There is not so much demand for structural software quality measurement.
This is the view of the CEO of a company which provides software quality measurement technology and services.
What this actually means, he says, is that “by the time comes that they approach us, they are already in the deep stuff. They are in deep trouble. It is when it is almost too late. When something is already very bad.”
The various scenarios offered when users wake up to the issue include end users hitting the headlines [for the wrong reasons] because of a big leak or breach, or the CIO getting fired.
That is when, says Vincent Delaroche, CEO of Cast Software, they check with the analysts to see who is good at software risk prevention.
“And they approach us in panic mode and say 'help us figure the risk, the software quality risk.' It is always urgent, tactical, and reactive.”
Many execs are less concerned about the technology risk exposure of the business to bad or poorly written and managed software because they see themselves as having invested and delivered technology which matches the risk appetite of the business.
“It is a trade-off between time to market and delivering the right software for the business. I’ve been talking many times about how execs see software. They believe that software is seen as a black box. IT is delivered as a ‘I’d like to have this system up and ready to go next week and I’d like to have a price.’ And so they are aware, but what they are not aware of is that with IT, it is accountable and you can measure the level of risk to which they may be exposed.”
Mr Delaroche says he’s been speaking with a very large US bank recently which is in trouble.
The CIO was saying ‘well, if we had seen those analytics back in November, we would have checked and proceeded to technical audit of the system before pushing the button which means we would have prevented it [the trouble]’.
It is often the IT executives who are shooting in the dark.
“Sometimes it is more comfortable to not know than to know,” he says.
How Cast operates is to audit and provide ongoing visibility.
“We do an audit of an IT system. We measure the potential risk, and we generate a list of analytics and saying if you fix x, y, z, things then that is a way to move forward to remediation. We don’t do the remediation but we give a list for remediation. That would impact the level of risk positively.”
The most risky things are usually not that expensive to fix.
Mr Delaroche says in France it is a common belief that 20% of the problem is the cause of 80% of the issues. In the software game it is 1-99%. It is 1% of the bad software patterns that generate 99% of the outages and problems.
For software firms this is good news because you don’t need to spend hundreds of millions of dollars to fix the problem but you do need to focus where it hurts and on the little things which could potentially blow up in your face, he says.
Most problems with software are not security breaches or seeing off attempted hacks, but there are software problems.
Every week there are issues with resiliency and software quality, software issues which have nothing to do with security and which damage brand, business, and CIO and CEO careers.
In terms of acknowledging software risk, we are at the tipping point, believes Mr Delaroche.
In the last six or seven years, there has been lots of demand for security but limited demand for quality and resiliency.
“Now we are starting to enjoy some demand for proactive software measurement. Most of the cases are still people coming to see us who are in trouble. Now we’re starting to see smart IT people who wish to assess their risk exposure and see if they can mitigate or prevent the most crucial risks like big system outages. That’s our speciality, that’s what we’re good at.”
The new software environments have helped somewhat change the view of software quality. New software environments around DevOps, microservices and containers have increased CIO recognition of risk. Some CIO behaviour is elevating that risk, believes Mr Delaroche.
“Some of those guys speak as if everything has to be agile. They say ‘we deliver three times per week, some new system, blah, blah, blah’.”
This is what is happening and this is dangerous because it is trendy. And in terms of technology and methodology when it is being applied everywhere it becomes dangerous.
There are many good things in traditional software development methodology.
The traditional is for the core system. You wear a suit for back office and for front office wear a tee shirt with images of tongues and peace and love – then that’s cool. It will work well as long as it is interconnected.
But using DevOps methodology or No Ops methodology for everything takes us into the realms of the insane, says Mr Delaroche.
“In my view this is completely crazy. Because this is new, this is excellent? When you are Google or Amazon, this is excellent. But when you look at Barclays, or Bank of America, the topology is not the same as Google,” he says.
As for those who believe that the technology which is good for Google is good for Barclays: “These guys are crazy.”
“These web guys are 100% online and have relatively small business processes that are distributed. So they are built on microservices, and that’s DevOps and it is ideal for those online guys. But saying ‘I want to transform everyone to the cloud.’ This is crazy.”