A new standard that helps to more reliably define the security and maintainability of software could be ready within weeks, according to the director of the Consortium for IT Software Quality (CISQ), Dr Bill Curtis.
Talking to CBR, Dr Curtis, a renowned expert on software quality who co-authored the Capability Maturity Model (CMM) framework and who is also SVP and chief scientist at software quality firm Cast Software, said a new function point standard is almost ready while a draft standard that measures the security and maintainability of software could be just two to three months away.
The reason for the excitement is that companies have long complained that it is hard to objectively say how well software – particularly software developed by a third party such as an outsourcing provider – meets security, maintainability and quality benchmarks. End user companies as well as the outsourcers and other application development shops have for some time sought a standard that makes it easier to appraise the quality of software delivered.
Some work has been done in this area by the International Function Point User Group (IFPUG), with an automatable Function Point standard draft expected any day.
A function point is a unit of measurement that expresses the amount of business functionality an information system provides to a user. The cost (in dollars/pounds or hours) of a single unit is calculated from past projects. Function points are the units of measure used by the IFPUG Functional Size Measurement Method, which is also an ISO-recognised software metric.
But according to Dr Curtis, "Since IFPUG Function Points only measure size, and since ISO only provides conceptual definitions for quality measures such as security, maintainability, reliability and performance, CISQ is working on defining automatable measures for these quality characteristics as well."
So alongside IFPUG’s draft standard CISQ has been working with the Object Management Group (OMG) on a security and maintainability standard, a draft of which is expected in the next two to three months. Dr Curtis told CBR: "Getting this draft spec ready in a year must be a Guinness World Record. The OMG is fast but we sped them up even more. We only managed it because it is industry driven."
Further draft metrics on performance and reliability are expected in Q3 2011.
On the security side, for example, Dr Curtis said that the forthcoming standard may decide on the 25 or 30 most risky security practices in application development – such as those that leave an application open to cross-site scripting – and then enable delivered applications to be checked against those practices and given ‘marks’ for their security (or lack of it).
The firm at which Curtis is SVP, Cast Software, will attempt to make it easier for firms to compare software against those emerging standards; it already helps them identify security or quality issues. Cast Software has a repository of over 900 potential software development defects gleaned from its work with clients on their software development projects. It can analyse source code, regardless of language, to uncover those risks and where they occur so that they can be fixed.
Dr Curtis said Cast’s customers use its technology as a ‘quality gate’ for software coming into their infrastructure from third party developers. "It enables customers to check that none of these risk or quality issues are coming in; as well as look at trends to see whether quality is getting worse or improving. Cast gives them visibility."
Dr Curtis added that the emerging standards and the technology from Cast Software could help companies get to grips with their ‘technical debt’ – the accumulation of insecure, buggy or simply poorly documented applications in the enterprise.
You may wish to follow this author on Twitter: www.twitter.com/jasonstamper