See how to Assess Your Application: https://www.castsoftware.com/use-cases/application-assessment
Assessing application development like the rest of the business
It is well overdue: application development and maintenance should be measured the same way as the rest of the business, based not just on how much work someone does but on how well they do it. Checking whether the code works as expected is only a single measurement. How easy the code will be to maintain over time, how readily it can change as the business changes, how quickly new team members can understand it and start working on it, and how easily the application can be tested are just some of the things we need to look at in order to understand the real quality of the work done by application development teams. When these measurements are combined with ways of counting the productivity (quantity) of development teams, we get a real understanding of how well the teams are performing and what return is being realized on the investment. These measurements can be applied both to in-house development organizations and to the work done by outsourcers.
The applications delivered by IT are a significant differentiator between competitors, and application delivery therefore needs to be managed as a core business process. Held to corporate standards, and no matter how or where the development work is done, it must be done well, and the resulting applications need to be able to withstand time.
2. CAST Confidential 2
Agenda
• Context & Objectives
• About CAST
• High level results
• Critical Violations focus
• Complexity & Documentation focus
• Architecture Analysis
• Detailed results
• Industry benchmark
• Summary and recommendations
• Appendix
Business Objective
NOVA is an application that manages the missions, time and invoicing of XXXX. It offers fairly complex management features that also include analysis and reporting.
NOVA was originally based on the XXX software package, which failed to win over users, mainly due to poor ergonomics. In 2006, the application was redeveloped in .NET. Although this new development builds on some components of the initial application, NOVA is now essentially a custom development.
XXX considers that the application works properly without any particular pain points. On the other hand, it evolves continuously: the team works in a continuous flow, with requests arriving as they come.
10 years after this rewrite, XXX wishes to take stock of the application and define a strategy for its future evolution.
• Objective of the initiative: study the durability of the application and define a target
− Where are the main risks on the application?
− How can we position ourselves for the future?
• To determine the main risks of the application, this assessment will review:
➢ Performance and Scalability of the application
➢ Robustness and Security of the application
➢ Maintainability of the code and the technical base
• This assessment is based on:
➢ The automated system-level analysis provided by CAST AIP
➢ An interpretation of the results by CAST personnel.
Summary of APPLICATION results
APPLICATION is a large application with 781,124 lines of code, whose total cyclomatic complexity corresponds to 163,205 test cases to cover the whole application.
APPLICATION shows a very high risk in Efficiency and high risks in Robustness and Security. Some improvements could be made on Changeability.
Transferability has a better score of 2.65, which indicates a good capability to handle team transfer / turnover.
The documentation ratio is good, with 33% of the lines of code commented (the industry average is 25%).
[Dashboard panels: Documentation Ratio "781,124 / 220,051 = 33%"; # Test Cases (Cyclomatic Complexity) 163,205; Short Term Risks, Maintainability, Sizing and Defects panels showing the scores 2.45, 2.21 / 4, 2.15 / 4, 1.84 / 4, 2.28 / 4 and 2.35 / 4.]
By Technology: T-SQL

Conformance to Best Practices
            Prog.   Arch.   Doc.
T-SQL       2,05    3,14    1,66

Health Factors
            TQI     Robu.   Eff.    Sec.    Trans.  Chng.
T-SQL       2,24    2,39    1,74    2,22    2,13    2,51

Summary
• The databases present a high level of risk on all health factors, and in particular on the performance of stored procedures.
• The SQL code carries more than 50% of the critical defects identified by CAST AIP (916 of 1,701).
• More than 70% of these defects are related to insufficient error handling in the stored procedures; 26% of them concern loops within SQL queries.
• Stored procedures have few comments, which strongly degrades the Documentation score.
• That being said, CAST AIP has not identified any calls to more than 1,000 stored procedures: they are either no longer used or are called by peripheral programs (e.g. batch processes).
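To make the first two findings concrete, the following is an added example, not code from the NOVA application or from CAST: a stored procedure written in the shape that the T-SQL rules listed later under "Critical Violations by Technology" flag (DML without error management, a cursor, and queries executed inside a loop), followed by a set-based rewrite with transaction control and a TRY/CATCH block, which is also the remedy the Overall Summary points at when it names "management of exceptions and transactions". The tables dbo.Mission, dbo.Invoice and dbo.ErrorLog and their columns are hypothetical, and THROW assumes SQL Server 2012 or later.

```sql
-- Added example (not code from the NOVA application or from CAST).
-- dbo.Mission, dbo.Invoice and dbo.ErrorLog are hypothetical tables.

-- BEFORE: the shape CAST AIP flags. DML with no error management, a cursor, and one
-- UPDATE plus one INSERT executed per fetched row (SQL queries inside a loop).
CREATE PROCEDURE dbo.usp_CloseMissions_Before
    @CutoffDate date
AS
BEGIN
    DECLARE @MissionId int;
    DECLARE mission_cur CURSOR LOCAL FAST_FORWARD FOR
        SELECT MissionId FROM dbo.Mission
        WHERE EndDate < @CutoffDate AND MissionStatus = 'OPEN';

    OPEN mission_cur;
    FETCH NEXT FROM mission_cur INTO @MissionId;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        UPDATE dbo.Mission SET MissionStatus = 'CLOSED' WHERE MissionId = @MissionId;
        INSERT INTO dbo.Invoice (MissionId, CreatedOn) VALUES (@MissionId, SYSDATETIME());
        -- With no transaction, each statement autocommits: if the INSERT fails, the
        -- mission is already closed without an invoice and the caller may never know.
        FETCH NEXT FROM mission_cur INTO @MissionId;
    END;
    CLOSE mission_cur;
    DEALLOCATE mission_cur;
END;
GO

-- AFTER: set-based, one transaction, explicit error management.
CREATE PROCEDURE dbo.usp_CloseMissions
    @CutoffDate  date,
    @ClosedCount int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;   -- a run-time error dooms the transaction instead of leaving it open

    DECLARE @Closed TABLE (MissionId int PRIMARY KEY);

    BEGIN TRY
        BEGIN TRANSACTION;

        -- One UPDATE for every qualifying row; OUTPUT collects the affected ids
        UPDATE dbo.Mission
           SET MissionStatus = 'CLOSED'
        OUTPUT inserted.MissionId INTO @Closed (MissionId)
         WHERE EndDate < @CutoffDate AND MissionStatus = 'OPEN';

        -- One INSERT for all the invoices of the rows just closed
        INSERT INTO dbo.Invoice (MissionId, CreatedOn)
        SELECT MissionId, SYSDATETIME() FROM @Closed;

        SELECT @ClosedCount = COUNT(*) FROM @Closed;

        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        IF XACT_STATE() <> 0
            ROLLBACK TRANSACTION;   -- both statements are undone together

        -- Record the failure for operations, then re-raise the original error so the
        -- caller sees it rather than a silently incomplete run.
        INSERT INTO dbo.ErrorLog (ProcedureName, ErrorNumber, ErrorMessage, LoggedOn)
        VALUES (ERROR_PROCEDURE(), ERROR_NUMBER(), ERROR_MESSAGE(), SYSDATETIME());
        THROW;
    END CATCH;
END;
GO

-- Usage
DECLARE @n int;
EXEC dbo.usp_CloseMissions @CutoffDate = '2016-12-31', @ClosedCount = @n OUTPUT;
SELECT @n AS MissionsClosed;
```

The rewrite removes the loop entirely, so the per-row UPDATE and INSERT that AIP counts as "SQL queries inside a loop" disappear together with the cursor, and because both statements now run inside one transaction under XACT_ABORT, a failure in the INSERT can no longer leave a mission closed without its invoice.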
Technology Inventory
Name        KLoC    Art.
Database    154     3120
TOTAL       154
[Technology breakdown chart: T-SQL 100%]

Violations
Name                        Value
Critical Violations         5
Number of violations        916
Defect Density in kLoC      5.95

[By Module chart]
Maintainability – VB.NET

Transferability: 2.84
Evaluates ease of appropriation / impact on productivity when the code of an application is taken over by a new team or collaborator.
Technical Criteria                                              Indic.
Documentation - Volume of Comments                              1.54
Documentation - Style Conformity                                1.64
Documentation - Naming Convention Conformity                    1.86
Dead code (static)                                              2.31
Architecture - Object-level Dependencies                        2.87
Complexity - Algorithmic and Control Structure Complexity       3.15
Complexity - SQL Queries                                        3.32
Documentation - Bad Comments                                    3.43
Volume - Number of LOC                                          3.65
Complexity - Dynamic Instantiation                              3.86
Complexity - OO Inheritance and Polymorphism                    3.98
Programming Practices - Structuredness                          4.00

Changeability: 2.93
Evaluates the ease and speed of changing an application.
Technical Criteria                                              Indic.
Architecture - Reuse                                            1.37
Documentation - Volume of Comments                              1.54
Documentation - Naming Convention Conformity                    1.86
Dead code (static)                                              2.31
Programming Practices - Modularity and OO Encapsulation Conformity   2.41
Architecture - Multi-Layers and Data Access                     2.71
Architecture - Object-level Dependencies                        2.87
Complexity - Algorithmic and Control Structure Complexity       3.15
Complexity - SQL Queries                                        3.32
Complexity - Dynamic Instantiation                              3.86
Complexity - OO Inheritance and Polymorphism                    3.98
Programming Practices - Structuredness                          4.00
Architecture - OS and Platform Independence                     4.00

Summary
• The primary issue is insufficient documentation
• Low rate of comments and poor adherence to coding style and naming conventions
• Quasi-nonexistent test code
• Complexity is well controlled in VB.NET
• The absence of a centralized data access layer degrades the architecture indicators related to data access
Complexity Distribution

                SQL       VB.NET    .NET
Base            1,523     15,519    18,393
Increasing      506       3,068     1,019
High            285       705       113
Very High       244       377       35

Summary
• The SQL code shows strong signs of application erosion, with 11.1% of components of high complexity and 9.5% of very high complexity.
• 40% of the stored procedures are not called by the Octave code, of which 80 stored procedures are called by an external scheduler (data import / export).
• The distribution of complexity is degrading on the VB.NET code (with 3.6% + 1.9%).
• Given that this code is 15 to 20 years old, this shows that the team has worked to control complexity drift.
• The complexity of the .NET code is well controlled (with 0.6% + 0.2%).
• This covers both recent code (Octave Web 7, less than 2 years old) and older code (Back Office .NET 4.5, more than 6 years old), and thus shows a good effort at control on the part of the team.

App Erosion
- Advanced with T-SQL
- In Progress with VB.NET
- Negligible with .NET
CAST recommends not exceeding complexity rates of 5-6%
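As an added worked example, not part of the CAST deck, the query below reproduces the percentages quoted in the summary from the distribution table and applies the 5-6% guideline; the mapping of that guideline onto the three erosion labels (above 6% advanced, 5% to 6% in progress, below 5% negligible) is an assumption made here, not a CAST definition.

```sql
-- Added example (not from the CAST deck): derive the high / very high complexity
-- shares quoted in the summary from the distribution table, then apply the 5-6% guideline.
WITH dist (Technology, Band, Components) AS (
    SELECT Technology, Band, Components
    FROM (VALUES
        ('SQL',    'Base', 1523),  ('SQL',    'Increasing', 506),  ('SQL',    'High', 285), ('SQL',    'Very High', 244),
        ('VB.NET', 'Base', 15519), ('VB.NET', 'Increasing', 3068), ('VB.NET', 'High', 705), ('VB.NET', 'Very High', 377),
        ('.NET',   'Base', 18393), ('.NET',   'Increasing', 1019), ('.NET',   'High', 113), ('.NET',   'Very High', 35)
    ) AS v (Technology, Band, Components)
),
shares AS (
    SELECT Technology,
           SUM(Components) AS TotalComponents,
           -- 100.0 forces decimal arithmetic; integer division would round every share to 0
           ROUND(100.0 * SUM(CASE WHEN Band = 'High'      THEN Components ELSE 0 END) / SUM(Components), 1) AS HighPct,
           ROUND(100.0 * SUM(CASE WHEN Band = 'Very High' THEN Components ELSE 0 END) / SUM(Components), 1) AS VeryHighPct
    FROM dist
    GROUP BY Technology
)
SELECT Technology,
       TotalComponents,
       HighPct,
       VeryHighPct,
       HighPct + VeryHighPct AS ComplexPct,
       -- Assumed mapping of the "do not exceed 5-6%" guideline onto the deck's three erosion labels
       CASE WHEN HighPct + VeryHighPct > 6.0  THEN 'Advanced'
            WHEN HighPct + VeryHighPct >= 5.0 THEN 'In Progress'
            ELSE 'Negligible'
       END AS Erosion
FROM shares
ORDER BY ComplexPct DESC;
```

Run on SQL Server, it returns 11.1% and 9.5% for SQL (2,558 components), 3.6% and 1.9% for VB.NET (19,669) and 0.6% and 0.2% for .NET (19,560), i.e. the figures the bullets cite, and makes visible that the VB.NET code sits on the edge of the recommended band while the SQL code is far beyond it.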
Back Office VB.NET – Drivers of Efficiency

Technical Criteria – Efficiency                                 Business    Cross-cutting
Efficiency - Expensive Calls in Loops                           2,42        3,58
Efficiency - SQL and Data Handling Performance                  3,63        3,10
Complexity - Dynamic Instantiation                              3,86        3,91
Complexity - SQL Queries                                        4,00        3,30
Efficiency (module score)                                       3,35        3,47

Summary
• Performance indicators are good in both modules
• In particular, the complexity and performance of SQL queries are well controlled
• The business module "VB.NET Octave" often calls "DoEvents" from inside a loop
− By yielding control too systematically, processing is suspended
− There are 160 critical "Expensive Calls in Loops" defects
• The use of "Variant" variables is also damaging
− This data type is less efficient and more memory intensive
− 19 critical defects for the "Dynamic Instantiation" criterion
Back Office VB.NET – Drivers of Robustness

Technical Criteria – Robustness                                 Business    Cross-cutting
Architecture - Reuse                                            1,38        1,34
Architecture - Multi-Layers and Data Access                     3,81        1,92
Dead code (static)                                              2,55        2,02
Architecture - Object-level Dependencies                        2,80        3,06
Complexity - Algorithmic and Control Structure Complexity       3,07        3,22
Complexity - Technical Complexity                               3,10        3,56
Programming Practices - Error and Exception Handling            3,68        3,28
Complexity - Dynamic Instantiation                              3,86        3,91
Complexity - OO Inheritance and Polymorphism                    3,99        3,91
Complexity - SQL Queries                                        4,00        3,30
Architecture - OS and Platform Independence                     4,00        4,00
Programming Practices - Structuredness                          4,00        4,00
Robustness (module score)                                       3,42        3,18

Summary
• The absence of a layer dedicated to data access prevents the structuring of the code
− SQL queries are scattered throughout the application (business classes, User Controls, screens) to access the data
• CAST AIP also detects a large amount of copied / pasted code ("Reuse" criterion)
− Defects in the original code are propagated into the copied code, which can lead to regressions if corrections are postponed
• The criteria related to complexity indicate the efforts made to master this complexity 20 years after the first developments
• The code also shows good error management practices
Back Office VB.NET – Internal Architecture
• The Back Office VB.NET (historical version) has a 2-tier architecture: Windows client + SQL Server
• There is no layer dedicated to database access
• The database is queried directly by the business classes but also by the "User Controls" and the screens themselves
• There are gateways between the Back-Office VB.NET and .NET (not shown here)
• The system runs on a secure TSE Windows server, sized and hosted by OCTAVE
Back Office VB.NET – Security & Scalability

Security: 3,38
Evaluates the system's ability to protect its internal state and data integrity.
Technical Criteria                                              Indic.
Architecture - Multi-Layers and Data Access                     2,71
Secure Coding - Encapsulation                                   3,60
Programming Practices - Error and Exception Handling            3,62
Architecture - OS and Platform Independence                     4,00

Efficiency: 3,25
Evaluates the effectiveness of the algorithms implemented in the system from the point of view of performance.
Technical Criteria                                              Indic.
Efficiency - Expensive Calls in Loops                           2,86
Efficiency - SQL and Data Handling Performance                  3,15
Complexity - SQL Queries                                        3,32
Complexity - Dynamic Instantiation                              3,86

Summary
• Use of the Back-Office VB.NET is subject to authentication of the user via the Resident
− The Resident runs on the client computer and connects the user to the TSE environment hosting the Back-Office
• The lack of a data access layer in the Back-Office VB.NET is detrimental to security in several respects
− Data integrity: the spread of SQL queries throughout the code poses a risk of misaligning business rules or deviating from the data model. Note: OCTAVE has a tool to automate the updating of data models and stored procedures.
− Protection against attacks: SQL queries are built by hand by concatenation, often incorporating external data provided by the user. This poses a risk of security breach by SQL injection. Note: the Back-Office is an application used by a restricted population on a secure infrastructure, which minimizes the risk.
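The concatenation pattern described in the last bullet, as an added example that is not code from NOVA or from CAST. The deck locates the concatenation in the VB.NET client; the example shows the same defect and its remedy in T-SQL dynamic SQL, which is the closest form that can be shown in one language here. The table dbo.Mission and its columns are hypothetical.

```sql
-- Added example (not code from the NOVA application or from CAST).
-- dbo.Mission and its columns are hypothetical.

-- BEFORE: the value supplied by the user is spliced into the statement text.
-- A quote in the input ends the literal early, so user data is parsed as SQL syntax.
CREATE PROCEDURE dbo.usp_FindMissions_Before
    @ClientName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT MissionId, ClientName, StartDate FROM dbo.Mission '
      + N'WHERE ClientName = ''' + @ClientName + N'''';
    EXEC (@sql);
END;
GO

-- AFTER: the statement text contains only developer-controlled fragments;
-- the user value travels separately as a typed parameter of sp_executesql.
CREATE PROCEDURE dbo.usp_FindMissions
    @ClientName  nvarchar(100),
    @SortByStart bit = 0
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT MissionId, ClientName, StartDate FROM dbo.Mission '
      + N'WHERE ClientName = @ClientName '
      -- the only dynamic part is chosen from two fixed strings, never taken from user text
      + CASE WHEN @SortByStart = 1 THEN N'ORDER BY StartDate' ELSE N'ORDER BY MissionId' END;

    EXEC sys.sp_executesql
        @sql,
        N'@ClientName nvarchar(100)',   -- parameter declaration for the dynamic batch
        @ClientName = @ClientName;      -- the value is bound, not interpolated
END;
GO

-- Constructed input: a client name that legitimately contains a quote.
-- The 'before' procedure fails with a syntax error (the literal closes at the
-- embedded quote); the 'after' procedure returns the missions of O'Brien.
EXEC dbo.usp_FindMissions_Before @ClientName = N'O''Brien';
EXEC dbo.usp_FindMissions        @ClientName = N'O''Brien', @SortByStart = 1;
```

In the VB.NET client the equivalent remedy is to pass user values as ADO.NET command parameters rather than splicing them into the command text; and when a query has no genuinely dynamic part, a plain parameterised statement with no EXEC or sp_executesql at all is the simplest and safest form. A data access layer that owns these statements is also where the "Multi-Layers and Data Access" criterion flagged above would be repaired.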
APPLICATION Benchmark
• Appmarq is by far the biggest repository of data about real IT systems. It is built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals (more than 2,500 applications registered).
[Figures shown: 740 applications, 457.37M lines of code, 87 organizations]
Security is a bigger focus for the industry than Changeability and Transferability.
Overall Summary

Positives
- In general, on all projects, there is respect for good programming practices and a visible effort to master the complexity of VB.NET and .NET programs.
- The replacement of the Back-Office VB.NET is well understood: there are gateways between the VB.NET code and the .NET code.
- The architecture of .NET projects corresponds to good practices and is well respected.
- The e-Commerce portal has good technical features: latest .NET framework, Elastic Search indexes, and use of external Web services.

To be reviewed / addressed
- The Back-Office VB.NET relies on an obsolete environment.
- The Back-Office requires the installation of a local component (Octave Resident) and the opening of connections to TSE.
- Databases have evolved significantly over the last 20 years, with a significant increase in the complexity of SQL processing.
- Robustness and Security share common areas of improvement: management of exceptions and transactions.
- Management of resources in loops (e.g. memory) and SQL processing are the main drivers of Performance.
- The code has few comments overall and unit tests are non-existent; however, the structuring of .NET developments is compatible with an efficient testing procedure.
Critical Violations by Technology

Technology   Critical Violation                                                              # of Violations
T-SQL        Avoid Procedures using an Insert, Update, Delete, Create Table or Select
             without including error management                                               665
T-SQL        Avoid using SQL queries inside a loop                                            188
T-SQL        Avoid Cursors inside a loop                                                       49
T-SQL        Avoid use of "truncate table"                                                     13
T-SQL        Avoid exists independent clauses                                                   1
.NET         Avoid instantiations inside loops                                                288
.NET         Avoid declaring public Fields                                                    154
.NET         Avoid cyclical calls and inheritances between namespaces content                 137
.NET         Avoid empty catch blocks                                                          58
.NET         Avoid using untyped DataSet                                                       18
.NET         The exception Exception should never been thrown. Always Subclass Exception
             and throw the subclassed Classes.                                                 17
.NET         Close SQL connection ASAP                                                          4
VB.NET       Utilization of "DoEvents" inside a loop                                          165
VB.NET       Avoid Variables declared as Variants                                              23