Study finds software 'termites' -- the hidden costs of careless coding
Business and governmental organizations are not budgeting for costs to fix hidden problems that remain in applications after they are operational, according to a report on software quality released by CAST, a company specializing in software analysis and measurement.
The CAST Report on Application Software Health highlights trends in five system quality characteristics — security, performance, robustness, transferability and changeability — across technologies and industry segments. Structural quality refers to the engineering soundness of the architecture and coding of an application rather than how well it meets a customer’s requirements.
These characteristics are critical because they are difficult to detect through standard testing, yet they are the defects most likely to cause operational problems such as outages, performance degradation, breaches by unauthorized users or data corruption, said Bill Curtis, chief scientist and senior vice president of the CAST Research Labs and director of the Consortium for IT Software Quality.
Government applications tend to score lower in the areas of transferability and changeability because their internal logic tends to be more complex with more components linked to parts of other applications, Curtis said. As a result, “there are much higher maintenance expenses [for applications] within government,” he added.
Transferability refers to the ease with which a new team can understand the application and quickly become productive working on it. Changeability refers to an application’s ability to be easily and quickly modified.
“The purpose of the 2011 Worldwide Applications Software Quality Study is to provide an objective, empirical foundation for discussing the structural quality of IT applications and the extent to which they suffer from structural flaws,” Curtis said.
“What we found were numerous problems that should have been addressed prior to deployment,” he said. “It’s little different from ignoring termites that are destroying the structure of your home.”
The study is the largest ever conducted and used automated analysis to measure the structural quality of 365 million lines of code within 745 IT applications used by 160 companies throughout 10 industries, Curtis said.
Big technical debts
Using data drawn from the automated structural analysis, CAST made a conservative estimate of what should be fixed, focusing only on those issues critical to business cost and risk.
“Our findings, although conservative, revealed an average technical debt of $3.61 per line of code,” Curtis said. “A significant number of applications examined in the study — nearly 15 percent — had over a million lines of code, which means even the smallest of those contains over $3.6 million in technical debt.”
Technical debt represents the effort required to fix violations of good architectural and coding practices that remain in the code when an application is released. Technical debt is calculated only on violations that the organization intends to remediate.
Curtis said that more than one-third (35 percent) of the violations discovered in the study result in damage to business by adversely affecting the security, performance and up-time of application software.
Winners and losers
Other notable findings from the study included:
- Despite assumptions to the contrary, outsourced and in-house developed applications didn’t show any difference in structural quality. The same was true for onshore and offshore applications.
- Java Enterprise Edition applications received significantly lower performance scores in addition to carrying greater technical debt than other languages.
- Established development methods such as agile and waterfall scored significantly better in structural quality than custom methods, while waterfall scored the highest in transferability and changeability.
- COBOL applications scored the highest in security, while .NET applications received the lowest security scores.
The executive summary of the 2011 CRASH Study is available online here.