The global economy is in danger of collapsing under a mountain of debt — and guess what? So is the software that runs your company, according to a study this week from CAST, a software analysis and measurement company. The report shows that enterprise software is loaded with technical debt. That’s the term for the cost of fixing all the quality defects that remain in an application’s code after it’s released. Make that all the deliberate shortcuts and shoddy work. Technical debt is calculated only on violations that the organization intends to remediate.
Based on an analysis of 745 applications submitted by 160 organizations in 10 industry segments and representing 365 million lines of code, CAST calculates it costs businesses millions of dollars to fix technical debt — and companies are not budgeting for it.
“The findings revealed an average technical debt of $3.61 per line of code,” said Bill Curtis, CAST’s chief scientist and senior vice president of CAST Research Labs.
That debt adds up: Nearly 15% of the applications examined by CAST had more than a million lines of code. Just like the kind of debt that weighs on many of us 99%-ers, technical debt incurs interest as the violations go unfixed, so it just gets bigger and bigger over time. Research house Gartner predicts global technical debt will reach $1 trillion by 2015.
Notable findings in the CAST report:
- Java apps, accounting for about 45% of the study sample, scored lower on performance and carried more technical debt than apps using other languages — $5 per line of code compared with the average $3.61.
- COBOL apps (yes, these monsters are still around) scored highest in security. They deteriorate in quality as they get bigger, however, unlike their less secure but more modular, newer relatives, Java EE and .NET. (.NET apps scored lowest on security.)
- Structural defects were equally prevalent in outsourced apps and those developed in-house. This finding might be skewed, however, by the fact that most outsourced apps were developed in-house originally before being farmed out for maintenance, Curtis said.
“Even though we have known for two decades that things like cross-site scripting, SQL injection and buffer overflows are huge opportunities for hackers to break in, we still see those things in the code; and that is a huge problem,” Curtis said. “The problem is that you don’t always know which violation in the code is the one that is going to cause the outage or offer a hacker the way in.”
But you do know it’s going to cost millions to fix when it happens.
This leaves CIOs between a rock and a hard place when it comes to managing the risk of technical debt. You can’t fix everything — and you don’t want to, Curtis said. What CIOs need to identify are the most severe violations that carry the highest cost for the maintenance of the system or have the highest risk to the business — “for an outage or data corruption or a security breach or performance problem” — and then go fix those.