Last week, CAST, a global leader in software analytics, invited more than 100 IT professionals to participate in a software risk and analytics roundtable in New York, NY. The daylong exchange included CIOs, industry analysts, systems integrators and IT advisory firms. As an outcome of this gathering, CAST published an IT Trends 2016 Report. The following post attempts to capture some of the exchange between participants and key takeaways.
Executive Visibility – Topping the list of IT Trends 2016 is helping CIOs take advantage of Big Data for themselves, while cutting through the clutter. Accelerating the time from data to decision requires analytics that highlight areas of risk and opportunity in support of business decisions, not technical ones. Proactive, predictive insight arms CIOs with the ability to ask the right questions, to challenge the status quo and surface technical risks that jeopardize revenue, reputation or brand. Real-time solutions that improve the signal-to-noise ratio top the CIO’s wish list for 2016.
Risk detection is about identifying any threat that can negatively and severely impact the behavior of applications in operations, as well as the application maintenance and development activity. Then, risk assessment is about conveying the result of the detection through easy-to-grasp pieces of information. Part of this activity is about highlighting what it is you’re seeing while summarizing a plethora of information. But as soon as we utter the word “summarizing,” we risk losing some important context.
Application split impact as a strength in risk assessment
An application can be considered as a whole in its purpose of servicing one area of the business, yet it is composed of multiple technical and functional parts. In other words, an application is not about one single feature.
The ability to split an application into its main features, or groups of features or functional domains, is critical to map the occurrences of risky situations. Indeed, considering that every single piece of code or software construct is equivalent with regards to the risk an application incurs is valuable for objective comparison. Yet it misses the point that they serve different features and that these features are not equal, would they fail in operations. For instance:
The very location where the violations occur is key as it might be in a piece of code or in a construct that is supporting a non-critical feature that does not handle any sensitive data. Or, on the contrary, is supporting a mission-critical feature that does handle sensitive data with a customer-facing front-end over the Internet.
Likewise, a piece of code or software construct that is involved in many such critical features creates a much higher risk even though it is still occurring in one location.
Taking the context into account will help provide a better assessment than a purely objective one.
The same issue holds true when dealing with application upgrades as well. I faced a situation where the team in charge of evolving the application would complain about the huge difficulties to perform their task, saying it was, “terrible to maintain.” Paradoxically, the compliance ratio with applicable coding and architectural practices were pretty good. Issues related to less than one tenth of a percent of the code. The real issue is that the few occurrences of non-compliance were located in the very part of the application they had to evolve regularly in response to business requirements. It all made sense once they knew that this small fraction of the code was the one that mattered.
As it is critical to know the kind of application we are dealing with to adapt the risk assessment accordingly, this mapping ability will provide context to the findings; it will — or should I say must — change the resulting risk level assessment.
A walk through
Let’s look at the following situation of four applications composed of 10 components each:
The color is designed to provide you with a risk assessment of each component of these applications, with green being the right place to be and red being the wrong one. Would you say the risk level is the same in these four cases?
Then, let us look at another situation:
And now this one:
They all look different and I assume you would like to be responsible for the application showing in the first row, and dread the responsibility for the application in the third row.
All of them are based on the same number of defects (10 percent)
Sample #1 uses a linear scale from green to red to show defect percent from 0 to 100
Sample #2 uses a linear scale from green to red to show defect percent from 0 to 50, then a red plateau when more than 50 percent of defects
Sample #3 uses a linear scale from green to red to show defect percent from 0 to 50, then a red plateau when more than 50 percent of defects with 3 modules that are more critical than the others
The economy, the complexity and pace of business, and an ongoing lack of resources have created a perfect storm for IT departments worldwide. As wave after wave of IT failures litter the press, there’s no question that the storm is here. In its wake, businesses are faltering, careers are shattering, and stockholders are left wondering “How could this happen … again?”
The key to preventing your business and career from landing on the rocks is the aggressive identification and elimination of risk. This document provides some tactics designed to identify risks across vast application portfolios and eliminate risk within critical business systems.
Red sky at morning, sailor take warning
With years of experience in exposing risks in IT systems, CAST provides a suite of offerings that yield the insight necessary to identify what can lead to high-profile production failures and cyberattacks. We also provide the remediation plans to eliminate the root cause of these issues.
Rapid Portfolio Analysis (RPA) creates transparency into vast application portfolios to identify risk. RPA derives measurements such as production failure potential and software complexity and maintainability. It also profiles portfolios to highlight short-term and long-term risks in critical systems.
CAST’s Application Intelligence Platform (AIP) provides a robust DNA-level analysis of individual enterprise systems with specific guidance for eliminating business risk caused by structural and technical quality issues. It does this either on applications you know are in trouble, or by using the insight delivered by RPA to create a prioritized list of applications to unleash AIP.
Highlight Latent System Risks
Rapid Portfolio Analysis (RPA) creates technical and business risk profiles based on automated analysis and insight to support application portfolio analysis, portfolio rationalization, or technical assessments.
RPA analyzes source code against a set of engineering rules and principles to identify potential production defects, maintenance or modification issues, and excessive complexity. These are some issues that contribute to potential failures and real business risks. RPA rounds out this assessment by generating software maintenance estimates of applications, as well as estimates of the technical debt.
A Dive Deep in to Critical Systems
Using highly sophisticated code analyzers and more than 1,000 rules based on engineering principles, AIP dives deep into an application from the largest modules down to individual methods, classes, and components. AIP analyzes and semantically understands source code, scripting, and interface languages across all layers of an application.
The resulting analysis identifies quality lapses in an application’s source code, and provides precise guidance on how to fix the problems. Additionally, AIP validates architecture, ensures adherence to frameworks, and automates sizing such as function points. Doing so provides a robust view of the systems size, complexity, and quality.
Measure the Business Impact of Quality
Through extensive research and industrial experience, CAST has identified five areas of structural software quality that most impact business risks and outcomes. Each of these five areas can be assessed by measuring numerous attributes of the software that can summarize structural software quality at a level that can be related to business value.
Navigate Risk with Actionable Insight
Identifying the root cause of system risk is only the first step. CAST assessment with AIP not only identifies these issues, it provides rationale as to which violations have been recorded and which are most critical. IT also creates action plans that lead technical teams in the remediation effort.
You Can’t Stay in the Harbor to Wait Out the Storm
As a leader, you need to ensure your team has the time and resources needed to root out and eliminate risks that can potentially damage the business. The key to effectively managing risks in an application portfolio is early detection of issues and the ability to quickly mitigate them.
With the detailed information provided by AIP in hand, application development executives and business leaders can map out and monitor aggressive remediation efforts that drive out system-level risk, resulting in more resilient and reliable applications.
Whether you need a macro-view of your portfolio risks or a micro-view of a specific application, CAST’s suite of assessment solutions can help. Contact your CAST representative now to learn how we can create the visibility needed to navigate through these troubled waters.