The Software Intelligence Blog

Lev Lesokhin - EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.
  • The Forrester Wave™: Static Application Security Testing, Q4 2017 - Forrester Names CAST Among the 10 Top For SAST

    CAST is proud to announce that we have been included among the 10 most significant SAST vendors and named a “Strong Performer” in “The Forrester Wave™: Static Application Security Testing, Q4 2017”.
  • QA Financial Forum Reviews the Impact of New Regulations on Software Risk Management

    As banks, financial services and insurance organizations increase their reliance on software-based digital capabilities, they have big decisions to make on how they will protect business operations with effective software risk management.
  • Lessons from Equifax: Get a Software Risk Scorecard

    The biggest lesson learned from the Equifax breach is that executives and application owners need a software risk scorecard that clearly outlines KPIs around software structural quality and security.
  • A Good Look at Open Source Frameworks: Avoiding Another Equifax

    Open source is the lifeblood of modern software development, but it's not without risks, especially when it comes to application security.
  • Netflix Envy

    Everyone wants to do DevOps like Netflix, but is it really right for your organization?
  • Recap: Software Risk & Innovation Summit 2017

    Harvard Business Review has reported that digital leaders succeed in large part due to their ability to recognize and scale innovation across their business – seeing beyond transformation hurdles and IT complexity. They never lose sight of the end goal.
  • CISQ Is Helping CIOs Master Digital Transformation

    At the upcoming Software Risk and Innovation Summit, CIOs address challenges around DevOps and the next big tech innovation trends.
  • Following Best Practices to Achieve Application Security & Reduce Risk

    The key to security is to ensure that your most sensitive data is handled with proper controls in place. This should include working with your architects to explore the architecture of applications that handle the most critical data, starting from the data elements themselves and fanning out via impact diagrams (for example, CAST does this with the Application Intelligence Platform). Over time, your team will be able to establish secure architecture components that should handle all sensitive data.
  • The Insurance Industry Challenge: Improve Software Risk Management

    Insurance organizations have reached a tipping point. Historic institutions, with in some cases hundreds of years of service, they are being forced to transform due to changing consumer demands and nimble, technology-centric startups bringing innovative products to market. No stranger to regulatory and privacy concerns, Insurance carriers have overcome many roadblocks throughout their lifetime of doing business. Now they must tackle their legacy IT systems and improve software risk management to deliver the value today’s market is after.

  • CAST’s NYC User Group – Driving Quality and Speed at Scale

    At CAST user group meetings, which we conduct annually in key regions, I’m always amazed by what our customers are doing with software analytics. Something so foundational – the measurement of software performance – yields such powerful results for Fortune 200 companies that are on a constant hunt to meet business demands and beat out the competition. This year’s user groups are special, because CAST is celebrating our 25th anniversary. That’s how long we’ve been helping make software a little less invisible to developers, architects and business executives whose livelihood depends on software quality.

  • Fintech Wakes Up From Thirty Year Slumber

    Fintech is the hot new thing. It’s the industry that will carry the UK through Brexit. It’s the latest wave of startup mania in NYC. It’s becoming the darling of Silicon Valley. Chinese tech investors are all over it. It’s fresh. It’s sexy. But, wait a minute. What is Fintech?

    Recently I attended MIT’s Fintech conference (#MITFinTech). We heard Brad Peterson, CIO of NASDAQ, talk about his firm as the original Fintech founded 45 years ago. Brad told us that NASDAQ no longer thinks of itself as an exchange, but as a Fintech company. A couple MIT professors told us there are 1800 Fintech companies out there today, and that number is quickly growing. There are some that promote robo-advisors as autonomous correctors for investor freak-out during volatile markets, and others that collect live market data from the web in order to predict real economic indicators, as opposed to statistics collected by government technocrats. Blockchain, we were told, is like the Internet was back in 1993.

  • Recap: Software Risk Summit 2016

    Software risk has historically been overlooked as a security concern by business leaders, and companies have paid a high price as a result. Remember the JPMorgan hack of 2014? That cost the bank more than $6 billion. RBS has paid £231 million for their IT failures as of two years ago. The Target breach? The retailer posted a write down of $152 million. Or, more recently, Jeep controls being taken over by hackers, and a similar incident with Toyota-Lexus having to fix a software bug that disabled cars’ GPS and climate control systems? That costs the manufacturers valuable consumer confidence points and can seriously damage sales.

  • Application Security in the Internet of Things

    High-capacity network bandwidth has become more widely available, and we have quickly tapped into every last inch of its capacity. More devices are built with wi-fi capabilities, the costs of mobile devices are going down and smartphones are in the hands of more people than ever before. In fact, Apple might have already exhausted the market and is seeing drastically lower sales forecasts for the iPhone.

    We are moving into an era in which virtually any device will connect to the Internet. Phones, fitness trackers, dishwashers, televisions, espresso machines, home security systems, cars. The list goes on. Analyst firm Gartner estimates that over 20 billion connectable devices will exist worldwide by 2020. Welcome to IoT—the Internet of Things. A giant network of connectable things.

  • What Went Wrong at Google - Software Robustness Remains a Struggle

    In April, Google experienced a fairly significant cloud outage, but it was hardly news at all. In fact, it was likely the most widespread outage to hit a major public cloud to-date. The lack of coverage is strange, considering the industry’s watchful eyes like Brian Krebs and others. The even more recent Salesforce service outage seems to have received more attention. But despite the fact that Google seems to have gotten away with a “pass” this time, the glitch brings renewed attention to the fact that tech players large and small are continuing to deal with software robustness issues.

  • 4 Keys to Successful Digital Transformation

    Recently, CAST co-authored a paper with The Boston Consulting Group titled, Will Your Software Help or Hinder Digital Transformation? Navigating the digital transformation journey is a challenge, often wrought with roadblocks and IT complexities related to technical debt, disparate application development techniques and more. So how can CIOs help their company achieve digitization goals?

  • CISQ & IT Risk Management: Minimizing Risk in Government IT Acquisition

    On March 15, CISQ hosted the Cyber Resilience Summit in Washington, D.C., bringing together nearly 200 IT innovators, standards experts, U.S. Federal Government leaders and attendees from private industry. The CISQ quality measures have been instrumental in guiding software development and IT organization leaders concerned with the overall security, IT risk management and performance of their technology. It was invigorating to be amongst like-minded professionals who see the value in standardizing performance measurement.

  • Supporting Our Global Community

    As we come together to help those affected by recent global tensions, we have made a charitable donation of $10,000 to Doctors Without Borders/Médecins Sans Frontières (MSF) on behalf of the CAST community. We believe that our citizenship transcends geography and political borders as we are united within one, universal community.

    CAST is proud to support an organization that values people and upholds their right to medical care regardless of gender, race, creed, religion or political affiliation. In over 60 countries around the world, MSF saves lives by providing medical aid where it is needed most — in armed conflicts, epidemics, natural disasters and other crises.

  • Predicting the Future of IT Risk Management with Melinda Ballou

    We currently live in a futuristic world that past generations could only dream of. News, weather, updates from friends all over the world come pouring into our computers and smart devices and we don’t even think twice about the IT risk. Whether we’re at home with family, socializing with friends, or even working, technology is constantly surrounding us in one way or another.

    Our reliance on technology is so heavy in fact, we often forget about the science behind it and how much goes into the IT risk management to support it. Beneath the surface of our most frequently used apps, social media accounts, games, and programs, highly complex software and code is constantly operating to maintain a satisfied user experience. Even non-tech businesses now realize they would not be able to function in today’s world without effective technological resources.

  • BCG Webinar Q&A Discussion

    We just finished up the 30-minute webinar where Andrew Agerbak, Associate Director from BCG, described some of the ways IT executives use software measurement in driving transformational programs. Andrew cited four case studies, where output metrics helped drive transformation, or at the very least measure its results. We had a number of questions come up in the webinar, so we couldn't get to them all, and not all of you could get to the Q&A session. We went 15 minutes over the 30 minute time slot for Q&A. The main point of this post is to document some of the more important questions and my summary of the answers provided by Andrew, especially for those of you who could not stay on past the half hour.

  • The Best Software Analysis and Measurement Engine Just Got Better

    In this era of big data, analytics has become an invaluable tool for IT organizations to succeed. Not only for ensuring a high quality product, but also keeping your customers safe from malicious hackers and application crashes. Despite the obvious need, some executives struggle with the business case for proper software analytics and opt for skunk-work metrics that are less accurate and more expensive.

  • CAST Research Links Consumer Data Breaches Directly To Poor Code Quality

    You’d think that after news of the Heartbleed bug broke, every IT organization worth their salt would have immediately moved to start monitoring their structural robustness and code quality to protect their sensitive consumer data. And while many did, two months after Heartbleed was announced, more than 300,000 servers were still vulnerable.

    Now, three months later, CAST Research Labs has found there is a direct link between the growing number of data breaches and security incidents, and poor code quality in consumer applications. The data reveals finance and retail industry applications are the most vulnerable to data breaches, with 70 percent of retail and 69 percent of financial services applications shown to have data input validation violations.

  • CAST Tries To Save the Planet with Green IT Index

    It’s simple physics: a piece of application code gets caught in a logic loop, the CPU heats up as the increased throughput tries to make sense of the commands, the computer reacts by pumping more power to the motherboard and cooling system to keep everything up and running, and your electricity bill goes up.

  • Webinar Q&A Follow Up: Quality and Velocity in Large IT Set-up

    Last Thursday we had a fascinating discussion with Suresh Bala, the head of Application Management at Wipro, Diego LoGiudice of Forrester, and Dr. Bill Curtis, the Director of the Consortium for IT Software Quality. Diego presented the latest trends in IT organizations in reference to splitting their activities and applications into systems of engagement and systems of record. This has been the Forrester view on IT, or what they call Business Technology (BT), for some time now. The systems of engagement being the fast-moving, often mobile-based, applications that are meant to disrupt competition and engage the customer in new ways. The systems of record being the traditional backbone IT systems that manage the core enterprise data and business processes.

  • Technical Debt Measurement Webinar: Reversal Strategy Q&A Follow Up

    Last Wednesday we had an excellent and very interactive webinar discussion with David Sisk and Scott Buchholz, Directors at Deloitte Consulting, LLC. David and Scott are experts regarding technical debt -- both at a technical hands-on level as well as the strategy and governance topics in IT. So, we talked about the symptoms and causes of technical debt in large IT environments, as well as the organization and processes that need to be put in place in order to reverse the normal trend of technical debt accrual.

    One of the topics that came up a lot is how to get the business onboard. Our guest presenters gave us some very interesting approaches to making the case, even when the immediate symptoms of the debt are not evident to business stakeholders. I think this discussion by itself is valuable to listen to.

    Another topic that came up a lot in the Q&A was different ways of asking how to set up a technical debt measurement program. As in our last webinar, we wound up going a couple minutes over our timeslot to address some of the questions, but we had to leave many unanswered due to time. The goal here is to try and answer some of those questions in our blog. If anyone wants to get into a more detailed discussion on any of these points, please contact us and we’ll be happy to talk to you. So, here goes:

  • CRASH Webinar: Code Quality Q & A Discussion

    We just finished up the 30-minute webinar where Dr. Bill Curtis, our Chief Scientist, described some of the findings that are about to be published by CAST Research Labs. The CRASH (CAST Research on Application Software Health) report for 2014 is chock full of new data on software risk, code quality and technical debt. We expect the initial CRASH report to be produced in the next month, and based on some of the inquiries we’ve received so far, we will probably see a number of smaller follow-up studies come out of the 2014 CRASH data.

    This year’s CRASH data that we saw Bill present is based on 1316 applications, comprising 706 million lines of code – a pretty large subset of the overall Appmarq repository. This means the average application in the sample was 536 KLOC. We’re talking big data for BIG apps here. This is by far the biggest repository of enterprise IT code quality and technical debt research data. Some of the findings presented included correlations between the health factors – we learned that Performance Efficiency is pretty uncorrelated to other health factors and that Security is highly correlated to software Robustness. We also saw how the health factor scores were distributed across the sample set and the differences in structural code quality by outsourcing, offshoring, Agile and CMMI level.

  • CISQ Aims to Bring Software Quality Sanity Back to Federal Outsourcing

    The current state of outsourced application development is a sorry state of affairs because of myriad software quality issues causing unprecedented glitches and crashes. It’s not that all outsourcers are making terrible software, rather, it’s that governments and organizations have no way of accurately measuring the performance, robustness, security, risk, and structural quality of the applications once they’ve been handed the keys.

  • Software Risk Infographic: The Biggest Software Disasters of 2013

    Reducing software risk is at the top of every CIO’s agenda this year -- just like it was last year, and the year before that. And like the old saying goes, “Those who cannot remember the past are condemned to repeat it.” If CIOs are trying to reduce their software risk the same way they did in 2013, they’re setting themselves up for another year of crashes, outages, and angry customers.

  • AIP 7.2 Gives CIOs Software Risk Assessment at a Glance

    For many CIOs, reporting on software risk is a complex problem. The reports are usually compiled once a quarter, and can take days if not weeks to complete. But worse than that, they often fail to deliver actionable insight to answer simple business questions. Which of my critical systems are most vulnerable? Are my IT vendors delivering as promised? How can we improve customer satisfaction? Are my development teams under-performing? How can we improve time-to-market for new projects?

  • A UK Regulator Confirms Software Risk Very Real In UK Financial Sector

    Pay attention US financial sector, because the UK is one step ahead of you … sort of. They’re at least willing to admit they have a problem with software risk and IT system resiliency, which is on the path to recovery.

  • Stating the Obvious: Big Software Projects Fail

    In the spirit of Yogi Berra, I’ve decided to list the obvious things that I know in life: water is wet, the sky is blue, and big software projects fail.

    I’m sure that you are aware of the very public failure of the centerpiece of Obamacare, Healthcare.gov, and by now have heard enough of the public interrogations of this project, the system, its agency, and policy.

    Rather than adding to that, I’d caution that instead of staring too long and too closely at this incident, we should allow it to serve as a simple reminder that there are more and bigger failures lurking.

  • Haste Makes Waste Again: Healthcare.gov Faces a Long and Expensive Recovery

    We’re less than a month into the launch of HealthCare.gov, and as each day passes we’re finding out about more glitches, shoddy code quality, a lack of end-to-end testing, and rushed changes made days before the healthcare exchange was to go live. All of which are symptomatic of a software project being rushed to completion to meet a deadline without considering the implications of a botched launch.

  • Software Risk Goes to Washington

    As technology increasingly becomes the backbone of business, it is also becoming the single most expensive asset within any organization—bringing the topic straight to the boardroom. What most of us may not appreciate is that the custom software being built for enterprises has surpassed a threshold of complexity that would allow for any one person to understand an entire mission-critical system. And, unlike any other part of our critical infrastructure, there is no single manager who is responsible and accountable for the integrity of a company’s software backbone.

  • TD Bank shows CIOs anything can happen during a system upgrade

    Ever wonder what reality looks like when your external IT systems crash? Well here you go. This might be of particular interest to CIOs and business stakeholders who push IT to meet unrealistic deadlines without managing their software risk.

    TD Bank's credit and debit card systems went offline for approximately 45 minutes yesterday as the result of a supposed system upgrade. Immediately, Twitter exploded with angry customers.

  • Maintaining software quality on the bleeding edge

    From IT’s perspective, the business is always asking for new applications -- apps to innovate, or simply make their jobs a little easier. The problem is, it always wants them done quickly and up and running perfectly at launch.

  • American Airlines computer glitch: The day AA customers stood still

    Here we go again. You probably have heard, since it’s been reported everywhere, that American Airlines was grounded Tuesday, leaving passengers stranded for several hours due to a “computer glitch” in the reservation system. Because of the glitch, gate agents were unable to print boarding passes; and some passengers described being stuck for long stretches on planes on the runway unable to take off or, having landed, initially unable to move to a gate.

  • When the software fails, first blame the hardware

    We’ve made it a point on our blog to highlight the fact that software glitches in important IT systems -- like NatWest and Google Drive -- can no longer be “the cost of doing business” in this day and age. Interestingly, we’re starting to see another concerning trend: more and more crashes blamed on faulty hardware or network problems, while the software itself is ignored. It’s funny that the difference in incidents can be more than 10 times between applications with similar functional characteristics. Is it possible that the robustness of the software inside the applications has something to do with apparent hardware failures? I think I see a frustrated data center operator reading this and nodding violently.

  • Introducing Security into Mainstream Development – Part 1

    We held a webcast last week with Mark Wireman of OpenSky, who is an expert in application security and has worked in this space for 15 years. We appreciate Mark taking the time to share his experience securing applications in the enterprise and responding to the onslaught of mobile-based entry points in the application development process.

  • C-suite: It’s time to get techy

    If you’re snickering at the idea of your CIO talking Java (or any programming language for that matter), trust us, you’re not alone. However, CIOs can no longer afford to be in the dark about their IT team’s choice of programming language and tools.

  • Lev Sits Down with ComputerWeekly to Discuss the Outsourcing of Software Testing

    Did the press club have a meeting? Because this is the second time in two weeks that we’ve been in the press.

  • Business Insider Features CAST Software on the SEC’s Kill Switch Proposal

    If you were to stand outside of our building right as The Wall Street Journal dropped a story about kill switches, you’d hear our teeth gnashing. As anyone in our business knows, the kind of work that we do for our customers is not exactly front page news. (But it should be!)

  • Why Performance Engineering Isn't Enough

    I’ve been asked time and again how CAST is different from performance engineering. And here’s my answer: The CAST discipline of software analysis and measurement versus performance engineering couldn’t be more different. And I’ll explain why and how in a moment. But along with that, it should be noted that they also are like peanut butter and chocolate -- they can go very well together.

  • The Gold Medal for Last Place

    Who hasn’t been waking up early and staying up late to catch every second of action at the 2012 Summer Olympics in London?

  • The Federal Government’s Dark Cloud

    I wrote before about the time bombs that exist in the government’s cloud migration strategy. And while I was reading an article on Wired Cloudline about this very issue, those same points were running through my head.

  • Let The Games Begin!

    The Olympics are all about winning teams -- which country is first, and which country is best. Well, we thought we’d like to take some of the spotlight off the winners (just for a second) and focus a little on the guys and gals who come in last.

    Nobody remembers the last place athletic team, but everyone remembers when a software team’s project or app fails spectacularly, sometimes even making headlines around the world. Despite such different outcomes, it turns out there is a huge likeness between the losing athletic team and the losing development team. To illustrate our point, we developed this infotoon below to show some of the similarities.

  • Some advice for the Fourth of July

    Here’s a poster for you to celebrate the Fourth of July in the way only a mature development team can appreciate.

  • Software Glitch Symptomatic of Consumer Banking Industry

    When some poorly written code takes down your Twitter stream, that’s one thing. It’s something else entirely when a software bug prevents you from accessing the money you have in the bank.

  • For Whom the Bell Curve Tolls

    As an IT executive, how do you make sure you consistently deliver good results and help the business innovate? How do you do it when you are relying on your vendors to get 80% of your work done? These topics were top of mind at the Forrester Sourcing & Vendor Management Forum I just attended. In the past couple years I’ve had many conversations with IT executives about vendor management, about productivity, about quality and overall about improving large app dev organizations with many moving parts. There are many approaches that come up – process improvement, better governance, introducing measurement, or replacing your vendor. This is not an easy problem and it’s not unusual for the conversation to land somewhere like: “we just need to get better people” or, “it’s all about the people running our projects” or “I just hired the vendor who’s known for paying a little more than the others.”

  • The Impact of Outsourcing on ADM

    Last week, Steve Hall, Partner & Managing Director at ISG (formerly TPI), presented a webinar on the topic of aligning vendor SLAs with long-term value. The discussion focused on the need to not only consider cost savings within ADM (Application Development & Maintenance), but also the importance of risk mitigation and value enhancement of vendor-client relationships.

  • London Bourse is Falling Down – Time to Analyze Its Structure?

    This morning’s news was rife with accounts of the London Stock Exchange Group being forced to halt trading on its main market due to a technical fault in its barely two-week-old MillenniumIT trading system. This is yet another example of the need for pre-deployment analysis of structural quality.

  • Reduce Your Software’s Carbon Footprint

    As you read this, thousands of data centers across the country are using up something around 1.5% of US electricity consumption. That number is projected to increase by 70% according to a recent congressional report. There’s quite a lot of coverage about software that helps manage power use when computers are not fully utilized, virtualization technology saving on hardware use, Cloud performance testing, and more recently about data center metrics like CUE and PUE.

  • Quantifying Technical Debt: Beware of Your Assumptions

    Our colleagues at Gartner have made a little bit of a stir in the media with their findings on IT debt. Almost every industry pub, and some bloggers, have opined by this point. Here is a stack containing some of the recent articles and posts on the topic:

  • Agile Deals Thoughtworks a 21

    Eli attended the fun ThoughtWorks “Big Casino” night during the Agile 2010 conference in Orlando this week. ThoughtWorks, cleverly put together this event to generate money for charity and of course build brand awareness.

  • The iPhone is Changing the Face of IT

    We’ve been reading quite a bit the last few weeks about iPhone related issues that have had an impact on the security (Citi) and stability (AT&T) of customer data. Beyond the current arms race in the media to see who can write more frequently about Apple, there may actually be something there that spells real news for us in IT.

  • Cloud Testing – A Non-Starter for Some

    Last week I had the privilege to host a dinner with a set of IT executives from financial services institutions and some of the systems integrators who serve them. Real practitioners, trying to solve real complex problems for their businesses. A lot is at stake – for the enterprises it’s all about guaranteeing a customer experience, while enabling the business to keep upgrading functionality. For the SIs it’s winning bids, while setting expectations on which they can actually deliver.