Static analysis: Leveraging source code analysis to rein in application maintenance cost


The ever-growing cost of maintaining systems continues to crush IT organizations, robbing them of the ability to fund innovation while increasing risk across the organization. The cost of maintaining a software system is directly proportional to its size and complexity, so any effort to reduce size and complexity translates directly into lower maintenance costs. The following provides guidance on how static code analysis of your applications generates actionable insight you can use to immediately improve the maintainability of your systems.

Eliminate dead code

Between 5 and 10 percent of legacy application source code is dead code -- code that can never be executed in a running program. It wastes computation time, complicates deployment and maintenance, and distorts program measurements by artificially inflating the lines of code (LOC) count.

To improve readability and to make sure that any logic errors behind it are resolved, dead code should be identified, understood, and then eliminated.
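As an added illustration of what "identify and understand" looks like in practice (this is example code written for this page, not CAST's product or anything from the original post), the script below uses Python's standard `ast` module to flag two kinds of dead code in a constructed sample: statements that follow a `return`, `raise`, `break` or `continue` in the same block, and functions that are never referenced anywhere in the source. The sample source, the function names in it and the Python 3.9+ requirement (for `ast.unparse`) are assumptions of the example.

```python
# Added example (not CAST's tooling): a small dead-code finder built on
# Python's ast module. SAMPLE is a constructed input; the unreachable
# lines are deliberate. Needs Python 3.9+ for ast.unparse.
import ast

SAMPLE = '''
def discount(price, member):
    if member:
        return price * 0.9
        print("member discount applied")   # unreachable: after return
    return price
    log_sale(price)                        # unreachable: after return

def legacy_tax(price):
    raise NotImplementedError
    return price * 1.2                     # unreachable: after raise
'''

# Statements after which control never reaches the next statement in the block.
TERMINAL = (ast.Return, ast.Raise, ast.Continue, ast.Break)


def unreachable_statements(source):
    """Return (line, statement) for every statement that follows a
    return/raise/break/continue in the same block."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Any node that owns a statement list keeps it in one of these fields
        # (Module/FunctionDef/If/For/While/Try/With/ExceptHandler ...).
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if not isinstance(stmts, list):
                continue
            terminated = False
            for stmt in stmts:
                if terminated and isinstance(stmt, ast.stmt):
                    findings.append((stmt.lineno, ast.unparse(stmt)))
                elif isinstance(stmt, TERMINAL):
                    terminated = True
    return sorted(findings)


def unreferenced_functions(source):
    """Return (line, name) for functions that are defined but never named
    anywhere else in the source. Entry points and names invoked reflectively
    (getattr, strings) show up here too, so treat these as leads to confirm
    rather than verdicts: the 'understand' step from the text."""
    tree = ast.parse(source)
    defined = {n.name: n.lineno for n in ast.walk(tree)
               if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    referenced = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Name):
            referenced.add(n.id)
        elif isinstance(n, ast.Attribute):
            referenced.add(n.attr)
    return sorted((line, name) for name, line in defined.items()
                  if name not in referenced)


if __name__ == "__main__":
    for line, text in unreachable_statements(SAMPLE):
        print(f"line {line}: unreachable: {text}")
    for line, name in unreferenced_functions(SAMPLE):
        print(f"line {line}: function {name!r} is never referenced")
```

Run stand-alone it reports lines 5, 7 and 11 of the sample as unreachable and both functions as unreferenced. The second check is deliberately conservative in one direction only: it never misses a function with zero textual references, but it cannot know about reflective calls or external callers, which is why a finding should be understood before it is deleted.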

Make sure your source code is documented

Application maintenance accounts for more than 80 percent of the lifetime cost of an application, so effort spent simply trying to understand excessively complex code is an enormous waste of time and money that development could instead be putting toward innovation. Believe it or not, 47 percent of software maintenance effort is spent understanding the existing codebase, and programmers who work on an application with no documentation spend 21.5 percent longer trying to understand it.

IT managers need to ensure that proper processes for code documentation are in place and that development is adhering to them.

Identify and eliminate duplicate code

Between 5 and 20 percent of the source code in typical business systems is duplicated -- what developers call copy-and-paste development.

Copying and pasting might seem like an easy fix at first, but it increases the time it takes for developers to get up to speed. It also slows feature enhancements, since the same change has to be made to every clone. As a result, it increases the number of test cases you need to run before deployment, and it carries the potential to damage your company's reputation through update anomalies (one clone gets the fix, another does not).
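To show how a static analyzer actually finds copy-and-paste clones, here is an added example (written for this page, not CAST's detector or code from the original post). It normalises each line (comments dropped, whitespace collapsed, string and numeric literals replaced) so that a pasted block with only a table name changed still matches, hashes sliding windows of normalised lines, and then extends each matching window pair into the longest matching region. The sample source, the four-line minimum window and the percentage helper are assumptions of the example.

```python
# Added example (not CAST's tooling): a minimal clone detector that keys on
# windows of normalised lines. SAMPLE is a constructed input containing one
# pasted block in which only the table name was changed.
import re
from collections import defaultdict
from itertools import combinations

SAMPLE = """
def load_customer(conn, key):
    cur = conn.cursor()
    cur.execute("SELECT * FROM customer WHERE id = ?", (key,))
    row = cur.fetchone()
    if row is None:
        raise KeyError(key)
    return dict(row)


def load_order(conn, key):
    cur = conn.cursor()
    cur.execute("SELECT * FROM orders WHERE id = ?", (key,))
    row = cur.fetchone()
    if row is None:
        raise KeyError(key)
    return dict(row)
"""

WINDOW = 4  # smallest run of significant lines reported as a clone (assumed)


def normalise(line):
    """Drop comments, collapse whitespace and replace string and numeric
    literals so a pasted block with only literals changed still matches.
    (The comment split is naive: a '#' inside a string literal cuts the line.)"""
    line = line.split("#", 1)[0]
    line = re.sub(r'"[^"]*"|\'[^\']*\'', "STR", line)
    line = re.sub(r"\b\d+(\.\d+)?\b", "NUM", line)
    return " ".join(line.split())


def significant_lines(source):
    """(physical line number, normalised text) for non-blank, non-comment lines."""
    out = []
    for i, raw in enumerate(source.splitlines(), start=1):
        text = normalise(raw)
        if text:
            out.append((i, text))
    return out


def find_clones(source, window=WINDOW):
    """Return (a_start, a_end, b_start, b_end, length) for each maximal pair of
    matching regions at least `window` significant lines long."""
    sig = significant_lines(source)
    by_window = defaultdict(list)
    for i in range(len(sig) - window + 1):
        by_window[tuple(t for _, t in sig[i:i + window])].append(i)
    seen, clones = set(), []
    for starts in by_window.values():
        for a, b in combinations(starts, 2):
            if (a, b) in seen:
                continue          # already inside a longer clone reported earlier
            length = window
            # extend the match as long as the following lines keep matching
            while (a + length < b and b + length < len(sig)
                   and sig[a + length][1] == sig[b + length][1]):
                length += 1
            for k in range(length - window + 1):
                seen.add((a + k, b + k))
            clones.append((sig[a][0], sig[a + length - 1][0],
                           sig[b][0], sig[b + length - 1][0], length))
    return sorted(clones)


def duplicated_fraction(source, window=WINDOW):
    """Share of significant lines inside at least one clone region, i.e. the
    kind of figure behind the 5 to 20 percent estimate quoted in the text."""
    sig = significant_lines(source)
    if not sig:
        return 0.0
    covered = set()
    for a0, a1, b0, b1, _ in find_clones(source, window):
        covered.update(range(a0, a1 + 1))
        covered.update(range(b0, b1 + 1))
    return sum(1 for n, _ in sig if n in covered) / len(sig)


if __name__ == "__main__":
    for a0, a1, b0, b1, n in find_clones(SAMPLE):
        print(f"lines {a0}-{a1} duplicate lines {b0}-{b1} ({n} significant lines)")
    print(f"duplicated: {duplicated_fraction(SAMPLE):.0%}")
```

On the sample it reports lines 3-8 as a clone of lines 12-17 (the `def` lines differ, so they are excluded) and a duplication ratio of 12 of 14 significant lines. Because the match is on normalised text rather than identifiers, a real tool would go further (token- or AST-based matching also catches renamed variables), but the output is already in the form a maintainer needs: the exact line ranges that must change together.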

Reduce code complexity

Now that you've identified and fixed problem areas in your application portfolio, it's time to improve its resiliency and stability by reducing its overall complexity. High levels of software complexity account for approximately 25 percent of maintenance costs, or more than 17 percent of total lifecycle costs. That complexity also makes it a burden to transfer the application to a new outsourcer without creating a huge learning curve that dilutes the expected cost benefits. As with eliminating duplicate code, reducing code complexity allows new features to be delivered more quickly.
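"Complexity" only becomes actionable once it is measured per function, so here is an added example (written for this page, not CAST's metric implementation or code from the original post) that computes McCabe's cyclomatic complexity for every function in a constructed Python sample and flags the ones above a threshold. Cyclomatic complexity is 1 plus the number of decision points; here that means `if`/`elif`, loops, `except` handlers, `assert`, conditional expressions, each extra operand of `and`/`or`, and comprehension clauses. The sample source and the threshold values are assumptions of the example.

```python
# Added example (not CAST's tooling): cyclomatic complexity per function,
# computed from Python's ast module. SAMPLE is a constructed input with one
# branch-heavy function and one trivial one; the threshold is an assumption.
import ast

SAMPLE = '''
def ship_cost(weight, zone, express):
    if weight <= 0:
        raise ValueError("weight must be positive")
    cost = 5.0
    if zone == "domestic":
        cost += 2
    elif zone == "eu":
        cost += 6
    else:
        cost += 12
    if express and weight < 10:
        cost *= 1.5
    for _ in range(int(weight) // 5):
        cost += 1
    while cost > 100:
        cost -= 1
    try:
        cost = round(cost, 2)
    except TypeError:
        cost = 0
    return cost

def tidy(s):
    return s.strip()
'''

# Nodes that open an extra path through the function.
DECISION = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
            ast.ExceptHandler, ast.Assert)
# Nested definitions are scored separately, not folded into the enclosing function.
NESTED = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)


def complexity(func):
    """McCabe's cyclomatic complexity: 1 + one per decision point, one per
    extra operand of and/or, and one per comprehension clause or filter."""
    score = 1
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        if isinstance(node, NESTED):
            continue
        if isinstance(node, DECISION):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            score += 1 + len(node.ifs)
        stack.extend(ast.iter_child_nodes(node))
    return score


def complexity_report(source, threshold=10):
    """(name, line, complexity, over_threshold) for every function, in source order."""
    report = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            score = complexity(node)
            report.append((node.name, node.lineno, score, score > threshold))
    return sorted(report, key=lambda row: row[1])


if __name__ == "__main__":
    for name, line, score, flagged in complexity_report(SAMPLE, threshold=5):
        note = " - refactor candidate" if flagged else ""
        print(f"{name} (line {line}): complexity {score}{note}")
```

On the sample, `ship_cost` scores 9 (eight decision points plus one) and `tidy` scores 1; with the threshold lowered to 5, only `ship_cost` is flagged. Tracking this number per function over successive releases is exactly the kind of trend measure the closing section asks for: a function whose score keeps climbing is where the next outsourcing hand-off or feature request will stall.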

Pulling yourself out of the application maintenance death spiral

Each of these exercises is aimed at helping your organization pull itself out of the application maintenance death spiral that consumes critical IT resources. The path to regaining control runs first through visibility, generated by automated code review, and then through governance that is focused on the end result -- the product.

IT leaders need measures that track trends in the health of critical applications -- robustness, security, changeability, performance efficiency, and transferability -- so that they know where to invest their resources to sustain the level of service they provide to the business.

Read more about source code analysis and application maintenance here: "Unsustainable: Regaining Control of Uncontrollable Apps."

Filed in: Software Analysis
Pete Pizzutillo, VP Corporate Marketing at CAST
Pete Pizzutillo is Vice President of Corporate Marketing at CAST. He is responsible for leading the integrated marketing strategies (digital and social media, public relations, partners, and events) to build client engagement and generate demand. He passionately believes that the industry has the knowledge, tools and capability such that no one should lose customers, revenue or damage their brand (or career) due to poor software. Pete also oversees CAST's product marketing team, whose mission is to help organizations understand how Software Intelligence supports this belief. Prior to CAST, Pete oversaw product development and product management for an estimating and planning software company in the Aerospace and Defense market. He has worked in several industries in various marketing roles and started his career as an advertising agency art director. He is a graduate of The Pennsylvania State University with degrees in Business Administration and Art. Pete lives in New Jersey with his wife and their four children. You can connect with Pete on LinkedIn or Twitter: @pizzutillo.