CISQ’s Automated Function Points: History and Calculation

 

David Herron, Co-Founder, David Consulting Group

Bill Curtis, Executive Director, CISQ     

 

After requests from numerous commercial enterprises, the Consortium for IT Software Quality (CISQ) was formed in 2010 by the Software Engineering Institute at Carnegie Mellon University and the Object Management Group (OMG), an international IT standards organization. CISQ was chartered to create international standards for automating the measurement of size and structural quality from software source code. During early executive forums held in Washington DC, Frankfurt, and Bangalore, five measures were selected for initial specification. One of them answered a request to automate the counting of Function Points from source code, based as closely as possible on counting guidelines from the International Function Points User Group (IFPUG).

 

The David Consulting Group (DCG), a leader in Function Point analysis, was one of the founding members of CISQ. David Herron, co-founder of DCG, co-author of the Function Point Analysis, and a leader in IFPUG, was selected to head the international team chartered to develop a specification for automating Function Point counting. David’s team included members from North America, Europe, and India.

 

Function Points were originally defined by Allan Albrecht of IBM back in the 1970s to measure the functionality delivered by a software application. Traditionally, Function Points are counted manually by trained Function Point experts. They are often counted from initial program specifications to estimate the size of the system and the effort required to build it. In 1986 the IFPUG was formed to support the Function Point counting community and formalize guidelines for counting Function Points.

 

While thorough in covering the many issues affecting Function Point counting, IFPUG counting guidelines leave some counting decisions to the judgement of the manual counter. These ambiguities had to be resolved to specify a consistent algorithm for automating the count. As a result, the OMG/CISQ Automated Function Point Sizing specification prioritizes repeatability and consistency over consistency with the IFPUG Function Point counting guidelines.

 

In certain counting situations, IFPUG guidelines are vague, leaving the interpretation to the judgment of the counter. In order to remove subjectivity, the specification makes explicit decisions about counting techniques in situations where the IFPUG guidelines were vague. Consequently, some variations from the IFPUG guidelines were introduced in order to achieve the precision required for automation.

 

IFPUG functional sizing requires the identification of 5 types of functions: inputs, outputs, inquiries, external (referenced) data files and internal (stored) data. The challenge presented to the CISQ team was determining how to properly identify unique functions.

 

Identifying input and output functions is technically a simple process. Distinguishing between an output and an inquiry can be a bit more difficult; however, the difference in functional value between the two is negligible. The real challenge is with identifying unique file types. Part of the solution is to collect specific inputs prior to automation. These include, along with the complete source code, a listing of all excluded files and libraries that don’t belong to the application. Additionally, data definitions of databases and flat files, along with naming conventions, are required. The result is an automated sizing capability that is consistent and verifiable.

 

The first round of analytics focused on how closely the automated counting tool’s results matched the outcomes of the IFPUG manual counting process. It was always understood that a certain degree of calibration would be required. An independent study was performed on a random selection of 20 applications of varying sizes and technical profiles. Each application had been manually counted using current IFPUG guidelines. The objective was to understand the ‘accuracy’ of the automated counts relative to the manual IFPUG counts and to determine how many iterations were required until the automated tool had been properly calibrated for each application. The results were impressive.

 

The two critical variables that were analyzed were the variance between automated and manual counts and the number of iterations required to realize an acceptable size variance. The automated sizing on the first five applications resulted in a 300% variance between automated and manual counts and required 3 to 4 iterations each to calibrate the tool to result in an acceptable size variance of +/- 10%. After calibrating the tool for the first 10 applications the remaining 10 applications had a lower initial count variance of 13% (down from 300%) and required, on average, 1.5 iterations per application to realize an acceptable size range variance between automated and manual counts of -2.2% to 7.0%. This was a positive indicator that the initial calibrations included ‘standard’ adjustments that could be built into the automated tool and applied on subsequent calibrations thereby reducing the number of iterations and improving accuracy.

 

The benefits of functional size automation are many. It allows for increased sizing at the application level, providing the opportunity to manage portfolios more effectively and efficiently and to better control production support costs. Organizations such as IFPUG, NESMA and COSMIC should continue to advocate and support the continued development of software that automates functional sizing and other software measurement practices.

Applying Coding Standards to the NIST Cybersecurity Framework

 

The NIST Cybersecurity Framework was first published in 2014 for operators of U.S. critical infrastructure and is now the de facto cybersecurity framework for a wide range of businesses and organizations across industries. Organizations link their cyber approaches to the Framework’s core functions of Identify, Protect, Detect, Respond and Recover to manage their cybersecurity strategy and identify areas for improvement.

 

Once aligned, an organization can use the NIST Cybersecurity Framework as evidence when seeking certifications or shopping for cyber insurance. Good cyber risk practices will result in a less expensive premium for cyber insurance services.

 

NIST hosted a Cybersecurity Risk Management Conference from November 7-9 in Baltimore, MD to discuss the current state of cybersecurity risk management and approaches being employed to strengthen quality and resiliency in the software development lifecycle and supply chain. Marc Jones, CISQ Director of Public Sector Outreach, presented on the automated quality characteristic measures developed by CISQ for measuring software Security, Reliability, Performance Efficiency and Maintainability to industry-supported standards.

 

The slide below depicts how the coding standards from CISQ map to various steps in the NIST Cybersecurity Framework. Download the presentation deck, Measuring the Cybersecurity Risk of Software-Intensive Systems, to learn more.

 

 

CISQ’s global private sector and government membership appreciates the continued support and input provided by NIST leadership over the last 6 years to support impactful and measurable automated software risk standards.

Software and Supply Chain Assurance (SSCA) Forum Winter 2018

 

Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.

 

The effort is co-led by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Government Services Agency (GSA). Participants represent a diverse group of career professionals including government officials, chief information security officers, those in academia with cybersecurity and supply chain specialties, system administrators, engineers, consultants, vendors, software developers, managers, analysts, specialists in IT and cybersecurity, and many more fields.

 

SSCA forums are held 2-3 times/year and are free and open to all interested parties.

 

While the general intent is to share information, the SSCA Forum also offers government and private sector participants, including international participants, an opportunity to openly collaborate by presenting and receiving feedback on current and potential future work. Most events are two to three days long and contain a mixture of discussion and presentation; interaction is always strongly encouraged. To encourage open interaction, SSCA Forum meetings operate under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed,” though many speakers allow NIST to post their presentations on this website.

 

To receive information about upcoming meetings and related publications and activities, please sign up for the sw.assurance mailing list, operated by NIST, by sending a blank email to sw.assurance-join@nist.gov

 

Visit https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management/SSCA to view upcoming meetings.

CISQ Announces “Future of Software Delivery” Seminar on Nov. 16 in Bangalore

 

Industry thought leaders will discuss how measurement and intelligence will change the future of software delivery

 

BANGALORE, India – November 6, 2018 – The Consortium for IT Software Quality™ (CISQ™), an IT industry leadership group that develops standards for automating software quality measurement, today announced that registration is open for its “Future of Software Delivery” seminar in India on Friday, November 16. CISQ is organizing this full-day event in cooperation with Tech Mahindra at its Bangalore campus. Registration is complimentary, but pre-registration is required due to limited seating capacity.

 

Dr. Bill Curtis, CISQ Executive Director, will introduce software measurement standards and best practices for measuring software size, software quality, and technical debt. L. Ravichandran (“Ravi”), President and COO of Tech Mahindra, will deliver the keynote address, followed by distinguished speakers from NASSCOM, EY, rpa2ai and other organizations.

 

The seminar will address:

  • international standards for automating software size and structural quality measures
  • advances in productivity measurement – challenges and solutions
  • case study of measuring an Agile and DevOps transformation
  • progress on applying machine learning to software quality
  • capitalizing on the delivery capabilities of automation, RPA and AI

Attendees will also learn about the recently-released Trustworthy Systems Manifesto from CISQ, which contains 5 principles to ensure secure and trustworthy software systems. Senior executives are encouraged to read the Manifesto and become signatories. Signatories demonstrate a commitment to reduce the business or mission risk of critical software-intensive systems by creating policies to govern system development, deployment, and operations. To become a signatory, visit https://www.omg.org/it-cisq/tsm/signatures.php.

 

The Tech Mahindra campus is located at:

 

Plot No. 45 – 47, KIADB Industrial Area
Phase – II, Electronic City
Bengaluru – 560100 (Karnataka) India
Phone: + 91 80 67807777

 

The event is supported by CISQ sponsors: CAST, CGI, Cognizant, ISHPI Information Technologies, Northrop Grumman, Synopsys and Tech Mahindra.

 

About CISQ

The Consortium for IT Software Quality™ (CISQ™) is an IT leadership group that develops international standards for automating the measurement of software size and structural quality from the source code. The standards written by CISQ enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership. CISQ was co-founded by the Object Management Group® (OMG®) and Software Engineering Institute (SEI) at Carnegie Mellon University. For more information, visit https://www.it-cisq.org/

 

Contact

Ann McDonough
mcdonough@omg.org
+1 781-444-0404

 

###

Note to editors: CISQ is an Object Management Group program. Object Management Group and OMG are registered trademarks of the Object Management Group. For a listing of all OMG trademarks, visit https://www.omg.org/legal/tm_list.htm. All other trademarks are the property of their respective owners.

 

 

Consortium for IT Software Quality Launches Trustworthy Systems Manifesto

 

December 6 webinar will outline 5 policy principles to advance the trustworthiness of software-intensive systems

 

Needham, MA – November 1, 2018 – The Consortium for IT Software Quality™ (CISQ™), an IT industry leadership group that develops standards for automating software quality and size measurement, today unveiled its Trustworthy Systems Manifesto. The Manifesto lists 5 principles around which senior executives can develop policy to govern system development and deployment.

 

Software-intensive systems are one of the largest sources of risk to enterprises and their customers. For example, IT-related incidents at Knight Capital, SWIFT, Target, and United Airlines far exceeded $100 million in damages. A new research report from CISQ estimates the cost of poor quality software in the U.S. to top $2.8 trillion. In the era of 9-digit glitches, the Manifesto will help management determine policies that strengthen software development and mitigate the risk exposure of these systems.

 

According to CISQ Executive Director Dr. Bill Curtis, “Financial risks from software-intensive systems dramatically increase as enterprises automate more of their critical business functions.  Executives are ultimately responsible for managing this risk. The Manifesto provides guidance to executives and senior managers, the majority of whom are not IT experts, for developing policy to ensure their critical systems are trustworthy.  The manifesto’s objective is to initiate discussions between the enterprise and IT or engineering about reducing operational and cost risks to the business.  Trustworthy systems are secure from malicious actors, reliable and safe in operation, resilient to unexpected conditions, and accurate in their computations.”

 

Dr. Curtis will present a webinar on Thursday, December 6, 2018 at 11 a.m. EST to introduce the Trustworthy Systems Manifesto and discuss its 5 principles:

 

  1. Engineering discipline in product and process
  2. Quality assurance to risk tolerance thresholds
  3. Traceable properties of system components
  4. Proactive defense of the system and its data
  5. Resilient and safe operations

 

Become a Signatory

Signatories indicate their willingness to develop policies and practices within their organizations to support these principles, and to encourage adoption of these principles in other organizations. To become a signatory, visit https://www.omg.org/it-cisq/tsm/signatures.php.

 


CISQ Executive to Speak on Nov. 8 at 2018 NIST Cybersecurity Risk Management Conference

 

Topic spotlights how to measure the cybersecurity risk of software-intensive systems

 

Baltimore, MD – November 2, 2018 – Marc Jones, Director of Public Sector Outreach from the Consortium for IT Software Quality™ (CISQ™), will present “Measuring the Cybersecurity Risk of Software-Intensive Systems” on November 8 at 2:45 p.m. at the 2018 NIST Cybersecurity Risk Management Conference, which will be held from November 7-9, 2018, at the Renaissance Baltimore Harborplace hotel, in Baltimore, Maryland. This presentation will describe how standards developed by CISQ for measuring software structural quality can be applied as part of the NIST Cybersecurity Framework.

 

CISQ is an industry consortium chartered with developing international standards for automating the measurement of size and structural quality from source code. The Automated Quality Characteristic Measure standards for Reliability, Security, Performance Efficiency, and Maintainability are based on quantifying violations of good architectural and coding practice in the source code of software systems.  When calibrated against operational performance, the standards assess several areas of cybersecurity risk to which a software system exposes the enterprise. The measures comply with software product quality definitions in ISO/IEC 25010 and supplement the behavioral measures in ISO/IEC 25023 by measuring software quality attributes at the source code level.

 

Marc Jones will also share the CISQ Trustworthy Systems Manifesto, just launched at the October 16 Cyber Resilience Summit in Arlington, Virginia.

 

The Manifesto lists five principles that senior IT executives can apply to govern system development and deployment in order to mitigate risks to an organization’s business or mission. The principles provide guidance to senior management to create an optimal environment for developing and operating trustworthy systems that are secure from unauthorized users and actions, reliable and safe in performance, resilient to unexpected conditions, and accurate in computations. After reading the Manifesto, executives are encouraged to become signatories, thereby demonstrating a willingness to create policies and practices to implement these principles within their organizations, and to encourage their adoption in other organizations. To become a signatory, visit https://www.omg.org/it-cisq/tsm/signatures.php.

 

Marc Jones volunteers his time to lead U.S. government outreach for CISQ. He is the Vice President of Public Sector at CISQ sponsor, CAST, where he works with public institutions to advance software intelligence.

 


Webinar: Trustworthy Systems Manifesto

 

Speaker: Dr. Bill Curtis, Executive Director, CISQ
Presented live on December 6, 2018

 

 

The Consortium for IT Software Quality (CISQ) has launched a Trustworthy Systems Manifesto.

 

As a greater portion of mission, business, and safety-critical functionality is committed to software-intensive systems, these systems become one of the largest sources of risk to enterprises and their customers. In an era of 9-digit glitches (IT incidents with damages over $100,000,000), corporate executives are responsible for managing software risk and need guidance for communicating their expectations and developing policy to ensure the business or mission is enabled by trustworthy systems.

 

This webinar will introduce the Trustworthy Systems Manifesto and discuss its 5 principles:

 

  1. Engineering discipline in product and process
  2. Quality assurance to risk tolerance thresholds
  3. Traceable properties of system components
  4. Proactive defense of the system and its data
  5. Resilient and safe operations

 

 

Watch the webinar on CISQ YouTube / Download the presentation

 

 

 

 

 

 

Gartner Identity & Access Management Summit

Date: December 3-5, 2018
Venue: Caesars Palace, 3570 Las Vegas Blvd South, Las Vegas, NV 89109
Website: https://gtnr.it/2CtOhVY
Special rate: CISQ members save $325 off the registration fee! Apply the code GARTOMG at registration

 

Discover IAM best practices: From cloud to consumer IAM and beyond

 

Businesses demand that IAM protect assets, ensure compliance and enable great customer experience the “digital way”: agile, efficient and customer-friendly. At Gartner Identity & Access Management Summit 2018, you’ll learn how to deliver successful IAM programs that take business wherever digital transformation leads.

 

Craft a robust cloud IAM strategy. Automate and simplify IAM processes for agility and efficiency. Meet changing customer needs with consumer IAM. Protect APIs and ramp up fraud protection. What’s the next step on your IAM journey?

 

Choose from 5 tracks designed to equip you for the next steps on your IAM journey.

  • IAM Strategy and Program Management
  • Identity Governance and Administration
  • Trust, Authentication and Fraud Prevention
  • Access Management and Authorization
  • Security, Risk and Privacy

 

CISQ announces new study: The Cost of Poor Software Quality in the US: A 2018 Report

 

This report was written by Herb Krasner, a member of CISQ’s Advisory Board. Herb spent many years at the University of Texas at Austin as Professor of Software Engineering, the Director of Outreach Services for the UT Center for Advanced Research in Software Engineering (ARiSE), and founder and CTO of the UT Software Quality Institute (SQI).

 

The report aggregates publicly available source material to arrive at a rough estimate of the cost of poor software quality in the United States today. This report fills a gap in our understanding of the financial implications of poor-quality software affecting society today and into the future.

 

In summary, the cost of poor quality software in the US in 2018 is approximately $2.8 trillion, the main components of which are outlined in the body of the report.  If we remove the future principal cost of technical debt, the total then becomes $2.26 trillion.

 

It was our intention to use this report as a starting point for a community discussion.  Recommendations for improving the situation are also described.

 


CISQ Seminar: Software Measurement Standards and Delivery Trends

 

 

The Consortium for IT Software Quality™ (CISQ™) heads to Bangalore on Friday, November 16. Attend this complimentary seminar to learn best practices for measuring and managing software quality and to hear the future of software delivery from industry thought leaders. While you are here, make sure to sign the new Trustworthy Systems Manifesto from CISQ containing 5 policy principles for ensuring secure and trustworthy software systems! Registration is now closed.

 

TOPICS DISCUSSED:

  • International standards for automating software size and structural quality measures

  • Advances in productivity measurement – challenges and solutions

  • Case study of measuring an Agile and DevOps transformation

  • Progress on applying machine learning to software quality

  • Capitalizing on the delivery capabilities of automation, RPA and AI

 

SPEAKERS:

  • Dr. Bill Curtis, Executive Director, CISQ
  • L. Ravichandran (“Ravi”), President and COO, Tech Mahindra
  • Anil Sane, VP, Global Head, Quality and Engineering, Tech Mahindra
  • Sabyasachi Mishra, AVP, Program Head, Transformation Office, Tech Mahindra
  • Malay Shah, Executive Director, TMT, Business Advisory Services, EY
  • Sanjeev Malhotra, CEO, Center of Excellence for IoT and AI, NASSCOM
  • Kashyap Kompella, CEO and Chief Analyst, rpa2ai
  • and more

 

VENUE:

 

Tech Mahindra Ltd.
ITC 5, 8th floor auditorium
Plot No. 45 – 47, KIADB Industrial Area
Phase – II, Electronic City
Bengaluru – 560100 (Karnataka) India
Phone: + 91 80 67807777

 

Arrival instructions: Entry of attendees will be from Gate 3. The attendees can get down near the front reception and cars will be parked in Tower 7 – Basement 2 or 3. TechM will have a driver on standby for valet parking.

 

If you have questions, please email CISQ program manager, Tracie Berardi, at tracie.berardi@it-cisq.org.

 

 
