Getting Started with Software Intelligence for the Technical Lead

by Kyle Christiansen

As we’ve written before, Software Intelligence is becoming increasingly useful, helping bridge the gap between a true understanding of software health and the demands placed on IT and software systems by the business to deliver a seamless customer experience on digital platforms. But, of course, gaining Software Intelligence is done through an analysis of the complex inner structure of business-critical software systems.

What follows is a step-by-step guide to help technical leads discover and share the Software Intelligence produced by CAST.

After setting up your CAST Application Intelligence Platform (AIP) analysis cadence to match your app dev team’s Agile/sprint timing (e.g. every two weeks), the resulting Software Intelligence from the CAST analysis needs to be evaluated and prioritized so it can be put to work increasing your software quality.

Though this data review and prioritization can be automated, it is best to have someone begin by looking at the entire set of results. That person should have application-specific knowledge; typically it is the Technical Lead or a subject matter expert. Their review will help you better understand the data generated by the analysis and will ultimately serve as the starting point for automating the results.

The best place to start your review is with the results presented via the CAST Engineering Dashboard. With the Engineering Dashboard, you will be able to prioritize the most useful and impactful violations and flag them to be sent back to the development teams for remediation. 

Technical and Quality Rule Weight
Both Technical Criteria and their associated Quality Rules are weighted to help prioritize the most impactful violations to select for remediation.

Propagated Risk Index (PRI)
This is a measurement of the riskiest objects in the application, reported against the Health Factors of Robustness, Performance, Security, Changeability and Transferability.

As these violations are identified, you will also be shown snippets of source code with the violating areas highlighted. From that snippet, a Show More button displays additional code surrounding the violation, or you can use the View File option to view the entire source code file. This lets you see exactly where each violation exists and decide which elements should be added to the Action Plan for remediation. Repeating this quality investigation across the application builds up a succinct, priority-sorted list of violations flagged for remediation.

Action Plan
Establish action plans to remediate violations based on priority. The action plan data can be viewed in the dashboard, exported to Excel, or automatically synced with tracking software such as Jira.

The real power of CAST-generated Software Intelligence comes from applying this data on a recurring basis. Whether you run the analysis on a calendar schedule or add a CAST analysis step to your CI/CD pipeline, triggered by an event in your SDLC/DevOps flow, analyzing each set of changes creates an ongoing feedback loop for both developers and IT leaders.

Next up, for Part 2, we will discuss how to enhance your Software Intelligence using CAST Architecture Checker. 

About the author: Kyle Christiansen, Technical Solutions Architect

Kyle is a technical solutions architect at CAST and has more than a decade of experience as a software engineer and team manager. He has designed systems and product architectures to deliver personalized, secure, highly available apps.