Application development continues to get more complex, and because of that complexity, measuring, monitoring, and controlling what is happening both in-house and via outsourced development teams is very difficult. Predictability of system stability continues to be an issue as always, but with businesses relying so heavily on evolving application development for success and differentiation, it is imperative that these efforts become predictable and successful.

This is why application security is a tremendous issue in today's economy and continues to grow. Application security failures make news – big news. In the energy industry alone, multiple high-profile security failures have occurred over the last few years. Whether it is a directed attack like the unauthorized data access at New York State Electric & Gas and Rochester Gas and Electric or a virus like Stuxnet that infects industrial applications worldwide, security issues have created huge headaches for businesses.

At the root of a significant number of security breaches throughout businesses today – including those in the energy industry – are software failures stemming from poorly structured application software.

Yet in spite of security being a significant issue, market research firm IDC noted in its top 10 predictions for the industry that "companies will slowly move to fill security gaps with the help of vendors."

With security being the problem it is, not only should companies move more quickly to address the issue, but they also should take a more widespread view of their systems. Focusing solely on security vulnerabilities adds significant risk to applications. Design flaws account for more than 50% of security problems, according to "Software Security: Building Security In" by Gary McGraw, which is why architectural risk analysis plays a critical role in any solid software security program. Organizations need to look beyond security to the entire health of an application when considering its risk to the business and its ability to adapt and last throughout time.

Companies need to perform a code review that examines an application’s overall health, including security.

Structural soundness

Evaluating an application for its structural quality defects is critical since these defects are difficult to detect through standard testing, yet these are the most likely to cause operational problems such as outages, performance degradation, breaches by unauthorized users, or data corruption.

In conducting the largest study of application software health in history, CAST Research Labs compiled and analyzed more than 35 million lines of code across numerous energy companies. These results were incorporated into the annual CAST Report on Application Software Health (CRASH) that showed empirical evidence of a remarkably high number of structural quality issues among mission-critical business applications. Failing to follow good structural quality practices can cause issues that contribute to potentially high cost or risk in an application.

The amount of data, communications, and transactions executed by that software continues to increase significantly on a daily basis. The increase of software knowledge has brought a resurgence of security threats and infiltrations.

Although some software problems can be introduced into software intentionally, most of them happen accidentally through mistakes in application implementation, failing to adhere to standards, or from a lack of knowledge about best practices. While companies try to fend off potential attacks through data encryption, firewalls, and the like, catching these issues early before applications are deployed will save money and time and reduce risks.

Early and thorough detection

Finding defects as early as possible is a major reason why analysis of application source code itself is needed to determine potential vulnerabilities. If caught during the build process, these can be fixed more easily at reduced cost and lower risk.

Because many areas within software affect its internal quality, security is one facet of a thorough application quality inspection process that should also include:

  • Transferability – how easily a new team or team member can be productive when assigned to work on the application;
  • Changeability – how easily and quickly an application can be modified;
  • Robustness – the ability of an application to be changed without risk of failures or defects; and
  • Performance – performance issues of an application based on architectural designs and the appropriate risks in production.

These four characteristics plus security are the best measures of the inner health of an application.

Moreover, the external quality – the functionality and user experience – is dependent upon the internal quality of an application. When combined with security, analyzing these health factors gives management the overall view of the application's health and identifies areas at risk not only for security but for the future of the application in its entirety. Specifically, there is a significant complement between robustness, changeability, and security as well as across all of the application's health factors.

Comprehensive health check

Just as each of the health factors is made up of multiple measurements, each of the measurements is made up of several metrics. Some of them are specific to a language or technology, and others are more generic in nature. The metrics play a large part in understanding the application's "DNA," providing a detailed understanding about how the application works and how well best practices and standards are followed. There are hundreds if not thousands of known metrics in the discipline of software development, including those documented by standards bodies, vendors, and internal organizations responsible for an application's development.

There are inexpensive tools on the market today, some even being offered free of charge via open source, providing developers with a way to scan their code for health issues including security, but that is not enough.

Individual developers often do not care about the big picture, nor do they have insight into it, but management should be concerned with it. They need to ensure that applications do not become too complex, harder to maintain, insecure, etc. In addition, they need to be concerned about things that the "IDE Level Tools" do not generally look at. These tools are used by developers on pieces of code, not on the entire application, and do not provide any insight into the quality or issues of the entire application as it goes across all layers or even as pieces start to be plugged together.

For example, even to detect one of the most common security vulnerabilities like SQL Injection requires a detailed data flow analysis cutting across different layers of applications from user interface all the way to database. This cannot be achieved by looking at individual programs in isolation.
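An added illustration of this point, not part of the original article: a toy whole-program taint analysis in Python over a constructed three-layer application model (all function names are hypothetical). Checking each function in isolation reports nothing, while propagating user input across the call chain reaches the string-built SQL in the data access layer.

```python
# Constructed three-layer application model (hypothetical names): each entry
# lists the function's parameters, variables read from user input, calls it
# makes (callee, argument variables), and variables concatenated into SQL text.
APP = {
    "ui.search_handler": {"params": [], "sources": ["term"],
                          "calls": [("svc.find_customers", ["term"])], "sql_concat": []},
    "svc.find_customers": {"params": ["name"], "sources": [],
                           "calls": [("dao.query_by_name", ["name"])], "sql_concat": []},
    "dao.query_by_name": {"params": ["n"], "sources": [],
                          "calls": [], "sql_concat": ["n"]},
    "dao.query_by_id": {"params": ["cid"], "sources": [],
                        "calls": [], "sql_concat": []},  # uses bind parameters
}

def isolated_findings(app):
    """Per-file view: flag only when source and sink sit in the same function."""
    return sorted(f for f, d in app.items() if set(d["sources"]) & set(d["sql_concat"]))

def whole_program_findings(app):
    """Propagate taint across calls to a fixed point, then check every sink."""
    tainted = {f: set(d["sources"]) for f, d in app.items()}
    origin = {}  # (function, var) -> (caller, var), used to print the trace
    work = list(app)
    while work:
        caller = work.pop()
        for callee, args in app[caller]["calls"]:
            for param, arg in zip(app[callee]["params"], args):
                if arg in tainted[caller] and param not in tainted[callee]:
                    tainted[callee].add(param)
                    origin[(callee, param)] = (caller, arg)
                    work.append(callee)  # revisit: its own calls may now carry taint
    findings = []
    for f, d in app.items():
        for var in d["sql_concat"]:
            if var in tainted[f]:
                path, node = [], (f, var)
                while node:  # walk back from the sink to the user-input source
                    path.append(f"{node[0]}:{node[1]}")
                    node = origin.get(node)
                findings.append(" <- ".join(path))
    return sorted(findings)

if __name__ == "__main__":
    print("isolated:", isolated_findings(APP))
    print("whole program:", whole_program_findings(APP))
```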

It is for this reason and many others that, while these developer tools have their value, they are not enough. Companies need to implement a comprehensive and automated platform for application analysis and measurement to perform a 100% code review that looks across the entire application or system and provides management with the view of its overall health, including security.

Through the measurement of application development, using application health factors that show how well an application or overall system is constructed, a company can get a true assessment of its application health and determine where issues lie. More importantly, by integrating this analysis and measurement into the development cycle, quality and security can be built into the product rather than just testing for them as an afterthought.