automation.
The system's $186 million original construction costs grew by $1 million per day during months of modifications and repairs.
11. SZ
Maintenance cost matters more than development cost for companies
Conservative example:
• The system needs 15% maintenance per year
• The system grows 10% per year
• System lasts 10 years
Result: maintenance costs are 140% higher than development cost
Chart data (development cost indexed at 100):
Build: 100
Year 1: 15
Year 2: 17
Year 3: 18
Year 4: 20
Year 5: 22
Year 6: 24
Year 7: 27
Year 8: 29
Year 9: 32
Year 10: 35
Total maintenance over 10 years: 239
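As an added worked derivation (not on the original slide), the total in the chart follows directly from the three assumptions above. Let D be the development cost; maintenance starts at 0.15 D in year 1 and grows 10% per year for 10 years, so the total maintenance M is a geometric series:

$$
M = 0.15\,D \sum_{k=0}^{9} 1.1^{k}
  = 0.15\,D \cdot \frac{1.1^{10} - 1}{1.1 - 1}
  = 0.15\,D \cdot 15.94
  \approx 2.39\,D
$$

With D = 100 this gives the 239 of the chart: maintenance exceeds the development cost by about 139%, the "140% higher" of the slide. The rounded yearly bars (15, 17, 18, …, 35) are the terms 0.15 D · 1.1^k.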
15. SZ
A good assessment process includes context
Diagram on the slide:
System context and business strategy
  → is the input for determining…
Risks, Quality, Economics
  → are the basis for…
Conclusions and Recommendations
Code review and factfinding
16. SZ
How not to deal with an assessment
Speech bubbles on the slide, between Client, Supplier and Assessor:
Client to Supplier: Develop a system as fast as possible at minimal cost
Supplier: OK, here it is
Client to Assessor: Can you audit the system?
Assessor to Client: What quality standards did you demand?
Client: We asked nothing special, but we expect a fit for use system conforming to industry best practices
Assessor to Supplier: What quality standards did you use?
Supplier: None, we focused on cost and speed
Assessor: Let's report a lot of findings to show that we worked really hard
17. SZ
A better way to deal with assessments
Speech bubbles on the slide, between Client, Supplier and Assessor:
Client to Supplier: Develop a system as fast as possible at minimal cost
Supplier: Here is our own standard, is that good enough for you?
Assessor to Supplier: What quality standards did you use?
Supplier: We agreed on this standard. We checked the code and it complies. Let us know if you find any issues
Assessor: We worked really hard and have these findings
Supplier: Well done! We do not see major risks, but if needed we have a quality process and can fix these in the next release.
Assessor to Client: The quality is what has been agreed, and will be even better in the next release
18. SZ
How to deal with due diligence
1. You cannot determine the outcome directly, but you can influence the process: you can set conditions before you provide your data.
2. Keep it short by starting late: do not start the assessment before the other deal details are sorted out.
3. Ensure the goal is limited: for instance, to determine whether the software has issues that cannot be fixed and cause major risks.
4. Ensure involvement: auditors should listen to your side, and share and discuss findings before reporting any issues.
20. SZ
ISO 25010 is the official standard for software quality
ISO 25010: Software product quality
• Functional suitability
• Reliability
• Performance / efficiency
• Operability
• Security
• Compatibility
• Maintainability
• Portability
(The slide arranges these characteristics on a visible / invisible axis.)
23. SZ
Step 2: quality process
Structure:
• Know and use agile, scrum and SAFe
• Build a working system at least every two weeks
• Agree on code quality standards
Tools:
• Create a fully automated daily build process
• Use automated tools (checkstyle, FxCop, Simian, PMD, Sonar)
• Monitor issues daily
Mindset:
• Address root causes of issues in retrospectives:
  • Training needs for new and current developers
  • Important refactoring actions
  • Adjustments to quality standards
27. SZ
Measure, measure, measure: Duplication
Found 185 duplicate lines in the following files:
Between lines 29 and 235 in /java/jabref-2.9.2/src/java/net/sf/jabref/export/layout/format/FormatChars.java
Between lines 31 and 239 in /java/jabref-2.9.2/src/java/net/sf/jabref/oo/OOPreFormatter.java
Found 194 duplicate lines in the following files:
Between lines 130 and 397 in /java/jose-144-source/java/de/jose/util/Metaphone2.java
Between lines 129 and 396 in /java/jose-144-source/java/de/jose/util/Metaphone.java
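The report above is the output format of a duplicate-code detector such as Simian. To show what such a tool actually does, here is an added example (not code from the slides or from the projects named in the report): it normalizes whitespace, skips blank lines and lone braces, hashes sliding windows of five significant lines across all files, and extends every matching window to its maximal run. The two Java sources are constructed for the example and are not the JabRef or jose files listed above.

```python
import hashlib
from collections import defaultdict

MIN_LINES = 5  # shortest run of significant lines that counts as a duplicate

# Constructed sample sources (hypothetical files, not the projects named on the slide).
# Both classes share the same escaping loop, the kind of copy-paste a detector flags.
SAMPLE_FILES = {
    "FormatA.java": """\
public class FormatA {
    public String format(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '&') { sb.append("&amp;"); }
            else if (c == '<') { sb.append("&lt;"); }
            else if (c == '>') { sb.append("&gt;"); }
            else { sb.append(c); }
        }
        return sb.toString();
    }
}
""",
    "FormatB.java": """\
public class FormatB {
    private final Logger log = Logger.getLogger("B");

    public String preFormat(String s) {
        log.fine("preFormat");
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '&') { sb.append("&amp;"); }
            else if (c == '<') { sb.append("&lt;"); }
            else if (c == '>') { sb.append("&gt;"); }
            else { sb.append(c); }
        }
        return sb.toString();
    }
}
""",
}


def significant_lines(source):
    """Return [(line_number, normalized_text)], skipping blanks and lone braces."""
    out = []
    for no, raw in enumerate(source.splitlines(), start=1):
        text = " ".join(raw.split())  # collapse whitespace so indentation differences do not matter
        if text and text not in ("{", "}", "};"):
            out.append((no, text))
    return out


def find_duplicates(files, min_lines=MIN_LINES):
    """files: {name: source}. Returns [(run_length, [(name, first_line, last_line), ...])]."""
    sig = {name: significant_lines(src) for name, src in files.items()}
    index = defaultdict(list)  # window hash -> [(file, index of first significant line)]
    for name, lines in sig.items():
        for i in range(len(lines) - min_lines + 1):
            window = "\n".join(t for _, t in lines[i:i + min_lines])
            index[hashlib.sha1(window.encode()).hexdigest()].append((name, i))
    results = []
    for locs in index.values():
        if len(locs) < 2:
            continue
        for a in range(len(locs)):
            for b in range(a + 1, len(locs)):
                (fa, ia), (fb, ib) = locs[a], locs[b]
                # A window whose predecessors also match is part of a run reported earlier.
                if ia > 0 and ib > 0 and sig[fa][ia - 1][1] == sig[fb][ib - 1][1]:
                    continue
                n = min_lines
                while (ia + n < len(sig[fa]) and ib + n < len(sig[fb])
                       and sig[fa][ia + n][1] == sig[fb][ib + n][1]):
                    n += 1  # extend the match as far as the lines keep agreeing
                results.append((n, [(fa, sig[fa][ia][0], sig[fa][ia + n - 1][0]),
                                    (fb, sig[fb][ib][0], sig[fb][ib + n - 1][0])]))
    return results


def report(results):
    """Format findings in the same shape as the tool output quoted on the slide."""
    lines = []
    for n, locs in sorted(results, reverse=True):
        lines.append(f"Found {n} duplicate lines in the following files:")
        for name, first, last in locs:
            lines.append(f"Between lines {first} and {last} in {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_duplicates(SAMPLE_FILES)))
```

Running it reports a 9-line duplicate between lines 3 and 13 of FormatA.java and lines 6 and 16 of FormatB.java. Real tools add identifier and literal normalization on top of this so that renamed copies are caught as well; the windowed hashing is what keeps the comparison linear in the size of the code base.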
28. SZ
Measure, measure, measure: Complexity
Source: SweetHome 3D, file OBJWriter.java
Best: less than 7 decision points per method (128 paths)
Mediocre: less than 10 (1024 paths)
This code: 36 decision points (68,719,476,736 paths)
public boolean equals(Object obj) {
  if (obj instanceof ComparableAppearance) {
    Appearance appearance2 = ((ComparableAppearance)obj).appearance;
    ……..
          if (!color1.equals(color2)) {
            return false;
          } else if (material1.getShininess() != material2.getShininess()) {
            return false;
          } else if (material1.getClass() != material2.getClass()) {
            return false;
          } else if (material1.getClass() == OBJMaterial.class) {
            OBJMaterial objMaterial1 = (OBJMaterial)material1;
            OBJMaterial objMaterial2 = (OBJMaterial)material2;
            if (objMaterial1.isOpticalDensitySet() ^ objMaterial2.isOpticalDensitySet()) {
              return false;
            } else if (objMaterial1.isOpticalDensitySet() && objMaterial2.isOpticalDensitySet()
                && objMaterial1.getOpticalDensity() != objMaterial2.getOpticalDensity()) {
              return false;
            } else if (objMaterial1.isIlluminationModelSet() ^ objMaterial2.isIlluminationModelSet()) {
              return false;
            } else if (objMaterial1.isIlluminationModelSet() && objMaterial2.isIlluminationModelSet()
                && objMaterial1.getIlluminationModel() != objMaterial2.getIlluminationModel()) {
              return false;
            } else if (objMaterial1.isSharpnessSet() ^ objMaterial2.isSharpnessSet()) {
              return false;
            } else if (objMaterial1.isSharpnessSet() && objMaterial2.isSharpnessSet()
                && objMaterial1.getSharpness() != objMaterial2.getSharpness()) {
              return false;
            }
          }
        }
      }
    }
  }
}
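The slide counts decision points by hand; a quality gate does it mechanically. The following added example (not from the slides or from SweetHome 3D) implements that count for Python functions with the standard library's ast module, applies the slide's thresholds (fewer than 7 best, fewer than 10 mediocre) and reports the 2^points path estimate the slide uses. The sample source is a constructed Python counterpart of the Java equals() method above, so the same style of chained comparisons can be measured.

```python
import ast

# Constructed sample: a Python version of the chained-comparison equals() on the slide.
# Hypothetical code, not the SweetHome 3D source.
SAMPLE_SOURCE = '''
def materials_equal(m1, m2):
    if m1.color != m2.color:
        return False
    elif m1.shininess != m2.shininess:
        return False
    elif type(m1) != type(m2):
        return False
    elif m1.has_optical_density ^ m2.has_optical_density:
        return False
    elif (m1.has_optical_density and m2.has_optical_density
          and m1.optical_density != m2.optical_density):
        return False
    elif m1.has_sharpness ^ m2.has_sharpness:
        return False
    elif (m1.has_sharpness and m2.has_sharpness
          and m1.sharpness != m2.sharpness):
        return False
    return True

def clamp_or_zero(x):
    return x if x > 0 else 0
'''


def decision_points(func):
    """Count branch points inside one function node (nested defs are included)."""
    n = 0
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler)):
            n += 1                      # if/elif, loops, ternaries and except clauses
        elif isinstance(node, ast.BoolOp):
            n += len(node.values) - 1   # every extra and/or operand is a short-circuit branch
        elif isinstance(node, ast.comprehension):
            n += 1 + len(node.ifs)      # the comprehension loop plus each filter clause
    return n


def rate(points):
    """Thresholds taken from the slide: <7 best, <10 mediocre, otherwise too complex."""
    if points < 7:
        return "best"
    if points < 10:
        return "mediocre"
    return "too complex"


def analyse(source):
    """Return {function name: (decision points, 2**points path estimate, rating)}."""
    result = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            d = decision_points(node)
            result[node.name] = (d, 2 ** d, rate(d))
    return result


if __name__ == "__main__":
    for name, (d, paths, verdict) in analyse(SAMPLE_SOURCE).items():
        print(f"{name}: {d} decision points ({paths:,} paths) - {verdict}")
```

For the sample, materials_equal scores 11 decision points (seven if/elif branches plus four extra and-operands), which the slide's scale rates as too complex, while clamp_or_zero scores 1. The same ast walk is what tools such as PMD and Sonar do for Java; wiring it into the daily build from Step 2 turns the threshold into a gate rather than a slide.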
29. SZ
Other important aspects
• Missing exception handling
• TODO comments
• Long ‘do-it-all’ files
• Memory actions and leaks
• Safe use of user strings
• Complex queries
• Code copyrighted by others
• Queries as strings
• URL manipulation
• Input validation
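Three items in this list (safe use of user strings, queries as strings, input validation) are the ones an assessor checks first, because they are the direct cause of injection findings. The added example below (not code from the slides) shows, with an in-memory SQLite table constructed for the purpose, what a query built by string concatenation does with an ordinary name containing a quote, the parameterized form a reviewer wants to see instead, and a simple allowlist validation in front of it. The table, names and the NAME_RE pattern are assumptions for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])
    return conn


def lookup_email_concat(conn, name):
    """Query as a string: the user's text becomes part of the SQL grammar.

    This is the pattern an assessor flags. A quote in the input changes the
    statement, so a legitimate name like O'Brien already breaks it, and the same
    mechanism is what crafted input exploits.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_param(conn, name):
    """Parameterized query: the driver passes name as data, never as SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def string_query_fails(conn, name):
    """True if the string-built query cannot even be parsed for this input."""
    try:
        lookup_email_concat(conn, name)
        return False
    except sqlite3.Error:
        return True


# Assumed allowlist for this example: a letter followed by up to 63 name characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9'_-]{0,63}$")


def validate_name(name):
    """Reject anything outside the allowlist before it reaches any query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name rejected by allowlist")
    return name


if __name__ == "__main__":
    db = make_db()
    print("parameterized:", lookup_email_param(db, validate_name("O'Brien")))
    print("string-built query fails on O'Brien:", string_query_fails(db, "O'Brien"))
```

Validation and parameterization are complementary: the allowlist limits what reaches the application at all, while the parameter binding guarantees that whatever does reach the query is treated as a value. Reviewing for the concatenated form is a grep-level check that fits the "measure daily" step above.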