UK lags US, India, France and Italy in measuring code security and quality: major research findings. But what are the mistakes being made?
Dr. Bill Curtis, Cast Software’s SVP & chief scientist, director of the Consortium for IT Software Quality and co-author of the Capability Maturity Model (CMM).
The UK has a worryingly lax approach to measuring the security, performance and efficiency of its enterprise application code. That’s according to a new study, the ‘2011 Appmarq Benchmark of IT Application Structural Quality and Technical Debt’.
The study, conducted by software analysis firm Cast Software, is yet to be published in full but CBR was given a sneak preview, mostly of the UK and European findings.
The study analysed 686 applications (406 in the EU, 12 in the UK) at 145 companies (93 in the EU) across 14 countries (6 in the EU), covering a total of 321 million lines of code that is already in production use underpinning businesses around the world.
The study found a total of 60 million violations of good architectural and coding practice, Cast Software said.
The study looked for structural quality health factors such as robustness (availability, avoidance of outages), performance efficiency (speed of response, especially under increasing load) and security. It also looked at transferability – the speed with which a new team can understand the application – and changeability, the ease with which the application can be modified.
Dr. Bill Curtis, co-author of the report and Cast Software’s SVP & chief scientist, told us that the UK is "on the rim of a technical cliff" because it is, for the most part, failing to measure, let alone address, code quality problems.
The research found that the UK lags France, the US, India and Italy in measuring structural quality. It found that changeability is lowest in the public sector, and that public sector applications also tend to be the hardest to maintain or enhance. Applications in energy, finance and retail tend to score highest on changeability.
Curtis, who is also director of the Consortium for IT Software Quality and co-author of the Capability Maturity Model (CMM), told us that it is actually COBOL code that scored highest on security measures in the study. However, it is not all good news for the ageing language, as COBOL modules tended to be far more complex, with more convoluted logic.
Older languages, such as COBOL, were also found to carry more ‘technical debt’, a term now used to describe the accumulated consequences of careless software architecture. While COBOL applications have been tuned for transaction performance over many years, they also tend to score badly on transferability and changeability.
Curtis said that although Cast’s software finds problems in static code rather than in running applications, "a static problem will be a dynamic problem five years from now", because structural weaknesses in code usually come to light as a performance or security problem once the application is placed under higher load. However, he agreed that companies should also use other application performance management technologies that look for faults at run-time: "You do need both," he said.
Compared with other static code analysis tools, Curtis argued that Cast’s differentiator is its ability to analyse an application from the user interface right down to the database layer, regardless of the languages it is written in.
Now have your say: do you agree with the findings? Is code quality a problem? Which languages give you the most headaches? Add your comments below.