Software Risk and Security in 2016


Software has always been risky business compared to more mature industries such as telecommunications and manufacturing. Historically, software has seen more canceled projects, higher costs and more frequent schedule overruns than any other industry.

Today, in 2016, we are also at the forefront of receiving an increasing number of cyber-attacks in many different forms, such as denial of service, data theft, phishing and the like. Of course, other industries are also risk prone, such as banking and finance, as seen by their many failures circa 2008. Indeed, the insurance industry centers on risk and has developed sophisticated actuarial methods for predicting the costs of risks and when they will occur.

What software needs today is a better understanding of security techniques and security economics, in terms of preventing and recovering from cyber-attacks. In other words, we should mirror insurance in the use of solid actuarial analysis of software and security risks.

Namcook’s Software Risk Master (SRM) tool is starting that shift by predicting the main forms of software risks before software projects start, when there is still time to create effective risk avoidance strategies. The top risks we predict are:

[Figure: Project Risk Metrics predicted by SRM]

These risk predictions are variables, and the key factors that influence them include team experience, development methodologies, programming languages, effective quality control techniques before and during testing, and achieving high levels on the SEI Capability Maturity Model Integration (CMMI). For example, both formal inspections and static analysis have proven to be effective risk-reduction techniques.

Concentrating primarily on security risks, we are also concerned with security costs in two forms:

  • Preventing cyber-attacks by using more sophisticated quality control during development.
  • Recovering from successful cyber-attacks.

To provide a context for risk and security costs, the table below shows the top cost drivers today:

[Table: U.S. Software Cost Drivers in Rank Order for 2016]

As can be seen, software security risks consume a significant portion of the key software cost drivers. To be successful and reduce IT spend, it will be important to push them down to the bottom of the ranked list of cost drivers by 2026. There are existing technologies for doing this, such as deploying security inspections and using static analysis on all critical software projects. CAST’s Application Intelligence Platform measures technical vulnerabilities that put your organization at risk, based on industry-leading code quality standards from CISQ. Plus, there are ways to participate in the cyber-attack groups established by the FBI, Homeland Security, and some state and local police departments. However, many companies and government groups are still careless in both software quality control and software security.

Improved knowledge of software risk and security flaws is on the critical path for making significant reductions in high-cost problems.

There are two obvious paths facing the software industry in 2016. The best path would be to achieve major software risk reductions and major reductions in cyber-attacks by means of deploying more sophisticated quality and risk control techniques during development, including analyzing the quality of application portfolios.

The more dangerous path will lead to increasing numbers of successful cyber-attacks and steadily increasing expenses associated with the related software risks. This will also lead to severe erosion in customer satisfaction, especially with regard to banking applications, where thefts of funds and identities are a daily hazard. This second path assumes continued laxness in both quality control and security control.

Both poor software quality and software security flaws are treatable conditions, somewhat like medical conditions that can be eliminated by a combination of vaccinations and effective therapies. It is theoretically possible to reduce delivered software defects and deployed software security flaws by over 90% compared to 2016 norms. Even better, some of the effective therapies, such as static analysis, are also very cost effective and lower both development and maintenance costs as well as cyber-attack costs.

To learn more, check out or contact Capers at

About the author

Capers Jones is Vice President and Chief Technology Officer at Namcook Analytics LLC, which builds advanced risk and estimation tools. He has worked in the software industry for over thirty years, during which time he has authored 17 books dealing with software assessments, cost estimation and application benchmarking.