Automation, when done properly, can improve the productivity, quality, safety, and security in your software development.
Automation isn’t just a “nice-to-have” element of modern business. It’s a “must-have.” Companies simply can’t compete on multiple levels—quality, speed to market, safety, and security—if they rely on manual tools and processes.
That’s especially true when it comes to software, which powers everything in business from finance to human resources, marketing, products, and services. The quality of that software is crucial—it has to function as intended and do so safely, reliably, and securely. And when it comes to testing that software for design flaws or random defects in thousands of lines of code, an automated tool can find in milliseconds what it could take a team of humans hours, days or even weeks to find. As is obvious, humans don’t scale.
But automation has to work effectively and reliably as well. If an automated testing tool misses a design flaw in a program controlling a robot on an assembly line, it will multiply problems instead of solving them. If it doesn’t catch a vulnerability in the software for an application or network, it could open an organization to a catastrophic cyber attack.
Hence the need for quality standards in automation. And the good news is that they now exist, in the form of the International Organization for Standardization/International Electrotechnical Commission’s ISO/IEC 5055:2021 – Automated Source Code Quality Measures (ASCQM). The Object Management Group and the Consortium for Information & Software Quality (CISQ) announced publication of the standard on April 7, 2021.
Joe Jarzombek, a retired U.S. Air Force Lt. Colonel with over 30 years of experience with defense agencies, military services, and the defense industry, is the director for government and critical infrastructure programs with Synopsys and a member of the CISQ governing board. He describes ISO 5055 as a “standard for measuring the internal structure of a software product on four business-critical factors: security, reliability, performance efficiency, and maintainability. These are the factors that determine how trustworthy, dependable, and resilient a software system will be.”
The ISO 5055 standard is hugely significant, Jarzombek pointed out, because while the ISO/IEC 25000 series of standards that govern software product quality has been around for more than a decade, it doesn’t really focus on the source code level.
“Before ISO 5055 there was no international standard for measuring the quality and integrity of a software system by analyzing its internal construction to detect severe structural weaknesses,” he said, likening that lack to evaluating a house only from its exterior “without ever checking its internal structure for wood rot.”
Jarzombek also noted that many existing software standards have been reactive, measuring the operational damage from severe weaknesses after the fact. By contrast, ISO 5055 focuses on helping organizations “build security in” to their software while it’s being developed, with proactive measures that enable structural weaknesses to be identified and eliminated before they cause operational problems.
As the “Building Security In Maturity Model” (BSIMM) report by Synopsys has documented for more than a decade, finding and fixing defects in software during the development life cycle is both cheaper and faster than fixing the operational and security problems those defects generate after a product is on the market.
Indeed, a report last year by the CISQ, in partnership with Synopsys, titled “The Cost of Poor Software Quality in the US,” noted that it’s about 10 times more expensive to fix software defects after a product has been released than to find and fix them during development.
And the way to find and fix them during development is by using effective automated tools. Jarzombek believes that IT organizations should select a vendor technology that conforms with ISO 5055.
The ISO 5055 standard includes a list of the most dangerous weaknesses, which are taken from the Common Weakness Enumeration (CWE) list maintained by the MITRE Corp. A good static application security testing (SAST) tool, which analyzes software code while it is being written and before it is running, will find known weaknesses on the CWE list.
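To make concrete what “analyzing code before it runs and matching it against CWE entries” means in practice, here is a toy static checker written as an added example for this article; it is not code from the article, from Synopsys, CISQ, or any ISO 5055 conforming tool. It walks the Python syntax tree and flags three patterns that correspond to real CWE entries (CWE-78 OS command injection, CWE-95 eval injection, CWE-798 hard-coded credentials). The sample source it scans is constructed to contain those weaknesses on purpose; a production SAST tool adds dataflow and taint analysis on top of this kind of pattern match, which is what lets it distinguish user-controlled input from constants.

```python
"""Toy SAST check: walk a Python AST and flag a few CWE-listed weakness patterns.

Added example, not part of the original article. The CWE identifiers are real
MITRE entries; the sample source and the checker itself are constructed here.
"""
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample source, deliberately containing three weaknesses and one safe call.
SAMPLE_SOURCE = '''
import subprocess
PASSWORD = "hunter2"
def run(user_input):
    subprocess.call("ls " + user_input, shell=True)
    return eval(user_input)
def safe(user_input):
    subprocess.call(["ls", user_input])
'''

CREDENTIAL_HINTS = ("password", "secret", "token")


@dataclass
class Finding:
    cwe: str
    line: int
    message: str


class WeaknessVisitor(ast.NodeVisitor):
    """Collects findings while walking the tree; one method per node type of interest."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # CWE-798: a credential-looking name assigned a non-empty string literal.
        for target in node.targets:
            if isinstance(target, ast.Name) and any(h in target.id.lower() for h in CREDENTIAL_HINTS):
                value = node.value
                if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                    self.findings.append(Finding("CWE-798", node.lineno, f"hard-coded credential in {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # CWE-95: any call to the eval() builtin.
        if isinstance(func, ast.Name) and func.id == "eval":
            self.findings.append(Finding("CWE-95", node.lineno, "eval() call"))
        # CWE-78: subprocess.<fn>(<non-literal command>, shell=True).
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) and func.value.id == "subprocess":
            shell_true = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(
                    Finding("CWE-78", node.lineno, f"subprocess.{func.attr} with shell=True and a dynamic command")
                )
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse the source and return findings ordered by line number."""
    visitor = WeaknessVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.cwe}: {finding.message}")
```

Running it reports the credential on line 3, the shell command on line 5 and the eval on line 6 of the sample, and stays silent on the list-form `subprocess.call`, which passes its arguments without a shell. That silence is the point of matching on structure rather than on the name `subprocess` alone: a checker that flags every call would bury developers in the kind of noise the article warns about.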
“Static analysis at the system level should become a standard task in vendor acceptance, application modernization, and quality assurance processes,” Jarzombek said.
Besides SAST, other automated tools that can improve software quality (which includes security and safety) while it’s being written and built include dynamic and interactive application security testing, which find bugs or other defects when code is running and when it’s interacting with external input.
Software composition analysis (SCA) can help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components, which are now the large majority of every software codebase. A good SCA tool will identify open source components, as well as which version is being used.
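The two things the paragraph asks of an SCA tool, identifying which components and versions are in use and matching them against known-vulnerability data, can be shown with a small Python example. This is an added example, not code from the article or from any Synopsys product; the dependency manifest, the package names, the version ranges and the advisory identifiers are all constructed placeholders. It also handles the case a real tool must deal with: a dependency that is not pinned to an exact version cannot be assessed from the manifest alone and should be reported as such rather than silently passed.

```python
"""Toy SCA check: read a requirements-style manifest and match pinned versions
against an advisory list. Added example; all package names, versions and advisory
identifiers below are constructed placeholders, not real advisories."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed manifest (requirements.txt style); not from any real project.
REQUIREMENTS = """\
# web stack
examplelib==1.4.2
otherlib==3.1.0
thirdlib>=2.0    # not pinned: exact version unknown from the manifest
"""

# Constructed advisory data: package -> [(vulnerable_from, fixed_in, advisory id)].
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("1.0.0", "1.5.0", "ADVISORY-PLACEHOLDER-1")],
    "otherlib": [("0.1.0", "2.4.0", "ADVISORY-PLACEHOLDER-2")],
}

REQUIREMENT_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so tuple comparison orders versions numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) for each dependency line; comments and blanks are skipped."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQUIREMENT_LINE.match(line)
        if match:
            components.append((match.group(1).lower(), match.group(2), match.group(3)))
    return components


def affected(version: str, vulnerable_from: str, fixed_in: str) -> bool:
    """A version is affected when vulnerable_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(vulnerable_from) <= v < parse_version(fixed_in)


def scan_manifest(text: str, advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, note) for each unpinned dependency and each advisory match."""
    report = []
    for name, operator, version in parse_requirements(text):
        if operator != "==":
            # Cannot tell which version will be installed; flag it instead of guessing.
            report.append((name, version, "UNPINNED: exact version not determinable from manifest"))
            continue
        for vulnerable_from, fixed_in, advisory_id in advisories.get(name, []):
            if affected(version, vulnerable_from, fixed_in):
                report.append((name, version, f"{advisory_id}: fixed in {fixed_in}"))
    return report


if __name__ == "__main__":
    for name, version, note in scan_manifest(REQUIREMENTS, ADVISORIES):
        print(f"{name} {version}: {note}")
```

With the constructed data, `examplelib` 1.4.2 falls inside the affected range and is reported with the version that fixes it, `otherlib` 3.1.0 is past its advisory's fix and is not reported, and `thirdlib` is flagged as unpinned. A real SCA tool resolves the full transitive dependency tree and reads lockfiles, which is what turns the unpinned case into a definite answer.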
And for IT departments worried that the use of multiple testing tools will slow development down, Synopsys Intelligent Orchestration is in the works. Meera Rao, senior director of product management in the Synopsys Software Integrity Group, has called Intelligent Orchestration an automated “heart and brain” for DevOps workflows. Intelligent Orchestration calls for the right software testing at the right time, instead of overwhelming developers with so many security notifications that they start treating it as unwelcome background noise.
“With DevOps, testing, deployment, and infrastructure are all automated using Intelligent Orchestration,” she said.
Bottom line: Automation, done right, enhances the quality, safety, and security of software. It helps protect data and avoid data leakage on websites. And it helps organizations achieve regulatory compliance, increase productivity, and minimize costs and time to market.
All of which will help organizations be more competitive at much lower risk.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.