Software Risk is Business Risk

by Pete Pizzutillo

Who is responsible for lowering software risk? Cutter Consortium Senior Consultant Pete Kaminski has been looking at the business risks posed by software and how to mitigate them. He gives context to the issue this way:

“Driving business risk down is just smart business. Software-related business risk is an increasing portion of business risk, so knowing how to assiduously reduce software risk has become part and parcel of today’s business reality. Fortunately, there is an array of tools and methods that you can apply across your portfolio of software assets and development projects to manage software risk, which we’ll explore in this Executive Update. Industrializing software risk management is critical for organizations in the digital age. It unleashes the 'smarts' in developers so that they can work on the difficult parts of building and delivering applications for the future, while ensuring current, past, and future risk is baked out of applications, putting both human intelligence and software intelligence to their best use.

“Risk can be measured and mitigated at two complementary levels: the component level and the overall system level. There are powerful static code analysis tools available for both levels. Choice of analysis type depends on where the system is within its development and operation lifecycle of the software portfolio.

“Systemizing software risk management offloads automatable work of software architects and engineers so that they can focus instead on knowledge work and innovation for business benefit. Doing so allows the organization to improve development velocity, reduce the chance of outages or security breaches, and compete for current and future business more effectively.”

As Kaminski details in his recent Executive Update, Mitigating Business Risk: A Systems Perspective, many IT organizations are structured in a way that defies effectively managing business risk. Who should be responsible? Overall security is the mandate of CISOs, but they aren’t involved in day-to-day engineering and application development; architects set the standards that determine how developers reduce risk, but are often disconnected from development when the apps are being built; and QA, while in charge of product quality, doesn’t ordinarily have insight into how the software is engineered. By default, mitigating software risk falls to developers. However, with today’s applications growing in both size and complexity, and a dizzying pace of delivery, developers’ view into software systems is diminishing. Ultimately, it should be the product owners/product managers who are responsible for managing the risk. Kaminski recommends they do this by leveraging contextual software analysis.

In his report, Kaminski reviews some tools, including Coverity Architecture Analysis and the CAST Application Intelligence Platform (CAST AIP), that help measure and reduce software risk.

According to Kaminski, in addition to reducing business risk such as loss of revenue, negative PR, and negative customer/employee experience, mitigating software risk helps:

  • Improve organizational agility and throughput.
  • Get more for less — that is, cut wasted resources, underperforming projects, and underutilized applications.
  • Enhance your reputation as an analytics-driven leader.
  • Place yourself in a better negotiating position with your senior team and executive peers, with quantifiably reduced risk and improved quality.

GET ADDITIONAL INSIGHT INTO MITIGATING BUSINESS RISK

Cutter clients can read Pete Kaminski’s full Executive Update, Mitigating Business Risk: A Systems Perspective, as well as his follow-on Update, Mitigating Business Risk: Unlock Software Potential.

Pete Pizzutillo, Vice President
Pete Pizzutillo is Vice President at CAST and has spent the last 15 years working in the software industry. He passionately believes Software Intelligence is the cornerstone to successful digital transformation, and he actively helps customers realize the benefits of CAST's software analytics to ensure their IT systems are secure, resilient and efficient to support the next wave of modern business.