This year has been marked by high-profile outages and security breaches at global organizations like Sony, Sega, RIM, Citi, RSA, Honda, the International Monetary Fund the International Olympic Committee and multiple airlines, not to mention the U.S. Department of Defense. What each of these have in common is they each have at their root some structural quality flaw that led to malfunctions in their IT systems, failures in their application software or loss of sensitive data.
It should come as little surprise, therefore, that the 2011 CAST Report on Application Software Health (CRASH) this morning reported that organizations are squandering millions of dollars in technical debt due to issues in their application software – issues that could have been eliminated during pre-production had proper structural assessments taken place.
It should come as little surprise, but according to CAST it does. Dr. Bill Curtis, chief scientist at CAST, says that most companies are not budgeting for the maintenance of these applications and this is taking away from their ability to be innovative and competitive in the market.
“Technical debt creates a double dose of trouble because it siphons money from IT innovation to pay for software repairs. The consequence is fewer dollars left to develop new applications capable of providing a competitive edge to an organization and increased risk embedded in the new applications designed to create that edge. It certainly makes technical debt something that should be critically important to both CIOs and CEOs,” said Curtis.
Penny Wise, Debt Foolish
The study is the largest ever conducted and used automated analysis to measure the structural quality of 365 million lines of code within 745 IT applications used by 160 companies throughout 10 industries. Five application software “health factors” were examined in determining structural soundness: security, performance, robustness (i.e., uptime) and the ease of software transferability and changeability. Using data drawn from the automated structural analysis, CAST made a conservative estimate – appointing only one hour of time to repair flaws at a rate of only $75/hour – of what should be fixed, focusing only on those issues critical to business cost and risk.
Even with this conservative estimate and weighing the severity of each problem, CAST still determined that applications carry on average $3.61 of technical debt per line of code. And with 15% of the applications studied exceeding one-million lines of code, this means a significant portion of the apps studied exceed $3M in technical debt!
Perhaps even more startling is that more than one-third (35%) of the violations identified in the report are the types that would have a direct impact on business. These violations fall into the areas of performance, security and robustness (uptime) of applications and provide corroboration that companies must pay greater attention to the structural quality of applications or they are likely to face very costly problems ranging from application lag time to outages to security breaches, all of which can cost organizations money and adversely affect their reputations.
Need Java Boost
While the average app is carrying $3.61 of technical debt per line of code, Java apps studied came in at an even greater number. Of the 745 apps studied, 339 were Java-based apps. Among these 339 apps, the calculated cost of technical debt was $5.42 per line of code – more than 50% above the average!
Java apps also came up short in performance, scoring well below COBOL applications in performance scores.
Business is Booming…Not in a Good Way
In his blog recently, David Norton, an analyst for Gartner, compared technical debt to “a ticking bomb.” He said this bomb is silent, but deadly noting, “First, it doesn’t go off with a bang, it’s more a slow burn. Change starts to take longer…and opex costs start to spiral—it will not be a single cataclysmic event, it will be death by a thousand cuts.”
The CRASH report certainly backs up Norton’s thoughts, but the issues it revealed go even deeper than technical debt. Other notable findings from the study included:
- Structural quality was lowest in applications that reported six or more releases per year
- Applications with the greatest number of users scored highest in maintainability
- COBOL applications scored the highest in security, while .NET applications received the lowest security scores
- Despite assumptions to the contrary, outsourced and in-house developed applications didn’t show any difference in structure quality. The same was true for onshore and offshore applications.
- Established development methods such as agile and waterfall scored significantly better in structural quality than custom methods, while waterfall scored the highest in transferability and changeability.
For those interested in learning more about the 2011 CRASH study, the Executive Summary is available at the CAST Research Labs.