Study finds software 'termites' -- the hidden costs of careless coding

Business and governmental organizations are not budgeting for costs to fix hidden problems that remain in applications after they are operational, according to a report on software quality released by CAST, a company specializing in software analysis and measurement.

The CAST Report on Application Software Health highlights trends in five system quality characteristics — security, performance, robustness, transferability and changeability — across technologies and industry segments. Structural quality refers to the engineering soundness of the architecture and coding of an application rather than how well it meets a customer’s requirements.

These characteristics are critical because they are difficult to detect through standard testing, yet they are the defects most likely to cause operational problems such as outages, performance degradation, breaches by unauthorized users or data corruption, said Bill Curtis, chief scientist and senior vice president of the CAST Research Labs and director of the Consortium for IT Software Quality.

Related coverage:

Modernize, leapfrog or stay the course

Enterprise architects must prove their worth

Government applications tend to score lower in the areas of transferability and changeability because their internal logic tends to be more complex with more components linked to parts of other applications, Curtis said. As a result, “there are much higher maintenance expenses [for applications] within government,” he added.

Transferability refers to the ease with which a new team can understand the application and quickly become productive working on it. Changeability refers to an application’s ability to be easily and quickly modified.

“The purpose of the 2011 Worldwide Applications Software Quality Study is to provide an objective, empirical foundation for discussing the structural quality of IT applications and the extent to which they suffer from structural flaws,” Curtis said.

“What we found were numerous problems that should have been addressed prior to deployment," he said. "It’s little different from ignoring termites that are destroying the structure of your home."

The study is the largest ever conducted and used automated analysis to measure the structural quality of 365 million lines of code within 745 IT applications used by 160 companies throughout 10 industries, Curtis said. 

Big technical debts

Using data drawn from the automated structural analysis, CAST made a conservative estimate of what should be fixed, focusing only on those issues critical to business cost and risk.

“Our findings, although conservative, revealed an average technical debt of $3.61 per line of code,” Curtis said. “A significant number of applications examined in the study — nearly 15 percent — had over a million lines of code, which means even the smallest of those contains over $3.6 million in technical debt.”

Technical debt represents the effort required to fix violations of good architectural and coding practices that remain in the code when an application is released. Technical debt is calculated only on violations that the organization intends to remediate.

Curtis said that more than one-third (35 percent) of the violations discovered in the study result in damage to business by adversely affecting the security, performance and up-time of application software.

Winners and losers

Other notable findings from the study included:

  • Despite assumptions to the contrary, outsourced and in-house developed applications didn’t show any difference in structure quality. The same was true for onshore and offshore applications.
  • Java Enterprise Edition applications received significantly lower performance scores in addition to carrying greater technical debt than other languages.
  • Established development methods such as agile and waterfall scored significantly better in structural quality than custom methods, while waterfall scored the highest in transferability and changeability.
  • COBOL applications scored the highest in security, while .NET applications received the lowest security scores.

The executive summary of the 2011 CRASH Study is available online here.

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Fri, Dec 9, 2011

The irony is overwhelming. Several years ago i heard the saying - "If carpenters built houses the way software people wrote software, thew first woodpecker to show up would have destroyed civilization". and now the software has 'termites'. It shows that most software 'engineering' is nothing like engineering. It's back yard mechanics pretending to be engineers.

Thu, Dec 8, 2011 Walter Washington

This is not news. The Government has a bad habit of developing proprietary, custome built applications when an off the shelf item will work as well, or many times even better. They have rigid and overly complicated structures. If they do any further work on the software after it is deployed, it is usually to add some features that Management has decided they want, and very seldom are there any bug fixes involved. At least within the Navy, they also have DOS and Cobol based applications they want new systems to interact with. They rarely phase out dated applications, but instead add new ones and try to make them work together. They have at least 4 different financial systems that I am aware of, some of which don't communicate with each other, requiring the same data to be manually input multiple times.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group