“Really, the issue of software as a whole is essentially [that] software is still handmade. It’s developers getting together and still hammering it out by hand,” says ZapThink Senior Analyst Jason Bloomberg. He advocates XP (extreme programming) and “agile” software methodologies that “more tightly link developers to the users who will use the final product.”
Agile methodologies are specifically intended to ensure software meets business-side requirements, especially when requirements are changing, Bloomberg says. But the practice loses effectiveness when scaled beyond small project teams. “Often, the project is too large to have a small team of developers with some users on it,” he says. The requirements are too numerous and the repeated evaluation of applications by the business side becomes too heavy a burden.
Besides, many developers are naturally resistant to feedback. “To a large degree, developers still see themselves as artists,” says Alexander Falk, president and CEO of Altova, an XML tools developer. He stresses that software development should be more like engineering and less like art so that developers can be open to different approaches.
Getting the Business Side on Board
Management must be more attuned to software quality issues, says Jeff Klagenberg, director of product management at Reasoning, a code inspection service. “When you get to business management, there’s often a disconnect with the software development side and [the fact] that services and tools exist out there to make it easy to remove these defects,” Klagenberg says.
Apparently, word is getting out. Reasoning revenues have increased 50 percent or more each quarter this year, according to the company, and the number of lines of code inspected has increased more than 200 percent per quarter. The company’s prices start at 18 cents per line of Java, C, or C++ code examined in a process that mixes manual and automated techniques.
The business risks of lax inspection can be high. Through code assessments, Cigital customer MasterCard has uncovered security issues in applications, according to Simon Pugh, vice president of infrastructure and standards at MasterCard. “Certainly, as a result of their services, we have found and prevented a number of problems that otherwise would occur,” such as flaws in software that could have been exploited by a hacker, Pugh says. For example, in a smart-card application developed by a third-party company and subsequently analyzed by Cigital, the application contained a back door that would have allowed a rogue Web site to interact with a card and obtain a PIN number, he says.
Empirix, which provides load and performance testing, has found code problems such as e-commerce site users’ pages getting transposed so that each user received the other’s personal information, says Colin Mason, performance consultant in the Empirix hosted testing service group. In its testing of Web sites, the company always finds at least one problem, says Bob Eldridge, manager of remote hosted services at Empirix. “We have yet to test a site that didn’t have an issue with it before we started testing,” Eldridge says.