Managing Software Risk with CAST
Building Resilient Software to Support Business
CAST Confidential 1
Webinar goal and content
Goal: Understand how CAST can help avoid software glitches
Content:
- Review of state of software risk in business technology industry
- Analysis of reasons that software fails
- Explanation of CAST technology for software analysis
- Examples of potentially-lethal software CAST has uncovered
- How to implement CAST as a quality gate to lower software risk
IT risk has become a serious concern
[Charts: "How IT Risk Impacts Business" and "What Drives Reputation Risk", percent of respondents identifying each business element. Source: 2012 IBM Global Reputational Risk and IT Study, n = 427]
System outages have never been easy to control
[Chart: Number of defects requiring patches in 12 months after production rollout. Sources: The Register – 2008 Risk & Resilience Study, IDC Software Quality Study 2011; n = 200]
21% of project managers report over 50 defects in the first 12 months after rollout.
Incidence of software “glitches” is clearly on the rise
- Software is the primary culprit in system outages
- Software glitches in live business systems happen frequently
- Most of the time we don’t find out, but recently there’s more in the news
[Headlines shown: trading platforms & exchanges, airlines. Sources: Wall Street Journal, Bloomberg, The Register – 2008 Risk & Resilience Study]
Incidence of software “glitches” is clearly on the rise
- Responsible for 10% of North America trading by volume
- $440 million loss in 45 minutes

Past forensics related to similar outages
Air traffic control system:
- Variable not sized properly, limited to 50 days of operation
- IT procedure to reboot system every 30 days reset timer almost 3 weeks before it ran out
- Until that procedure was changed
Ticketing self-service website:
- A user accidentally types a URL into the wrong field
- Thousands of personal records leaked all over the internet
- Website service suspended for months until new version released
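The air traffic control case above is the classic undersized-counter failure. The following is an added example, not from the CAST deck, that models it under one assumption: that the "variable not sized properly" was an unsigned 32-bit counter of elapsed milliseconds, which wraps to zero after roughly 49.7 days (the slide says "50 days" and gives no representation). It shows why a 30-day reboot masked the bug, how a plain comparison of counter values fails once the counter wraps, and the wrap-safe comparison that a defender would want in a code review. All function names are this example's own.

```python
"""Added example: a 32-bit millisecond uptime counter, the reboot margin
that hid its wrap, and naive vs. wrap-safe deadline checks.
Assumption: the undersized variable was an unsigned 32-bit ms counter."""

MASK32 = 0xFFFFFFFF                     # largest value a 32-bit counter can hold
MS_PER_DAY = 24 * 60 * 60 * 1000


def wrap_period_days():
    """Days of continuous uptime before a 32-bit ms counter wraps to zero."""
    return (MASK32 + 1) / MS_PER_DAY    # about 49.71 days


def wrap_margin_days(reboot_every_days):
    """How far ahead of the wrap a scheduled reboot resets the counter.

    With the slide's 30-day reboot procedure this is about 19.7 days: the
    'almost 3 weeks' of margin that the procedure happened to provide."""
    return wrap_period_days() - reboot_every_days


def tick32(true_uptime_ms):
    """What the undersized counter reports for a given true uptime."""
    return true_uptime_ms & MASK32


def deadline_due_naive(now_tick, deadline_tick):
    """The fragile check: compare raw counter values. After the counter
    wraps, 'now' is small and an unwrapped deadline looks far in the
    future, so a timer that is actually due is never seen as due."""
    return now_tick >= deadline_tick


def deadline_due_safe(now_tick, deadline_tick):
    """Wrap-safe check: take the modular difference and inspect its sign
    bit. Correct while deadlines are less than 2^31 ms (about 24.8 days)
    away, a bound the scheduling code must itself enforce."""
    diff = (now_tick - deadline_tick) & MASK32
    return diff < 0x80000000


def demo():
    """Timer armed 3 s before the wrap and due 2 s later; checked 0.5 s
    after the wrap. Returns (naive verdict, wrap-safe verdict)."""
    armed_at = tick32(MASK32 + 1 - 3000)
    deadline = (armed_at + 2000) & MASK32   # still below the wrap point
    now = tick32(MASK32 + 1 + 500)          # counter has wrapped to 500
    return deadline_due_naive(now, deadline), deadline_due_safe(now, deadline)


if __name__ == "__main__":
    print(f"counter wraps after {wrap_period_days():.2f} days of uptime")
    print(f"30-day reboot leaves {wrap_margin_days(30):.1f} days of margin")
    naive, safe = demo()
    print("naive check sees the deadline as due:", naive)
    print("wrap-safe check sees the deadline as due:", safe)
```

The detection lesson is the one the slide draws: a periodic reboot is not a control, it is an accident of timing, and the real fix is a counter wide enough for the deployment lifetime plus arithmetic that tolerates the wrap.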
Are we just getting used to software failure?
Why does this happen?
- System complexity keeps increasing
- Too many applications to track
- Hitting limits of doing more with less
- Turnover and short-term-ism
- Sourcing complexity & offshore
- Speed of software production
- Inadequate approach to QA
No institutionalized product oversight at the structural level
Analyst perspectives on the problem, and solution
“There is a balance between ‘just get it done’ and ‘do it the right way.’ A few additional quality measures help you find that balance.”
“Addressing technical debt is really a risk decision for IT executives. I can invest in fixing some of the technical quality problems now, or risk that they result in outages, breaches or other problems that can cost far more.”
“The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers.”
Defects in poor systems turn into software failures
- Software delivered contains 5 potential defects per FP
- Many defects are dormant in the code
- Technical debt continues to mount

Defect Origin                    % Severity 1 or 2 Defects
1. Design defects                 17.00%
2. Code defects                   15.00%
3. Structural defects             13.00%
4. Data defects                   11.00%
5. Requirements creep defects     10.00%
6. Requirements defects            9.00%
7. Web site defects                8.00%
8. Security defects                7.00%
9. Bad fix defects                 4.00%
10. Test case defects              2.00%
11. Document defects               2.00%
12. Architecture defects           2.00%
TOTAL DEFECTS                    100.00%
Severity 1 = total stoppage; Severity 2 = major disruption

Source: Capers Jones. Data collected from 1984 through 2011; about 675 companies (150 clients in Fortune 500 set); about 35 government/military groups; about 13,500 total projects; new data = about 50-75 projects per month; data collected from 24 countries; observations during more than 15 lawsuits.
Industry starting to pay attention to code quality
But code quality & hygiene is only a small part of the solution
[Chart: searches for "code quality" – 60,700 (2009), 83,000 (2010), 168,000 (2011)]
[Chart: violations that cause defects – % of violations crossing a phase boundary (Dev, Test, Operations), component-level violations versus architecturally complex violations; figures shown: 83%, 10%, 2%, 13%; architecturally complex violations labelled "8X worse" and "6X worse". Source: Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering]
Measurement based on standards
Consortium for IT Software Quality (www.it-cisq.org)

Characteristic: RELIABILITY
Architectural & System Level Flaws:
- Multi-layer design compliance
- Software manages data integrity and consistency
- Exception handling through transactions
- Class architecture compliance
Coding & Component Level Flaws:
- Protecting state in multi-threaded environments
- Safe use of inheritance and polymorphism
- Patterns that lead to unexpected behaviors
- Resource bounds management, complex code
- Managing allocated resources, timeouts, built-in remote addresses

Characteristic: PERFORMANCE EFFICIENCY
Architectural & System Level Flaws:
- Appropriate interactions with expensive and/or remote resources
- Data access performance and data management
- Memory, network and disk space management
- Centralized handling of client requests
- Use of middle tier components versus stored procedures and database functions
Coding & Component Level Flaws:
- Compliance with Object-Oriented best practices
- Compliance with SQL best practices
- Expensive computations in loops
- Static connections versus connection pools
- Compliance with garbage collection best practices

Characteristic: SECURITY
Architectural & System Level Flaws:
- Input validation
- SQL injection
- Cross-site scripting
- Failure to use vetted libraries or frameworks
- Secure architecture design compliance
Coding & Component Level Flaws:
- Error and exception handling
- Use of hard-coded credentials
- Buffer overflows
- Broken or risky cryptographic algorithms
- Missing initialization
- Improper validation of array index
- Improper locking
- References to released resources
- Uncontrolled format string

Characteristic: MAINTAINABILITY
Architectural & System Level Flaws:
- Strict hierarchy of calling between architectural layers
- Excessive horizontal layers
Coding & Component Level Flaws:
- Tightly coupled modules
- Unstructured and duplicated code
- Cyclomatic complexity
- Controlled level of dynamic coding
- Encapsulated data access
- Over-parameterization of methods
- Hard coding of literals
- Commented out instructions
- Excessive component size
- Compliance with OO best practices
Technical debt is related to software risk
- Most technical debt measures do not categorize the debt
- There’s a lot of debt out there, and many questions about “when to pay it off?” and “which debt to focus on?”
- It turns out only about 30% of technical debt has any immediate risk component
[Chart: Distribution of Technical Debt, n = 756 applications (365 million lines of code). Source: CRASH Report for 2011-2012, CAST Research Labs]
CAST approach to software risk management (1/2)
IDENTIFY
- Risk reduction starts with identification of risks to understand the scale and scope of risks across an organization
- Identification using automated tools for consistency and objectivity
- Output of “Identify” stage should include portfolio view & high profile risks
STABILIZE
- Prioritized list provides an action plan
- Focus on immediate, short-term risks to critical business systems
– Security risks
– Production defects
- Reassess to validate that short term risks have been addressed

Stage              IDENTIFY        STABILIZE          HARDEN        OPTIMIZE
Risk Perspective   Immediate-Risk                     Long-Term Risk
Assessment Level   Portfolio       Critical Systems   Application   Application
CAST approach to software risk management (2/2)
HARDEN
- Move beyond short term, immediate risks to address the “long tail”
- Focus on performance, robustness, security
- Improving brittle systems to become responsive, adaptable
OPTIMIZE
- Shift to long-term thinking
- Shift from process thinking to product thinking
- Focus on improving maintainability and transferability of systems
- Address organizational or process issues for long-term improvements
- Technical debt management and reporting strategy
Analysis strategy for typical IT application portfolio
[Chart: effort (man-days/year) against importance to business, from highest to lowest; critical apps covered by CAST AIP, the entire application portfolio covered by CAST Highlight]

CAST AIP (critical apps):
- Deep Structural Analysis
- Risk Detection
- Lean Application Development
- Function Points & Productivity
- Vendor Management
- Continuous Improvement

CAST Highlight (entire application portfolio):
- Fast cloud-based delivery
- No source code aggregation
- Key metrics on entire portfolio
- Size, complexity and risk analytics
- Annual/quarterly benchmark
Portfolio risk review with Highlight
[Chart: Risk vs. Application Criticality]
This chart examines business criticality against the risk level of the applications. 40 applications are situated in the high risk zone. These 40 applications require detailed assessment and planning for ongoing improvement.
Enterprise IT applications require depth of analysis

Program Level:
- Code style & layout
- Expression complexity
- Code documentation
- Class or program design
- Basic coding standards

Module Level:
- Intra-technology architecture
- Intra-layer dependencies
- Module complexity & cohesion
- Design & structure
- Inter-program invocation
- Security vulnerabilities

System Level:
- Integration quality
- Architectural compliance
- Risk propagation simulation
- Application security
- Resiliency checks
- Transaction integrity
- Function point & EFP measurement
- Effort estimation
- Data access control
- SDK versioning
- Calibration across technologies

[Diagram: system-level view labelled Architecture Compliance, Data Flow, Transaction Risk and Propagation Risk, spanning technologies such as Java, EJB, PL/SQL, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, Messaging, Web Services, JSP, ASP.NET and APIs]
CAST going well beyond static analysis
- Static Analysis: understanding of language syntax and grammar using source code parsing
- Behavioral Simulation: analysis of some run-time behaviors to understand dynamic behaviors of applications
- Dependencies: understanding of cross-layer and cross-technology links between application components
- Code Pattern Scanning: finding patterns and anti-patterns in application control flow
- Data Flow: tracking the use of the content of variables such as user inputs along static and dynamic call stacks
- Architecture Checker: identification of invalid calls and references between application architectural layers
- Rule Engine: analysis of knowledge base against quality rules, metrics and constraints to identify violations (non-compliant objects or situations)
- Transaction Finder: identification and configuration of cross-layer and cross-technology transactions from UI down to data entities
- Function Points: estimation of Function Points functional sizing, relying on data entities and application-wide transactions
- Aggregation & Consolidation: aggregation and calibration of results along the quality model and consolidation across applications
- Intelligent Configuration: capability to build object sets based on object properties, links, etc. to support layers, modules, and scope definition
- Content Updater: adjustment of analysis results to better match application advanced behaviors
Simulating runtime behavior to resolve links in code
Behavioral Simulation: emulating some run-time behaviors to understand dynamic behaviors of applications (quasi-runtime behavior).
Consider “Select Title from Authors where Author = ” as a SQL statement built in code: the analysis records a Use (select) link between Java method “f()” and SQL table “Author”.
Multi-tier analysis for dependencies (1/2)
Dependencies: capability to handle cross-layer and cross-technology links between application components.
Create links between Java class and SQL table, e.g. Address.java, the Hibernate mapping (hibernate-mapping.dtd) and the Oracle table "address".

Multi-tier analysis for dependencies (2/2)
Dependencies: capability to handle cross-layer and cross-technology links between application components.
- Create links between JSP page and Action mapping (Payment.jsp, struts-config.xml)
- Create links between Action mapping and Java class (struts-config.xml, ActionPaymentMethod.java)
AIP counts of framework diagnostics
- Frameworks are the link between components in a well-architected system
- There are also rules to using such constructs effectively

Framework        Rule Counts
Struts 1.x       21
Struts 2.x        9
Spring            3
Hibernate/JPA    23
EJB               8
JSF               1
Servlet           2
Tiles             1
Data flow – cross distributed architecture
Data Flow: capability to track along static and dynamic call stacks the use of the content of variables such as user inputs.
[Diagram: user input followed through steps (1) to (4) across the distributed architecture to a SQL injection vulnerability – CWE-89]
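The two capabilities shown above, behavioral simulation of a SQL string built in code and data flow tracking of a user input along the call stack into a CWE-89 sink, can be illustrated together on a toy program. The following is an added example written for this page, not CAST's implementation: it walks a constructed call stack expressed in a tiny statement language, propagates taint from a user-input source through assignments and calls, records a method-to-table "Use (select)" link whenever a SQL literal is seen, and reports a SQL injection path only when tainted data reaches the SQL text rather than a bound parameter. The method names (`Servlet.doGet`, `AuthorDao.f`, `Db.run`), the statement forms and both programs are constructed for the example.

```python
"""Added example: toy taint tracking plus SQL table resolution over a
constructed call stack. Not CAST's code; names and statements are made up."""

import re

# Constructed program. Each frame is a list of simplified statements:
#   ("source", var)              var receives untrusted user input
#   ("literal", dst, text)       dst = a constant SQL string
#   ("concat", dst, text, src)   dst = text + src  (SQL built by concatenation)
#   ("bind", sql, src)           src is bound as a query parameter (not in SQL text)
#   ("call", callee, arg, param) local `arg` is passed into callee's `param`
#   ("sink", var)                var is executed as SQL
VULNERABLE = {
    "Servlet.doGet": [("source", "name"),
                      ("call", "AuthorDao.f", "name", "author")],
    "AuthorDao.f":   [("concat", "sql", "Select Title from Authors where Author = ", "author"),
                      ("call", "Db.run", "sql", "query")],
    "Db.run":        [("sink", "query")],
}

# Same transaction with the input bound as a parameter instead of concatenated.
HARDENED = dict(VULNERABLE)
HARDENED["AuthorDao.f"] = [
    ("literal", "sql", "Select Title from Authors where Author = ?"),
    ("bind", "sql", "author"),
    ("call", "Db.run", "sql", "query"),
]

SQL_TABLE = re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.IGNORECASE)


def table_of(sql_text):
    """Resolve the table a (possibly partial) SELECT reads from, or None."""
    match = SQL_TABLE.search(sql_text)
    return match.group(1) if match else None


def analyze(program, entry):
    """Return (findings, links).

    findings: ("CWE-89", call path, table) for each tainted SQL execution
    links:    (method, table) for each SQL literal seen, regardless of taint
    """
    findings, links = [], []

    def walk(frame, tainted, sql_vars, path):
        path = path + [frame]
        for stmt in program[frame]:
            op = stmt[0]
            if op == "source":
                tainted.add(stmt[1])
            elif op == "literal":
                _, dst, text = stmt
                sql_vars[dst] = text
                tainted.discard(dst)
                links.append((frame, table_of(text)))
            elif op == "concat":
                _, dst, text, src = stmt
                sql_vars[dst] = text
                links.append((frame, table_of(text)))
                if src in tainted:
                    tainted.add(dst)        # taint flows into the SQL text itself
                else:
                    tainted.discard(dst)
            elif op == "bind":
                pass                        # bound parameter: taint never reaches SQL text
            elif op == "call":
                _, callee, arg, param = stmt
                walk(callee,
                     {param} if arg in tainted else set(),
                     {param: sql_vars[arg]} if arg in sql_vars else {},
                     path)
            elif op == "sink":
                var = stmt[1]
                if var in tainted:
                    findings.append(("CWE-89", " -> ".join(path),
                                     table_of(sql_vars.get(var, ""))))

    walk(entry, set(), {}, [])
    return findings, links


if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found, linked = analyze(prog, "Servlet.doGet")
        print(f"{label}: findings={found} links={linked}")
```

Both programs yield the same dependency link (AuthorDao.f uses table Authors), which is the behavioral-simulation result; only the concatenating version yields a CWE-89 finding, which is the data-flow result. That separation is what lets a tool rank the link as a dependency and the tainted path as a defect.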
Configuring rules specific to enterprise architecture
Architecture Checker: capability to identify invalid calls and references between application architectural layers.
Security breach due to architecture misuse
- For example: in a banking application, for monitoring reasons, all database calls must go through specific stored procedures
- Investigations showed:
– Many transactions developed offshore did not comply with the secure architecture framework
– Without automation, this could not be monitored:
• 100 UI elements (250 kloc)
• 2000 mid-tier programs (1 mloc)
• 250 tables, 350 kloc of PL/SQL
- Use of Architecture Checker:
– to define the desired architecture
– to generate and enforce the appropriate quality rules
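The banking case above is a layering rule: only stored procedures may touch tables, and the UI may not skip the mid-tier. The following is an added example, not CAST's Architecture Checker, showing the two steps the slide names: derive the permitted call edges from a declared layer order, then check an inventory of observed calls against them and report each violation with the rule it breaks. The object names, layer names and call list are constructed for the example.

```python
"""Added example: generate layering rules from a declared architecture and
check observed dependencies against them. Not CAST's code; names constructed."""

# Desired architecture, top to bottom. A layer may call itself and the layer
# directly beneath it; anything else (skipping a layer, calling upward,
# touching a table from outside the stored-procedure layer) is a violation.
LAYERS = ["ui", "mid-tier", "stored-proc", "table"]

# Constructed inventory: object -> layer, plus observed call/access edges.
OBJECTS = {
    "PaymentForm.jsp": "ui",
    "PaymentService.submit": "mid-tier",
    "AccountService.balance": "mid-tier",
    "SP_UPDATE_PAYMENT": "stored-proc",
    "PAYMENT": "table",
    "ACCOUNT": "table",
}
CALLS = [
    ("PaymentForm.jsp", "PaymentService.submit"),
    ("PaymentService.submit", "SP_UPDATE_PAYMENT"),
    ("SP_UPDATE_PAYMENT", "PAYMENT"),
    ("AccountService.balance", "ACCOUNT"),       # mid-tier reads a table directly
    ("PaymentForm.jsp", "SP_UPDATE_PAYMENT"),     # UI bypasses the mid-tier
]


def allowed_edges(layers):
    """Derive the permitted (caller layer, callee layer) pairs from the layer order."""
    allowed = set()
    for i, layer in enumerate(layers):
        allowed.add((layer, layer))
        if i + 1 < len(layers):
            allowed.add((layer, layers[i + 1]))
    return allowed


def check_architecture(objects, calls, layers=LAYERS):
    """Return one (caller, callee, rule text) tuple per non-compliant edge."""
    allowed = allowed_edges(layers)
    violations = []
    for caller, callee in calls:
        edge = (objects[caller], objects[callee])
        if edge not in allowed:
            violations.append((caller, callee, f"{edge[0]} must not access {edge[1]}"))
    return violations


def compliance_rate(objects, calls, layers=LAYERS):
    """Share of observed edges that respect the declared architecture (0..1)."""
    if not calls:
        return 1.0
    return 1 - len(check_architecture(objects, calls, layers)) / len(calls)


if __name__ == "__main__":
    for caller, callee, rule in check_architecture(OBJECTS, CALLS):
        print(f"VIOLATION {caller} -> {callee}: {rule}")
    print(f"compliance: {compliance_rate(OBJECTS, CALLS):.0%}")
```

Because the rules are generated from the layer list rather than hand-written per object, the same check scales to the slide's 100 UI elements, 2000 mid-tier programs and 250 tables without per-object maintenance, which is the monitoring gap the slide describes.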
“UPDATE” trigger causing big problems at a global services provider
- In a reservation system, the Java application must access a legacy mainframe to finalize the transaction. In production, a performance issue occurred when a volume of transactions arrived at one time.
- Investigation showed:
– Abnormal activity on the database due to an "on update" trigger that was fired too frequently.
– The Hibernate ‘show SQL’ property revealed that the trigger was firing even if the data had not changed. The error was due to a specific parameter in Hibernate: select-before-update on the entity was set to false. When set to false, Hibernate updated the table systematically.
[Diagram: entity MY_ENTITY with columns A, B, C, D; MyUpdateTrigger always fired]
90% performance improvement in large mainframe batch process
Real, measurable performance improvement numbers after fixing open/close inside loops: around 90% performance improvement.
Application shows a potentially dangerous lack of data control
Reduce risk – better use of safe components

Propagated Risk Index (PRI) explained
Violation with the largest impact on the rest of the application, regarding Robustness, Performance, or Security.
[Diagram: GUI Layer, Logic Layer, Data Layer]
Propagated Risk Index – Prioritize findings
- Allows rapid identification of the most significant critical violations related to a Health Factor
- PRI is based on:
– Violation Index (VI), which assesses the quality issues of a defective object for a specific Health Factor
– Risk Propagation Factor (RPF), which assesses the number of call paths of a defective object
[Screens: Violation View; Context (software / Health Factor)]
Transaction Risk Index (TRI)
- Identify the riskiest transactions for pen testing, remediation
- Sum of Violation Indices (VIs) of the objects along a specific transaction: Robustness, Performance or Security.
[Screens: Transaction View; Transaction Details View]

Transaction Weight Risk Index explained
Transaction with largest number of Robustness, Performance or Security violations.
[Diagram: GUI Layer, Logic Layer, Data Layer]
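The two indices above rank the same violation data in two ways: PRI ranks objects by how far a defect propagates, TRI ranks transactions by how much defective code they pass through. The following is an added example, not CAST's implementation, that computes both over a constructed call graph. The slides state that PRI is based on the Violation Index and a Risk Propagation Factor counting an object's call paths, and that TRI sums VIs along a transaction; combining VI and RPF by multiplication is this example's assumption, as are the graph, the entry points and the VI values.

```python
"""Added example: Propagated Risk Index and Transaction Risk Index over a
constructed, acyclic call graph. Not CAST's code; PRI = VI * RPF is an
assumption of this example, the slide does not give the formula."""

# Constructed call graph: UI entry points down to data entities (the leaves).
GRAPH = {
    "LoginPage.jsp": ["AuthAction.execute"],
    "PaymentPage.jsp": ["PaymentAction.execute"],
    "AuthAction.execute": ["UserDao.find"],
    "PaymentAction.execute": ["UserDao.find", "PaymentDao.save"],
    "UserDao.find": ["USERS"],
    "PaymentDao.save": ["PAYMENTS"],
    "USERS": [],
    "PAYMENTS": [],
}
ENTRIES = ["LoginPage.jsp", "PaymentPage.jsp"]

# Constructed Violation Index per object for one health factor (Security).
# Objects absent from the map have no violations for that factor.
VI = {"UserDao.find": 12, "PaymentDao.save": 5, "PaymentAction.execute": 3}


def transactions(graph, entries):
    """Enumerate every call path from an entry point down to a leaf.

    Assumes the graph is acyclic (a cycle would recurse forever)."""
    paths = []

    def walk(node, path):
        path = path + [node]
        if not graph[node]:
            paths.append(path)
        for callee in graph[node]:
            walk(callee, path)

    for entry in entries:
        walk(entry, [])
    return paths


def propagated_risk_index(graph, entries, vi):
    """PRI per defective object: VI times the number of transaction paths
    (the Risk Propagation Factor) that pass through the object."""
    paths = transactions(graph, entries)
    return {obj: score * sum(obj in p for p in paths) for obj, score in vi.items()}


def transaction_risk_index(graph, entries, vi):
    """TRI per transaction: sum of the VIs of the objects on the path.
    Returned as (score, 'a -> b -> c') tuples, riskiest first."""
    scored = [(sum(vi.get(obj, 0) for obj in path), " -> ".join(path))
              for path in transactions(graph, entries)]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    print("PRI:", propagated_risk_index(GRAPH, ENTRIES, VI))
    for score, path in transaction_risk_index(GRAPH, ENTRIES, VI):
        print(f"TRI {score:3d}  {path}")
```

In this data the single object with the highest PRI is UserDao.find, reached from both entry points, while the riskiest transaction is the payment path through it, which is the list the slide suggests feeding to pen testing and remediation first.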
Stabilizing a multi-tier IT application
Missing error handling block across all layers:
- User Interface – Flex
- Business Logic – C# .NET
- Data Access – SQL Server (T-SQL)
Securing a multi-tier IT application
Multiple violations across the same transaction make warfighter / broad end-user facing applications more vulnerable:
1. Input validation – 4 form fields without validator in user interface
2. Architecture design – action class talking to data access object, bypassing business layer
3. Database access security – multiple artifacts accessing and modifying data on the LOAN table, potentially containing confidential data
Making risk management actionable
- Identify and stabilize are the tactical steps
- To harden and optimize is a move towards proactive risk management
- Requires inserting some actionable processes into the application lifecycle
Measuring risk is important, but not enough
- At some point, inserting proactive prevention into application lifecycle
Cost vs. risk tradeoffs
- If you have Technical Debt – so what?
[Chart: Software Risk (low to high) against Technical Debt (low to high)]
IT risk management is an area of investment
[Charts: IT executives expect to spend more on IT risk; IT, and IT risk, is a C-level concern; who has responsibility for reputational risk due to IT?]
If you’re working on code quality, your efforts should be tied to managing software risk.
Market leader in Software Analysis & Measurement
Ambitious Mission – Rock Solid Foundation – Market Leader
Introduce fact-based transparency into application development and sourcing to transform it into a management discipline.
- Broad market presence in Europe, North America and India
- Strongly endorsed by software industry gurus and long term investors
- Over $100 million of investment in R&D, driven by top talent in computer science and software engineering
- Pioneer and recognized market leader since 1999
- CAST Research Labs, the world’s largest R&D facility dedicated to the science of software analysis & measurement (SAM)
“CAST metrics have become the de facto standard for measuring the quality and productivity of application services.” – Helen Huntley, Research VP, Gartner

Driving software measurement in the ADM industry
[Logos: Key influencers recognize CAST; 250 global leaders rely on CAST; institutions engage CAST; SIs resell CAST; SIs use/resell CAST; top technology; first in business IT; biggest benchmark DB]
CAST dashboards, reports & benchmarks

CAST Highlight – Portfolio Analysis
- Size
- Complexity
- Risk
- Technical debt estimation
Zero Deployment
- No centralized source code collection
- Portal results
- Full analysis report

CAST Application Intelligence Platform
Risk Drivers
- Robustness
- Performance
- Security
Cost Drivers
- Transferability
- Changeability
Alerts, trending, root cause analysis

Discovery Portal
- Automated App Blueprint
- Discover, modernize and change applications

Function Point Manager
• Automated FP counts
• Technical Sizing
• Effort Estimation
[Chart: Function Point Changes Due to a Sequence of Change Requests; #Function Points (0 to 40) against Cumulative Effort in Staff Hours (0 to 200), change requests 1 to 5]

Benchmarking Services
- Compare to industry, business process and technology
Year end assessment offer from CAST
- Immediate, actionable insight into a business critical application regarding:
– Resilience and stability risk
– Performance risk
– Portfolio risk assessment
- How it works:
– An assessment will typically take 3 weeks; the longest part of that is collecting all the source files
– Can be delivered by CAST or a certified AI Services partner
– Typically $10k to $50k for an assessment, depending on the size and complexity of the application
Contact Pete Pizzutillo for more information.
Contact Information
Pete Pizzutillo
p.pizzutillo@castsoftware.com
www.castsoftware.com
blog.castsoftware.com
linkedin.com/company/cast
@OnQuality
slideshare.net/castsoftware

Managing Software Risk with CAST

  • 1. Managing Software Risk with CAST Building Resilient Software to Support Business
  • 2. CAST Confidential 1 Webinar goal and content Goal: Understand how CAST can help avoid software glitches Content  Review of state of software risk in business technology industry  Analysis of reasons that software fails  Explanation of CAST technology for software analysis  Examples of potentially-lethal software CAST has uncovered  How to implement CAST as a quality gate to lower software risk
  • 3. CAST Confidential IT risk has become a serious concern 2 How IT Risk Impacts Business Percent of respondents identifying each business element Source: 2012 IBM Global Reputational Risk and IT Study n = 427 What Drives Reputation Risk
  • 4. CAST Confidential System outages have never been easy to control 3 Sources: The Register – 2008 Risk & Resilience Study, IDC Software Quality Study 2011 n = 200 Number of defects requiring patches in 12 months after production rollout 21% of project managers report over 50 defects in the first 12 months after rollout
  • 5. CAST Confidential Incidence of software “glitches” is clearly on the rise 4  Software is the primary culprit in system outages  Software glitches in live business systems happen frequently  Most of the time we don’t find out, but recently there’s more in the news Trading platforms & exchanges Airlines Sources: Wall Street Journal, Bloomberg, The Register – 2008 Risk & Resilience Study
  • 6. CAST Confidential Incidence of software “glitches” is clearly on the rise 5  Responsible for 10% of North America trading by volume  $440 million loss in 45 minutes
  • 7. CAST Confidential Air traffic control system Ticketing self-service website 6 Past forensics related to similar outages  Variable not sized properly, limited to 50 days of operation  IT procedure to reboot system every 30 days reset timer almost 3 weeks before it ran out  Until that procedure was changed  A user accidentally types a URL into the wrong field  Thousands of personal, records leaked all over the internet  Website service suspended for months until new version released
• 8. Are we just getting used to software failure?
• 9. Why does this happen?
  - System complexity keeps increasing
  - Too many applications to track
  - Hitting limits of doing more with less
  - Turnover and short-term-ism
  - Sourcing complexity & offshore
  - Speed of software production
  - Inadequate approach to QA
  No institutionalized product oversight at the structural level
• 10. Analyst perspectives on the problem, and solution
  “There is a balance between ‘just get it done’ and ‘do it the right way.’ A few additional quality measures help you find that balance.”
  “Addressing technical debt is really a risk decision for IT executives. I can invest in fixing some of the technical quality problems now, or risk that they result in outages, breaches or other problems that can cost far more.”
  “The architectural assessment of design consequences (on software performance, stability, adaptability, maintainability, and security vulnerabilities) is an area in which CAST excels and successfully differentiates from static analyzers.”
• 11. Defects in poor systems turn into software failures
  - Software delivered contains 5 potential defects per FP
  - Many defects are dormant in the code
  - Technical debt continues to mount
  Defect Origin – % of Severity 1 or 2 Defects (Severity 1 = total stoppage; Severity 2 = major disruption)
  1. Design defects 17.00%
  2. Code defects 15.00%
  3. Structural defects 13.00%
  4. Data defects 11.00%
  5. Requirements creep defects 10.00%
  6. Requirements defects 9.00%
  7. Web site defects 8.00%
  8. Security defects 7.00%
  9. Bad fix defects 4.00%
  10. Test case defects 2.00%
  11. Document defects 2.00%
  12. Architecture defects 2.00%
  TOTAL DEFECTS 100.00%
  Source: Capers Jones. Data collected from 1984 through 2011; about 675 companies (150 clients in Fortune 500 set); about 35 government/military groups; about 13,500 total projects; new data = about 50-75 projects per month; data collected from 24 countries; observations during more than 15 lawsuits.
• 12. Industry starting to pay attention to code quality
  But code quality & hygiene is only a small part of the solution
  Chart: searches for “code quality” – 60,700 (2009), 83,000 (2010), 168,000 (2011)
  Chart: violations that cause defects – % of violations crossing a phase boundary, Component-level Violations vs. Architecturally Complex Violations (labels: Dev, Test, 83%, 10%, Operations, 2%, 13%, 8X worse, 6X worse)
  Source: Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering
• 13. Measurement based on standards – Consortium for IT Software Quality (www.it-cisq.org)
  Characteristics, each covering architectural & system level flaws and coding & component level flaws:
  RELIABILITY: Multi-layer design compliance; Software manages data integrity and consistency; Exception handling through transactions; Class architecture compliance; Protecting state in multi-threaded environments; Safe use of inheritance and polymorphism; Patterns that lead to unexpected behaviors; Resource bounds management; Complex code; Managing allocated resources; Timeouts; Built-in remote addresses
  PERFORMANCE EFFICIENCY: Appropriate interactions with expensive and/or remote resources; Data access performance and data management; Memory, network and disk space management; Centralized handling of client requests; Use of middle tier components versus stored procedures and database functions; Compliance with Object-Oriented best practices; Compliance with SQL best practices; Expensive computations in loops; Static connections versus connection pools; Compliance with garbage collection best practices
  SECURITY: Input validation; SQL injection; Cross-site scripting; Failure to use vetted libraries or frameworks; Secure architecture design compliance; Error and exception handling; Use of hard-coded credentials; Buffer overflows; Broken or risky cryptographic algorithms; Missing initialization; Improper validation of array index; Improper locking; References to released resources; Uncontrolled format string
  MAINTAINABILITY: Strict hierarchy of calling between architectural layers; Excessive horizontal layers; Tightly coupled modules; Unstructured and duplicated code; Cyclomatic complexity; Controlled level of dynamic coding; Encapsulated data access; Over-parameterization of methods; Hard coding of literals; Commented out instructions; Excessive component size; Compliance with OO best practices
• 14. Technical debt is related to software risk
  - Most technical debt measures do not categorize the debt
  - There’s a lot of debt out there, and many questions about “when to pay it off?” and “which debt to focus on?”
  - It turns out only about 30% of technical debt has any immediate risk component
  Chart: Distribution of Technical Debt, n = 756 applications (365 million lines of code)
  Source: CRASH Report for 2011-2012, CAST Research Labs
• 15. CAST approach to software risk management (1/2)
  IDENTIFY
  - Risk reduction starts with identification of risks to understand the scale and scope of risks across an organization
  - Identification using automated tools for consistency and objectivity
  - Output of “Identify” stage should include portfolio view & high profile risks
  STABILIZE
  - Prioritized list provides an action plan
  - Focus on immediate, short-term risks to critical business systems
    – Security risks
    – Production defects
  - Reassess to validate that short term risks have been addressed
  Diagram: IDENTIFY (immediate risk, portfolio level) → STABILIZE (immediate risk, critical systems) → HARDEN (long-term risk, application level) → OPTIMIZE (long-term risk, application level)
• 16. CAST approach to software risk management (2/2)
  HARDEN
  - Move beyond short term, immediate risks to address the “long tail”
  - Focus on performance, robustness, security
  - Improving brittle systems to become responsive, adaptable
  OPTIMIZE
  - Shift to long-term thinking
  - Shift from process thinking to product thinking
  - Focus on improving maintainability and transferability of systems
  - Address organizational or process issues for long-term improvements
  - Technical debt management and reporting strategy
• 17. Analysis strategy for typical IT application portfolio
  Chart: effort (man-days/year) vs. importance to business (highest to lowest) – critical apps vs. entire application portfolio
  CAST AIP
  - Deep Structural Analysis
  - Risk Detection
  - Lean Application Development
  - Function Points & Productivity
  - Vendor Management
  - Continuous Improvement
  CAST Highlight
  - Fast Cloud-based Delivery
  - No source code aggregation
  - Key Metrics on Entire Portfolio
  - Size, Complexity and Risk analytics
  - Annual/Quarterly Benchmark
• 18. Portfolio risk review with Highlight
  Chart: Risk vs. Application Criticality. This chart examines business criticality against the risk level of the applications. 40 applications are situated in the high risk zone. These 40 applications require detailed assessment and planning for ongoing improvement.
• 19. Enterprise IT applications require depth of analysis
  Module Level
  - Intra-technology architecture
  - Intra-layer dependencies
  - Module complexity & cohesion
  - Design & structure
  - Inter-program invocation
  - Security Vulnerabilities
  System Level
  - Integration quality
  - Architectural compliance
  - Risk propagation simulation
  - Application security
  - Resiliency checks
  - Transaction integrity
  - Function point & EFP measurement
  - Effort estimation
  - Data access control
  - SDK versioning
  - Calibration across technologies
  Program Level
  - Code style & layout
  - Expression complexity
  - Code documentation
  - Class or program design
  - Basic coding standards
  Diagram labels: Architecture Compliance, Data Flow, Transaction Risk, Propagation Risk; technologies shown: Java, EJB, PL/SQL, Oracle, SQL Server, DB2, T/SQL, Hibernate, Spring, Struts, .NET, C#, VB, COBOL, C++, Sybase, IMS, Messaging, Java Web Services, JSP, ASP.NET, APIs
• 20. CAST going well beyond static analysis
  - Static Analysis – understanding of language syntax and grammar using source code parsing
  - Behavioral Simulation – analysis of some run-time behaviors to understand dynamic behaviors of applications
  - Dependencies – understanding of cross-layer and cross-technology links between application components
  - Code Pattern Scanning – finding patterns and anti-patterns in application control flow
  - Data Flow – tracking the use of the content of variables such as user inputs along static and dynamic call stacks
  - Architecture Checker – identification of invalid calls and references between application architectural layers
  - Rule Engine – analysis of knowledge base against quality rules, metrics and constraints to identify violations (non-compliant objects or situations)
  - Transaction Finder – identification and configuration of cross-layer and cross-technology transactions from UI down to data entities
  - Function Points – estimation of Function Points functional sizing, relying on data entities and application-wide transactions
  - Aggregation & Consolidation – aggregation and calibration of results along the quality model and consolidation across applications
  - Intelligent Configuration – capability to build object sets based on object properties, links, etc. to support layers, modules, and scope definition
  - Content Updater – adjustment of analysis results to better match application advanced behaviors
• 21. Simulating runtime behavior to resolve links in code
  Behavioral Simulation: emulating some run-time behaviors to understand dynamic behaviors of applications
  Consider “Select Title from Authors where Author = ” as a SQL statement
  Use (select) link between Java method “f()” and SQL table “Author” – quasi-runtime behavior
• 22. Multi-tier analysis for dependencies (1/2)
  Dependencies: capability to handle cross-layer and cross-technology links between application components
  Create links between Java Class and SQL Table
  Diagram: Address.java – Hibernate mapping (mapping.dtd) – Oracle table address
• 23. Multi-tier analysis for dependencies (2/2)
  Dependencies: capability to handle cross-layer and cross-technology links between application components
  Create links between JSP page and Action mapping
  Create links between Action mapping and Java class
  Diagram: Payment.jsp – Struts-config.xml – ActionPaymentMethod.java
• 24. AIP counts of framework diagnostics
  - Frameworks are the link between components in a well-architected system
  - There are also rules to using such constructs effectively
  Framework rule counts: Struts 1.x 21; Struts 2.x 9; Spring 3; Hibernate/JPA 23; EJB 8; JSF 1; Servlet 2; Tiles 1
• 25. Data flow – cross distributed architecture
  Data Flow: capability to track along static and dynamic call stacks the use of the content of variables such as user inputs
  Diagram: steps (1) to (4) of a SQL injection vulnerability – CWE-89
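As an added illustration of the source-to-sink tracking the slide's steps (1) to (4) describe (example code, not CAST's implementation or data format): a constructed call graph for a payment transaction is walked from the user input until it either reaches a SQL statement built by concatenation (reported as a CWE-89 candidate) or is neutralised by parameter binding. Object names and the `kind` labels are assumptions made for this example.

```python
from collections import deque

# Constructed model of one transaction, Struts form field down to the DAO
# (illustrative data, not CAST's knowledge base format).
# kind: "source" user-controlled value enters the application here
#       "pass"   value forwarded unchanged to the callees (propagation step)
#       "bind"   value only ever used as a bound SQL parameter (taint ends)
#       "sql"    value concatenated into a SQL string (CWE-89 sink)
PROGRAM = {
    "Payment.jsp:amountField": {"kind": "source", "next": ["PaymentAction.execute"]},
    "PaymentAction.execute":   {"kind": "pass",   "next": ["PaymentService.pay"]},
    "PaymentService.pay":      {"kind": "pass",   "next": ["PaymentDao.findByAmount",
                                                           "AuditDao.log"]},
    "PaymentDao.findByAmount": {"kind": "sql",    "next": []},  # "... WHERE amount = " + x
    "AuditDao.log":            {"kind": "bind",   "next": ["AuditDao.insert"]},
    "AuditDao.insert":         {"kind": "sql",    "next": []},  # only reached via binding
}

def tainted_paths(program):
    """Breadth-first walk from every source; a path is reported when it reaches
    a concatenating SQL sink without passing through a binding step."""
    findings = []
    for name, node in program.items():
        if node["kind"] != "source":
            continue
        queue = deque([[name]])
        while queue:
            path = queue.popleft()
            current = program[path[-1]]
            if current["kind"] == "bind":
                continue                      # parameterised: taint neutralised
            if current["kind"] == "sql":
                findings.append(tuple(path))  # user input reaches raw SQL text
                continue
            for callee in current["next"]:
                if callee not in path:        # guard against recursive calls
                    queue.append(path + [callee])
    return findings

def report(program):
    """Human-readable lines, one per CWE-89 candidate path."""
    return ["CWE-89: " + " -> ".join(p) for p in tainted_paths(program)]

def with_binding(program, sink):
    """Same model after the sink has been rewritten to use a bound parameter."""
    fixed = {k: dict(v) for k, v in program.items()}
    fixed[sink]["kind"] = "bind"
    return fixed

if __name__ == "__main__":
    print("\n".join(report(PROGRAM)))
    print("after fix:", report(with_binding(PROGRAM, "PaymentDao.findByAmount")))
```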
• 26. Configuring rules specific to enterprise architecture
  Architecture Checker: capability to identify invalid calls and references between application architectural layers
• 27. Security breach due to architecture misuse
  - For example: banking application, for monitoring reasons, all database calls must go through specific stored procedures
  - Investigations showed:
    – Many transactions developed offshore did not comply with secure architecture framework
    – Without automation, this could not be monitored
      • 100 UI elements (250 kloc)
      • 2000 mid-tier programs (1 mloc)
      • 250 tables, 350 kloc of PL/SQL
  - Use of Architecture Checker
    – to define the desired architecture
    – to generate and enforce the appropriate quality rules
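An added example (not CAST's Architecture Checker or its rule format) of the two checks the banking case calls for, run over a constructed dependency model of a three-tier application: a strict calling hierarchy between layers, and the rule that only stored procedures may touch tables. Layer names, object names and links are assumptions made for this example.

```python
# Constructed three-tier model (illustrative, not CAST's format). Layers are
# ordered from the UI downwards; each object carries its layer and, for
# database objects, whether it is a stored procedure or a table.
LAYERS = ["UI", "Business", "DataAccess", "Database"]
OBJECTS = {
    "AccountPage.jsp":      ("UI", "jsp"),
    "AccountAction.java":   ("UI", "class"),          # Struts action, presentation tier
    "TransferService.java": ("Business", "class"),
    "AccountDao.java":      ("DataAccess", "class"),
    "LoanDao.java":         ("DataAccess", "class"),  # the non-compliant offshore code
    "SP_GET_BALANCE":       ("Database", "procedure"),
    "ACCOUNT":              ("Database", "table"),
    "LOAN":                 ("Database", "table"),
}
LINKS = [  # (caller, callee) as a dependency analysis would record them
    ("AccountPage.jsp", "AccountAction.java"),
    ("AccountAction.java", "TransferService.java"),
    ("TransferService.java", "AccountDao.java"),
    ("AccountDao.java", "SP_GET_BALANCE"),
    ("SP_GET_BALANCE", "ACCOUNT"),
    ("AccountAction.java", "LoanDao.java"),   # skips the business layer
    ("LoanDao.java", "LOAN"),                 # reads the table without a procedure
]

def check_architecture(objects, links, layers=LAYERS):
    """Apply two rules to every link and return (rule, caller, callee) triples.
    Rule 1 (strict layering): a call may stay in its layer or go exactly one
    layer down. Rule 2 (the banking example): only stored procedures may
    access tables, so every table access stays visible to DB-side monitoring."""
    rank = {layer: i for i, layer in enumerate(layers)}
    violations = []
    for caller, callee in links:
        src_layer, src_kind = objects[caller]
        dst_layer, dst_kind = objects[callee]
        step = rank[dst_layer] - rank[src_layer]
        if step not in (0, 1):
            violations.append(("layer-skip", caller, callee))
        if dst_kind == "table" and src_kind != "procedure":
            violations.append(("direct-table-access", caller, callee))
    return violations

def summary(violations):
    """Counts per rule, the kind of figure a quality dashboard reports."""
    counts = {}
    for rule, _, _ in violations:
        counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    for rule, caller, callee in check_architecture(OBJECTS, LINKS):
        print(f"{rule}: {caller} -> {callee}")
    print(summary(check_architecture(OBJECTS, LINKS)))
```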
• 28. “UPDATE” trigger causing big problems at a global services provider
  - In reservation system, Java application must access legacy mainframe to finalize transaction. In production, a performance issue occurred when a volume of transactions occurred at one time.
  - Investigation showed:
    – Abnormal activity on the database due to an "on update" trigger that was fired too frequently.
    – The Hibernate ‘show SQL property’ revealed that the trigger was firing even if the data had not changed. Error was due to a specific parameter in Hibernate: select-before-update on the entity that was set to false. When set to false, Hibernate updated the table systematically.
  Diagram: MY_ENTITY (columns A, B, C, D) – MyUpdateTrigger always fired
• 29. 90% performance improvement in large mainframe batch process
  Real, measurable performance improvement numbers after fixing open/close inside loops. We get around 90% performance improvement.
• 30. Application shows a potentially dangerous lack of data control
  Reduce risk – better use of safe components
• 31. Propagated Risk Index (PRI) explained
  Violation with the largest impact on the rest of the application, regarding Robustness, Performance, or Security
  Diagram layers: GUI Layer, Logic Layer, Data Layer
• 32. Propagated Risk Index – prioritize findings
  - Allows rapid identification of the most significant critical violations related to a Health Factor
  - PRI is based on
    – Violation Index (VI), which assesses the quality issues of a defective object for a specific Health Factor
    – Risk Propagation Factor (RPF), which assesses the number of call paths of a defective object
  Screens: Violation View; Context (software / Health Factor)
• 33. Transaction Risk Index (TRI)
  - Identify the riskiest transactions for pen testing, remediation
  - Sum of Violation Indices (VIs) of the objects along a specific transaction: Robustness, Performance or Security.
  Screens: Transaction View; Transaction Details View
• 34. Transaction Weight Risk Index explained
  Transaction with largest number of Robustness, Performance or Security violations
  Diagram layers: GUI Layer, Logic Layer, Data Layer
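An added worked computation of the two indices from slides 32 to 34 over a constructed GUI/Logic/Data call graph (example code, not CAST's implementation). TRI is computed exactly as the slide defines it, the sum of the VIs along a transaction; the PRI formula (RPF = number of transactions through an object, PRI = VI × RPF) is an assumption, since the slide only says PRI is based on VI and RPF, and the VI values are constructed.

```python
# Constructed call graph across GUI, Logic and Data layers (illustrative, not
# CAST's knowledge base) plus a Violation Index (VI) per object for one
# Health Factor, e.g. Security. Entry points are the objects nobody calls.
CALLS = {
    "LoginPage":      ["AuthService"],
    "PaymentPage":    ["PaymentService", "AuthService"],
    "AuthService":    ["UserDao"],
    "PaymentService": ["PaymentDao", "UserDao"],
    "UserDao":        ["USERS"],
    "PaymentDao":     ["PAYMENTS"],
    "USERS":          [],
    "PAYMENTS":       [],
}
VI = {"LoginPage": 1, "PaymentPage": 2, "AuthService": 0, "PaymentService": 3,
      "UserDao": 4, "PaymentDao": 1, "USERS": 0, "PAYMENTS": 0}

def transactions(calls):
    """Every call path from an entry point down to a data entity (a transaction)."""
    called = {c for callees in calls.values() for c in callees}
    roots = sorted(set(calls) - called)
    paths = []
    def walk(path):
        callees = calls[path[-1]]
        if not callees:
            paths.append(tuple(path))
        for callee in callees:
            if callee not in path:          # ignore recursive cycles
                walk(path + [callee])
    for root in roots:
        walk([root])
    return paths

def transaction_risk_index(calls, vi):
    """TRI as the slide defines it: sum of the VIs of the objects on a transaction."""
    return {path: sum(vi[obj] for obj in path) for path in transactions(calls)}

def propagated_risk_index(calls, vi):
    """Assumed PRI formula: RPF = number of transactions passing through the
    object, PRI = VI * RPF, so a defect on a widely shared object ranks first."""
    rpf = {obj: 0 for obj in calls}
    for path in transactions(calls):
        for obj in path:
            rpf[obj] += 1
    return {obj: vi[obj] * rpf[obj] for obj in calls}

def ranked(index):
    """Highest-risk item first, as the dashboard views prioritise them."""
    return sorted(index.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for path, tri in ranked(transaction_risk_index(CALLS, VI)):
        print(f"TRI={tri:2d}  {' -> '.join(path)}")
    for obj, pri in ranked(propagated_risk_index(CALLS, VI))[:3]:
        print(f"PRI={pri:2d}  {obj}")
```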
• 35. Stabilizing a multi-tier IT application
  Missing error handling block across all layers: User Interface – Flex; Business Logic – C# .NET; Data Access – SQL Server (T-SQL)
• 36. Securing a multi-tier IT application
  Multiple violations across the same transaction make warfighter / broad end-user facing applications more vulnerable
  - (1) Input validation – 4 form fields without validator in user interface
  - (2) Architecture design – action class talking to data access object bypassing business layer
  - (3) Database access security – multiple artifacts accessing and modifying data on the LOAN table potentially containing confidential data
• 37. Making risk management actionable
  - Identify and stabilize are the tactical steps
  - To harden and optimize is a move towards proactive risk management
  - Requires inserting some actionable processes into the application lifecycle
• 38. Measuring risk is important, but not enough
  - At some point, inserting proactive prevention into application lifecycle
• 39. Cost vs. risk tradeoffs
  - If you have Technical Debt – so what?
  Chart: Technical Debt (L to H) vs. Software Risk (L to H)
• 40. IT risk management is an area of investment
  IT executives expect to spend more on IT risk
  IT, and IT risk, is a C-level concern
  Chart: Who has responsibility for reputational risk due to IT?
  If you’re working on code quality, your efforts should be tied to managing software risk
• 41. Market leader in Software Analysis & Measurement
  Ambitious Mission: Introduce fact-based transparency into application development and sourcing to transform it into a management discipline
  Rock Solid Foundation / Market Leader
  - Broad market presence in Europe, North America and India
  - Strongly endorsed by software industry gurus and long term investors
  - Over $100 million of investment in R&D, driven by top talent in computer science and software engineering
  - Pioneer and recognized market leader since 1999
  - CAST Research Labs, the world’s largest R&D facility dedicated to the science of software analysis & measurement (SAM)
  “CAST metrics have become the de facto standard for measuring the quality and productivity of application services.” – Helen Huntley, Research VP, Gartner
• 42. Driving software measurement in the ADM industry
  Key Influencers Recognize CAST; 250 Global Leaders Rely on CAST; Institutions Engage CAST; SIs Resell CAST; SIs Use/Resell CAST
  Labels: Top technology; First in business IT; Biggest benchmark DB
• 43. CAST dashboards, reports & benchmarks
  CAST Highlight – Portfolio Analysis
  - Size
  - Complexity
  - Risk
  - Technical debt estimation
  Zero Deployment
  - No centralized source code collection
  - Portal results
  - Full analysis report
  CAST Application Intelligence Platform – Risk Drivers
  - Robustness
  - Performance
  - Security
  Cost Drivers
  - Transferability
  - Changeability
  Alerts, trending, root cause analysis
  Discovery Portal – Automated App Blueprint: discover, modernize and change applications
  Function Point Manager
  - Automated FP counts
  - Technical Sizing
  - Effort Estimation
  Chart: Function Point Changes Due to a Sequence of Change Requests (# function points vs. cumulative effort in staff hours)
  Benchmarking Services: compare to industry business process and technology
• 44. Year end assessment offer from CAST
  - Immediate, actionable insight into a business critical application regarding:
    – Resilience and stability risk
    – Performance risk
    – Portfolio risk assessment
  - How it works:
    – An assessment will typically take 3 weeks; the longest part of that is collecting all the source files
    – Can be delivered by CAST or a certified AI Services partner
    – Typically $10k to $50k for an assessment, depending on the size and complexity of the application
  Contact Pete Pizzutillo for more information
• 45. Contact Information
  Pete Pizzutillo, p.pizzutillo@castsoftware.com
  www.castsoftware.com
  blog.castsoftware.com
  linkedin.com/company/cast
  @OnQuality
  slideshare.net/castsoftware