New Worldwide Software Quality Study from CAST Exposes Millions In Hidden IT Costs

Over $3.6 million of technical debt in applications with one million or more lines of code

NEW YORK, DECEMBER 8, 2011 – Results of the new CAST Report on Application Software Health (CRASH), released today by CAST, the world leader in software analysis and measurement, reveal that businesses face millions of dollars in costs to fix technical debt – the cost to fix hidden problems that remain damaging risks in applications after they are operational – yet they are not budgeting for these costs.

“The number of software glitches, outages and security breaches reported in the press this year, and the damage they have done to the reputations of organizations like Toyota, Sony and RIM, not to mention the U.S. Government and a multitude of banks and stock exchanges around the world, have made problems with structural quality in application software a boardroom issue,” said Dr. Bill Curtis, CAST’s chief scientist, senior vice president of the CAST Research Labs and director of the Consortium for IT Software Quality. “The purpose of the 2011 Worldwide Applications Software Quality Study is to provide an objective, empirical foundation for discussing the structural quality of IT applications and the extent to which they suffer from structural flaws. What we found were numerous problems that should have been addressed prior to deployment.  It’s little different from ignoring termites that are destroying the structure of your home.”

The study is the largest ever conducted and used automated analysis to measure the structural quality of 365 million lines of code within 745 IT applications used by 160 companies throughout 10 industries.  Five application software “health factors” were examined in determining structural soundness: security, performance, robustness (i.e., uptime) and the ease of software transferability and changeability. Using data drawn from the automated structural analysis, CAST made a conservative estimate of what should be fixed, focusing only on those issues critical to business cost and risk.

“Our findings, although conservative, revealed an average technical debt of $3.61 per line of code,” said Curtis. “A significant number of applications examined in the study – nearly 15% – had over a million lines of code which means even the smallest of those contains over $3.6 million in technical debt.”

As David Norton, an analyst for Gartner, put it in his blog this month when talking about the ticking bomb of technical debt, “First, it doesn’t go off with a bang, it’s more a slow burn. Change starts to take longer…and opex costs start to spiral—it will not be a single cataclysmic event, it will be death by a thousand cuts.”

Curtis explained that over one-third (35%) of the violations discovered in the study result in damage to business by adversely affecting the security, performance and uptime of application software.

“That means that while two-thirds of the violations found were destined to have a dramatic effect on IT costs and a company’s bottom line, the other one-third is even more critical as it has a direct negative impact on business performance,” said Curtis. “Technical debt creates a double dose of trouble because it siphons money from IT innovation to pay for software repairs. The consequence is fewer dollars left to develop new applications capable of providing a competitive edge to an organization and increased risk embedded in the new applications designed to create that edge. It certainly makes technical debt something that should be critically important to both CIOs and CEOs.”

Other notable findings from the study included:

  • Despite assumptions to the contrary, outsourced and in-house developed applications didn’t show any difference in structural quality. The same was true for onshore and offshore applications.
  • Java EE applications were the most prevalent among those studied and received significantly lower performance scores as well as carrying greater technical debt than other languages.
  • Established development methods such as agile and waterfall scored significantly better in structural quality than custom methods, while waterfall scored the highest in transferability and changeability.
  • COBOL applications scored the highest in security, while .NET applications received the lowest security scores.

To obtain the Executive Summary of the 2011 CRASH Study, contact the CAST Information Center at +1 (212) 871-8330 or visit CAST Research Labs at