Software quality
In the context of software engineering, software quality refers to two related but distinct notions that exist wherever quality is defined in a business context:
  • Software functional quality reflects how well it complies with or conforms to a given design, based on functional requirements or specifications. That attribute can also be described as the fitness for purpose of a piece of software or how it compares to competitors in the marketplace as a worthwhile product;
  • Software structural quality refers to how it meets non-functional requirements that support the delivery of the functional requirements, such as robustness or maintainability, the degree to which the software was produced correctly.


Structural quality is evaluated through the analysis of the software inner structure, its source code, in effect how its architecture adheres to sound principles of software architecture. In contrast, functional quality is typically enforced and measured through software testing.

Historically, the structure, classification and terminology of attributes and metrics applicable to software quality management have been derived or extracted from the ISO 9126-3 and the subsequent ISO 25000:2005 quality model. Based on these models, the software structural quality characteristics have been clearly defined by the Consortium for IT Software Quality (CISQ), an independent organization founded by the Software Engineering Institute (SEI) at Carnegie Mellon University, and the Object Management Group (OMG).

CISQ has defined 5 major desirable characteristics needed for a piece of software to provide business value: Reliability, Efficiency, Security, Maintainability and (adequate) Size.

Software quality measurement is about quantifying to what extent a piece of software or system rates along each of these five dimensions. An aggregated measure of software quality can be computed through a qualitative or a quantitative scoring scheme or a mix of both, and then a weighting system reflecting the priorities. This view of software quality being positioned on a linear continuum has to be supplemented by the analysis of Critical Programming Errors that under specific circumstances can lead to catastrophic outages or performance degradations that make a given system unsuitable for use regardless of its rating based on aggregated measurements.

Motivation for Defining Software Quality

"A science is as mature as its measurement tools" (Louis Pasteur), and software engineering has evolved to a level of maturity that makes it not only possible but also necessary to measure software quality for at least two reasons:
  • Risk Management: Software failure has caused more than inconvenience. Software errors have caused human fatalities. The causes have ranged from poorly designed user interfaces to direct programming errors. An example of a programming error that led to multiple deaths is discussed in Dr. Leveson's paper. This resulted in requirements for the development of some types of software, particularly and historically for software embedded in medical and other devices that regulate critical infrastructures: "[Engineers who write embedded software] see Java programs stalling for one third of a second to perform garbage collection and update the user interface, and they envision airplanes falling out of the sky." In the United States, within the Federal Aviation Administration (FAA), the Aircraft Certification Service provides software programs, policy, guidance and training, with a focus on software and Complex Electronic Hardware that has an effect on the airborne product (a "product" is an aircraft, an engine, or a propeller).
  • Cost Management: As in any other field of engineering, an application with good structural software quality costs less to maintain and is easier to understand and change in response to pressing business needs. Industry data demonstrate that poor application structural quality in core business applications (such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) or large transaction processing systems in financial services) results in cost and schedule overruns and creates waste in the form of rework (up to 45% of development time in some organizations). Moreover, poor structural quality is strongly correlated with high-impact business disruptions due to corrupted data, application outages, security breaches, and performance problems.


However, the distinction between measuring and improving software quality in an embedded system (with emphasis on risk management) and software quality in business software (with emphasis on cost and maintainability management) is becoming somewhat irrelevant. Embedded systems now often include a user interface, and their designers are as much concerned with issues affecting usability and user productivity as their counterparts who focus on business applications. The latter are in turn looking at ERP or CRM systems as a corporate nervous system whose uptime and performance are vital to the well-being of the enterprise. This convergence is most visible in mobile computing: a user who accesses an ERP application on their smartphone is depending on the quality of software across all types of software layers.

Both types of software now use multi-layered technology stacks and complex architecture, so software quality analysis and measurement have to be managed in a comprehensive and consistent manner, decoupled from the software's ultimate purpose or use. In both cases, engineers and management need to be able to make rational decisions based on measurement and fact-based analysis in adherence to the precept "In God (we) trust. All others bring data" ((mis-)attributed to W. Edwards Deming and others).

Definition

Even though (as noted in the article on quality in business) "quality is a perceptual, conditional and somewhat subjective attribute and may be understood differently by different people," software structural quality characteristics have been clearly defined by the Consortium for IT Software Quality (CISQ), an independent organization founded by the Software Engineering Institute (SEI) at Carnegie Mellon University, and the Object Management Group (OMG). Under the guidance of Bill Curtis, co-author of the Capability Maturity Model framework and CISQ's first Director, and Capers Jones, CISQ's Distinguished Advisor, CISQ has defined 5 major desirable characteristics of a piece of software needed to provide business value (see CISQ 2009 Executive Forums Report). In the House of Quality model, these are "Whats" that need to be achieved:
  • Reliability: An attribute of resiliency and structural solidity. Reliability measures the level of risk and the likelihood of potential application failures. It also measures the defects injected due to modifications made to the software (its “stability” as termed by ISO). The goal for checking and monitoring Reliability is to reduce and prevent application downtime, application outages and errors that directly affect users, and enhance the image of IT and its impact on a company’s business performance.
  • Efficiency: The source code and software architecture attributes are the elements that ensure high performance once the application is in run-time mode. Efficiency is especially important for applications in high execution speed environments such as algorithmic or transactional processing where performance and scalability are paramount. An analysis of source code efficiency and scalability provides a clear picture of the latent business risks and the harm they can cause to customer satisfaction due to response-time degradation.
  • Security: A measure of the likelihood of potential security breaches due to poor coding and architectural practices. This quantifies the risk of encountering critical vulnerabilities that damage the business.
  • Maintainability: Maintainability includes the notion of adaptability, portability and transferability (from one development team to another). Measuring and monitoring maintainability is a must for mission-critical applications where change is driven by tight time-to-market schedules and where it is important for IT to remain responsive to business-driven changes. It is also essential to keep maintenance costs under control.
  • Size: While not a quality attribute per se, the sizing of source code is a software characteristic that obviously impacts maintainability. Combined with the above quality characteristics, software size can be used to assess the amount of work produced and to be done by teams, as well as their productivity through correlation with time-sheet data and other SDLC-related metrics.


Software functional quality is defined as conformance to explicitly stated functional requirements, identified for example using Voice of the Customer analysis (part of the Design for Six Sigma toolkit and/or documented through use cases) and the level of satisfaction experienced by end-users. The latter is referred to as usability and is concerned with how intuitive and responsive the user interface is, how easily simple and complex operations can be performed, and how useful error messages are. Typically, software testing practices and tools ensure that a piece of software behaves in compliance with the original design, planned user experience and desired testability, i.e. a software's disposition to support acceptance criteria.

The dual structural/functional dimension of software quality is consistent with the model proposed in Steve McConnell's Code Complete, which divides software characteristics into two pieces: internal and external quality characteristics. External quality characteristics are those parts of a product that face its users, whereas internal quality characteristics are those that do not.

Alternative Approaches to Software Quality Definition

One of the challenges in defining quality is that "everyone feels they understand it", and other definitions of software quality could be based on extending the various descriptions of the concept of quality used in business (see a list of possible definitions here).

Dr. Tom DeMarco has proposed that "a product's quality is a function of how much it changes the world for the better." This can be interpreted as meaning that functional quality and user satisfaction are more important than structural quality in determining software quality.

Another definition, coined by Gerald Weinberg in Quality Software Management: Systems Thinking, is "Quality is value to some person." This definition stresses that quality is inherently subjective - different people will experience the quality of the same software very differently. One strength of this definition is the questions it invites software teams to consider, such as "Who are the people we want to value our software?" and "What will be valuable to them?"

Software Quality Measurement

Although the concepts presented in this section are applicable to both Software Structural and Functional Quality, measurement of the latter is essentially performed through testing; see main article: Software Testing.

Introduction

Software quality measurement is about quantifying to what extent a piece of software or system possesses desirable characteristics. This can be performed through qualitative or quantitative means or a mix of both. In both cases, for each desirable characteristic, there is a set of measurable attributes whose presence in a piece of software or system tends to be correlated and associated with this characteristic. For example, an attribute associated with portability is the number of target-dependent statements in a program. More precisely, using the Quality Function Deployment approach, these measurable attributes are the "Hows" that need to be enforced to enable the "Whats" in the Software Quality definition above.

The structure, classification and terminology of attributes and metrics applicable to software quality management have been derived or extracted from the ISO 9126-3 and the subsequent ISO 25000:2005 quality model. The main focus is on internal structural quality. Subcategories have been created to handle specific areas like business application architecture and technical characteristics such as data access and manipulation or the notion of transactions.

The dependence tree between software quality characteristics and their measurable attributes is represented in the diagram on the right, where each of the 5 characteristics that matter for the user (right) or owner of the business system depends on measurable attributes (left):
  • Application Architecture Practices
  • Coding Practices
  • Application Complexity
  • Documentation
  • Portability
  • Technical & Functional Volume

Code-Based Analysis of Software Quality Attributes

Many of the existing software measures count structural elements of the application that result from parsing the source code, such as individual instructions (Park, 1992), tokens (Halstead, 1977), control structures (McCabe, 1976), and objects (Chidamber & Kemerer, 1994).
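As an added example (not from the article, and not CISQ's or any vendor's tooling), the following Python program computes the kinds of code-based measures just named, lines of code, Halstead operator/operand counts and McCabe cyclomatic complexity, over a constructed sample module using the standard-library ast module; the AST-level tokenisation and the complexity threshold for "hotspots" are simplifying assumptions.

```python
import ast
from dataclasses import dataclass

# Constructed sample module (not from the article): a straight-line
# function and one with nested decisions, to exercise each measure.
SAMPLE_SOURCE = '''
def clamp(x, lo, hi):
    if x < lo:
        return lo
    if x > hi:
        return hi
    return x

def classify(values):
    counts = {"neg": 0, "zero": 0, "pos": 0}
    for v in values:
        if v < 0 and v != -1:
            counts["neg"] += 1
        elif v == 0 or v == -1:
            counts["zero"] += 1
        else:
            counts["pos"] += 1
    return counts
'''

# Control structures that each open one more independent path (McCabe).
_DECISION_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp)
# Statement-level constructs counted as Halstead operators, alongside the
# arithmetic, comparison and boolean operator nodes handled separately.
_OPERATOR_NODES = (ast.If, ast.For, ast.While, ast.Return, ast.Assign,
                   ast.AugAssign, ast.Call, ast.Subscript, ast.Attribute)


@dataclass(frozen=True)
class FunctionMetrics:
    name: str
    cyclomatic: int   # McCabe: decision points + 1
    n1: int           # distinct operators (Halstead)
    n2: int           # distinct operands
    N1: int           # total operator occurrences
    N2: int           # total operand occurrences


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """1 + number of decision points; an 'elif' is a nested If and counts."""
    decisions = 0
    for node in ast.walk(func):
        if isinstance(node, _DECISION_NODES):
            decisions += 1
        elif isinstance(node, ast.BoolOp):
            decisions += len(node.values) - 1   # each extra and/or operand
        elif isinstance(node, ast.comprehension):
            decisions += 1 + len(node.ifs)
    return decisions + 1


def halstead_counts(func: ast.FunctionDef) -> tuple:
    """(n1, n2, N1, N2) from a simplified AST-level tokenisation."""
    operators, operands = [], []
    for node in ast.walk(func):
        if isinstance(node, (ast.operator, ast.unaryop, ast.boolop, ast.cmpop)):
            operators.append(type(node).__name__)     # Add, Lt, And, ...
        elif isinstance(node, _OPERATOR_NODES):
            operators.append(type(node).__name__)     # If, Return, Call, ...
        elif isinstance(node, ast.Name):
            operands.append(node.id)
        elif isinstance(node, ast.arg):
            operands.append(node.arg)
        elif isinstance(node, ast.Constant):
            operands.append(repr(node.value))
    return len(set(operators)), len(set(operands)), len(operators), len(operands)


def lines_of_code(source: str) -> int:
    """Physical LOC: non-blank lines that are not pure comments."""
    return sum(1 for ln in source.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#"))


def analyse(source: str, complexity_threshold: int = 10) -> dict:
    """Per-function metrics plus discrete hotspots (threshold is an assumption).

    A single over-complex function is reported on its own rather than
    averaged away, mirroring the text's point that an aggregate score must
    be supplemented by the identification of discrete critical issues."""
    functions = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            n1, n2, N1, N2 = halstead_counts(node)
            functions.append(FunctionMetrics(
                node.name, cyclomatic_complexity(node), n1, n2, N1, N2))
    return {
        "loc": lines_of_code(source),
        "functions": functions,
        "hotspots": [f.name for f in functions
                     if f.cyclomatic > complexity_threshold],
    }
```

Counting from the AST rather than the lexer undercounts punctuation operators relative to Halstead's original definition, so treat the operator and operand totals as relative measures between functions, not as comparable to published Halstead figures.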

Software quality measurement is about quantifying to what extent a piece of software or system rates along these dimensions. The analysis can be performed using a qualitative or quantitative approach or a mix of both to provide an aggregate view (using for example weighted average(s) that reflect the relative importance of the factors being measured).

This view of software quality on a linear continuum has to be supplemented by the identification of discrete Critical Programming Errors. These vulnerabilities may not fail a test case, but they are the result of bad practices that under specific circumstances can lead to catastrophic outages, performance degradations, security breaches, corrupted data, and myriad other problems (Nygard, 2007) that make a given system de facto unsuitable for use regardless of its rating based on aggregated measurements. A well-known example is the Common Weakness Enumeration at http://cwe.mitre.org/ (Martin, 2001), a repository of source-code weaknesses that leave applications exposed to security breaches.

The measurement of critical application characteristics involves measuring structural attributes of the application's architecture, coding and in-line documentation, as displayed in the picture above. Thus, each characteristic is affected by attributes at numerous levels of abstraction in the application, all of which must be included in calculating the characteristic's measure if it is to be a valuable predictor of quality outcomes that affect the business. The layered approach to calculating characteristic measures displayed in the figure above was first proposed by Boehm and his colleagues at TRW (Boehm, 1978) and is the approach taken in the ISO 9126 and 25000 series standards. These attributes can be measured from the parsed results of a static analysis of the application source code. Even dynamic characteristics of applications such as reliability and performance efficiency have their causal roots in the static structure of the application.

Structural quality analysis and measurement is performed through the analysis of the source code, the architecture, the software framework and the database schema in relation to principles and standards that together define the conceptual and logical architecture of a system. This is distinct from the basic, local, component-level code analysis typically performed by development tools, which are mostly concerned with implementation considerations and are crucial during debugging and testing activities.

Measuring Reliability

The root causes of poor reliability are found in a combination of non-compliance with good architectural and coding practices. This non-compliance can be detected by measuring the static quality attributes of an application. Assessing the static attributes underlying an application's reliability provides an estimate of the level of business risk and the likelihood of potential application failures and defects the application will experience when placed in operation.

Assessing reliability requires checks of at least the following software engineering best practices and technical attributes:
  • Application Architecture Practices
  • Coding Practices
  • Complexity of algorithms
  • Complexity of programming practices
  • Compliance with Object-Oriented and Structured Programming best practices (when applicable)
  • Component or pattern re-use ratio
  • Dirty programming
  • Error & Exception handling (for all layers - GUI, Logic & Data)
  • Multi-layer design compliance
  • Resource bounds management
  • Software avoids patterns that will lead to unexpected behaviors
  • Software manages data integrity and consistency
  • Transaction complexity level


Depending on the application architecture and the third-party components used (such as external libraries or frameworks), custom checks should be defined along the lines drawn by the above list of best practices to ensure a better assessment of the reliability of the delivered software.

Measuring Efficiency

As with Reliability, the causes of performance inefficiency are often found in violations of good architectural and coding practice which can be detected by measuring the static quality attributes of an application. These static attributes predict potential operational performance bottlenecks and future scalability problems, especially for applications requiring high execution speed for handling complex algorithms or huge volumes of data.

Assessing performance efficiency requires checking at least the following software engineering best practices and technical attributes:
  • Application Architecture Practices
  • Appropriate interactions with expensive and/or remote resources
  • Data access performance and data management
  • Memory, network and disk space management
  • Coding Practices
  • Compliance with Object-Oriented and Structured Programming best practices (as appropriate)
  • Compliance with SQL programming best practices

Measuring Security

Most security vulnerabilities result from poor coding and architectural practices such as SQL injection or cross-site scripting. These are well documented in lists maintained by CWE http://cwe.mitre.org/ (see below), and the SEI/CERT Coordination Center (CERT) at Carnegie Mellon University.

Assessing security requires at least checking the following software engineering best practices and technical attributes:
  • Application Architecture Practices
  • Multi-layer design compliance
  • Security best practices (Input Validation, SQL Injection, Cross-Site Scripting, etc. See CWE's Top 25 http://www.sans.org/top25-programming-errors/)
  • Programming Practices (code level)
  • Error & Exception handling
  • Security best practices (system functions access, access control to programs)

    Measuring Maintainability

    Maintainability includes concepts of modularity, understandability, changeability, testability, reusability, and transferability from one development team to another. These do not take the form of critical issues at the code level. Rather, poor maintainability is typically the result of thousands of minor violations with best practices in documentation, complexity avoidance strategy, and basic programming practices that make the difference between clean and easy-to-read code vs. unorganized and difficult-to-read code.

    Assessing maintainability requires checking the following software engineering best practices and technical attributes:
    • Application Architecture Practices
    • Architecture, Programs and Code documentation embedded in source code
    • Code readability
    • Complexity level of transactions
    • Complexity of algorithms
    • Complexity of programming practices
    • Compliance with Object-Oriented and Structured Programming best practices (when applicable)
    • Component or pattern re-use ratio
    • Controlled level of dynamic coding
    • Coupling ratio
    • Dirty programming
    • Documentation
    • Hardware, OS, middleware, software components and database independence
    • Multi-layer design compliance
    • Portability
    • Programming Practices (code level)
    • Reduced duplicated code and functions
    • Source code file organization cleanliness
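    Several of the attributes above can be measured directly from source. The following is an added example, not code from the article or from any analysis tool it mentions: it uses Python's standard `ast` module to compute, for a constructed sample module, each function's cyclomatic complexity and maximum nesting depth (the complexity of programming practices) and the module's fan-out to other modules (a simple coupling ratio). The thresholds, the sample module and the metric definitions are assumptions chosen for illustration, not CISQ values.

```python
"""Maintainability metrics from source, as an added example (not from the article).

Python's standard `ast` module computes, for a constructed sample module, each
function's cyclomatic complexity and maximum nesting depth and the module's
fan-out (distinct imported modules, a simple coupling ratio). The thresholds
and the sample module are assumptions chosen for illustration, not CISQ values.
"""
import ast
from dataclasses import dataclass

# Constructed sample module: one simple function and one that is hard to read.
SAMPLE_SOURCE = '''
import os
import json
from collections import defaultdict

def parse_record(line):
    key, _, value = line.partition("=")
    return key.strip(), value.strip()

def classify(records, limit):
    out = defaultdict(list)
    for r in records:
        if r["kind"] == "a":
            if r["size"] > limit:
                for item in r["items"]:
                    if item and item != "skip":
                        out["big"].append(item)
                    elif item == "skip":
                        continue
            else:
                out["small"].append(r)
        elif r["kind"] == "b" and r["size"] and not r.get("hidden"):
            out["b"].append(r)
        else:
            out["other"].append(r)
    return out
'''

# Decision points counted by McCabe's cyclomatic complexity (CC = decisions + 1).
DECISION_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler,
                  ast.IfExp, ast.comprehension)
BLOCK_NODES = (ast.If, ast.For, ast.While, ast.With, ast.Try)  # open a nested block
MAX_CYCLOMATIC = 10   # assumed threshold (McCabe's classic limit)
MAX_NESTING = 4       # assumed threshold

@dataclass
class FunctionMetrics:
    name: str
    cyclomatic: int
    nesting: int

def cyclomatic_complexity(func):
    """1 + number of decision points; each extra operand of and/or adds one."""
    cc = 1
    for node in ast.walk(func):
        if isinstance(node, DECISION_NODES):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
    return cc

def max_nesting(body, depth=0):
    """Deepest block nesting in a statement list; an elif stays at its if's level."""
    deepest = depth
    for stmt in body:
        if not isinstance(stmt, BLOCK_NODES):
            continue
        for field in ("body", "orelse", "finalbody"):
            sub = getattr(stmt, field, None) or []
            is_elif = (field == "orelse" and isinstance(stmt, ast.If)
                       and len(sub) == 1 and isinstance(sub[0], ast.If))
            deepest = max(deepest, max_nesting(sub, depth if is_elif else depth + 1))
        for handler in getattr(stmt, "handlers", []):   # except clauses of a try
            deepest = max(deepest, max_nesting(handler.body, depth + 1))
    return deepest

def measure_module(source):
    """Per-function metrics plus the module's fan-out to other modules."""
    tree = ast.parse(source)
    functions = [FunctionMetrics(n.name, cyclomatic_complexity(n), max_nesting(n.body))
                 for n in tree.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    imported = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    return {"functions": functions, "fan_out": sorted(imported)}

def violations(report):
    """Names of functions that exceed either assumed threshold."""
    return [f.name for f in report["functions"]
            if f.cyclomatic > MAX_CYCLOMATIC or f.nesting > MAX_NESTING]

if __name__ == "__main__":
    report = measure_module(SAMPLE_SOURCE)
    for f in report["functions"]:
        print(f"{f.name}: cyclomatic={f.cyclomatic} nesting={f.nesting}")
    print("fan-out:", report["fan_out"], "violations:", violations(report))
```

    In the sample, `classify` reaches a cyclomatic complexity of 11 and a nesting depth of 5 while `parse_record` stays at 1 and 0; the point of the thresholds is exactly the one the text makes, that maintainability is decided by an accumulation of such per-function findings across the whole code base rather than by any single critical defect.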

    Measuring Size

    Measuring software size requires that the whole source code be correctly gathered, including database structure scripts, data manipulation source code, component headers, configuration files, etc. There are essentially two types of software size to be measured, the technical size (footprint) and the functional size:
    • Several technical sizing methods are described at http://en.wikipedia.org/wiki/Software_Sizing. The most common technical sizing method is the number of Lines Of Code (#LOC) per technology, together with the number of files, functions, classes, tables, etc., from which backfired Function Points can be computed;
    • The most common method for measuring functional size is Function Point Analysis (see http://en.wikipedia.org/wiki/Function_point). Function Point Analysis measures the size of the software deliverable from a user's perspective. Function Point sizing is done from the user requirements, so it gives the developer or estimator a representation of size and, at the same time, of the value (functionality) to be delivered to the customer. The method identifies and weights user-recognizable inputs, outputs, inquiries and data stores. The resulting size is then available for use with numerous other measures to quantify and evaluate software delivery and performance (development cost per Function Point, delivered defects per Function Point, Function Points per staff month, etc.).
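    The weighting step and the derived measures, as an added example that is not from the article or from IFPUG: the standard IFPUG complexity weights are applied to a constructed count of user-recognizable components, the Value Adjustment Factor (0.65 + 0.01 times the total degree of influence of the 14 general system characteristics) is applied on top, and the per-Function-Point measures the text names are derived. The component counts, characteristic ratings, cost, defect and effort figures are all constructed for illustration.

```python
"""Function Point sizing, as an added example (not from the article or IFPUG).

Applies the standard IFPUG complexity weights to a constructed count of
user-recognizable components, applies the Value Adjustment Factor, and derives
the per-Function-Point measures the text names. The component counts, the
characteristic ratings and the cost, defect and effort figures are constructed.
"""

# IFPUG weights per component type and complexity rating.
WEIGHTS = {
    "EI":  {"low": 3, "average": 4,  "high": 6},   # external inputs
    "EO":  {"low": 4, "average": 5,  "high": 7},   # external outputs
    "EQ":  {"low": 3, "average": 4,  "high": 6},   # external inquiries
    "ILF": {"low": 7, "average": 10, "high": 15},  # internal logical files (data stores)
    "EIF": {"low": 5, "average": 7,  "high": 10},  # external interface files
}
GSC_COUNT = 14   # IFPUG general system characteristics, each rated 0..5

def unadjusted_function_points(counts):
    """counts: {type: {complexity: number}} -> UFP. Unknown types or ratings are rejected."""
    total = 0
    for ctype, by_complexity in counts.items():
        if ctype not in WEIGHTS:
            raise ValueError(f"unknown component type {ctype!r}")
        for complexity, n in by_complexity.items():
            if complexity not in WEIGHTS[ctype] or n < 0:
                raise ValueError(f"bad entry {ctype}/{complexity}={n}")
            total += WEIGHTS[ctype][complexity] * n
    return total

def value_adjustment_factor(ratings):
    """VAF = 0.65 + 0.01 * total degree of influence over the 14 characteristics."""
    if len(ratings) != GSC_COUNT or any(not 0 <= r <= 5 for r in ratings):
        raise ValueError("expected 14 ratings in the range 0..5")
    return (65 + sum(ratings)) / 100

def adjusted_function_points(counts, ratings):
    """AFP = UFP * VAF."""
    return unadjusted_function_points(counts) * value_adjustment_factor(ratings)

def delivery_measures(function_points, cost, delivered_defects, staff_months):
    """The derived measures named in the text, expressed per Function Point."""
    return {
        "cost_per_fp": cost / function_points,
        "defects_per_fp": delivered_defects / function_points,
        "fp_per_staff_month": function_points / staff_months,
    }

# Constructed count for a small order-entry application.
SAMPLE_COUNTS = {
    "EI":  {"low": 5, "average": 3, "high": 1},
    "EO":  {"low": 2, "average": 4},
    "EQ":  {"low": 3, "average": 2},
    "ILF": {"average": 2, "high": 1},
    "EIF": {"low": 1},
}
# Constructed ratings for the 14 general system characteristics (total 42).
SAMPLE_RATINGS = [3, 3, 4, 3, 2, 3, 3, 4, 3, 3, 3, 3, 2, 3]

if __name__ == "__main__":
    ufp = unadjusted_function_points(SAMPLE_COUNTS)
    afp = adjusted_function_points(SAMPLE_COUNTS, SAMPLE_RATINGS)
    print(f"UFP={ufp} VAF={value_adjustment_factor(SAMPLE_RATINGS):.2f} AFP={afp:.1f}")
    print(delivery_measures(ufp, cost=240_000, delivered_defects=9, staff_months=12))
```

    For the constructed counts the unadjusted size is 118 Function Points, the adjustment factor is 1.07 and the adjusted size about 126.3; the same count, combined with a constructed cost, defect and effort figure, yields the cost per Function Point, defects per Function Point and Function Points per staff month that the text lists as typical uses of the size value.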


    The Function Point Analysis sizing standard is supported by the International Function Point Users Group (IFPUG) (www.ifpug.org). It can be applied early in the software development life-cycle and, unlike the somewhat inaccurate backfiring method, it does not depend on lines of code. The method is technology agnostic and can be used for comparative analysis across organizations and across industries.

    Since the inception of Function Point Analysis, several variations have evolved and the family of functional sizing techniques has broadened to include such sizing measures as COSMIC, NESMA, Use Case Points, FP Lite, Early and Quick FPs, and most recently Story Points. However, Function Points have a history of statistical accuracy, and have been used as a common unit of work measurement in numerous application development management (ADM) or outsourcing engagements, serving as the 'currency' by which services are delivered and performance is measured.

    One common limitation of the Function Point methodology is that it is a manual process and therefore can be labor intensive and costly in large scale initiatives such as application development or outsourcing engagements. This negative aspect of applying the methodology may be what motivated industry IT leaders to form the Consortium for IT Software Quality (www.it-cisq.org), focused on introducing a computable metrics standard for automating the measurement of software size, while the IFPUG (www.ifpug.org) keeps promoting a manual approach, as most of its activity relies on the certification of FP counters.

    In November 2011, CISQ announced the availability of its first metric standard, Automated Function Points, to the CISQ membership, in CISQ Technical Report 2011-01 available at http://www.cisq.org/cisqwiki/images/a/a2/CISQ_Function_Point_Specification.pdf. These recommendations have been developed in OMG’s Request for Comment format and submitted to OMG’s process for standardization.

    Identifying Critical Programming Errors

    Critical Programming Errors are specific architectural and/or coding bad practices that result in the highest, immediate or long term, business disruption risk.

    These are quite often technology-related and depend heavily on the context, business objectives and risks. Some may consider respect for naming conventions a minor matter, while others, those preparing the ground for a knowledge transfer for example, will consider it absolutely critical.

    Critical Programming Errors can also be classified per CISQ characteristic. A basic example follows:
    • Reliability
      • Avoid software patterns that will lead to unexpected behavior (uninitialized variables, null pointers, etc.)
      • Methods, procedures and functions doing Insert, Update, Delete, Create Table or Select must include error management
      • Multi-threaded functions should be made thread safe; for instance, servlets or Struts action classes must not have instance fields or non-final static fields
    • Efficiency
      • Ensure centralization of client requests (incoming and data) to reduce network traffic
      • Avoid SQL queries that don't use an index against large tables in a loop
    • Security
      • Avoid fields in servlet classes that are not final static (a servlet instance is shared by concurrent request threads)
      • Avoid data access without error management
      • Check return codes and implement error handling mechanisms
      • Validate input, use parameterized queries and encode output to avoid SQL injection and cross-site scripting flaws
    • Maintainability
      • Deep inheritance trees and deep nesting should be avoided to improve comprehensibility
      • Modules should be loosely coupled (fan-out, intermediaries) to avoid propagation of modifications
      • Enforce homogeneous naming conventions
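    The input validation, injection and error management items in the Measuring Security list and in the Security and Reliability rules just above, as an added example that is not code from the article: an in-memory SQLite table with constructed rows shows string-concatenated SQL that an injected input subverts beside the parameterized query that it does not, HTML output encoding against cross-site scripting, and a lookup that validates its input and handles database errors instead of letting them propagate. The table, rows, function names and the username allowlist are assumptions made for the example.

```python
"""Vulnerable and hardened data access, as an added example (not from the article).

An in-memory SQLite table with constructed rows shows (1) string-concatenated
SQL that an injected input subverts, (2) the parameterized query that does not,
(3) HTML output encoding against cross-site scripting, and (4) input validation
and error management around the data access, as the Security and Reliability
rules above require. Table, rows, names and the username allowlist are assumptions.
"""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed allowlist for usernames

def make_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, name):
    """Vulnerable: the caller-supplied name is spliced into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """Hardened: the name is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def query_error_name(conn, name):
    """Class name of the database error the vulnerable query raises for name, or None."""
    try:
        find_user_vulnerable(conn, name)
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__

def is_valid_username(name):
    """Allowlist check: defence in depth, not a substitute for parameterization."""
    return USERNAME_RE.fullmatch(name) is not None

def lookup_user(conn, name):
    """Validated, parameterized lookup with error management.

    Returns (True, rows) or (False, reason); a database error is reported to the
    caller instead of propagating or being silently swallowed.
    """
    if not is_valid_username(name):
        return False, "rejected: invalid username"
    try:
        return True, find_user_safe(conn, name)
    except sqlite3.Error as exc:
        return False, "database error: " + type(exc).__name__

def render_greeting_vulnerable(name):
    """Vulnerable: untrusted text is written into HTML unencoded."""
    return "<p>Hello " + name + "</p>"

def render_greeting_safe(name):
    """Hardened: HTML-encode untrusted text for the HTML body context."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every row
    print("safe:      ", find_user_safe(conn, payload))         # no rows
    print("lookup:    ", lookup_user(conn, payload))            # rejected by the allowlist
    print(render_greeting_safe("<script>alert(1)</script>"))
```

    The payload `x' OR '1'='1` returns every row from the concatenated query and no rows from the parameterized one, and a plain name such as `o'brien` makes the concatenated query fail with a database error while the parameterized one simply finds nothing. The allowlist and the error handling in `lookup_user` are the "input validation" and "error management" items of the lists above; the parameterized statement is what actually removes the injection, and the HTML encoding is specific to the body context, so an attribute or JavaScript context would need its own encoding.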

    See also

    • ISO/IEC 9126
    • Software Process Improvement and Capability Determination - ISO/IEC 15504
    • Software Product Quality: the ISO 25000 Series and CMMI (SEI site)
    • Software testing
    • Quality (business): Quality control, Total Quality Management
    • Software Quality Model
    • Software Quality Assurance
      • Programming style
      • Software architecture
    • Software metrics
      • Cyclomatic complexity
      • Cohesion and Coupling
    • Standards (software)
    • Software reusability
    • Ilities
      • Accessibility
      • Availability
      • Dependability
      • Testability
    • Security
    • Security engineering
    • Bugs
    • Anomaly in software

    Further reading

    • International Organization for Standardization. Software Engineering—Product Quality—Part 1: Quality Model. ISO, Geneva, Switzerland, 2001. ISO/IEC 9126-1:2001(E).
    • Diomidis Spinellis. Code Quality: The Open Source Perspective. Addison Wesley, Boston, MA, 2006.
    • Ho-Won Jung, Seung-Gweon Kim, and Chang-Sin Chung. Measuring software product quality: A survey of ISO/IEC 9126. IEEE Software, 21(5):10–13, September/October 2004.
    • Stephen H. Kan. Metrics and Models in Software Quality Engineering. Addison-Wesley, Boston, MA, second edition, 2002.
    • Omar Alshathry and Helge Janicke. Optimizing Software Quality Assurance. In 2010 IEEE 34th Annual Computer Software and Applications Conference Workshops (COMPSACW), pp. 87–92, 2010.
    • Robert L. Glass. Building Quality Software. Prentice Hall, Upper Saddle River, NJ, 1992.
    • Roland Petrasch. The Definition of "Software Quality": A Practical Approach. ISSRE, 1999.

    The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.