Managing Software Risk with CAST
Building Resilient Software to Support Business
CAST Confidential 1
Webinar goal and content
Goal: Understand how CAST can help avoid software glitches
Content:
• Review of state of software risk in business technology industry
• Analysis of reasons that software fails
• Explanation of CAST technology for software analysis
• Examples of potentially-lethal software CAST has uncovered
• How to implement CAST as a quality gate to lower software risk
IT risk has become a serious concern
[Charts: “How IT Risk Impacts Business” (percent of respondents identifying each business element) and “What Drives Reputation Risk”. Source: 2012 IBM Global Reputational Risk and IT Study, n = 427]
System outages have never been easy to control
[Chart: number of defects requiring patches in the 12 months after production rollout. Sources: The Register – 2008 Risk & Resilience Study; IDC Software Quality Study 2011, n = 200]
21% of project managers report over 50 defects in the first 12 months after rollout.
Incidence of software “glitches” is clearly on the rise
• Software is the primary culprit in system outages
• Software glitches in live business systems happen frequently
• Most of the time we don’t find out, but recently there’s more in the news
Examples in the news: trading platforms & exchanges; airlines
Sources: Wall Street Journal, Bloomberg, The Register – 2008 Risk & Resilience Study
Incidence of software “glitches” is clearly on the rise
• Responsible for 10% of North America trading by volume
• $440 million loss in 45 minutes
Past forensics related to similar outages
Air traffic control system:
• Variable not sized properly, limited to 50 days of operation
• IT procedure to reboot system every 30 days reset timer almost 3 weeks before it ran out
• Until that procedure was changed
Ticketing self-service website:
• A user accidentally types a URL into the wrong field
• Thousands of personal records leaked all over the internet
• Website service suspended for months until new version released
Are we just getting used to software failure?
Why does this happen?
• System complexity keeps increasing
• Too many applications to track
• Hitting limits of doing more with less
• Turnover and short-term-ism
• Sourcing complexity & offshore
• Speed of software production
• Inadequate approach to QA
No institutionalized product oversight at the structural level
Analyst perspectives on the problem, and solution
“There is a balance between ‘just get it done’ and ‘do it the right way.’ A few additional quality measures help you find that balance.”
“Addressing technical debt is really a risk decision for IT executives. I can invest in fixing some of the technical quality problems now, or risk that they result in outages, breaches or other problems that can cost far more.”
“The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers.”
Defects in poor systems turn into software failures
• Software delivered contains 5 potential defects per FP
• Many defects are dormant in the code
• Technical debt continues to mount
Defect origin and % of Severity 1 or 2 defects (Severity 1 = total stoppage; Severity 2 = major disruption):
1. Design defects 17.00%
2. Code defects 15.00%
3. Structural defects 13.00%
4. Data defects 11.00%
5. Requirements creep defects 10.00%
6. Requirements defects 9.00%
7. Web site defects 8.00%
8. Security defects 7.00%
9. Bad fix defects 4.00%
10. Test case defects 2.00%
11. Document defects 2.00%
12. Architecture defects 2.00%
TOTAL DEFECTS 100.00%
Source: Capers Jones. Data collected from 1984 through 2011; about 675 companies (150 clients in Fortune 500 set); about 35 government/military groups; about 13,500 total projects; new data = about 50-75 projects per month; data collected from 24 countries; observations during more than 15 lawsuits.
Industry starting to pay attention to code quality
But code quality & hygiene is only a small part of the solution
[Chart: searches for “code quality” – 60,700 (2009), 83,000 (2010), 168,000 (2011)]
[Chart: violations that cause defects – % of violations crossing a phase boundary (Dev → Test → Operations). Component-level violations: 10% reach Test, 2% reach Operations. Architecturally complex violations: 83% reach Test (8X worse), 13% reach Operations (6X worse). Source: Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering]
Measurement based on standards
Consortium for IT Software Quality (www.it-cisq.org): architectural & system level flaws and coding & component level flaws, by characteristic
RELIABILITY: Multi-layer design compliance; Software manages data integrity and consistency; Exception handling through transactions; Class architecture compliance; Protecting state in multi-threaded environments; Safe use of inheritance and polymorphism; Patterns that lead to unexpected behaviors; Resource bounds management; Complex code; Managing allocated resources; Timeouts; Built-in remote addresses
PERFORMANCE EFFICIENCY: Appropriate interactions with expensive and/or remote resources; Data access performance and data management; Memory, network and disk space management; Centralized handling of client requests; Use of middle tier components versus stored procedures and database functions; Compliance with Object-Oriented best practices; Compliance with SQL best practices; Expensive computations in loops; Static connections versus connection pools; Compliance with garbage collection best practices
SECURITY: Input validation; SQL injection; Cross-site scripting; Failure to use vetted libraries or frameworks; Secure architecture design compliance; Error and exception handling; Use of hard-coded credentials; Buffer overflows; Broken or risky cryptographic algorithms; Missing initialization; Improper validation of array index; Improper locking; References to released resources; Uncontrolled format string
MAINTAINABILITY: Strict hierarchy of calling between architectural layers; Excessive horizontal layers; Tightly coupled modules; Unstructured and duplicated code; Cyclomatic complexity; Controlled level of dynamic coding; Encapsulated data access; Over-parameterization of methods; Hard coding of literals; Commented out instructions; Excessive component size; Compliance with OO best practices
Technical debt is related to software risk
• Most technical debt measures do not categorize the debt
• There’s a lot of debt out there, many questions about “when to pay it off?” and “which debt to focus on?”
• It turns out only about 30% of technical debt has any immediate risk component
[Chart: Distribution of Technical Debt, n = 756 applications (365 million lines of code). Source: CRASH Report for 2011-2012, CAST Research Labs]
CAST approach to software risk management (1/2)
IDENTIFY
• Risk reduction starts with identification of risks to understand the scale and scope of risks across an organization
• Identification using automated tools for consistency and objectivity
• Output of “Identify” stage should include portfolio view & high profile risks
STABILIZE
• Prioritized list provides an action plan
• Focus on immediate, short-term risks to critical business systems
  – Security risks
  – Production defects
• Reassess to validate that short term risks have been addressed
Stage:             IDENTIFY    STABILIZE         HARDEN        OPTIMIZE
Risk perspective:  Immediate-Risk                Long-Term Risk
Assessment level:  Portfolio   Critical Systems  Application   Application
CAST approach to software risk management (2/2)
HARDEN
• Move beyond short term, immediate risks to address the “long tail”
• Focus on performance, robustness, security
• Improving brittle systems to become responsive, adaptable
OPTIMIZE
• Shift to long-term thinking
• Shift from process thinking to product thinking
• Focus on improving maintainability and transferability of systems
• Address organizational or process issues for long-term improvements
• Technical debt management and reporting strategy
Analysis strategy for typical IT application portfolio
[Chart: effort (man-days/year) against importance to business, from highest to lowest; critical apps are covered by CAST AIP, the entire application portfolio by CAST Highlight]
CAST AIP (critical apps):
• Deep structural analysis
• Risk detection
• Lean application development
• Function points & productivity
• Vendor management
• Continuous improvement
CAST Highlight (entire application portfolio):
• Fast cloud-based delivery
• No source code aggregation
• Key metrics on entire portfolio
• Size, complexity and risk analytics
• Annual/quarterly benchmark
Portfolio risk review with Highlight
[Chart: Risk vs. Application Criticality]
This chart examines business criticality against the risk level of the applications. 40 applications are situated in the high risk zone. These 40 applications require detailed assessment and planning for ongoing improvement.
Enterprise IT applications require depth of analysis
Program level:
• Code style & layout
• Expression complexity
• Code documentation
• Class or program design
• Basic coding standards
Module level:
• Intra-technology architecture
• Intra-layer dependencies
• Module complexity & cohesion
• Design & structure
• Inter-program invocation
• Security vulnerabilities
System level:
• Integration quality
• Architectural compliance
• Risk propagation simulation
• Application security
• Resiliency checks
• Transaction integrity
• Function point & EFP measurement
• Effort estimation
• Data access control
• SDK versioning
• Calibration across technologies
[Diagram: architecture compliance, data flow, transaction risk and propagation risk analyzed across a multi-technology stack – JSP, ASP.NET, APIs, Java, EJB, PL/SQL, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, messaging, Java web services]
CAST going well beyond static analysis
Static Analysis: understanding of language syntax and grammar using source code parsing
Behavioral Simulation: analysis of some run-time behaviors to understand dynamic behaviors of applications
Dependencies: understanding of cross-layer and cross-technology links between application components
Code Pattern Scanning: finding patterns and anti-patterns in application control flow
Data Flow: tracking the use of the content of variables such as user inputs along static and dynamic call stacks
Architecture Checker: identification of invalid calls and references between application architectural layers
Rule Engine: analysis of knowledge base against quality rules, metrics and constraints to identify violations (non-compliant objects or situations)
Transaction Finder: identification and configuration of cross-layer and cross-technology transactions from UI down to data entities
Function Points: estimation of Function Points functional sizing, relying on data entities and application-wide transactions
Aggregation & Consolidation: aggregation and calibration of results along the quality model and consolidation across applications
Intelligent Configuration: capability to build object sets based on object properties, links, etc. to support layers, modules, and scope definition
Content Updater: adjustment of analysis results to better match application advanced behaviors
Simulating runtime behavior to resolve links in code
Behavioral Simulation: emulating some run-time behaviors to understand dynamic behaviors of applications (quasi-runtime behavior)
Consider “Select Title from Authors where Author = ” as a SQL statement built in the Java method “f()”: the analysis records a use (select) link between the Java method “f()” and the SQL table “Author”.
Multi-tier analysis for dependencies (1/2)
Dependencies: capability to handle cross-layer and cross-technology links between application components
Create links between a Java class and a SQL table through the Hibernate mapping (Hibernate mapping DTD): Address.java ↔ Oracle table address
Multi-tier analysis for dependencies (2/2)
Dependencies: capability to handle cross-layer and cross-technology links between application components
Create links between a JSP page and an action mapping, and between the action mapping and a Java class: Payment.jsp → Struts-config.xml → ActionPaymentMethod.java
AIP counts of framework diagnostics
• Frameworks are the link between components in a well-architected system
• There are also rules to using such constructs effectively
Framework rule counts:
Struts 1.x: 21
Struts 2.x: 9
Spring: 3
Hibernate/JPA: 23
EJB: 8
JSF: 1
Servlet: 2
Tiles: 1
Data flow – cross distributed architecture
Data Flow: capability to track along static and dynamic call stacks the use of the content of variables such as user inputs
[Diagram: a user input followed through four steps (1)–(4) across the distributed architecture down to a SQL injection vulnerability – CWE-89]
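As an added illustration (not CAST's code or the webinar's own example), the query quoted on the behavioral-simulation slide, “Select Title from Authors where Author = ”, written in the form that lets a tainted user input reach the SQL sink (the CWE-89 path the data-flow slide traces) and in the parameterized form that closes it; both methods still carry the same use (select) link to the Authors table. The class, method and parameter names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical data-access class; names are assumptions, not CAST's or a customer's code. */
public class AuthorTitles {

    /**
     * Vulnerable form ("before"): the user-controlled value is concatenated into SQL
     * text, so the tainted data flows unchanged from the UI field, through the call
     * stack, into Statement.executeQuery. A data-flow analyzer following the author
     * parameter reports a CWE-89 violation at this sink.
     */
    public static List<String> titlesByAuthorUnsafe(Connection db, String author)
            throws SQLException {
        String sql = "Select Title from Authors where Author = '" + author + "'";
        List<String> titles = new ArrayList<>();
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                titles.add(rs.getString("Title"));
            }
        }
        return titles;
    }

    /**
     * Hardened form ("after"): the same use (select) link from this method to the
     * Authors table exists, but the tainted value is bound as a parameter, so it is
     * sent to the database as data and can never alter the statement's structure.
     * The taint path ends at a parameterized sink and no CWE-89 violation remains.
     */
    public static List<String> titlesByAuthor(Connection db, String author)
            throws SQLException {
        requireValidAuthorName(author);
        String sql = "Select Title from Authors where Author = ?";
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, author); // bound as data, not spliced into SQL text
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("Title"));
                }
            }
        }
        return titles;
    }

    /**
     * Input validation at the boundary (the "form field without validator" finding on
     * the multi-tier security slide). Parameterization is the primary control; this
     * check adds defence in depth and rejects obviously malformed input early.
     * The allowed character set is an assumption for this example.
     */
    static void requireValidAuthorName(String author) {
        if (author == null || author.isEmpty() || author.length() > 100
                || !author.matches("[\\p{L}\\p{M} .'\\-]+")) {
            throw new IllegalArgumentException("invalid author name");
        }
    }
}
```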
Configuring rules specific to enterprise architecture
Architecture Checker: capability to identify invalid calls and references between application architectural layers
Security breach due to architecture misuse
• For example: a banking application where, for monitoring reasons, all database calls must go through specific stored procedures
• Investigations showed:
  – Many transactions developed offshore did not comply with the secure architecture framework
  – Without automation, this could not be monitored:
    • 100 UI elements (250 kloc)
    • 2000 mid-tier programs (1 mloc)
    • 250 tables, 350 kloc of PL/SQL
• Use of Architecture Checker:
  – to define the desired architecture
  – to generate and enforce the appropriate quality rules
“UPDATE” trigger causing big problems at a global services provider
• In a reservation system, the Java application must access a legacy mainframe to finalize the transaction. In production, a performance issue occurred when a volume of transactions occurred at one time.
• Investigation showed:
  – Abnormal activity on the database due to an "on update" trigger that was fired too frequently.
  – The Hibernate ‘show SQL’ property revealed that the trigger was firing even if the data had not changed. The error was due to a specific parameter in Hibernate: select-before-update on the entity was set to false. When set to false, Hibernate updated the table systematically.
[Diagram: entity MY_ENTITY with columns A, B, C, D; MyUpdateTrigger always fired]
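The finding above, as an added example that is not the customer's or CAST's code: the slide's MY_ENTITY (columns A, B, C, D) mapped with Hibernate annotations, once with select-before-update left at its default and once with it enabled. The Java field names, column types and the MyUpdateTrigger comment are assumptions; the behaviour described in the comments is Hibernate's documented handling of the select-before-update setting.

```java
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.annotations.SelectBeforeUpdate;

/*
 * "Before": select-before-update is Hibernate's default, false. When a detached
 * instance is re-attached with session.update() (or saveOrUpdate()), Hibernate has
 * no snapshot to compare against and cannot tell whether anything changed, so it
 * issues
 *     UPDATE MY_ENTITY SET A=?, B=?, C=?, D=? WHERE ID=?
 * on every transaction. The row's ON UPDATE trigger (MyUpdateTrigger on the slide)
 * therefore fires even when no column value differs, which is the abnormal
 * database activity the investigation found.
 */
@Entity
@Table(name = "MY_ENTITY")
class MyEntityBefore {
    @Id
    @Column(name = "ID")
    private Long id;
    @Column(name = "A") private String a;
    @Column(name = "B") private String b;
    @Column(name = "C") private String c;
    @Column(name = "D") private String d;

    public Long getId() { return id; }
    public String getA() { return a; }
    public void setA(String a) { this.a = a; }
    // remaining accessors omitted for brevity; they follow the same pattern
}

/*
 * "After": @SelectBeforeUpdate (the annotation form of the hbm.xml attribute
 * select-before-update="true") tells Hibernate to SELECT the current row first
 * and issue the UPDATE only if a column really differs. The trigger now fires
 * only on real changes. With hibernate.show_sql=true in the configuration (the
 * "show SQL" property the slide mentions) the difference is visible in the log:
 * an extra SELECT appears and the needless UPDATEs disappear.
 */
@Entity
@Table(name = "MY_ENTITY")
@SelectBeforeUpdate
class MyEntityAfter {
    @Id
    @Column(name = "ID")
    private Long id;
    @Column(name = "A") private String a;
    @Column(name = "B") private String b;
    @Column(name = "C") private String c;
    @Column(name = "D") private String d;

    public Long getId() { return id; }
    public String getA() { return a; }
    public void setA(String a) { this.a = a; }
    // remaining accessors omitted for brevity; they follow the same pattern
}
```

The setting only matters for detached instances that are re-attached: entities loaded and modified within the same session are already dirty-checked against their snapshot, so unchanged ones produce no UPDATE either way. The extra SELECT is a cost in itself, so measure it against the trigger's cost before enabling it on hot entities.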
90% performance improvement in large mainframe batch process
Real, measurable performance improvement numbers after fixing open/close inside loops: around 90% performance improvement.
Application shows a potentially dangerous lack of data control
Reduce risk – better use of safe components
Propagated Risk Index (PRI) explained
[Diagram: GUI layer, logic layer, data layer] Violation with the largest impact on the rest of the application, regarding Robustness, Performance, or Security
Propagated Risk Index – Prioritize findings
• Allows rapid identification of the most significant critical violations related to a Health Factor
• PRI is based on:
  – Violation Index (VI), which assesses the quality issues of a defective object for a specific Health Factor
  – Risk Propagation Factor (RPF), which assesses the number of call paths of a defective object
[Screenshots: Violation View; Context (software / Health Factor)]
Transaction Risk Index (TRI)
• Identify the riskiest transactions for pen testing, remediation
• Sum of Violation Indices (VIs) of the objects along a specific transaction: Robustness, Performance or Security.
[Screenshots: Transaction View; Transaction Details View]
Transaction Weight Risk Index explained
[Diagram: GUI layer, logic layer, data layer] Transaction with the largest number of Robustness, Performance or Security violations
Stabilizing a multi-tier IT application
Missing error handling block across all layers:
• User Interface – Flex
• Business Logic – C# .NET
• Data Access – SQL Server (T-SQL)
Securing a multi-tier IT application
Multiple violations across the same transaction make warfighter / broad end-user facing applications more vulnerable:
• Input validation – 4 form fields without validator in the user interface
• Architecture design – action class talking to data access object, bypassing the business layer
• Database access security – multiple artifacts accessing and modifying data on the LOAN table, potentially containing confidential data
Making risk management actionable
• Identify and stabilize are the tactical steps
• To harden and optimize is a move towards proactive risk management
• Requires inserting some actionable processes into the application lifecycle
Measuring risk is important, but not enough
• At some point, inserting proactive prevention into the application lifecycle
Cost vs. risk tradeoffs
• If you have Technical Debt – so what?
[Chart: Technical Debt (low to high) against Software Risk (low to high)]
IT risk management is an area of investment
• IT executives expect to spend more on IT risk
• IT, and IT risk, is a C-level concern
• Who has responsibility for reputational risk due to IT?
If you’re working on code quality, your efforts should be tied to managing software risk.
Market leader in Software Analysis & Measurement
Ambitious Mission: introduce fact-based transparency into application development and sourcing to transform it into a management discipline
Rock Solid Foundation / Market Leader:
• Broad market presence in Europe, North America and India
• Strongly endorsed by software industry gurus and long term investors
• Over $100 million of investment in R&D, driven by top talent in computer science and software engineering
• Pioneer and recognized market leader since 1999
• CAST Research Labs, the world’s largest R&D facility dedicated to the science of software analysis & measurement (SAM)
“CAST metrics have become the de facto standard for measuring the quality and productivity of application services.” – Helen Huntley, Research VP, Gartner
Driving software measurement in the ADM industry
Key Influencers Recognize CAST; 250 Global Leaders Rely on CAST; Institutions Engage CAST; SIs Resell CAST; SIs Use/Resell CAST
[Logos: top technology; first in business IT; biggest benchmark DB]
CAST dashboards, reports & benchmarks
CAST Highlight – Portfolio Analysis:
• Size
• Complexity
• Risk
• Technical debt estimation
Zero Deployment:
• No centralized source code collection
• Portal results
• Full analysis report
CAST Application Intelligence Platform – Risk Drivers:
• Robustness
• Performance
• Security
Cost Drivers:
• Transferability
• Changeability
Alerts, trending, root cause analysis
Discovery Portal – Automated App Blueprint: discover, modernize and change applications
Function Point Manager:
• Automated FP counts
• Technical sizing
• Effort estimation
[Chart: Function Point Changes Due to a Sequence of Change Requests – #Function Points (0 to 40) against Cumulative Effort (Staff Hours, 0 to 200), change requests 1 to 5]
Benchmarking Services: compare to industry, business process and technology
Year end assessment offer from CAST
• Immediate, actionable insight into a business critical application regarding:
  – Resilience and stability risk
  – Performance risk
  – Portfolio risk assessment
• How it works:
  – An assessment will typically take 3 weeks; the longest part of that is collecting all the source files
  – Can be delivered by CAST or a certified AI Services partner
  – Typically $10k to $50k for an assessment, depending on the size and complexity of the application
Contact Pete Pizzutillo for more information
Contact Information
Pete Pizzutillo
p.pizzutillo@castsoftware.com
www.castsoftware.com
blog.castsoftware.com
linkedin.com/company/cast
@OnQuality
slideshare.net/castsoftware

Cloud Migration: Azure acceleration with CAST Highlight
 
Cloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership OverviewCloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership Overview
 
Cloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case StudyCloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case Study
 
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
 
Why computers will never be safe
Why computers will never be safeWhy computers will never be safe
Why computers will never be safe
 
Green indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in codeGreen indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in code
 
9 Steps to Creating ADM Budgets
9 Steps to Creating ADM Budgets9 Steps to Creating ADM Budgets
9 Steps to Creating ADM Budgets
 
Improving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based ContractsImproving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based Contracts
 
Drive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC ToolkitDrive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
 
CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.
 
Shifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business OutcomesShifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business Outcomes
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Cast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance InfographicCast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance Infographic
 
What is system level analysis
What is system level analysisWhat is system level analysis
What is system level analysis
 
Deloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical DebtDeloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical Debt
 
What you should know about software measurement platforms
What you should know about software measurement platformsWhat you should know about software measurement platforms
What you should know about software measurement platforms
 
CRASH Report 2014
CRASH Report 2014CRASH Report 2014
CRASH Report 2014
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Managing Software Risk with CAST

1. Managing Software Risk with CAST: Building Resilient Software to Support Business

2. Webinar goal and content
Goal: understand how CAST can help avoid software glitches.
Content:
- Review of the state of software risk in the business technology industry
- Analysis of the reasons that software fails
- Explanation of CAST technology for software analysis
- Examples of potentially lethal software CAST has uncovered
- How to implement CAST as a quality gate to lower software risk

3. IT risk has become a serious concern
[Chart: how IT risk impacts business, percent of respondents identifying each business element; what drives reputation risk. Source: 2012 IBM Global Reputational Risk and IT Study, n = 427]

4. System outages have never been easy to control
[Chart: number of defects requiring patches in the 12 months after production rollout, n = 200] 21% of project managers report over 50 defects in the first 12 months after rollout. Sources: The Register, 2008 Risk & Resilience Study; IDC Software Quality Study 2011.

5. Incidence of software "glitches" is clearly on the rise
- Software is the primary culprit in system outages
- Software glitches in live business systems happen frequently
- Most of the time we don't find out, but recently there has been more in the news
[Press clippings: trading platforms and exchanges; airlines. Sources: Wall Street Journal, Bloomberg, The Register, 2008 Risk & Resilience Study]

6. Incidence of software "glitches" is clearly on the rise (continued)
- Responsible for 10% of North America trading by volume
- $440 million loss in 45 minutes

7. Past forensics related to similar outages
Air traffic control system:
- A variable was not sized properly, limiting the system to 50 days of operation
- An IT procedure to reboot the system every 30 days reset the timer almost 3 weeks before it ran out, until that procedure was changed
Ticketing self-service website:
- A user accidentally typed a URL into the wrong field
- Thousands of personal records were leaked all over the internet
- The website service was suspended for months until a new version was released
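The air-traffic-control forensics above describe a timer that was not sized for more than 50 days, and a 30-day reboot that masked the problem. The following is an added example, not code from the deck or from CAST: it assumes the variable was an unsigned 32-bit millisecond uptime counter, which wraps to zero after 2**32 ms, about 49.7 days, so that a reboot every 30 days restarts it roughly 19.7 days ("almost 3 weeks") before the wrap. The uint32 counter and the deadline scenario are assumptions; the deck does not say what the variable was. The example shows a plain comparison of counter readings going wrong exactly at the wrap, the wrap-safe comparison staying correct, and why the reboot schedule hid the bug.

```python
"""Timer wrap-around of the kind behind the air-traffic-control outage.

Added example, not from the CAST deck. Assumption: the variable that was "not
sized properly" is an unsigned 32-bit millisecond uptime counter. It wraps to
zero after 2**32 ms, about 49.7 days; a reboot every 30 days restarts it
roughly 19.7 days ("almost 3 weeks") before the wrap, which is why the
procedure hid the bug. The deadline scenario below is constructed.
"""
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF        # a uint32 holds 0 .. 2**32 - 1
HALF_RANGE = 0x80000000    # 2**31: values at or above this read as negative int32
MS_PER_DAY = 24 * 60 * 60 * 1000


def days_until_wrap() -> float:
    """Uptime after which the counter returns to zero (about 49.71 days)."""
    return (MASK32 + 1) / MS_PER_DAY


def tick32(uptime_ms: int) -> int:
    """Reading of a uint32 millisecond counter after uptime_ms ms of uptime."""
    return uptime_ms & MASK32


def deadline_passed_naive(now: int, deadline: int) -> bool:
    """The buggy check: compare two counter readings directly. It is wrong as
    soon as the deadline reading has wrapped and the current reading has not."""
    return now >= deadline


def deadline_passed_safe(now: int, deadline: int) -> bool:
    """Wrap-safe check (serial-number arithmetic, as in RFC 1982): the
    difference modulo 2**32, read as a signed 32-bit value, is non-negative
    iff now is at or past the deadline, provided the two readings are less
    than 2**31 ms (about 24.8 days) apart."""
    return ((now - deadline) & MASK32) < HALF_RANGE


def check_at(uptime_ms: int, delay_ms: int = 60_000,
             elapsed_ms: int = 20_000) -> Tuple[bool, bool]:
    """At uptime_ms the system arms a deadline delay_ms ahead and checks it
    elapsed_ms later, before it is due. Returns (naive result, safe result);
    the correct answer is always False."""
    deadline = tick32(uptime_ms + delay_ms)
    now = tick32(uptime_ms + elapsed_ms)
    return deadline_passed_naive(now, deadline), deadline_passed_safe(now, deadline)


def counter_can_wrap(reboot_every_days: Optional[int], horizon_days: int = 365) -> bool:
    """Whether the counter reaches its wrap point within horizon_days when the
    system is rebooted every reboot_every_days days (None: never rebooted).
    A reboot restarts the counter at zero, as the slide's procedure did."""
    if reboot_every_days is None:
        longest_uptime_days = horizon_days
    else:
        longest_uptime_days = min(reboot_every_days, horizon_days)
    return longest_uptime_days * MS_PER_DAY >= MASK32 + 1


if __name__ == "__main__":
    print(f"uint32 ms counter wraps after {days_until_wrap():.2f} days of uptime")
    for uptime in (10 * MS_PER_DAY, MASK32 + 1 - 30_000):
        naive, safe = check_at(uptime)
        print(f"uptime {uptime / MS_PER_DAY:6.2f} days: naive={naive} safe={safe}")
    print("wraps within a year with 30-day reboots:", counter_can_wrap(30))
    print("wraps within a year without reboots:   ", counter_can_wrap(None))
```

Thirty seconds before the wrap the naive check reports a deadline that is still 40 s away as already passed, while the modular comparison is right on both sides of the wrap. The fix is the comparison, not the reboot schedule: `counter_can_wrap(30)` is false only because 30 days happens to be shorter than 49.7, and the same counter wraps within a 50-day uptime.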
8. Are we just getting used to software failure?

9. Why does this happen?
- System complexity keeps increasing
- Too many applications to track
- Hitting the limits of doing more with less
- Turnover and short-termism
- Sourcing complexity and offshoring
- Speed of software production
- Inadequate approach to QA
No institutionalized product oversight at the structural level.

10. Analyst perspectives on the problem, and solution
"There is a balance between 'just get it done' and 'do it the right way.' A few additional quality measures help you find that balance."
"Addressing technical debt is really a risk decision for IT executives. I can invest in fixing some of the technical quality problems now, or risk that they result in outages, breaches or other problems that can cost far more."
"The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers."

11. Defects in poor systems turn into software failures
- Software as delivered contains 5 potential defects per function point (FP)
- Many defects are dormant in the code
- Technical debt continues to mount
Defect origin and share of Severity 1 or 2 defects (Severity 1 = total stoppage; Severity 2 = major disruption):
 1. Design defects               17%
 2. Code defects                 15%
 3. Structural defects           13%
 4. Data defects                 11%
 5. Requirements creep defects   10%
 6. Requirements defects          9%
 7. Web site defects              8%
 8. Security defects              7%
 9. Bad fix defects               4%
10. Test case defects             2%
11. Document defects              2%
12. Architecture defects          2%
    Total                       100%
Source: Capers Jones. Data collected from 1984 through 2011; about 675 companies (150 clients in the Fortune 500); about 35 government/military groups; about 13,500 total projects; new data of about 50-75 projects per month; data collected from 24 countries; observations during more than 15 lawsuits.

12. Industry is starting to pay attention to code quality
But code quality and hygiene are only a small part of the solution.
[Chart: searches for "code quality": 60,700 in 2009, 83,000 in 2010, 168,000 in 2011]
[Chart: violations that cause defects, percentage of violations crossing a phase boundary]
                 Component-level violations   Architecturally complex violations
 Dev/Test        83%                          10%   (8X)
 Operations       2%                          13%   (6X worse)
Source: Li et al. (2011). Characteristics of multiple component defects and architectural hotspots: a large system case study. Empirical Software Engineering.

13. Measurement based on standards: Consortium for IT Software Quality (www.it-cisq.org)
Reliability
- Architectural and system-level flaws: multi-layer design compliance; software manages data integrity and consistency; exception handling through transactions; class architecture compliance
- Coding and component-level flaws: protecting state in multi-threaded environments; safe use of inheritance and polymorphism; patterns that lead to unexpected behaviors; resource bounds management; complex code; managing allocated resources; timeouts; built-in remote addresses
Performance efficiency
- Architectural and system-level flaws: appropriate interactions with expensive and/or remote resources; data access performance and data management; memory, network and disk space management; centralized handling of client requests; use of middle-tier components versus stored procedures and database functions
- Coding and component-level flaws: compliance with object-oriented best practices; compliance with SQL best practices; expensive computations in loops; static connections versus connection pools; compliance with garbage collection best practices
Security
- Architectural and system-level flaws: input validation; SQL injection; cross-site scripting; failure to use vetted libraries or frameworks; secure architecture design compliance
- Coding and component-level flaws: error and exception handling; use of hard-coded credentials; buffer overflows; broken or risky cryptographic algorithms; missing initialization; improper validation of array index; improper locking; references to released resources; uncontrolled format string
Maintainability
- Architectural and system-level flaws: strict hierarchy of calling between architectural layers; excessive horizontal layers; tightly coupled modules
- Coding and component-level flaws: unstructured and duplicated code; cyclomatic complexity; controlled level of dynamic coding; encapsulated data access; over-parameterization of methods; hard coding of literals; commented-out instructions; excessive component size; compliance with OO best practices

14. Technical debt is related to software risk
- Most technical debt measures do not categorize the debt
- There is a lot of debt out there, and many questions about "when to pay it off?" and "which debt to focus on?"
- It turns out only about 30% of technical debt has any immediate risk component
[Chart: distribution of technical debt. Source: CRASH Report for 2011-2012, CAST Research Labs; n = 756 applications (365 million lines of code)]

15. CAST approach to software risk management (1/2)
Identify
- Risk reduction starts with identification of risks, to understand the scale and scope of risks across an organization
- Identification uses automated tools for consistency and objectivity
- Output of the Identify stage should include a portfolio view and high-profile risks
Stabilize
- A prioritized list provides an action plan
- Focus on immediate, short-term risks to critical business systems: security risks, production defects
- Reassess to validate that short-term risks have been addressed
The four stages, their risk perspective and assessment level:
 Identify    immediate risk   portfolio
 Stabilize   immediate risk   critical systems
 Harden      long-term risk   application
 Optimize    long-term risk   application

16. CAST approach to software risk management (2/2)
Harden
- Move beyond short-term, immediate risks to address the "long tail"
- Focus on performance, robustness, security
- Improve brittle systems so they become responsive and adaptable
Optimize
- Shift to long-term thinking
- Shift from process thinking to product thinking
- Focus on improving the maintainability and transferability of systems
- Address organizational or process issues for long-term improvements
- Technical debt management and reporting strategy

17. Analysis strategy for a typical IT application portfolio
[Chart: effort (man-days/year) against importance to business, from the entire application portfolio (lowest) to critical apps (highest)]
CAST AIP, for critical apps:
- Deep structural analysis
- Risk detection
- Lean application development
- Function points and productivity
- Vendor management
- Continuous improvement
CAST Highlight, for the entire application portfolio:
- Fast cloud-based delivery
- No source code aggregation
- Key metrics on the entire portfolio
- Size, complexity and risk analytics
- Annual/quarterly benchmark

18. Portfolio risk review with Highlight
[Chart: risk vs. application criticality] This chart examines business criticality against the risk level of the applications. 40 applications are situated in the high-risk zone; these 40 applications require detailed assessment and planning for ongoing improvement.

19. Enterprise IT applications require depth of analysis
Program level:
- Code style and layout
- Expression complexity
- Code documentation
- Class or program design
- Basic coding standards
Module level:
- Intra-technology architecture
- Intra-layer dependencies
- Module complexity and cohesion
- Design and structure
- Inter-program invocation
- Security vulnerabilities
System level:
- Integration quality
- Architectural compliance
- Risk propagation simulation
- Application security
- Resiliency checks
- Transaction integrity
- Function point and EFP measurement
- Effort estimation
- Data access control
- SDK versioning
- Calibration across technologies
[Diagram: architecture compliance, data flow, transaction risk and propagation risk across the technology stack: JSP, ASP.NET, APIs, Java, EJB, Spring, Struts, Hibernate, .NET, C#, VB, C++, COBOL, PL/SQL, T-SQL, Oracle, SQL Server, DB2, Sybase, IMS, messaging, Java web services]

20. CAST going well beyond static analysis
- Static analysis: understanding of language syntax and grammar using source code parsing
- Behavioral simulation: analysis of some run-time behaviors to understand the dynamic behavior of applications
- Dependencies: understanding of cross-layer and cross-technology links between application components
- Code pattern scanning: finding patterns and anti-patterns in application control flow
- Data flow: tracking the use of the content of variables, such as user inputs, along static and dynamic call stacks
- Architecture checker: identification of invalid calls and references between application architectural layers
- Rule engine: analysis of the knowledge base against quality rules, metrics and constraints to identify violations (non-compliant objects or situations)
- Transaction finder: identification and configuration of cross-layer and cross-technology transactions from the UI down to data entities
- Function points: estimation of function point functional sizing, relying on data entities and application-wide transactions
- Aggregation and consolidation: aggregation and calibration of results along the quality model and consolidation across applications
- Intelligent configuration: capability to build object sets based on object properties, links, etc., to support layer, module and scope definition
- Content updater: adjustment of analysis results to better match advanced application behaviors

21. Simulating runtime behavior to resolve links in code
Behavioral simulation: emulating some run-time behaviors to understand the dynamic behavior of applications. Consider "Select Title from Authors where Author = " as a SQL statement completed at run time; the analysis resolves a use (select) link between the Java method f() and the SQL table Author, a quasi-runtime behavior.

22. Multi-tier analysis for dependencies (1/2)
Capability to handle cross-layer and cross-technology links between application components: create links between a Java class and a SQL table. [Diagram: Address.java mapped through a Hibernate mapping (mapping.dtd) to the Oracle table address]

23. Multi-tier analysis for dependencies (2/2)
Capability to handle cross-layer and cross-technology links between application components: create links between a JSP page and an action mapping, and between an action mapping and a Java class. [Diagram: Payment.jsp, struts-config.xml, ActionPaymentMethod.java]

24. AIP counts of framework diagnostics
- Frameworks are the link between components in a well-architected system
- There are also rules for using such constructs effectively
Framework rule counts:
 Struts 1.x      21
 Struts 2.x       9
 Spring           3
 Hibernate/JPA   23
 EJB              8
 JSF              1
 Servlet          2
 Tiles            1

25. Data flow across a distributed architecture
Capability to track, along static and dynamic call stacks, the use of the content of variables such as user inputs. [Diagram: steps (1) to (4) of a data flow from user input to a SQL injection vulnerability, CWE-89]
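Slide 25 tracks a user input through steps (1) to (4) until it reaches a SQL statement. The following is an added example in Python, not CAST code: a runtime stand-in for that data-flow tracking, reusing the Authors query from slide 21. Values that arrive from the (constructed) request carry a taint mark that survives string concatenation, and the SQL sink refuses a statement whose text is tainted; the hardened query binds the value as a parameter so the taint never reaches the statement text. The `Tainted` class, the `from_request` and `execute` names, the table rows and the payload are all constructed here.

```python
"""Data flow from a user-controlled field to a SQL sink (CWE-89).

Added example, not CAST code: a runtime stand-in for the static data-flow
tracking on the slide. Strings coming from the (constructed) request carry a
taint mark that survives concatenation; the SQL sink rejects a tainted
statement. The Authors table, its rows and the payload are constructed.
"""
import sqlite3


class Tainted(str):
    """A str subclass marking data that originated from user input. Python
    tries the subclass's reflected __radd__ before str's own concatenation,
    so the mark survives 'literal' + tainted as well as tainted + 'literal'."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def from_request(field_value: str) -> Tainted:
    """Source, step (1): a form field as it arrives from the client."""
    return Tainted(field_value)


def execute(conn, sql, params=(), enforce=True):
    """Sink, step (4): the only place SQL is run. With enforce=True a statement
    whose text is (partly) user-controlled is rejected instead of executed."""
    if enforce and isinstance(sql, Tainted):
        raise ValueError("CWE-89: user input reached the SQL text: " + sql)
    return [row[0] for row in conn.execute(str(sql), params).fetchall()]


def titles_by_author_vulnerable(conn, author, enforce=True):
    """Steps (2)-(3): the input is spliced into the statement, so the taint
    propagates through every '+' all the way to the sink."""
    sql = "SELECT title FROM Authors WHERE author = '" + author + "' ORDER BY title"
    return execute(conn, sql, enforce=enforce)


def titles_by_author_safe(conn, author):
    """Hardened form: the statement text is a constant and the input is bound
    as a parameter, so the database only ever sees it as data."""
    return execute(conn, "SELECT title FROM Authors WHERE author = ? ORDER BY title",
                   (str(author),))


def demo_db():
    """In-memory Authors table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authors (author TEXT, title TEXT)")
    conn.executemany("INSERT INTO Authors VALUES (?, ?)", [
        ("smith", "Intro to Risk"),
        ("smith", "Technical Debt"),
        ("lee", "Static Analysis"),
    ])
    return conn


# Classic tautology payload, as it would arrive in the form field.
PAYLOAD = from_request("' OR '1'='1")


if __name__ == "__main__":
    conn = demo_db()
    print("safe, author=smith:      ", titles_by_author_safe(conn, from_request("smith")))
    print("safe, payload:           ", titles_by_author_safe(conn, PAYLOAD))
    print("vulnerable, unguarded:   ", titles_by_author_vulnerable(conn, PAYLOAD, enforce=False))
    try:
        titles_by_author_vulnerable(conn, PAYLOAD)
    except ValueError as err:
        print("vulnerable, guarded sink:", err)
```

With the guard switched off, the tautology returns every title in the table; with it on, the sink reports the tainted statement exactly as a data-flow rule would, at the point where the tracked variable meets the query. The parameterized version returns nothing for the payload because the whole string is compared as a literal author name.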
26. Configuring rules specific to the enterprise architecture
Architecture checker: capability to identify invalid calls and references between application architectural layers.

27. Security breach due to architecture misuse
- Example: in a banking application, for monitoring reasons, all database calls must go through specific stored procedures
- Investigations showed that many transactions developed offshore did not comply with the secure architecture framework, and without automation this could not be monitored: 100 UI elements (250 kloc), 2,000 mid-tier programs (1 mloc), 250 tables and 350 kloc of PL/SQL
- Use of the Architecture Checker to define the desired architecture and to generate and enforce the appropriate quality rules

28. "UPDATE" trigger causing big problems at a global services provider
- In a reservation system, a Java application must access a legacy mainframe to finalize each transaction. In production, a performance issue occurred when a volume of transactions arrived at one time.
- Investigation showed abnormal activity on the database due to an "on update" trigger that was fired too frequently. The Hibernate "show SQL" property revealed that the trigger was firing even if the data had not changed. The error was due to a specific Hibernate parameter, select-before-update on the entity, which was set to false; when set to false, Hibernate updated the table systematically. [Diagram: MY_ENTITY (columns A, B, C, D) with MyUpdateTrigger always fired]
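The trigger case above has two independent fixes: stop the application from issuing UPDATEs for unchanged rows (the select-before-update setting on the slide), or make the trigger itself ignore UPDATEs that change nothing. The following is an added example, not CAST code or the provider's code, with sqlite3 standing in for the production database. `save()` mimics the two ORM behaviours the slide describes (select-before-update off: always issue the UPDATE; on: read the row first and skip the UPDATE when nothing differs), and the two trigger definitions show the unconditional production trigger beside a guarded one. The table, trigger names, rows and the save loop are constructed.

```python
"""An UPDATE trigger that fires although nothing changed, as in the
reservation-system case on the slide.

Added example, not CAST code. sqlite3 stands in for the production database;
save() mimics the two ORM behaviours the slide describes. The table, the
trigger definitions and the row are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE my_entity (id INTEGER PRIMARY KEY, a TEXT, b TEXT, c TEXT, d TEXT);
CREATE TABLE trigger_log (entity_id INTEGER);
"""

# The production trigger: fires on every UPDATE, changed or not.
TRIGGER_ALWAYS = """
CREATE TRIGGER my_update_trigger AFTER UPDATE ON my_entity
BEGIN INSERT INTO trigger_log (entity_id) VALUES (NEW.id); END;
"""

# Database-side fix: fire only when a column value actually differs.
# IS NOT (rather than <>) also treats NULL -> NULL as unchanged.
TRIGGER_ON_CHANGE = """
CREATE TRIGGER my_update_trigger AFTER UPDATE ON my_entity
WHEN OLD.a IS NOT NEW.a OR OLD.b IS NOT NEW.b OR OLD.c IS NOT NEW.c OR OLD.d IS NOT NEW.d
BEGIN INSERT INTO trigger_log (entity_id) VALUES (NEW.id); END;
"""

COLUMNS = ("a", "b", "c", "d")


def new_db(trigger_sql):
    """Fresh in-memory database with the schema, one trigger and one row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + trigger_sql)
    conn.execute("INSERT INTO my_entity VALUES (1, 'a', 'b', 'c', 'd')")  # constructed row
    return conn


def save(conn, entity, select_before_update):
    """Persist a detached entity. With select_before_update=False the UPDATE is
    always issued (the setting that caused the incident); with True the current
    row is read first and the UPDATE skipped when it is identical.
    Returns True if an UPDATE was issued."""
    values = tuple(entity[c] for c in COLUMNS)
    if select_before_update:
        current = conn.execute(
            "SELECT a, b, c, d FROM my_entity WHERE id = ?", (entity["id"],)).fetchone()
        if current == values:
            return False  # nothing changed: no UPDATE, so the trigger cannot fire
    conn.execute("UPDATE my_entity SET a = ?, b = ?, c = ?, d = ? WHERE id = ?",
                 values + (entity["id"],))
    return True


def trigger_firings(trigger_sql, select_before_update, unchanged_saves=100):
    """Save the same unchanged entity unchanged_saves times, then once with a
    real change. Returns (firings after the unchanged saves, firings in total)."""
    conn = new_db(trigger_sql)
    entity = {"id": 1, "a": "a", "b": "b", "c": "c", "d": "d"}

    def fired():
        return conn.execute("SELECT COUNT(*) FROM trigger_log").fetchone()[0]

    for _ in range(unchanged_saves):
        save(conn, entity, select_before_update)
    after_unchanged = fired()
    entity["b"] = "B"
    save(conn, entity, select_before_update)
    return after_unchanged, fired()


if __name__ == "__main__":
    for label, trigger in (("always-fire trigger", TRIGGER_ALWAYS),
                           ("on-change trigger", TRIGGER_ON_CHANGE)):
        for sbu in (False, True):
            print(f"{label:20s} select-before-update={sbu!s:5s}:",
                  trigger_firings(trigger, sbu))
```

Only the combination on the slide (unconditional trigger, select-before-update off) fires the trigger a hundred times for a hundred no-op saves; every other combination fires it exactly once, for the one save that changed a value. The `WHEN` clause is the cheaper of the two fixes to deploy, since it protects against every client, not only the ORM whose setting was corrected.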
29. 90% performance improvement in a large mainframe batch process
Real, measurable performance improvement numbers after fixing open/close operations inside loops: around 90% performance improvement.

30. Application shows a potentially dangerous lack of data control
Reduce risk through better use of safe components.

31. Propagated Risk Index (PRI) explained
The violation with the largest impact on the rest of the application, regarding robustness, performance or security. [Diagram: propagation across the GUI layer, logic layer and data layer]

32. Propagated Risk Index: prioritize findings
- Allows rapid identification of the most significant critical violations related to a health factor
- PRI is based on the Violation Index (VI), which assesses the quality issues of a defective object for a specific health factor, and the Risk Propagation Factor (RPF), which assesses the number of call paths of a defective object
[Screens: violation view; context (software / health factor)]

33. Transaction Risk Index (TRI)
- Identifies the riskiest transactions for pen testing and remediation
- Sum of the Violation Indices (VIs) of the objects along a specific transaction, for robustness, performance or security
[Screens: transaction view; transaction details view]

34. Transaction Risk Index explained
The transaction with the largest number of robustness, performance or security violations. [Diagram: transaction weight across the GUI layer, logic layer and data layer]
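Slides 26 and 27 describe checking calls against an allowed layering, and slides 31 to 34 define PRI (from a Violation Index and a Risk Propagation Factor that counts call paths) and TRI (the sum of VIs along a transaction). The following is one added example serving both passages, in Python and not CAST code: a small constructed layered application in which a page calls a table directly, which the layer check reports, and the same call graph scored with PRI and TRI. Assumptions not stated on the slides: a transaction is a call path from a GUI object to a Data object; an object's RPF is the number of distinct call paths that reach it from a GUI entry point; PRI is the product of VI and RPF. The object names, layers, calls, VI values and the allowed-call matrix are constructed.

```python
"""Architecture check, Propagated Risk Index and Transaction Risk Index over a
small constructed call graph.

Added example, not CAST code. Assumptions beyond the slides: a transaction is
a call path from a GUI object to a Data object; RPF is the number of distinct
call paths from a GUI entry point to the object; PRI = VI * RPF. The model
below (objects, layers, calls, VI values, allowed calls) is constructed.
"""
from collections import defaultdict

# Constructed layered application model.
LAYER = {
    "LoginPage": "GUI", "PaymentPage": "GUI",
    "AuthService": "Logic", "PaymentService": "Logic", "Validator": "Logic",
    "UserTable": "Data", "LoanTable": "Data",
}
CALLS = {
    "LoginPage": ["AuthService"],
    "PaymentPage": ["AuthService", "PaymentService", "LoanTable"],  # last call skips Logic
    "AuthService": ["UserTable"],
    "PaymentService": ["Validator", "LoanTable"],
    "Validator": ["LoanTable"],
}
# Violation Index per object for the Security health factor (absent = no violation).
VI = {"Validator": 5, "LoanTable": 3, "AuthService": 2}

# Architecture rule: which layers each layer may call (GUI must go through Logic).
ALLOWED_CALLS = {"GUI": {"Logic"}, "Logic": {"Logic", "Data"}, "Data": {"Data"}}


def architecture_violations(layer=LAYER, calls=CALLS, allowed=ALLOWED_CALLS):
    """Calls that cross layers the rule does not permit (the checker's output)."""
    return [(caller, callee) for caller, callees in calls.items()
            for callee in callees if layer[callee] not in allowed[layer[caller]]]


def call_paths(layer=LAYER, calls=CALLS):
    """Every simple call path that starts at a GUI object (DFS, cycles skipped)."""
    paths = []

    def walk(path):
        paths.append(path)
        for callee in calls.get(path[-1], ()):
            if callee not in path:
                walk(path + [callee])

    for entry in sorted(obj for obj, lay in layer.items() if lay == "GUI"):
        walk([entry])
    return paths


def risk_propagation_factor(layer=LAYER, calls=CALLS):
    """RPF: number of distinct call paths from a GUI entry reaching each object."""
    rpf = defaultdict(int)
    for path in call_paths(layer, calls):
        rpf[path[-1]] += 1
    return dict(rpf)


def propagated_risk_index(vi=VI, layer=LAYER, calls=CALLS):
    """PRI per defective object, highest first: a moderate violation on a
    widely reached object can outrank a worse one on a rarely reached object."""
    rpf = risk_propagation_factor(layer, calls)
    pri = {obj: score * rpf.get(obj, 0) for obj, score in vi.items()}
    return sorted(pri.items(), key=lambda kv: (-kv[1], kv[0]))


def transaction_risk_index(vi=VI, layer=LAYER, calls=CALLS):
    """TRI per transaction (GUI -> ... -> Data path): sum of VIs along it, highest first."""
    tri = {" -> ".join(p): sum(vi.get(obj, 0) for obj in p)
           for p in call_paths(layer, calls) if layer[p[-1]] == "Data"}
    return sorted(tri.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("architecture violations:", architecture_violations())
    print("RPF:", risk_propagation_factor())
    print("PRI ranking:", propagated_risk_index())
    for name, score in transaction_risk_index():
        print(f"TRI {score:2d}  {name}")
```

The violation the checker reports, `PaymentPage -> LoanTable`, is the same shape as item 2 on slide 36 (an action class reaching data while bypassing the business layer). It also raises the LoanTable's RPF to 3, which is why the table's PRI of 9 outranks the Validator's despite the Validator carrying the higher VI; and the transaction with the highest TRI is the one that passes through both objects.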
35. Stabilizing a multi-tier IT application
Missing error handling block across all layers: user interface (Flex), business logic (C# .NET), data access (SQL Server, T-SQL).

36. Securing a multi-tier IT application
Multiple violations across the same transaction make warfighter- and broad end-user-facing applications more vulnerable:
1. Input validation: 4 form fields without a validator in the user interface
2. Architecture design: an action class talking to a data access object, bypassing the business layer
3. Database access security: multiple artifacts accessing and modifying data in the LOAN table, which potentially contains confidential data

37. Making risk management actionable
- Identify and Stabilize are the tactical steps
- Harden and Optimize are a move towards proactive risk management
- This requires inserting some actionable processes into the application lifecycle

38. Measuring risk is important, but not enough
At some point, proactive prevention has to be inserted into the application lifecycle.

39. Cost vs. risk tradeoffs
If you have technical debt, so what? [Chart: technical debt (low to high) against software risk (low to high)]

40. IT risk management is an area of investment
- IT executives expect to spend more on IT risk
- IT, and IT risk, is a C-level concern
- Who has responsibility for reputational risk due to IT?
If you are working on code quality, your efforts should be tied to managing software risk.

41. Market leader in software analysis and measurement
Ambitious mission: introduce fact-based transparency into application development and sourcing to transform it into a management discipline.
Rock-solid foundation:
- Broad market presence in Europe, North America and India
- Strongly endorsed by software industry gurus and long-term investors
- Over $100 million of investment in R&D, driven by top talent in computer science and software engineering
Market leader:
- Pioneer and recognized market leader since 1999
- CAST Research Labs, the world's largest R&D facility dedicated to the science of software analysis and measurement (SAM)
"CAST metrics have become the de facto standard for measuring the quality and productivity of application services." (Helen Huntley, Research VP, Gartner)

42. Driving software measurement in the ADM industry
[Logos: key influencers recognize CAST; 250 global leaders rely on CAST; institutions engage CAST; SIs resell CAST; SIs use/resell CAST; top technology; first in business IT; biggest benchmark DB]

43. CAST dashboards, reports and benchmarks
CAST Highlight, portfolio analysis: size, complexity, risk, technical debt estimation. Zero deployment: no centralized source code collection, portal results, full analysis report.
CAST Application Intelligence Platform: risk drivers (robustness, performance, security); cost drivers (transferability, changeability); alerts, trending, root cause analysis.
Discovery Portal: automated application blueprint to discover, modernize and change applications.
Function Point Manager: automated FP counts, technical sizing, effort estimation. [Chart: function point changes due to a sequence of change requests, cumulative effort (staff hours) against number of function points]
Benchmarking services: compare to industry by business process and technology.

44. Year-end assessment offer from CAST
- Immediate, actionable insight into a business-critical application regarding resilience and stability risk, performance risk, and portfolio risk assessment
- How it works: an assessment typically takes 3 weeks, the longest part of which is collecting all the source files; it can be delivered by CAST or a certified AI Services partner; typically $10k to $50k for an assessment, depending on the size and complexity of the application
Contact Pete Pizzutillo for more information.

45. Contact information
Pete Pizzutillo, p.pizzutillo@castsoftware.com
www.castsoftware.com
blog.castsoftware.com
linkedin.com/company/cast
@OnQuality
slideshare.net/castsoftware