Application Assessments: Maximizing the Value of Software Intelligence for Complex IT Systems

by Pete Pizzutillo

An application assessment is an automated, objective analysis of the structural and architectural quality of applications in your IT portfolio.

Lacking an understanding of what's inside your software is commonplace and extremely risky: poorly constructed software can degrade performance, stability and security, while driving up maintenance costs, delaying releases and, at worst, bringing down entire systems.

Software Intelligence platforms, like CAST, can analyze multi-technology, multi-layer applications and provide visibility into and understanding of these complex systems. An application assessment is the first step toward helping delivery teams communicate better with business partners, and in turn toward alignment with, and satisfaction of, business constituents.

Set and Measure Application Assessment Objectives

Clearly identify the objectives of the engagement. CAST recommends establishing clear objectives for both the technical and business aspects of the assessment.

  • Establish objectives – are you just doing a benchmark, or do you need to fix a specific problem?
  • Ensure buy-in to the objectives with key stakeholders
  • Make sure there is a specific outcome (one or several) from the assessment and document the desired outcome via email to all stakeholders

Some example application assessment objectives include:

  • Improve production stability and end-user experience by identifying coding mistakes
  • Identify the critical violations in the latest release of the application
  • Understand what transactions are suspect for performance issues
  • Compare application quality characteristics across portfolios to identify problem areas or teams
  • Understand the structural quality of an application to verify the delivery performance of an outsourced team or justify maintenance budgets

Define Assessment Scope & Frequency

Typically, an application assessment for an average business application takes about two weeks. Assessment activities and some potential durations include:

  • Socialization, planning and objective setting – 1 day
  • Application discovery & analysis – 3-4 days
  • Final assessment generation & portal publishing – 1 day
  • Results review with SMEs and stakeholders – 1 day
  • Finalize assessment report and readout – day

A reassessment of the application is advisable to understand the level of improvement made by in-house or outsourced teams.

It is advisable to start planning the post-assessment next steps while you are planning the assessment itself (what will you do with the data, who will be involved in remediation, etc.?) so that the process is actionable.

Identify Key Stakeholders

Multiple stakeholders need to be available for an assessment to be completed; stakeholders who are not accessible during the assessment process may cause it to be delayed. The scope of your assessment will determine the number of stakeholders, but the basic roles are almost always the same. Typical roles to consider include:

  • Sponsor - Every project needs a champion to serve as the driver in your company, rallying support and resources for your implementation. Assisted by a Project Manager, he/she will ultimately ensure clarity of scope, objectives and priority.
  • Application Owner - Your assessment team should also include a representative from each of your application areas, such as key users, managers, architects, etc. If you don't take the time to enroll your users before the assessment, you'll definitely hear about it afterwards, and action based on the results will be jeopardized. This team will also play a vital role in the ongoing success of the initiative.

Ensure Teams & Vendors are Prepared

If the scope of the assessment includes code that is managed by third parties, be sure you will have access to the latest relevant source code from your vendor(s). It is also important to ensure that vendor SMEs are available and prepared to support the discovery portion of the assessment. In some cases they will be needed to help define application boundaries, to separate application tiers and validate transaction boundaries.

Manage Expectations

Often during an assessment, especially when it is performed by a third party, you will see some sensitivities and internal resistance. Technical colleagues will be sensitive about putting a measure on the quality of anything they have had a hand in developing. Development is a team sport, often handed off from one team to the next, so communicate that the focus is not to score anyone, but to find ways to improve the asset (the application) on behalf of the company.

Be sure to reinforce that this assessment is neutral, objective and based on industry best practices and software engineering principles. Prepare key stakeholders to act on the data once it has been prioritized and a business case has been put together for refactoring/remediation.

Application Assessment Deliverables

Below is a list of potential deliverables from the application assessment:

  • Dashboard – A private, secure portal that contains the assessment results.
  • Assessment Report – A concise report containing the key insights and summary of the assessment results.
  • Detailed Action Plan – Your action plan contains a prioritized list of artifacts causing critical violations.
  • Onsite Assessment Debrief – A CAST-certified assessment professional will walk you and your stakeholders through the assessment results and key insights. This session presents a valuable opportunity to engage CAST consultants to enhance insights and develop next steps. Typically the Assessment Debrief is delivered as a workshop immediately after delivery of the assessment report.

Learn more about gaining insight into your most sensitive and critical applications here.

Pete Pizzutillo, Vice President
Pete Pizzutillo is Vice President at CAST and has spent the last 15 years working in the software industry. He passionately believes Software Intelligence is the cornerstone to successful digital transformation, and he actively helps customers realize the benefits of CAST's software analytics to ensure their IT systems are secure, resilient and efficient to support the next wave of modern business.