Ensuring Code Resiliency and Maintainability in CI/CD
Agile development, DevOps, and CI/CD enable organizations to quickly publish and deliver modern applications. But ever-accelerating timelines for new apps or new layers of functionality make it difficult to balance the quality of delivery with speed. The Consortium for IT Software Quality reported that the cost of poor quality software in the US in 2018 was approximately $2.84 trillion (2019 Benchmark Report: Through the SIG Looking Glass).
OutSystems and Software Improvement Group (SIG) recently announced a partnership that will enable customers to deliver high-quality, secure applications and features to meet today’s accelerated timelines. I recently had an opportunity to ask the team at SIG some questions about their solution and market trends. These are the answers.
SIG offers customers “deep code visibility.” How does this add value in software projects?
SIG provides actionable advice on how and where to improve software. We help organizations reduce their software costs, eliminate security issues, improve reliability and scalability, and increase their speed of development. We provide guidance on other relevant software assurance topics, like cloud migration, moving away from legacy code or improving architecture. We do this using a unique combination of technology, through our software assurance platform, Sigrid®, and focused consulting services.
Our approach to improving software differs from others in a few fundamental ways. First of all, SIG analyzes and measures all of the code, driven by Sigrid. What really sets SIG apart here are the underlying scientific models that are accredited by TÜViT every year, making SIG the only software laboratory in the world for ISO 25010 software quality assurance. This allows SIG to factually benchmark systems against our software analysis database, which contains more than 25 billion lines of code, making it the largest in the world. Finally, this factual software assurance data is then augmented by our software engineering experts to make the outcome truly actionable for developers, architects, application portfolio managers and C-level leadership.
What services and technology do you offer for checking code quality? Why is that important for organizations?
We provide software quality assurance for more than 275 technologies, which are all supported by Sigrid. When customers start with Sigrid for one technology, they can seamlessly extend the analysis to others and add more systems to their portfolio.
In addition to ISO 25010 maintainability, other quality aspects can also be covered by SIG, such as security, reliability and performance efficiency. When you start with monitoring ISO 25010 maintainability, you can seamlessly extend Sigrid to monitor other aspects as well. The real value SIG brings here is the combination of technology and consultancy: our experts can put findings into the perspective of the business and purpose. Not all applications require the same level and breadth of quality assurance, and that’s why Sigrid allows you to make more granular subscriptions and grow these services over time when needed.
SIG has been offering customers independent software quality analysis since 2000. In an industry where many companies don’t last more than a decade, what has been the secret to this longevity?
Based on our independent position, we’ve built long-term cooperation with many enterprise customers. We also often see that when senior IT executives change jobs, they continue working with us at their new companies. This has led us to organically expand internationally to the USA and Asia. We recently opened an office in New York to further support our clients there. Another reason SIG has long-standing relationships is that our advice covers large parts of the IT landscape and takes a long-term view. That makes a continuing engagement beneficial for the client.
In May 2019, you announced Sigrid, your “software assurance with a service platform.” What does Sigrid offer that makes it unique? Do your customers automate the usage of Sigrid in their pipelines? Why?
Sigrid has a couple of elements that make it unique. First, the software quality measurement is based on a benchmark of more than 25 billion lines of code, so it reflects quality based on the actual industry status. The quality measurements are done according to ISO 25010, for which we have been TÜViT certified. Our software laboratory is ISO 17025 certified, which means our measurements are reliable and repeatable.
In addition, the coverage of effectively any technology (if Sigrid doesn’t support it yet, we will add it to the 275 technologies covered already) and any non-functional quality aspect allows you to use it for all applications in your portfolio. It also makes it possible to learn about dependencies and hotspots in your application landscape and architecture. Last but not least, Sigrid allows clients to easily combine self-service with assistance from the SIG specialists and/or SIG certified partners.
We see more and more clients using Sigrid as part of their CI/CD pipeline to proactively make sure the quality of the software is as required.
What about security? How does your technology help customers address their security concerns?
Sigrid offers two different types of security solutions:
- Sigrid measures out-of-the-box dependencies from open source components used in your application or applications.
- Other security vulnerabilities can be measured with third-party tools and reported back in Sigrid by SIG specialists, SIG certified partners, or both. Sigrid can help small to large enterprises with strong security control at the application portfolio level. Especially in cases where the company lacks the required expertise, Sigrid allows for full code security coverage powered by security specialists from SIG and/or SIG certified partners.
Can you share some of the trends you are seeing that are fueling the growth of static code analysis?
Companies are becoming increasingly dependent on all kinds of technology, often without knowing if the applications are trustworthy. As an independent advisor, SIG makes this transparent and demonstrates with facts how investing in code quality brings concrete benefits to reliability, security and reduced time to market. The deep code analysis, in combination with the expertise from SIG, helps to make the improvements as effective and efficient as possible, while executing this in a transparent and controlled fashion.
Another driver is the need for clean code to address security by design. We’re seeing more and more cyberattacks on governments and enterprises, which requires strong focus and attention on prevention. If applications score low on maintainability according to ISO 25010, the risk for security threats in general is higher. In the case of a security breach, it also takes more time to repair and retain security. This means more and more enterprises are proactively and preventively focusing on deep code analysis to secure their assets.
What use cases have you seen where low-code and static code analysis excelled when used together?
Low-code has enormous potential, as seen by the significant uptake of low-code technologies in past years.* Low-code development, however, is still software engineering, and although it can be easily adopted by less technical users, the same proper software engineering practices, requirements, and tooling should be employed. That way, the low-code advantage can be realized in the long term.
Sigrid for OutSystems will allow customers to carefully monitor the quality of their applications and address optimizations immediately, as required. That will allow for customer success and maximum return on the investment made in the low-code technology.
Another use case is using the deep code analysis to quickly assess legacy applications and produce a cost-estimation model for refactoring or replacing them. This allows for a smart, fact-based approach to gradually upgrading the portfolio - while balancing the optimization and life cycle of legacy applications with creating agility and new functionality using low-code applications.
How do you see the partnership benefitting joint customers of SIG and OutSystems?
The partnership between SIG and OutSystems grew out of the increasing number of requests we received from joint customers who wanted to extend their quality assurance to OutSystems applications in the same way they were already doing for their applications in other technologies. The partnership now makes it easy for customers to have their applications measured by SIG and reported via Sigrid, as this has been fully automated. The broad coverage SIG provides, also in terms of geographical coverage, will allow customers to scale whenever and wherever they need to.