CISQ Sponsors Meet in Bangalore to Improve the Sizing of Maintenance Work

Dr. Bill Curtis, Executive Director, CISQ

During May 25-27 the sponsors of CISQ met in Bangalore, India to develop a specification for automating a Function Point-style measure for analyzing the productivity of maintenance and enhancement activity. Current Function Point-based measures do not account for significant portions of the code in a modern application, that is, the non-functional code required for operating large multi-language, multi-layer IT applications. Thus developers or maintenance staff can perform extensive work enhancing, modifying, and deleting code that does not affect traditional Function Point counts. Consequently their productivity cannot be accurately measured. Although NESMA has proposed an adjustment for this problem, the IT community needs an automatable solution that analyzes the full application.

The goal for this new measure is to size the portion of an application affected during maintenance and enhancement activity in a way that is strongly related to the effort expended. The fundamental question related to this goal is how non-functional code should be measured when it is involved in changes. This spring … Continue reading

You’ve Been Cloned

We no longer need biology to clone people. Electronics will do nicely. Hieu Minh Ngo, an enterprising young citizen of Vietnam, has just been arraigned in New Hampshire for posing as a private investigator from Singapore and offering an underground service that provided clients with identity information, including social security numbers, that was available from Court Ventures, an Experian subsidiary that provides access to court records, as well as from US Info Search, a firm that provides identity verification information. While it is unknown how many identities were breached, the likely count is in the millions.

How many databases hold shards of information about you? Start with what you have published openly on Facebook, LinkedIn, Twitter, and similar social sites. Then add the information saved by companies with which you do business, electronically or face-to-face, such as credit cards, purchases, preferences, and the like. Then add all the companies that gather data from them, collate it into records about you they sell to others regarding your financial, criminal, shopping, … Continue reading

What Does Application Security Cost? – Your Job!

Today Target Stores announced that Beth Jacob, their CIO since 2008, has resigned.  Estimates vary, but the confidential data of at least 70 million of Target’s customers were compromised.  Target’s profits and sales have declined as a result, and it faces over $100 million in legal settlements.  Not surprisingly, CEO Gregg Steinhafel announced that Target will hire an interim CIO charged with dramatically upgrading its information security and compliance infrastructure.

Whether it’s security breaches at Target, humiliating performance at Healthcare.gov, outages in airline ticketing systems, or 30 minutes of disastrous trading at Knight Capital, the costs of poor structural quality can be staggering.  In fact, they are now so high that CEOs are being held accountable for IT’s misses and messes.  Consequently, Ms. Jacob will not be the last CIO to lose a job over an application quality problem.

Don’t be surprised if the next CIO survey from one of the IT industry analysts reports that a CIO’s top concern is some combination of application security, resilience, and … Continue reading

Tough Love for Software Security

Each day brings more reports of hacked systems.  The security breaches at Target, TJ Maxx, and Heartland Payment Systems are reported to have cost well beyond $140,000,000 each.  Are we near a tipping point where people stop trusting online and electronic systems and go back to buying over-the-counter with cash and personal checks?  When does the financial services industry reach the breaking point and start charging excessive fees to cover their losses?  Before we arrive there, IT needs to apply some tough love to software security.

Reports following the shutdown of a crime ring last summer that had stolen 130,000,000+ credit card numbers indicated that the weakness most frequently exploited to gain entry was SQL injection.  SQL injection???  Haven’t we known about that weakness for two decades?  How can we still be creating these types of vulnerabilities?  How can we not have detected them before putting the code into production?  Don’t you validate your input?  Don’t you wash your hands before eating?

What do we have to do … Continue reading
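The SQL injection weakness this post complains about is worth seeing side by side with its fix. The following is an added example, not code from the CISQ post or from any of the breached companies: the same login lookup written once by string concatenation and once with bound parameters, run against an in-memory SQLite database. The table, the two accounts, the attacker string and the username rule are all constructed for the demonstration; passwords are stored in plain text only to keep the example short and should never be in practice.

```python
"""Added example (not from the CISQ post): a login lookup written two ways
against an in-memory SQLite database.  The string-built version lets
attacker-controlled text become part of the SQL; the parameterized version
passes the values to the driver separately from the statement.  All data
here is constructed for the demonstration."""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts.  Plain-text passwords are a
    simplification for the demo, not a recommendation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str,
                     password: str) -> List[Tuple[str, str]]:
    """Concatenates user input into the statement text.  A quote in the
    input closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str,
                        password: str) -> List[Tuple[str, str]]:
    """Same lookup with bound parameters.  The statement is fixed; the
    values are bound by the driver, so quotes in them are just data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Classic constructed injection string.  In the vulnerable query it turns
# the WHERE clause into  (name='alice' AND password='') OR '1'='1'.
PAYLOAD = "' OR '1'='1"

# Defense in depth: an allow-list for fields that have a known shape.
# Assumed username policy for this example: 1-32 chars of [a-z0-9_].
_USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    """Input validation rejects the payload outright, but parameterization
    is still the primary control: validation cannot be applied to every
    free-form field, and it is easy to forget in one code path."""
    return bool(_USERNAME_RE.match(name))


def demo() -> dict:
    """Runs both variants with the payload and one legitimate login."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterized": login_parameterized(conn, "alice", PAYLOAD),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

The vulnerable variant returns every row (both accounts, including the admin) for a password of `' OR '1'='1`; the parameterized variant returns nothing for that input and only alice's row for her real password. A static analyzer that flags string concatenation feeding a query API would have caught the first form before production, which is the detection gap the post is asking about.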

CISQ – 2013 Review and 2014 Plans

Since our formation in 2011, the Consortium for IT Software Quality (CISQ) has taken IT industry leadership for measuring and improving the quality and productivity of business application software. We are the collective voice of global IT leaders explaining the costs and risks of poor application quality along with best practices to improve.

Highlights of CISQ in 2013

- The CISQ specification for Automated Function Points (AFP) was approved as a supported specification of the Object Management Group, making it an international standard.
- We conducted CISQ Deployment Workshops on Productivity and Quality Measurement at OMG meetings in Reston, Virginia (March) and Berlin, Germany (June).
- We signed up industry giants Huawei and Wipro as CISQ Silver Sponsors.
- We now have over 750 worldwide CISQ members across a broad range of industries.
- We hosted a lively CISQ IT Executive Roundtable in New York City on Software Robustness and Resiliency in Capital Markets.
- We submitted comments on CISQ’s behalf to the Securities and Exchange Commission (SEC) regarding a proposed new regulation governing software … Continue reading

Leaving Software Health Uninsured Part 1 – The Healthcare.gov Front End

Dr. Bill Curtis, Director, Consortium for IT Software Quality

According to testimony before a US Congressional Subcommittee, government administrators knew about the performance problems of Healthcare.gov long before the American public were used as system testers. Of course they did. I have never seen a system disaster of this magnitude when the technical folks weren’t alerting management about operational risks long before the system went live, if it ever did.

I will leave it to journalists to report the decisions behind an immutable Oct. 1 go-live date regardless of the operational consequences. As a result of these and other decisions, the health and quality of the software in Healthcare.gov suffered from the engineering equivalent of medical malpractice. As with all uninsured patients, the costs will be borne by the public. This series of posts will focus on the constellation of snafus in requirements, code, acquisition, system integration strategy, etc. that collectively created the Healthcare.gov fiasco. So let’s start where the American public attempted to start, at … Continue reading

Insecure Software and My Supersonic Trip around the World

A year and a half ago I registered for the spring semester at Baruch College in New York City.  The same morning I had an eye procedure in Florida.  Shortly after that I bought $4000 of art from a dealer in Kansas City.  By midday I had bought several thousand dollars more art in Australia.  Apparently I was having a fine time at supersonic speeds.  Then my credit card company’s neural nets caught up with me.  Well, not me exactly.

Within an hour that fine morning I received a call, an email, and a text message telling me my credit card had been terminated and wanting to verify recent charges.  Apparently I was joined on this round-the-world foray by several thousand other credit card customers.  The credit card company figured the only way we could have executed this spending spree was on the Concorde, which of course had been grounded years earlier…and rarely flew to Australia anyway.  Yep, somebody had been hacked.

I received a new credit card … Continue reading

CISQ/OMG Automated Function Point specification available on the CISQ Website

The CISQ specification for Automated Function Points has been approved as a Supported Specification of CISQ’s co-sponsor, the Object Management Group. The preliminary draft of the specification currently undergoing finalization in OMG is available in the members area as 13-02-01 Automated Function Points. Membership in CISQ is free and we will be posting more materials related to the use of this specification over time.

This Thursday, February 14 at 10:30 AM EST (15:30 GMT) CISQ is sponsoring a Webinar on how automated Function Points will affect the future of software sizing and application development. The Featured Speaker will be David Herron, co-author of the book Function Point Analysis, co-founder of the David Consulting Group, and the technical lead of the multi-national CISQ work group that developed the Automated Function Point specification.

This specification mirrors as closely as possible the counting guidelines of the International Function Point User Group (IFPUG). However, the specification necessarily resolved any decisions involving subjective judgment in order to support automation. Therefore, although counts may … Continue reading

Can’t Anybody Here Play This Game?

This famous quote was allegedly uttered by Casey Stengel, manager of the New York Mets baseball team during their inaugural season in 1962. It became the title of a book by Jimmy Breslin documenting a season of endless bumbling by the Mets. I wonder how many senior corporate or government executives feel like Stengel when they face another IT disaster?

I just heard yet another news report about a $1 billion system development failure in the U.S. government. This one was cancelled by the Air Force because after 7 years and $1B it didn’t work and showed no signs of ever working. “Can’t anybody here build these things?”

When asked how this colossal waste of taxpayer money compared with the infamous $600 toilet seats exposed by Congress years ago, U.S. Senator John McCain quipped, “Well in that case at least we got a toilet seat.” In IT you get nothing, not even something for flushing it all down!

The U.S. government seems perpetually susceptible to … Continue reading

Architecturally Complex Defects

There’s a new strain of detection-resistant bugs going around: architecturally complex defects. These bugs are difficult to diagnose and even more difficult to remove. And they are often the most deadly.

What Are They?

An architecturally complex defect involves interactions between several components, often spread across different levels of an application. These defects reside at the subsystem or system level rather than at the code unit level. Architecturally complex defects are even more complicated if the modules or code units involved are written in different languages or reside on different technology platforms.

When tested or analyzed at the unit level, the modules or code units may show no signs of a defect. The problems emerge at the subsystem or system level, resulting frequently from incorrect assumptions about how different components will interact. Usually such defects can only be detected by quality techniques performed after software exits the build process, such as integration testing and static or dynamic analysis of the integrated software. Thus, quality analysis after integration must be … Continue reading
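A concrete instance of the pattern described above, as an added example that is not from the CISQ post: a data-access layer and an authorization layer whose unit tests both pass, yet which grant administrative rights to the wrong account once wired together, because each layer made a different assumption about the interface between them. The user store, role names and function names are all constructed for the illustration; the fix shown (an explicit adapter at the seam plus a check that exercises the assembled path) is one common remedy, not the post's prescription.

```python
"""Added example (not from the CISQ post): an architecturally complex
defect.  Each layer below is correct by its own unit tests; the bug only
exists in the composition.  Every name and value here is constructed."""
from typing import Callable, Dict, FrozenSet, Iterable

# ---- Layer 1: data access -------------------------------------------------
# Constructed store: an older schema kept roles as one comma-separated
# column, and this layer returns that column verbatim.
_USER_STORE: Dict[str, str] = {
    "alice": "admin,auditor",
    "bob": "user,sysadmin-trainee",
}


def get_roles_raw(username: str) -> str:
    """Returns the stored roles column as-is: a string, not a collection."""
    return _USER_STORE[username]


# ---- Layer 2: authorization --------------------------------------------------
def is_admin(roles: Iterable[str]) -> bool:
    """Intended contract: `roles` is a collection of role names.
    Fed a plain string, `in` silently becomes a substring search."""
    return "admin" in roles


# ---- Unit tests as each team wrote them: both pass ----------------------------
def unit_tests_pass() -> bool:
    data_ok = get_roles_raw("bob") == "user,sysadmin-trainee"
    authz_ok = (is_admin(["admin", "auditor"])
                and not is_admin(["user", "sysadmin-trainee"]))
    return data_ok and authz_ok


# ---- Integration as actually wired: the defect ---------------------------------
def can_administer_buggy(username: str) -> bool:
    """The string flows straight from layer 1 into layer 2.  For bob,
    "admin" is a substring of "sysadmin-trainee", so he is an admin."""
    return is_admin(get_roles_raw(username))


# ---- Fix: make the boundary explicit -------------------------------------------
def get_roles(username: str) -> FrozenSet[str]:
    """Adapter at the seam: parse once, return the type layer 2 assumes."""
    raw = get_roles_raw(username)
    return frozenset(r.strip() for r in raw.split(",") if r.strip())


def is_admin_strict(roles: Iterable[str]) -> bool:
    """Fail loudly rather than quietly widen the check if a caller
    ever hands this layer a bare string again."""
    if isinstance(roles, str):
        raise TypeError("roles must be a collection of role names, not str")
    return "admin" in roles


def can_administer(username: str) -> bool:
    return is_admin_strict(get_roles(username))


# ---- The check that catches it: run the assembled path over real data ------
def integration_check(decide: Callable[[str], bool]) -> Dict[str, bool]:
    """Evaluates a composed decision function for every stored user, which
    is what unit tests of either layer alone never do."""
    return {user: decide(user) for user in _USER_STORE}


if __name__ == "__main__":
    print("unit tests pass:", unit_tests_pass())
    print("as wired:      ", integration_check(can_administer_buggy))
    print("with adapter:  ", integration_check(can_administer))
```

The unit suites of both layers are green, yet the composed path reports `bob` as an administrator; only a check over the integrated system, or a static analysis that tracks the string type across the call boundary, surfaces it. The adapter pins the contract at the seam, and the strict variant turns any future recurrence into an exception instead of a silent privilege escalation.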

Non-Functional Requirements Be Here

Non-Functional App Killers

Non-functional requirements are the killers of most modern multi-language, multi-layer applications. The continuing stream of business system disasters being reported in the press is rarely the result of a functional defect. Rather, they result from structural flaws in the system that we cluster under the catch-all phrase ‘non-functional requirements’. Okay, fine, but shouldn’t these structural, non-functional requirements have been stated clearly from the beginning? After all, they are requirements!

The brilliant Greek computer scientist Diomidis Spinellis warned us about this conundrum in his book Code Quality (2006, Addison-Wesley): “…a failure to satisfy non-functional requirements can be critical, even catastrophic …an insecure web-server or unreliable anti-lock brake system are worse than useless…non-functional requirements are sometimes difficult to verify. We cannot write a test case to verify a system’s reliability or the absence of security vulnerabilities.”

The Challenge of Verifying Non-Functional Requirements

Quality assurance has become reasonably good at testing for the correctness of functional requirements. Such requirements can be stated clearly if the system … Continue reading

Did Your Vote Really Count?

Until its conclusion at the end of July, I was entertained by the Texas primary runoff elections. I have never seen so much mud slung in one election. I guess it replaces the other stuff politicians are famous for slinging, especially down here. However, I have no idea if my vote counted. It’s not the usual complaint that with so many voters how can my single ballot matter. No, it’s a 21st century complaint that the software in the ballot-scanning machine started glitching, and I have no idea if it ever registered my vote. Software quality is the new ‘hanging chad’.

The poor election official was trying to fix the scanner when it reported “ballot rejected” after scanning the ballot before mine. Problem was, officials at the county elections office said they had a record of the ballot coming through and being tallied correctly. The machine got so bollixed up that it refused to accept my ballot for scanning. I left the precinct hall with panicked election volunteers on … Continue reading

It’s the Product, Stupid!

Too often when I meet with executives I get confronted with, “Hey, you’re the CMM guy. How come my outsourcer is Level 5 and the software they sent me is full of bugs?”

CMM and its successor, CMMI, were never meant to be certifications for defect-free software products. Rather, they were roadmaps to help organizations adopt best software engineering practices that have proven over many decades to produce high quality software products.

There are many factors beyond process that affect the quality of a software product, such as:

- the skill of the developers and their knowledge of the application domain,
- the novelty of the technology,
- the accuracy and volatility of the requirements, and
- the effectiveness with which a rapidly growing organization can sustain its high maturity development practices.

A high maturity process can mitigate the detrimental effects of these factors, but it cannot eliminate them. Ultimately, process only provides capability, the potential to produce high quality products. Achieving the full potential of an organization’s capability only occurs … Continue reading

The Director’s Blog

It’s been several years since I was asked to become the first Director of CISQ. I’ve resisted the urge to blog in favor of driving the creation of automatable measures of software quality, presenting keynotes and webinars, consulting with IT executives, and publishing in both academic journals and the trade press. However, the almost daily outages of software-intensive systems whose damages are in the billions of $€¥₤ have convinced me that we need a blog focused on software quality and directed at senior IT and business executives and managers. I will be posting weekly. The posts will alternate between advocating critical changes in our approach to ensuring the dependability, resilience, security, and cost-effectiveness of software-intensive systems, and translating the latest results from research and case studies into actionable recommendations for senior IT and software executives and managers.

I look forward to interacting with those who are affected by software quality and want to take action, or at least discuss the critical issues.

Dr. Bill Curtis
Director, CISQ