September 17th 2014–New York/London—CAST, a leader in software analysis and measurement, today revealed new findings from its 2014 CAST Research on Application Software Health (CRASH) that confirms enterprise software built using a mixture of Agile and Waterfall methods – with an up-front emphasis on architectural quality and design – will result in more robust and secure applications than those built using either Agile or Waterfall methods alone.
“This research confirms a suspicion that many in the industry have long held – but that some in the Agile community ignored: Development teams that disregard architectural quality at the start of development are introducing serious business risk into their organization,” says Dr. Bill Curtis, SVP and Chief Scientist at CAST and primary author of the CRASH Report. “Our research shows that applications produced using traditional Agile or Waterfall methods alone have more security vulnerabilities, more reliability and performance issues, and a higher cost to maintain than those produced with a mixed method. It’s time to take the religion out of software development and get back to sound software engineering.”
Analyzing architectural and code quality weaknesses in 186 different enterprise-grade applications built using Java-EE, the CRASH Report found that over three quarters of the robustness, security, and changeability scores for applications developed with a mix of Agile and Waterfall methods were higher than the median scores for projects using only Agile methods. In essence, applications developed and maintained using a mix of Agile and Waterfall methods were found to have far fewer architectural and code quality weaknesses that could result in outages, security breaches, or lengthy enhancement cycles. In addition, there was less variation in the structural quality of applications developed with an Agile/Waterfall mix compared to projects developed using other methods. The report did not find differences in architectural or code quality between applications developed with only Agile or Waterfall methods. However, applications reported to be developed using no defined method resulted in the lowest code quality.
“There are quite a few organizations claiming they’re Agile, but aren’t actually following how it was designed. Rather, they use it as an excuse to do whatever they want and crank out code quickly,” says CAST Executive Vice President Lev Lesokhin, a co-author of the report. “Other Agile organizations assume that the right architecture will emerge over time, only to run into problems down the line trying to refactor the architecture with a growing code base. It’s becoming increasingly important to secure your architectural quality and design before writing the first line of code.”
The CRASH Report also produced the first confirmation that the code quality of applications produced by low maturity, CMMI Level 1 organizations is significantly worse than that produced by organizations appraised at CMMI Level 2 or higher. Whether applications were developed in-house or outsourced had no impact on code quality, and whether they were developed on-shore or off-shore had only minor effects. Applications developed for more than 5000 users, typically those that are customer-facing, were found to have higher code quality than those developed for use by fewer than 5000.

Kaynak : 