6 Hidden Costs of Building Your Own Open Source Code Analyzer Platform

by John Chang

Thinking about building your own multi-language custom source code analyzer platform using open source components? Sure, the upsides seem to add up: no licensing fees, great customization ability, and an impressive new entry on your resume (making it even shinier). Read that project charter once more before you sign it in ink, because our experience has shown it’s not quite that simple.

Source Code Analyzer: What is under the code?

First, what we mean by “multi-language custom source code analyzer platform” is a platform that analyzes all the source code underlying your critical custom software applications and projects, and:

  • Delivers consistent and business relevant measurements, trends, and benchmarking
  • Enables staff to identify and address flaws causing instability and excess complexity
  • Provides insights on the trajectory of code quality and complexity
  • Analyzes flaws at both the code and component interaction levels across all technology layers

Anything less would leave your applications difficult to manage, your users unsatisfied, and your management team in the dark.


Hidden Costs of Building an Open Source Code Analyzer

This is a big undertaking. Yes, you’ve seen much bigger projects, but this one comes with significant hidden costs:

  1. Scarce Expertise – Open source doesn’t automatically mean easy to integrate. In fact, many times it means quite the opposite. Many companies resort to hiring expensive code quality consultants when it’s time to integrate the results. And if this happens in the middle of the project, after your team has thrown in the towel, it can be extra costly.
  2. Training – Sure, you can develop your own source code analyzer and parsing expertise. But it takes time and money, and you have to be sure you can retain the talent once they are trained.
  3. Project Scope Creep – Currently available open source code analyzers are mostly based on Java. If your applications are based in C, COBOL, .Net, or other commonly used languages, you may need to purchase or extend additional custom code analyzers. This means a significant expansion of the original scope of the project.
  4. Inability to Scale – Many open source code analyzers work very well at the individual developer or small team scale. However, organization-wide adoption of code analysis requires sharing of information, easily accessible visibility, and meeting the technology needs of the entire organization. Often, companies see huge hurdles to adoption, or outright abandonment, because the tooling was simply not useful for everyone.
  5. Opportunity Cost – We estimate that it takes two resources over five years to build an adequate software quality analysis platform (10 man-years) for a specific environment. That means these management and development resources have to deprioritize tasks that may have better returns.
  6. Waiting for Return – Typically, the value of software quality analysis, and of the processes implemented to address its findings, begins to materialize 6 - 12 months after initial implementation. Building your own means that the return is that much further down the timeline.

An off-the-shelf solution will not only help you avoid the above hidden costs, but also deliver immediate code quality improvements. Plus, a proven provider will help you navigate through challenges that you may face during implementation.

This is the first in a series of two blog posts. In the next post, we will look at the hidden costs of owning and maintaining your own software quality analysis platform based on open source components.

John Chang is the Head of Solution Design for CAST in North America, helping Fortune 2000 companies leverage CAST’s solutions to reduce system-level defects and improve application development outcome success.