Flying High with Software Intelligence: A Guide for Technical Leads (Part 2)

Any inventor knows it: a great design really isn’t all that great until it stands the test of real-world use. (Proof: all those old movies of flying machines crashing before they even got off the runway.) The same is true of software development. Only through system-level analysis can you learn how components interact with one another across multiple layers (UI, logic and data) and across multiple technologies. Much like those old flying machines, the exact same piece of code can be safe and of excellent quality, or highly dangerous, depending on how it interacts with other components.

Old Fashioned Airplane

When you conduct system-level analysis in conjunction with application discovery and blueprinting, you’re setting yourself up for success. Three months ago, I shared my insights on getting started with Software Intelligence for the technical lead. Here I'd like to continue with that thread by looking at the process of building Software Intelligence with CAST Architecture Checker.

By using this module of the CAST Application Intelligence Platform (AIP), you can build a view of an application’s structural quality that helps reduce security vulnerabilities and overall risk. Architecture Checker aids the technical lead or subject-matter expert by:

  • Providing information about application structure
  • Allowing the definition of custom rules
  • Tracking and enforcing those rules in subsequent application development.

Architecture rules are custom to each application. However, CAST’s Extend repository includes a starter library of rules. You can build on these rules and save them for use in future analyses.

Constructing Your View

  • Start by building layers and sets (logical containers of elements) within Architecture Checker, using types and properties (attributes of the object). The logic for assigning objects to a layer can be any combination of technology, identification (e.g. type, name, module, code path) or category (CAST Quality Rules and Measures).
  • The Layers and Sets display gives a detailed description of the contents of each layer and set.

Layers and Sets_Photo 1

  • Types and Properties displays the contents in the CAST Meta-Model – an exhaustive list of object types and categories.

Once you’ve built the layers representing the objects of a system, you can now build either Authorized Dependencies (acceptable flow through the application) or Forbidden Dependencies (unacceptable flow through the application). Do this by dragging-and-dropping an arrow from one layer to another.

Going Live with Architecture Checker

After repeating this process to build a system “map,” you can now conduct a live violations check, using data from the most recent CAST analysis knowledge base.


Violations_Photo 2

  • Orange connection arrow(s) indicate a violation of the intended model. You’ll also see a count of the number of links violating the model, and you can access a detailed view.
  • When you’re connected to a specific application in Architecture Checker, you can run Live Check for Architecture Model against the application’s current state. (Green connection arrow(s) indicate an intended, authorized connection.)
  • Analyzing and enforcing structural quality and adherence to architecture is difficult. By defining and saving an architecture model using Architecture Checker, the CAST analysis can alert you when violations occur based on the model, then help you to investigate them. You can also leverage Architecture Model to create architectural and custom rules, then save them to the CAST assessment model for later evaluation during application analysis.
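To make the layer / authorized-dependency / forbidden-dependency model concrete, here is a small checker that applies the same idea to a dependency graph. This is an added example, not CAST Architecture Checker code; the layer predicates, the object and link types, the paths and the five sample links are all constructed for illustration. It shows the check a practitioner cares about most: a UI object reaching the database directly bypasses the logic layer, and with it whatever authorization or input validation that layer performs, so that arrow is flagged as forbidden rather than merely unauthorized.

```python
"""Toy architecture-rule checker in the spirit of the layer/dependency model
described above. Added example; it is not CAST Architecture Checker code, and
the layer names, paths, types and links below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CodeObject:
    name: str
    type: str   # object type from the analysis, e.g. "JSFile", "JavaClass", "SQLTable"
    path: str   # code path, used here as one of the identification criteria


@dataclass(frozen=True)
class Link:
    source: CodeObject
    target: CodeObject
    kind: str   # link type, e.g. "call", "select"


# A layer is a named predicate over objects: any combination of technology,
# identification (type, name, path) or category can be used.
LAYERS: Dict[str, Callable[[CodeObject], bool]] = {
    "UI":    lambda o: o.type == "JSFile" or o.path.startswith("web/"),
    "Logic": lambda o: o.path.startswith("service/"),
    "Data":  lambda o: o.type == "SQLTable" or o.path.startswith("dao/"),
}

# Authorized dependencies: acceptable flow, top-down only. Anything not listed
# is a violation; FORBIDDEN pins down the pair we most want flagged, because
# UI -> Data skips the logic layer and any authorization/validation it does.
AUTHORIZED: Set[Tuple[str, str]] = {
    ("UI", "UI"), ("UI", "Logic"),
    ("Logic", "Logic"), ("Logic", "Data"),
    ("Data", "Data"),
}
FORBIDDEN: Set[Tuple[str, str]] = {("UI", "Data")}


def layer_of(obj: CodeObject) -> Optional[str]:
    """First layer whose predicate matches; None if the object is unassigned."""
    for name, pred in LAYERS.items():
        if pred(obj):
            return name
    return None


def check_model(links, authorized=AUTHORIZED, forbidden=FORBIDDEN):
    """Return (violations, unassigned).

    violations: list of (source_layer, target_layer, reason, link)
    unassigned: objects no layer claims; reported rather than silently
    skipped, because an unassigned object is a hole in the model."""
    violations = []
    unassigned = []
    for link in links:
        src, tgt = layer_of(link.source), layer_of(link.target)
        for obj, layer in ((link.source, src), (link.target, tgt)):
            if layer is None and obj not in unassigned:
                unassigned.append(obj)
        if src is None or tgt is None:
            continue
        pair = (src, tgt)
        if pair in forbidden:
            violations.append((src, tgt, "forbidden dependency", link))
        elif pair not in authorized:
            violations.append((src, tgt, "dependency not authorized", link))
    return violations, unassigned


def summarize(violations) -> Dict[Tuple[str, str], int]:
    """Count of violating links per (source layer, target layer) arrow."""
    counts: Dict[Tuple[str, str], int] = {}
    for src, tgt, _, _ in violations:
        counts[(src, tgt)] = counts.get((src, tgt), 0) + 1
    return counts


# Constructed sample "knowledge base": five objects and five links.
LOGIN = CodeObject("LoginPage", "JSFile", "web/login.js")
REPORT = CodeObject("ReportPage", "JSFile", "web/report.js")
USER_SVC = CodeObject("UserService", "JavaClass", "service/UserService.java")
USER_DAO = CodeObject("UserDao", "JavaClass", "dao/UserDao.java")
USERS = CodeObject("USERS", "SQLTable", "db/users.sql")

SAMPLE_LINKS: List[Link] = [
    Link(LOGIN, USER_SVC, "call"),      # UI -> Logic: authorized
    Link(USER_SVC, USER_DAO, "call"),   # Logic -> Data: authorized
    Link(USER_DAO, USERS, "select"),    # Data -> Data: authorized
    Link(REPORT, USERS, "select"),      # UI -> Data: forbidden (skips the service layer)
    Link(USER_DAO, USER_SVC, "call"),   # Data -> Logic: upward call, not authorized
]

if __name__ == "__main__":
    found, holes = check_model(SAMPLE_LINKS)
    for src, tgt, reason, link in found:
        print(f"{src} -> {tgt}: {reason}: {link.source.name} {link.kind} {link.target.name}")
    print("violating links per arrow:", summarize(found))
    print("objects not in any layer:", [o.name for o in holes])
```

Two design choices carry over to a real model: the authorized set is a whitelist, so a new dependency nobody thought about is a violation by default rather than silently accepted, and objects that fall outside every layer are reported, since a link to an unclassified object cannot be judged and usually means the layer predicates need tightening.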

Architecture Model_Photo 3

I look forward to your comments and questions about Architecture Checker’s role in system-level analysis and in building overall Software Intelligence. In Part 3, I’ll discuss how you can use CAST Enlighten to blueprint software as you continue to gather, refine, and leverage Software Intelligence, all in your effort to ensure software quality and make certain that your “crazy flying machines” soar off the runway as planned.

Kyle Christiansen
Kyle Christiansen Technical Solutions Architect
Kyle Christiansen is a Technical Solutions Architect at CAST and has more than a decade of experience as a software engineer and team manager. He has designed systems and product architectures to deliver personalized, secure and highly available apps.