Turning software risk measurement into business value
June 2013
Konstantin Berger – Regional Sales Consultant
Standardized Risk Measurement for IT Executives 101
CAST Confidential
Agenda
1. Who We Are
2. What We Do
3. Why We Do This
Who We Are: Driving software measurement in the industry
Key Influencers Recognize CAST
250 Global Leaders Rely on CAST
Institutions Engage CAST, SIs Resell CAST, SIs Use/Resell CAST
• 20+ years in SAM industry
• $100M+ of R&D investment
• Largest Benchmarking DB
Who We Are: How Customers Use Us
“We measure software quality at a structural level, in addition
to the functional level through testing, to make the right tradeoffs
between delivery speed, business risk, and technical debt.”
Thaddeus Arroyo
CIO, AT&T
“Now we can show our business constituents the ROI from quality
improvement.”
Peter de Boel
Head of Global Shipping IT, FedEx
“We got feedback from our clients noticing that our quality has gone up.”
Gene Baker
Director of Application Development, Wells Fargo
“CAST makes the relationship with the suppliers very transparent.”
Lester Thomas
Head of Architecture, Vodafone
“I have to continue to deliver the same level of functionality and innovation,
at the same quality, but with a significantly lower budget. That’s where CAST
helps us.”
Gil Hoffman
CIO, Maritz
“The architectural assessment of design consequences (on software
performance, stability, adaptability, maintainability, and security
vulnerabilities) is an area in which CAST excels and successfully
differentiates from static analyzers.”
Melinda Ballou
ALM Research Director, IDC
What We Do: Structural Quality vs. Functional Quality
Functional Quality (not us)
• That which we can see
• 10 to 20% of app dev cost
Structural Quality (what we do)
• Architecture Analysis
• Standardized SW Characteristics
• App Reliability
• App Performance Efficiency
• App Security
• App Changeability
• App Size (Function Points)
What We Do: A natural complement to testing
Lifecycle diagram: Design, Develop, QA, Deploy, Maintain. Shown alongside the lifecycle: Functional Testing, Performance Testing, and (NEW) CAST: Structural Testing.
What We Do: Standardized Risk Management for Execs

CAST Quality Score Scale (benchmark scale from Low Risk to High Risk)
  Description      Grade
  Low Risk         4
  Moderate Risk    3-4
  High Risk        2-3
  Very High Risk   1-2

  Health Factors    Current Grade   Last Delivery   Since Baseline
  Performance       2.38            0.5%            0.7%
  Robustness        2.72            0.2%            0.4%
  Security          3.14            0.1%            0.2%
  Changeability     3.04            0.2%            0.3%
  Transferability   2.77            0.2%            0.3%

Consortium for IT Software Quality (CISQ)
Ongoing Risk Monitoring (chart: grade trend over releases r1 to r6 for series S, R, P)
Why We Do This: Not just quality for quality’s sake

Chart: unit-level flaws vs. system-level flaws, compared by share of all code defects, share of total repair effort, and downtime caused by system-level flaws (chart values as extracted: 92%, 8%, 52%, 48%, 90%, 10%).

Software Risk Prevention:
• Focus on critical violations that matter
• Focus resources on areas of highest impact rather than pursuing hygiene

“Tracking programming practices at the Unit Level alone may not translate into the anticipated business impact, […] most devastating defects can only be detected at the System Level.”
- OMG
Why We Do This: Better Communication with Business

(Diagram: Application, Data Storage.)

Business Questions
• Why does it always take so long to make small improvements?
• Why does every new release take weeks to stabilize no matter how much it was tested? Why can’t it just work?
• Why do we have to scrap timelines to fix critical defects every time we get close to project completion?
• Why are we late again?

IT’s Struggle to Answer
Because the environment is so complex, IT does not have answers that business can easily understand. This causes frustration and trust issues.
Why We Do This: Structural risk requires a 3-tier approach

Program Level
• Code style & layout
• Expression complexity
• Code documentation
• Class or program design
• Basic coding standards

Module Level
• Intra-technology architecture
• Intra-layer dependencies
• Module complexity & cohesion
• Design & structure
• Inter-program invocation
• Security Vulnerabilities

System Level
• Integration quality
• Architectural compliance
• Risk propagation simulation
• Application security
• Resiliency checks
• Transaction integrity
• Function point & EFP measurement
• Effort estimation
• Data access control
• SDK versioning
• Calibration across technologies

Diagram labels: Architecture Compliance, Data Flow, Transaction Risk, Propagation Risk.
Technologies shown in the diagram: Java, JSP, EJB, PL/SQL, ASP.NET, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, Messaging, Web Services, APIs.
Why We Do This: Quality impact at a major services brand
Measured impact in a complex enhancement-heavy environment
Chart 1: new critical violations per release (R1 through R14E) for Order Management, Inventory Management, Billing and Customer Service, with the CAST Analysis starting point marked on the release axis.
Chart 2: system test defects per release (R1 through R14E), series Code, No RC, Non Code and Projected Count, with a trend line and the period before CAST implementation marked.
CLIENT STUDY OVER 24 MONTHS
$2.7 million payback after 12 months
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 

Standardized Risk Measurement for IT Executives 101

  • 1. Turning software risk measurement into business value
       June 2013
       Konstantin Berger – Regional Sales Consultant
       Standardized Risk Measurement for IT Executives 101
  • 2. CAST Confidential
       Agenda
       1. Who We Are
       2. What We Do
       3. Why We Do This
  • 3. Who We Are: Driving software measurement in the industry
       Key Influencers Recognize CAST
       250 Global Leaders Rely on CAST
       Institutions Engage CAST
       SIs Resell CAST
       SIs Use/Resell CAST
       • 20+ years in SAM industry
       • $100M+ of R&D investment
       • Largest Benchmarking DB
  • 4. Who We Are: How Customers Use Us
       “We measure software quality at a structural level, in addition to the functional level through testing, to make the right tradeoffs between delivery speed, business risk, and technical debt.”
       Thaddeus Arroyo, CIO, AT&T
       “Now we can show our business constituents the ROI from quality improvement.”
       Peter de Boel, Head of Global Shipping IT, FedEx
       “We got feedback from our clients noticing that our quality has gone up.”
       Gene Baker, Director of Application Development, Wells Fargo
       “CAST makes the relationship with the suppliers very transparent.”
       Lester Thomas, Head of Architecture, Vodafone
       “I have to continue to deliver the same level of functionality and innovation, at the same quality, but with a significantly lower budget. That’s where CAST helps us.”
       Gil Hoffman, CIO, Maritz
       “The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers.”
       Melinda Ballou, ALM Research Director, IDC
  • 5. What We Do: Structural Quality vs. Functional Quality
       Functional Quality (not us)
        That which we can see
        10 to 20% of app dev cost
       Structural Quality (what we do)
        Architecture Analysis
        Standardized SW Characteristics
         App Reliability
         App Performance Efficiency
         App Security
         App Changeability
         App Size (Function Points)
  • 6. What We Do: A natural complement to testing
       Lifecycle stages: Design, Develop, QA, Deploy, Maintain
       Functional Testing, Performance Testing
       NEW: CAST Structural Testing
  • 7. What We Do: Standardized Risk Management for Execs
       CAST Quality Score Scale
       Description        Grade
       Low Risk           4
       Moderate Risk      3-4
       High Risk          2-3
       Very High Risk     1-2
       Benchmark gauge: Low Risk to High Risk
       Health Factors     Current Grade   Last Delivery   Since Baseline
       Performance        2.38            0.5%            0.7%
       Robustness         2.72            0.2%            0.4%
       Security           3.14            0.1%            0.2%
       Changeability      3.04            0.2%            0.3%
       Transferability    2.77            0.2%            0.3%
       Consortium for IT Software Quality
       Ongoing Risk Monitoring (chart across releases r1 to r6)
  • 8. Why We Do This: Not just quality for quality’s sake
       Chart: unit-level flaws vs. system-level flaws, compared as share of all code defects and share of total repair effort (figures shown: 92% / 8%, 52% / 48%, 90% / 10%). Callout: Downtime caused by system-level flaws!
       Software Risk Prevention:
        Focus on critical violations that matter
        Focus resources on areas of highest impact rather than pursuing hygiene
       “Tracking programming practices at the Unit Level alone may not translate into the anticipated business impact, […] most devastating defects can only be detected at the System Level.” - OMG
  • 9. Why We Do This: Better Communication with Business
       Diagram: Data, Storage, Application
       Business Questions
       • Why does it always take so long to make small improvements?
       • Why does every new release take weeks to stabilize no matter how much it was tested? Why can’t it just work?
       • Why do we have to scrap timelines to fix critical defects every time we get close to project completion?
       • Why are we late again?
       IT’s Struggle to Answer
       Because the environment is so complex, IT does not have answers that business can easily understand. This causes frustration and trust issues.
  • 10. Why We Do This: Structural risk requires a 3-tier approach
       1. Program Level
        Code style & layout
        Expression complexity
        Code documentation
        Class or program design
        Basic coding standards
       2. Module Level
        Intra-technology architecture
        Intra-layer dependencies
        Module complexity & cohesion
        Design & structure
        Inter-program invocation
        Security Vulnerabilities
       3. System Level
        Integration quality
        Architectural compliance
        Risk propagation simulation
        Application security
        Resiliency checks
        Transaction integrity
        Function point & EFP measurement
        Effort estimation
        Data access control
        SDK versioning
        Calibration across technologies
       Diagram labels: Architecture Compliance, Data Flow, Transaction Risk, Propagation Risk
       Technologies shown: Java, JSP, EJB, PL/SQL, ASP.NET, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, Messaging, Java Web Services, APIs
  • 11. Why We Do This: Quality impact at a major services brand
       Measured impact in a complex enhancement-heavy environment
       Chart 1: System test defects per release (R1 through R14E); series: Code, No RC, Non Code, Projected Count; trend line; marker "Before CAST implementation"
       Chart 2: Structural quality, new critical violations per release (R1 through R14E) for Order Management, Inventory Management, Billing, Customer Service; marker "CAST Analysis starting point"
       CLIENT STUDY OVER 24 MONTHS
       $2.7 million payback after 12 months