
FROM KILLER APPS TO APP KILLERS

The Devastating Impact of Architecturally Complex Defects

Art inspired by original artwork Anatomy of a Murder by Saul Bass

Year after year, killer apps developed by organizations that rely upon technology to service their clients face app killers like major outages, malfunctions, and security breaches that disrupt business and damage reputations. Sadly, nearly all of these failures had an architectural flaw that had gone undetected.

The technical diversity that gives modern business applications their unique power and flexibility comes at a cost of staggering complexity. Quite simply, the complexity of modern business applications exceeds the capability of any single individual or team to understand all of the potential interactions among the component languages and technologies. Organizations are now faced with the devastating impact of Architecturally Complex Violations.

Architecturally Complex Violations constitute 8% of violations, but they are:

52% of the repair effort
8X more likely to escape into testing
6X more likely to escape operations

TERMINOLOGY

Architecturally Complex Violation
A structural flaw involving interactions among multiple components that may reside in different application layers

Architectural Hotspot
A component that contributes to many Architecturally Complex Violations

Figure: Architecture of Decay. A map of the defect fix relationships among Architectural Hotspots. Layers shown: User Interface, Logic, Data.

EFFORT DRIVERS

% of Total Violations: Architecturally Complex Violations 8%, Component-Level Violations 92%
% of Effort to Correct: Architecturally Complex Violations 52%, Component-Level Violations 48%

LinkedIn experienced a security breach exposing 6.4M passwords

Why do Architecturally Complex Violations take more effort to fix?

They are multi-component and therefore require a lot more files to fix than a Code-Level Violation. Reported data indicates that frequently as many as 20 different modifications to files are required to remediate a single architecturally complex defect.

COST DRIVERS

Figure: Relative number of changes to correct an Architecturally Complex Violation. Most Component-Level Violations are fixed with a single change.

Sony suffered a dozen attacks at the hands of the LulzSec Group, which exposed customer accounts resulting in 55 class action lawsuits and cost $178M

Why are Architecturally Complex Violations more costly to fix?

These defects are more expensive to fix because they involve interactions between multiple tiers of the application, often written in different languages and hosted on different platforms. These violations require much more involvement and coordination across teams to ensure that the fix is resolved system-wide.

PROBLEM DRIVERS

Figure: % of violations crossing a phase boundary, for Test and Operations. Architecturally Complex Violations: 8X worse (Test), 6X worse (Operations). Values shown: 83%, 10%, 13%, 2%.

Knight Capital trading system had an algorithmic error which caused erratic trading activity and left the firm with billions of dollars in unwanted securities and $400M loss.

Why are Architecturally Complex Violations worse as they cross phases?

Since Complex Violations are more likely to persist into operations, they are more likely to cause operational problems than the single component violations that tend to get caught earlier.

DECAY DRIVERS

80% of Architecturally Complex Violations involve an Architectural Hotspot. Architectural Hotspots reveal concentrations of architectural decay

Architecture of Decay

A map of the most frequent fix relationships among Architectural Hotspots reveals the Architecture of Decay but it also presents a roadmap to guide high-value remediation and the greatest opportunities to restore the structural health of an application.

Big problems are often the result of several interacting weaknesses in the code, none of which caused the problem by itself. Preventing application-level defects requires analysis of all the interactions between components of heterogeneous technologies. Reliably detecting software quality problems requires an analysis of each application component in the context of the entire application as a whole: an evaluation of application quality rather than code quality.

BUSINESS DRIVERS

Application Quality analyzes the software across all of the application's languages, tiers, and technologies to measure how well all of the application's components come together to create operational performance and overall maintainability.

You will rarely detect Architecturally Complex Violations with unit tests or code analyzers. To detect these App Killers you need the CAST Application Intelligence Platform. A dynamic business environment, new technology, and multiple sourcing options amplify the complexity of business application software. Since even the most talented developers can no longer know all of the nuances of the different languages, technologies, and tiers in an application, their capability needs to be augmented by automated tools to evaluate the entire application. Without such assistance, defects hidden in the interactions between application tiers will place the business at risk for outages, degraded service, security breaches, and corrupted data.

CAST AIP is unique in its ability to find structural defects early at build time when the code can first be analyzed at the level of the entire application. Detection and repair at this point can be an order of magnitude cheaper than if these structural flaws slip into the final stages of testing where they are deeply embedded in the application and a larger portion of the code will have to be torn down and rebuilt.

To find out more about CAST AIP visit www.castsoftware.com/AIP

SUMMARY
Enterprise-grade analysis requires a 3-tiered approach

CAST Application Intelligence Platform


CAST Application Intelligence Platform (AIP) is the only enterprise-grade software quality assessment and performance
measurement solution available. CAST AIP inspects source code, identifies and tracks quality issues, and provides
the data to monitor development performance. CAST can read, analyze, and semantically understand most kinds of
source code, including scripting and interface languages, 3GLs, 4GLs, and web and mainframe technologies, across all
layers of an application (UI, logic, and data). By analyzing all tiers of a complex application, CAST measures quality and
adherence to architectural and coding standards, while providing visual specification models.

Sources:
Z. Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering, 16 (5), 667-702.
M. Leszak, et al. (2000). A case study of root cause defect analysis. Proceedings of the 22nd International Conference on Software Engineering. Los Alamitos, CA: IEEE Computer Society, 428-437.
A. von Mayrhauser, et al. (2000). Deriving fault architectures from defect history. Journal of Software Maintenance: Research and Practice, 12 (5), 287-304.

ABOUT CAST
Call: 877-852-2278
Email: info@castsoftware.com
Visit our Web site: www.castsoftware.com

CAST is a pioneer and world leader in Software Analysis and Measurement, with unique technology resulting from
more than $100 million in R&D investment. CAST introduces fact-based transparency into application development
and sourcing to transform it into a management discipline. More than 250 companies across all industry sectors and
geographies rely on CAST to prevent business disruption while reducing hard IT costs. CAST is an integral part of
software delivery and maintenance at the world's leading IT service providers such as IBM and Capgemini.
Founded in 1990, CAST is listed on NYSE-Euronext (Euronext: CAS) and serves IT intensive enterprises worldwide with a
network of offices in North America, Europe and India. For more information, visit www.castsoftware.com
