CAST Confidential
Deep-dive Structural Application Assessments
Powered by CAST
Deep-grained, standard-based, actionable assessments,
delivered by experts
Gerard Karsenti – SVP Northern Europe, MEA & Emerging at CAST
David Markey - Senior Consultant at CAST
Deck V1.0 November 28, 2017
Why perform In-depth structural assessments?
1st Reason: RISK prevention, or burning ISSUES to deal with
RISK can quickly translate into BURNING ISSUES
Software risk constantly on the rise:
✓ US companies losing $26.5 billion in revenue to downtime each year, and more to security breaches
✓ 580 IT incidents experienced per Fortune 500 business unit every year
✓ $1,650 revenue, cost, brand and regulatory impact per incident
✓ Cost of defects going through the roof: $600K average cost of a Severity-1 IT incident
✓ 81% of Fortune 500 companies reported security breaches
✓ $7M average total cost per security breach
✓ A security breach takes an average of 201 days to identify and 70 days to fix
Typical issues that may induce the need for a deep-dive assessment:
✓ Downtime, poor performance or security risk
✓ Excessive maintenance or run-time costs, or MIPS consumption
✓ Compliance with regulations such as GDPR, PCI or FDA rules
✓ Troubled projects
✓ Knowledge acquisition upon application transfers
The best course of action is prevention during development… But:
• QA in development is often basic and does not address RISK
• What about legacy & transformed apps?
• What about acquired software or companies?
• What about new compliance regulations?
Why perform In-depth structural assessments?
2nd Reason: Business DECISIONS to make
• Rapid transformation means many decisions to make
− 27% of executives rate digital transformation as a "matter of survival"
− 85% of enterprises feel they have a timeframe of 2 years to make significant transformation
• Decisions on risky, costly applications or projects, and on their sourcing
• Too often, functional aspects prevail to the detriment of structural factors such as risk, complexity, technical debt, changeability or transferability, or architecture soundness
Decision examples where structural aspects matter:
✓ Invest/Kill or Buy/Build
✓ Re-allocate resources
✓ Accept/Deny a release or an outsourced delivery
✓ Delay a Go Live
✓ Change sourcing or negotiate ADM costs
✓ Migrate to Cloud
✓ Perform forensics after a failure
✓ …
6 Requirements for sound decisions and effective actions
✓ Exhaustive assessments
Sampling is not accurate enough and not actionable enough (no complete list of action items).
Complex applications need exhaustive analysis.
✓ Unquestionable findings relying on standards
Risk or size evaluations must rely on standards to be objective and credible.
Assessment results must be auditable, so that they can be refuted or confirmed.
✓ Actionable conclusions
Findings must result from a deep-dive analysis taking into account the true complexity of modern business systems.
Pertinent findings can be enough for decision-making alone, but for problem resolution, root-cause analysis must result in the delivery of complete lists of action items.
6 Requirements for sound decisions and effective actions (continued)
✓ Prioritized
Expert-only reviews pinpoint the problem, not the complete solution.
Conversely, automated reviews often list tens of thousands of issues.
One needs impact-prioritized findings and action items to act effectively, all the more since 90% of severe issues originate in just 8% of violations.
✓ Enable benchmarking of risk or costs
Apples-to-apples comparison is a strong decision-making parameter.
Benchmarking of findings against similar applications is necessary:
CAST has a unique Health / Risk benchmarking DB.
ISBSG has the most complete Project / Costs open-source benchmarking DB.
✓ Repeatable
One-shot assessments can bring a lot of value.
Many situations also require progress monitoring over time.
Assessments should be repeatable in a cost-effective manner.
The Power of CAST Software Analysis & Measurement Technology
• Breadth & depth of analysis
• Result of $150M R&D investment
• Proven at 250 global corporations & major system integrators
• Relying on well-accepted, actionable standards
Deep-Dive Structural Assessments powered by CAST
The best ADM experts:
• From CAST
or/and
• From the best consultancies
Actionable insight into software structure, size and risk, and into the performance of ADM activities, for informed decision-making, risk prevention or mitigation, and cost reduction
The perfect combination for ADM decision-making and risk & cost reduction
The technology behind “powered by CAST” assessments
CAST Application Intelligence Platform
Delivered as an Assessment Service
Key “features” of a Deep-Dive Assessment
Depending on the use case, typically one of 7:
➢ Due Diligence for Business Decisions
➢ Costing & ADM Performance Benchmarking Audits
➢ Pre-Prod Risk Prevention
➢ Run or Maintenance Costs Optimization
➢ Audit / Mitigation of Troubled Project / Application
➢ GDPR, PCI or other Compliance Risk Mitigation
➢ Transferability Facilitation
Delivery of:
✓ Technical and functional sizing
✓ General Health & Risk metrics based on CISQ/OMG standards
✓ Relevant structural documentation and/or impact analysis
✓ Evaluation of compliance with the architecture design
✓ Business process risk evaluation
✓ Optimized recommended action plan (with quick wins)
✓ Health/Risk or Cost* benchmarking against similar applications
✓ CISQ Compliance Certification
Available in live CAST Dashboards, reports and exploration tools, AND in an executive findings PowerPoint report & action plan reports
* Cost benchmarking leveraging the ISBSG benchmarking DB is only available from a partner
Technical and Functional Sizing
QUESTIONS ASKED
➢ What budget should be assigned to the maintenance of this application?
➢ How complex is the code base of this application?
➢ How is complexity distributed across the code base?
NECESSARY INFORMATION
✓ For technical aspects, measure size in terms of lines of code (LOC) and cyclomatic complexity of methods and procedures.
✓ For functional aspects, measure size in terms of Automated Function Points (AFP).
REAL LIFE EXAMPLES
• Reducing maintenance costs of a multi-million line-of-code Banking Information System for an ISV:
• CAST measured the technical size of the application and identified dead code, re-use and refactoring opportunities in order to reduce the LOC under maintenance.
• Project sizing for transforming and modernizing a legacy client/server application for a French state agency:
• CAST measured the functional size of the various modules, identified re-use opportunities and estimated the effort to rewrite the other modules based on the AFP count.
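The technical-sizing measures named above (LOC and cyclomatic complexity per method, and how complexity is distributed) can be computed with a small static analysis. The script below is an added example written for this page, not CAST tooling or the page's own code; it sizes Python functions with the standard `ast` module, and the sample module `SAMPLE_SOURCE`, the `threshold` of 10 and the McCabe counting rules (1 + decision points) are assumptions chosen for the illustration.

```python
"""Technical sizing of a Python code base: lines of code (LOC) and cyclomatic
complexity per function, plus how complexity is spread across functions.

Added example, not CAST tooling. The sample module below is constructed.
Complexity follows McCabe's rule: 1 + number of decision points.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample module: one branchy function and one trivial one.
SAMPLE_SOURCE = '''
def lookup_rate(customer, products):
    rate = 0.0
    for p in products:
        if p.category == "loan" and p.amount > 10000:
            rate += 0.5
        elif p.category == "deposit" or p.amount < 100:
            rate += 0.1
        else:
            rate += 0.2
    return rate

def ping():
    return "pong"
'''


@dataclass(frozen=True)
class FunctionSize:
    name: str
    loc: int         # physical lines from the 'def' line to the last body line
    complexity: int  # cyclomatic complexity


class _DecisionCounter(ast.NodeVisitor):
    """Count decision points in one function body; nested defs are skipped
    because they are sized on their own."""

    def __init__(self) -> None:
        self.decisions = 0

    def _branch(self, node: ast.AST) -> None:
        self.decisions += 1          # one more path through the function
        self.generic_visit(node)

    # 'elif' is a nested If in the AST, so it is counted by visit_If.
    visit_If = visit_IfExp = visit_For = visit_AsyncFor = _branch
    visit_While = visit_ExceptHandler = visit_match_case = _branch

    def visit_BoolOp(self, node: ast.BoolOp) -> None:
        self.decisions += len(node.values) - 1   # 'a and b and c' -> 2 paths
        self.generic_visit(node)

    def visit_comprehension(self, node: ast.comprehension) -> None:
        self.decisions += 1 + len(node.ifs)      # the loop plus each 'if' filter
        self.generic_visit(node)

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        return

    visit_AsyncFunctionDef = visit_FunctionDef


def size_functions(source: str) -> dict[str, FunctionSize]:
    """LOC and cyclomatic complexity for every function in *source*."""
    sizes: dict[str, FunctionSize] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        counter = _DecisionCounter()
        for stmt in node.body:       # visit the body, not the def node itself
            counter.visit(stmt)
        loc = node.end_lineno - node.lineno + 1   # end_lineno needs Python 3.8+
        sizes[node.name] = FunctionSize(node.name, loc, 1 + counter.decisions)
    return sizes


def complexity_profile(sizes: dict[str, FunctionSize], threshold: int = 10) -> dict:
    """Distribution view: how much of the code sits in functions whose
    complexity exceeds *threshold* (10 is a common review cut-off)."""
    total_loc = sum(s.loc for s in sizes.values())
    hot = [s for s in sizes.values() if s.complexity > threshold]
    return {
        "functions": len(sizes),
        "total_loc": total_loc,
        "max_complexity": max((s.complexity for s in sizes.values()), default=0),
        "functions_over_threshold": len(hot),
        "loc_share_over_threshold": sum(s.loc for s in hot) / total_loc if total_loc else 0.0,
    }


if __name__ == "__main__":
    sizes = size_functions(SAMPLE_SOURCE)
    for s in sorted(sizes.values(), key=lambda s: -s.complexity):
        print(f"{s.name:<12} LOC={s.loc:<3} CC={s.complexity}")
    print(complexity_profile(sizes, threshold=5))
```

The distribution figure (`loc_share_over_threshold`) is the one that answers the budget question: a code base whose complexity is concentrated in a few large functions is maintained and tested differently from one where it is spread evenly, even at the same total LOC. Function points are not computed here; AFP counting needs the data-function and transaction model of the whole system, not a single file.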
General Health Assessment and Risk Control
QUESTIONS ASKED
➢ What risks does best-practice conformance (or non-conformance) introduce in this application?
➢ What action plan should be implemented to improve this application?
NECESSARY INFORMATION
✓ Assess conformance to best practices throughout the whole code base
✓ Provide KPIs for the health factors of interest
✓ Identify the most important gaps to best-practice compliance
✓ Target specific pain points
REAL LIFE EXAMPLES
• Performance issues in time-tracking and billing software for a global industrial company:
• CAST analyzed the source code of the application and identified improvement opportunities, especially in SQL and LINQ practices.
• Transformation and modernization of a core business application for an insurance company:
• CAST identified the main bad practices at source-code level that impacted the system's changeability: better conformance to best practices reduced the regression rate found during the integration phase and ultimately improved time-to-market.
Documentation and Impact Analysis
QUESTIONS ASKED
➢ How does this legacy application work internally?
➢ What are the main components?
➢ How are they organized and orchestrated?
NECESSARY INFORMATION
✓ Identify components (classes and methods, database tables, stored procedures…) and their relationships
✓ Identify core, shared components
REAL LIFE EXAMPLES
• Transformation and modernization of a core business application for an insurance company:
• CAST analyzed the system and provided tools to explore the component hierarchy and call graphs.
• This helped the development team get a better picture of technical processes and identify opportunities to refactor and rationalize components.
Conformance to Architecture Design
QUESTIONS ASKED
➢ Does the development team understand and respect the architecture guidelines and principles?
➢ Is there any security hole due to architectural flaws?
NECESSARY INFORMATION
✓ Map the application's concrete components (classes and methods, database tables, stored procedures…) to layers in the architecture model
✓ Identify unauthorized dependencies between layers
REAL LIFE EXAMPLES
• Transformation and modernization of a core business application for an insurance company:
• CAST mapped the application's components to layers in order to reverse-engineer the application and identify its main layers.
• This mapping also showed some components bypassing the Data Access Layer (DAL), thus exposing the system to SQL injection attacks: the DAL is where parameterized data access is centralized, so a component that goes around it builds and runs its own queries without those controls.
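The two checks this slide calls for (map components to layers and flag unauthorized dependencies, then look for the DAL-bypass pattern that exposes SQL injection) can be expressed as a small static rule set. The script below is an added example written for this page, not CAST's analyzer or the insurer's code; it works on Python modules parsed with `ast`. The three modules in `SOURCES`, the layer names in `LAYER_OF`, the `ALLOWED` call direction (UI may call Service, Service may call DAL, nothing else crosses layers) and the `DB_CALLS` method names are assumptions for a typical three-layer stack.

```python
"""Architecture conformance check: map modules to layers, flag dependencies
that skip a layer, and flag SQL statements assembled at run time or executed
outside the data access layer (DAL).

Added example, not CAST's analyzer. The three modules, the layer names and
the allowed-call rules are constructed for a typical UI / service / DAL stack.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed code base: dotted module name -> source text.
SOURCES = {
    "ui.orders_view": '''
from services import orders
from dal import db                     # skips the service layer

def show_order(order_id):
    # SQL built by concatenation, straight from the UI layer
    row = db.execute("SELECT * FROM orders WHERE id = " + order_id)
    return orders.render(row)
''',
    "services.orders": '''
from dal import orders_repo

def render(row):
    return orders_repo.to_dict(row)
''',
    "dal.orders_repo": '''
from dal import db

def find(order_id):
    # parameterised: the driver keeps data and SQL text apart
    return db.execute("SELECT * FROM orders WHERE id = ?", (order_id,))

def to_dict(row):
    return dict(row)
''',
}

# Layer model (assumed): top-level package -> layer, and who may call whom.
LAYER_OF = {"ui": "UI", "services": "Service", "dal": "DAL"}
ALLOWED = {"UI": {"Service"}, "Service": {"DAL"}, "DAL": set()}
DB_CALLS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Violation:
    module: str
    kind: str    # "unauthorized-dependency", "dal-bypass" or "dynamic-sql"
    detail: str
    line: int


def layer_of(module: str) -> str | None:
    return LAYER_OF.get(module.split(".")[0])


def imported_modules(tree: ast.AST) -> list[tuple[str, int]]:
    """Dotted names this module depends on, with the line of each import."""
    found: list[tuple[str, int]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.extend((a.name, node.lineno) for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.extend((f"{node.module}.{a.name}", node.lineno) for a in node.names)
    return found


def is_dynamic_sql(arg: ast.expr) -> bool:
    """True when the statement text is not a plain string literal, i.e. it is
    assembled at run time (f-string, concatenation, %-format, .format(), a
    variable) and may carry untrusted input into the SQL text."""
    return not (isinstance(arg, ast.Constant) and isinstance(arg.value, str))


def check_module(name: str, source: str) -> list[Violation]:
    tree = ast.parse(source)
    my_layer = layer_of(name)
    out: list[Violation] = []
    if my_layer is not None:
        for target, line in imported_modules(tree):
            target_layer = layer_of(target)
            if target_layer and target_layer != my_layer and target_layer not in ALLOWED[my_layer]:
                out.append(Violation(name, "unauthorized-dependency",
                                     f"{my_layer} -> {target_layer} via {target}", line))
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in DB_CALLS and node.args):
            continue
        if my_layer != "DAL":
            out.append(Violation(name, "dal-bypass",
                                 f".{node.func.attr}() called outside the DAL", node.lineno))
        if is_dynamic_sql(node.args[0]):
            out.append(Violation(name, "dynamic-sql",
                                 "statement text assembled at run time", node.lineno))
    return out


def check_code_base(sources: dict[str, str]) -> list[Violation]:
    return [v for name, src in sources.items() for v in check_module(name, src)]


if __name__ == "__main__":
    for v in check_code_base(SOURCES):
        print(f"{v.module}:{v.line:<3} {v.kind:<24} {v.detail}")
```

Only `ui.orders_view` is reported, with all three findings on it; the repository module is clean because its statement is a literal with a bound parameter. The `dynamic-sql` rule is deliberately conservative: a variable that holds a constant string elsewhere is flagged too, and a real analyzer would follow the data flow to drop that false positive. The layer rule, by contrast, is exact: an import edge either respects the allowed direction or it does not.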
Business Process Risk Control
QUESTIONS ASKED
➢ How are business processes implemented in this application?
➢ Which components take part in the business processes?
➢ What risks do the business processes carry?
NECESSARY INFORMATION
✓ Identify individual technical transactions
✓ Map technical transactions to business processes
✓ Identify the software components supporting technical transactions and assess their quality and level of risk
REAL LIFE EXAMPLES
• Performance issues in a payroll and time management system for a global ISV:
• CAST identified the technical transactions supporting payroll computation, from user-facing components to the payroll engine.
• Investigation of this business process showed that a cross-cutting component used by this process was also shared with the entire system, ultimately creating a bottleneck.
• Improving the component's concurrency support removed the bottleneck and improved performance.
Maximization of Action Plan Impact
QUESTIONS ASKED
➢ How can I cost-effectively prioritize the action plan and get maximum value for minimum budget?
➢ Are there any quick wins? What is the effort in the long run?
NECESSARY INFORMATION
✓ Identify all violations of best practices and estimate the criticality and impact of each violation on the whole system
✓ Estimate the effort required to fix, taking into account the context and complexity of each violation to be fixed
REAL LIFE EXAMPLES
• Due diligence conducted on a core-business application before acquisition by a global service provider:
• CAST identified gaps in terms of best-practice conformance and provided an estimate of the additional investment required to improve the application.
• Combined with sizing and architecture findings, such evidence helped the purchaser estimate the technical quality of the system and supported the negotiation discussions.
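The three preceding slides share one mechanism: a call graph (Documentation and Impact Analysis) from which technical transactions are enumerated and mapped to business processes (Business Process Risk Control), so that each violation can be weighted by how much of the system flows through it and ranked against its fix effort (Maximization of Action Plan Impact). The script below is an added example that does all three on a toy payroll system; it is not CAST's engine or the ISV's code. The call graph `CALLS`, the `ENTRY_POINTS` to business-process mapping, the `VIOLATIONS` list with its severities and effort estimates, and the scoring rule severity × impact / effort (impact being the number of transactions that traverse the component) are all constructed assumptions.

```python
"""Transaction mapping and an impact-prioritised action plan on a call graph.

Added example, not CAST's engine. The call graph, the mapping of entry points
to business processes, the violations and the scoring rule
(severity x impact / effort, where impact is the number of technical
transactions passing through the component) are constructed assumptions
for a small payroll system like the one in the slide.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed call graph: caller -> callees. Names starting with T_ are tables.
CALLS = {
    "PayrollScreen":    ["PayrollService"],
    "PayrollService":   ["PayrollEngine"],
    "PayrollEngine":    ["AuditLogger", "T_PAYROLL"],
    "TimesheetScreen":  ["TimesheetService"],
    "TimesheetService": ["AuditLogger", "T_TIMESHEET"],
    "ReportScreen":     ["ReportService"],
    "ReportService":    ["AuditLogger", "T_PAYROLL"],
    "AuditLogger":      ["T_AUDIT"],            # cross-cutting, shared by all
}
ENTRY_POINTS = {"PayrollScreen", "TimesheetScreen", "ReportScreen"}
PROCESS_OF_ENTRY = {
    "PayrollScreen": "Run payroll",
    "TimesheetScreen": "Record time",
    "ReportScreen": "Payroll reporting",
}


@dataclass(frozen=True)
class Violation:
    component: str
    rule: str
    severity: int    # 1 (low) .. 3 (critical)
    effort: float    # person-days to fix (constructed estimate)


VIOLATIONS = [
    Violation("AuditLogger", "global lock held across I/O", 3, 2.0),
    Violation("PayrollEngine", "unbounded result set", 2, 5.0),
    Violation("TimesheetService", "SQL built from user input", 3, 1.0),
    Violation("ReportService", "dead code", 1, 0.5),
]


@dataclass(frozen=True)
class PlanItem:
    violation: Violation
    impact: int                  # transactions that traverse the component
    processes: tuple[str, ...]   # business processes exposed to the violation
    score: float
    quick_win: bool


def transactions(calls: dict[str, list[str]], entry_points: set[str]) -> list[tuple[str, ...]]:
    """Every simple path from an entry point down to a data endpoint (T_*)."""
    found: list[tuple[str, ...]] = []

    def walk(node: str, path: list[str]) -> None:
        if node.startswith("T_"):
            found.append(tuple(path))
            return
        for callee in calls.get(node, []):
            if callee not in path:          # ignore recursive edges
                walk(callee, path + [callee])

    for entry in sorted(entry_points):
        walk(entry, [entry])
    return found


def impact_by_component(txns: list[tuple[str, ...]]) -> dict[str, int]:
    """How many transactions each component takes part in (propagation)."""
    impact: dict[str, int] = {}
    for txn in txns:
        for comp in set(txn):
            impact[comp] = impact.get(comp, 0) + 1
    return impact


def action_plan(calls, entry_points, violations, quick_win_days: float = 1.0) -> list[PlanItem]:
    """Rank violations by severity x impact / effort; flag cheap fixes as quick wins."""
    txns = transactions(calls, entry_points)
    impact = impact_by_component(txns)
    items = []
    for v in violations:
        exposed = sorted({PROCESS_OF_ENTRY[t[0]] for t in txns if v.component in t})
        imp = impact.get(v.component, 0)
        items.append(PlanItem(v, imp, tuple(exposed), v.severity * imp / v.effort,
                              v.effort <= quick_win_days))
    return sorted(items, key=lambda i: -i.score)


if __name__ == "__main__":
    for item in action_plan(CALLS, ENTRY_POINTS, VIOLATIONS):
        tag = "QUICK WIN" if item.quick_win else ""
        print(f"{item.score:5.1f}  {item.violation.component:<17} {item.violation.rule:<28}"
              f" impact={item.impact} processes={', '.join(item.processes)} {tag}")
```

On this graph `AuditLogger` is the shared, cross-cutting component of the slide: every one of the three business processes reaches it, so its lock problem outranks a more severe-looking defect that sits on a single path. The cheap SQL fix in `TimesheetService` still comes first because a critical finding with one day of effort is exactly what the quick-win question is asking for. The graph here is handed in as a dict; in a real assessment it is the product of the analyzer, and the scoring weights are something to agree with the client rather than fixed constants.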
Quality Benchmark
QUESTIONS ASKED
➢ How does this application compare to the market?
NECESSARY INFORMATION
✓ Gather objective and standardized KPIs based on the quality of the application's source code
✓ Compare the application's results to a significant repository containing the KPIs of other applications
REAL LIFE EXAMPLES
• Due diligence conducted on a core-business application before acquisition by a global service provider:
• Over the years, CAST has gathered quality metrics for several thousand applications and built the Appmarq repository.
• The quality KPIs computed by CAST on the application were submitted to Appmarq in order to benchmark the audited application against other applications, with analytics available by technology, by industry…
• This was another insight that helped the customer decide whether or not to buy the audited application.
2 types of Deep-Dive assessment powered by CAST
Structural Deep-Dive Assessment (direct from CAST, or from a partner)
• Focused on the structural aspects of the decision or problem
• Based essentially on static analysis and on the CAST product and skill set
• Key contribution to the 7 use cases listed
360° Assessment (ONLY from partner consultancies)
• Broader-scope assessment
• May encompass broader technical AND functional/business aspects
• May encompass costing and benchmarking audits
• On the technical side, may incorporate multiple aspects:
− CAST deliverables are one input among several
− Ex.: for performance issues, may combine static and dynamic assessment
What you get
✓ CAST Dashboards (3-month duration) & reports
✓ PowerPoint report & live presentation
Key findings
Detailed analysis of major issues or decision-support points
Recommendations or suggested action plan if appropriate
Minimum 50-slide deck
Management dashboards
Technical dashboards or reports
Benchmark report
Ad hoc report or action plan / use case
Live Dashboards to Explore
CAST AAD for Execs: login/pswd CIO/cast (case sensitive).
AED for Architects & SMEs: login/pswd architect/cast (case sensitive).
How
Project Steps & Duration
✓ 3 Steps:
➢ Preparation: code delivery & kick-off
➢ Analysis & interviews
➢ Investigation based on analysis results & recommendations
✓ Usually a 6-week project
Detailed schedule (timeline chart from T0 to T0+8 weeks; the figure after each step is the duration shown on the original chart, whose unit is not stated):
Step 1: Kick-off & source code delivery: 1
Step 2: Functional & architecture interviews (incl. travel): 3
Step 3: Automated analysis (analyzer setup & operation): 6.5
Step 4: Code review & architecture audit: 14.5
Step 5: Finalization & presentation (incl. travel): 5
Step 6: Technical accompaniment (Q&A): 2
Milestones: code & documentation delivery (OP); intermediate presentation (CAST); report delivery (CAST)
Prerequisites
✓ Complete source code availability
✓ Code preferably transferable off-premise to the CAST secure platform, under NDA
✓ On-premise Deep-Dive can be done (less efficient & more expensive)
To learn more on Deep-Dives
✓ Ask for an anonymized sample result presentation
✓ Contact us to discuss your specific assessment needs: emma.jensen@castsoftware.com
✓ Explore one of the deliverables: CAST Dashboards
✓ Learn more about CISQ/OMG standards for sizing and software quality/risk:
http://it-cisq.org/
https://en.wikipedia.org/wiki/CISQ
About CAST and its Ecosystem
CAST BY THE NUMBERS
• Almost $180M investment in R&D
• 250+ customers worldwide
• 25+ years of software analytics experience
measuring some of the most complex IT
systems in the industry
• Traded on Euronext Paris
• Offices in US, Europe, India, China
Editor’s Choice Award: A Top-10
Company to Watch
CAST Named “Cool Vendor” by
Leading Analyst Firm
“CAST is the de facto
standard for measuring
quality and productivity
of application services”
“CAST is at the forefront of
standards adoption for robustness,
security, maintainability, and
automated function points from
code”
“CAST is the leader in the
business IT space”
“CAST is the leading
technology of its kind”
250+ Enterprise Customers count on CAST
Consulting Firms recommend CAST
Global SIs' ADM Delivery relies on CAST
Global SIs provide services Powered by CAST
CAST technology delivers key insight about software health, risk, functional & technical sizes, and ADM
performance of internal or outsourced teams; based on automated analysis of application source code.
Better decisions, lower risk, increased management control and higher ADM effectiveness and efficiency.
CAST Application Intelligence Products & Services
CAST HIGHLIGHT: Ultra-fast Portfolio Assessment
• SaaS, Cloud based
• Source code analyzed where it resides
• Rapid portfolio analysis
• Portfolio continuous monitoring
CAST AIP - APPLICATION INTELLIGENCE PLATFORM: Deep-dive actionable Insight into Key Applications
• Software flaw detection
• Architectural analysis and blueprinting
• Critical violation drill down
• Propagation risk
• Standards-based software metrics
• Automated function points
• Trend analysis
• Transaction risk
Global Benchmarking of Software (the Appmarq repository)
• Approx. 2,300 apps and 3 billion LoC
• Query by industry, technology & geo
• CRASH Annual Report
• CAST Research Labs
• Custom benchmarks
CAST value is delivered through 3 solutions
✓ Ultra-fast Assessment of Application Portfolios (SaaS)
• Key metrics on application sizes, risk, complexity, technical debt, cloud readiness
• Combined with business or technology factors: business criticality, sourcing, technologies…
• Cloud service delivered in weeks with a very low footprint
• One-shot portfolio baselining or on-going monitoring
✓ Deep-Dive Assessments of Critical Business Applications (SaaS)
• Health/Risk structural assessment, functional/technical sizing, structural documentation
• Deliverable combines reports; risk prevention or remediation plans; access to CAST dashboards; expert advice
• Delivered by CAST or by your advisory consultancy of choice
✓ Application Intelligence Platform for Enterprise Software Analytics & Risk Prevention (Software or Managed Service)
• Same metrics as in Deep-Dive assessments, available for continuous use on all key applications
• Multiple dashboards & tools fit for all stakeholders, from CIO to technical SME
• Delivered from a COE, operated by the client, CAST or a partner
Questions?