The $2t cost of poor software quality

Published on 18/01/2023 | Written by Heather Wright


Is it time to focus on DevQualOps?…

Bugs and errors may be the ‘cost of doing business at speed’ according to some, but they’re more than just an irritation, with the cost of poor software quality nearly doubling in two years to US$2.4 trillion.

That figure is for the US alone in 2022, and comes from a report by the Consortium for Information and Software Quality (CISQ) industry group and vendor Synopsys. It includes costs from software supply chain issues, cyberattacks targeting existing vulnerabilities and the growing impact of rapidly accumulating technical debt.

“It’s a primary reason that many modernisation projects fail.”

The report, The Cost of Poor Software Quality in the US, says existing vulnerabilities, software supply chain complexities and the growing impact of technical debt are key drivers of both increased costs and increased cyberattacks.

The report aggregates publicly available data to estimate the impact of known software failures on the economy, and identifies software failures in operational systems – including cybersecurity failures and data breaches – as the single largest cost at US$1.8 trillion, up from $1.56 trillion in 2020.

The huge rise in cybercrime costs, hitting $1.44 trillion, accounts for most of this year’s increase.

Finding and fixing defects accounted for $607 billion, with legacy systems at $520 billion and unsuccessful development adding $260 billion to the total.

Among the key problem areas highlighted are software supply chain problems with underlying third-party components, especially open source software.

CISQ says supply chain problems with underlying third-party components are rising significantly, with problems stemming from weaknesses in open source components within the supply chain increasing an ‘alarming’ 650 percent from 2020 to 2021.

High-profile incidents, including the SolarWinds hack and the Log4Shell vulnerability have highlighted the growing risk of third-party attacks and the potential dangers in failing to treat open source software security with the attention it needs.

“In today’s complex software supply chain, just because a newly-added open source component is secure today does not mean that it will be secure tomorrow,” says Anita D’Amico, Synopsys software integrity group VP of cross portfolio solutions and strategy and CISQ board member.

The report, which is authored by former University of Texas professor of software engineering, Herb Krasner, says 77 percent of organisations reported an increase in the use of open source software in 2021.

On that front, D’Amico flags the creation of robust software bill of materials (SBOM) as a key first step in securing the software supply chain.

“Creating an SBOM allows organisations to proactively gather a comprehensive inventory of the components used to make up a piece of software. This means when a new vulnerability is identified in an existing component, organisations can quickly identify where it is in their software and take action to remedy it,” she says.
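The lookup D’Amico describes – a new advisory arrives, and the inventory tells you which products carry the affected component – is what an SBOM makes mechanical. The script below is an added illustration, not code from the report, CISQ or Synopsys. It assumes SBOMs in the CycloneDX JSON layout (a `components` list with `name`, `version` and a package URL `purl`); the three product names, the `com.example/acme-logging` component, its versions and the `EXAMPLE-ADVISORY-0001` identifier are constructed sample data, not real packages or a real CVE.

```python
"""Match a new vulnerability advisory against a set of SBOMs.

Added illustration (not the report's own code).  SBOM layout follows
CycloneDX JSON; all products, components, versions and the advisory id
are constructed sample data.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed CycloneDX-style SBOMs for three hypothetical internal products.
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "acme-logging", "version": "1.4.2",
         "purl": "pkg:maven/com.example/acme-logging@1.4.2?type=jar"},
        {"type": "library", "name": "acme-json", "version": "3.1.0",
         "purl": "pkg:maven/com.example/acme-json@3.1.0"},
    ]}),
    "reporting-ui": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "acme-logging", "version": "1.6.0",
         "purl": "pkg:maven/com.example/acme-logging@1.6.0"},
    ]}),
    "batch-worker": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "acme-logging", "version": "1.5.9",
         "purl": "pkg:maven/com.example/acme-logging@1.5.9"},
        # A vendored copy recorded without a purl: it cannot be matched reliably.
        {"type": "library", "name": "vendored-utils", "version": "0.3"},
    ]}),
}

# Constructed advisory: package identity (purl without version) and first fixed version.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",  # placeholder id, not a real CVE
    "purl_base": "pkg:maven/com.example/acme-logging",
    "fixed_in": "1.6.0",
}


@dataclass(frozen=True)
class Finding:
    product: str
    component: str
    version: str
    advisory: str


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. "1.4.2" -> (1, 4, 2).

    Sufficient for the sample data; real ecosystems need their own ordering
    rules (semver pre-release tags, Maven qualifiers, Debian epochs).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return parts


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def iter_components(sbom_json: str) -> Iterator[dict]:
    """Yield component records from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    yield from bom.get("components", [])


def affected_products(sboms: dict, advisory: dict) -> list:
    """Return one Finding per product that ships a version below the fix."""
    fixed = parse_version(advisory["fixed_in"])
    findings = []
    for product, doc in sboms.items():
        for comp in iter_components(doc):
            purl: Optional[str] = comp.get("purl")
            if not purl:
                continue  # no package identity: surface this as an SBOM quality gap upstream
            base, version = split_purl(purl)
            if base != advisory["purl_base"]:
                continue
            version = version or comp.get("version")
            if version is not None and parse_version(version) < fixed:
                findings.append(Finding(product, comp["name"], version, advisory["id"]))
    return findings


if __name__ == "__main__":
    for f in affected_products(SBOMS, ADVISORY):
        print(f"{f.advisory}: {f.product} ships {f.component} {f.version}")
```

Run against the constructed data, the script reports `billing-api` (1.4.2) and `batch-worker` (1.5.9) and leaves `reporting-ui` alone, since 1.6.0 is the fixed version. The deliberately purl-less `vendored-utils` entry is skipped rather than guessed at; an inventory that cannot name its components precisely is the gap to close before the next advisory.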

The growing impact of technical debt – further exacerbated by skills shortages – is also highlighted in the report, which says it has become the biggest obstacle to making any changes to existing code bases.

“Technical debt principle increased to US$1.52 trillion, because deficiencies are not getting fixed,” the report says.

“In late 2021 it was predicted that by 2025, 40 percent of IT budgets will be spent simply maintaining technical debt, and it’s a primary reason that many modernisation projects fail.”

The report says the number of weekly hours an average company developer spends addressing technical debt is 13.5 out of 41.1 hours.

Unsurprisingly, cybercrime losses were also up 64 percent from 2020 due to the rising number of software vulnerabilities.

Gaining control over poor software quality 

CISQ has been pushing a ‘DevQualOps’ practice in the last few Cost of Poor Software Quality reports. It’s an extension of the Agile and DevOps model, with an emphasis on quality of the engineering activity, with specific quality gates at the end of each of the phases of requirements, design, development and testing.

“Methodologies such as Agile and DevOps … result in higher velocity and more responsive development cycles, but not necessarily better quality.

“As DevSecOps aims to improve the security mechanisms around high-velocity software development, the emergence of DevQualOps encompasses activities that assure an appropriate level of quality across Agile, DevOps and DevSecOps lifecycle.”

The report says many modern static analysis tools support the DevQualOps model and also support many languages and most popular configuration management tools.

“Empirical evidence suggests that organisations incorporating automated quality analysis and DevQualOps practices will observe improved quality through the improved discovery of deficiencies by integrating analysis as well as monitoring tools in their development and deployment environments.”

Among the other recommendations in the report are integrating continuous technical debt remediation into software development life cycles; using the software quality standards, related measurements and tools that are emerging; and analysing and assessing the quality of all third-party and open source software components included in any system.

“Monitor them closely in operation. Apply patches in a timely fashion.”
