Bill Curtis with Consortium for Information and Software Quality
Industrial Talk is onsite at OMG, Q1 Meeting and talking to Bill Curtis, Executive Director with the Consortium for Information and Software Quality about “ISO 5055 – Software quality standards to positively impacting industry”.
The conversation centered around the importance of prioritizing software quality to improve productivity and reduce costs. The speakers highlighted the significant financial costs associated with software quality issues and emphasized the need for implementing and applying software security standards in the industry. They also discussed automated source code quality measures and the importance of software quality standards and certification, with one speaker expressing a preference for free and open-source software and the other emphasizing the need for a certification exam to test developers' knowledge of ISO 5055.
Action Items
- [ ] Update ISO/IEC 5055 to include new measures around data protection and resource sustainability.
- [ ] Submit annexes to ISO/IEC 5055 covering the new measures.
- [ ] Develop a certification exam on ISO/IEC 5055 through OMG for developers and quality assurance professionals.
- [ ] Connect with Bill Curtis via ACM.org or LinkedIn for more information on software quality standards and initiatives.
Outline
Software quality, technical debt, and cost of poor quality software.
- Dr. Bill Curtis, leading expert on capability maturity model, discusses software bombs and cybersecurity.
- Bill discusses the high cost of poor quality software, citing a report that estimates $1.5 trillion in annual costs.
- Bill emphasizes the importance of executive management in protecting the development team from unnecessary requirements and technical debt.
Software quality issues and their costs in the billions.
- Bill: Technical debt costs in the 9-10 digits, with estimates reaching $175 million pounds.
- Bill: Quantifying technical debt is challenging, but public sources provide reasonably based estimates.
- Expert panel identified 75 serious weaknesses in software systems.
Software security weaknesses and how to address them using static analysis technology.
- OMG developed a standard for software security, ISO approved it in 2021.
- Bill: Setting thresholds for software weaknesses in contracts with suppliers.
- Bill: Static analysis technology helps evaluate existing systems for security vulnerabilities.
- Bill: System-level weaknesses require prioritization, not just code-level fixes.
- Companies work with partners for security weakness identification and remediation.
Software quality standards and ISO 5055.
- Bill discusses the importance of keeping ISO standards up-to-date, citing examples of expanded weaknesses and sustainability issues.
- OMG team is responsible for updating the ISO standard, relying on submitters to keep it current, and adding new annexes for data protection and resource sustainability.
- Bill discusses submitting additional measures to improve software quality, while Scott promotes connecting with Bill Curtis for expertise on software quality standards.
If interested in being on the Industrial Talk show, simply contact us and let's have a quick conversation.
Finally, get your exclusive free access to the Industrial Academy and a series on “Marketing Process Course” for Greater Success in 2024. All links designed for keeping you current in this rapidly changing Industrial Market. Learn! Grow! Enjoy!
BILL CURTIS' CONTACT INFORMATION:
Personal LinkedIn: https://www.linkedin.com/in/bill-curtis-bab9985/
Company Website: https://www.it-cisq.org/standards/code-quality-standards/
PODCAST VIDEO:
OTHER GREAT INDUSTRIAL RESOURCES:
NEOM: https://www.neom.com/en-us
Hexagon: https://hexagon.com/
Siemens: https://www.siemens.com/global/en.html
Palo Alto Networks: https://www.paloaltonetworks.com/ot-security-tco
Palo Alto Networks Report HERE.
Hitachi Digital Services: https://hitachids.com/
CAP Logistics: https://www.caplogistics.com/
Industrial Marketing Solutions: https://industrialtalk.com/industrial-marketing/
Industrial Academy: https://industrialtalk.com/industrial-academy/
Industrial Dojo: https://industrialtalk.com/industrial_dojo/
We the 15: https://www.wethe15.org/
YOUR INDUSTRIAL DIGITAL TOOLBOX:
LifterLMS: Get One Month Free for $1 – https://lifterlms.com/
Active Campaign: Active Campaign Link
Social Jukebox: https://www.socialjukebox.com/
Industrial Academy (One Month Free Access And One Free License For Future Industrial Leader):
Business Beatitude the Book
Do you desire a more joy-filled, deeply-enduring sense of accomplishment and success? Live your business the way you want to live with the BUSINESS BEATITUDES…The Bridge connecting sacrifice to success. YOU NEED THE BUSINESS BEATITUDES!
TAP INTO YOUR INDUSTRIAL SOUL, RESERVE YOUR COPY NOW! BE BOLD. BE BRAVE. DARE GREATLY AND CHANGE THE WORLD. GET THE BUSINESS BEATITUDES!
Reserve My Copy and My 25% Discount
Transcript
SUMMARY KEYWORDS
software, weaknesses, omg, iso, standard, put, industrial, fix, measure, security, bad, technical debt, cost, problems, bill, work, curtis, company, digits, iso standard
Welcome to the Industrial Talk Podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's go.
re gonna be talking about ISO:a meeting. Yeah, because we're getting some standards through that are pretty critical. Like for software bill of materials, best bombs, bombs, bombs. Yeah. And then in response to the President's initiative on cybersecurity. And this was a big piece of it to get past bombs used by anybody to submit software to the federal government. So we know what's in it.
Before we get into that, because I have so many questions. Take us through who you are all sort of establish. Alright,
well, I'm Dr. Bill Curtis, probably best known for leading the effort to build the capability maturity model at the SEI back in the early 90s. Which means in the Agile community, many consider me the great Satan. But, but it actually made a great difference. And they're actually suffering from some of the problems we tried to solve, which is people throwing require additional requirements. And once you've got your plan in place, and you're throwing everything out of kilter, it happens all the time, it happens all the time to this day, it happened, it's a major reason for poor quality software, because you got running too fast, you didn't have time to, to fix things, you got tons of technical debt, you know, you're gonna have to fix someday. It's just it's a mess. And agile had a way to stop that, which is the use of the frozen stories for this sprint until the gaff or marketing or the business comes down and throws more requirements in and says no, no, you got to do it, we have to have it for competitive reasons, and blah, blah, blah, I'll go straight to the CEO, the old chain. And so it really puts the onus on executive management to protection to say no, these guys have a frozen set. And you can put that in the next one if they don't have policies for both protection and for removing technical debt later is never going to happen. Did you say technical debt technical debt? Yeah. So one of the my, the thing I do right now is I've been in the software industry since the late 70s. And one of the the efforts right now is the Consortium for information and software quality, which builds standards for measuring software. And we also sponsor reports and we sponsor a report called the cost of poor quality software, which is redone every two years to look at what's the latest data felony herb crasner goes through about 130 different sources of cost data, which is cost for outages cost for what it you know, maintenance costs, migration costs, and modernization costs and all kinds of things that that you have to pay for because the quote, quality software's bad and it's terrifying what numbers he comes up with, based on these public sources. And you know, it's like one and a half trillion dollars this last time. Oh, my God, that's a chunk, huge chunk of the national national. What am I looking for the product productivity? It's just it's it's a hell of a, you know, the national product and actual product. Yeah. And it's, yeah, it is. But it's a drag on productivity. And it's sitting out there. We're in the era of nine digit defects. And by nine digits, I don't mean bits and bytes, I mean, dollars and euros. Right, so you're looking at some of these things like if an airline has their their reservation system go down so people can't get their tickets to get on airplanes and they can't fly the airplanes you know, they're looking at they're looking at nine digits if they have to go two days. You can look at what's happened to some of these airlines experience look at what happened to them because the cost would wouldn't directly an experience it was in all the credit card problems they created when all that stuff Got stolen. And now they're gonna get sued by the credit card companies for the expenses. And then repairing all that and putting everybody on on, you know, free watch for all the problems they could have. The one of the worst was night trading, which is a high speed on on, you know, high speed trading company on the stock market. And they had an update that accidentally activated some dead code because they had a lot of dead code they hadn't removed and it made $440 million of bad trades in 30 minutes. They were bankrupt. Right. So you, you look at something royal, RBS and England had a bad update and the kid when he tried to back it out and ended up screwing up all the data, all the customer files, and you know, Brits 22 million Brits couldn't get to their their bank accounts for like three weeks couldn't pay mortgages. Yeah, it was just it, they estimated the initial estimate was 175 million pounds. Figure that out. And dollar eight was probably worse. So you're looking at some of these outages. Now some of these online problems costing in the nine digits, and we probably have a few that may be in the 10 digits. You know, the the one that broke into all the networking systems. And that one was that when they can't do it, they're not not sure that government will ever get all that stuff out
a couple of great points. I like that technical debt. I like the term that cost of poor quality software. Yeah. Because I don't think that we really truly understand that I think people understand the pain. They know it, they know that it's it's clunky or cumbersome or don't do this because when I did it one time it did. They know that it exists out there.
But to be able to quantify it, well in herds, huge herb crasner, when he built that report, goes out and looks at all these public sources. He's not sitting here, just guessing. Now, some of those public sources are probably estimates, but they're probably reasonably based. He looks at so many of them, he gets a good sort of broad picture of what's happening. He kind of triangulates down on costs in different areas like outages, excessive maintenance, and technical debt and things of that, that nature, security breaches. And they pulled it all together. And when he puts that data together, it's staggering. What he comes up with.
All right, now I want to curl up in a ball. Yeah, well, I, I don't know where to start, you know, you always want to say, well, what's the solution? We
take your money out and put it onto your mattress?
Talk to us a little bit about ISO.
formal title is ISO slash IEC:So I have an existing, I have an existing application of software. And I know there's some questions here and there. Can I take this standard and then be able to do something that is sort of more, I hate to use, I'll use it brownfield as opposed to Yeah, yeah, the Greenfield type of absolute, you know, just, it makes sense. In the beginning, you want to be able to nail it down, right, you're getting but but there's so many existing systems out there
well, and and that's where serious static analysis technology comes in. And you want it to be able to deal with the system level, not just the code level, but the system level. So because a lot of the about a third of these weaknesses involve system level interactions between components. Now people that skip skip layers, with called make that just makes maintainability a nightmare. Or they skip around the authentication routines, which is a massive security breach. So there's all kinds of things that really do affect. So you want system level, and there's a couple of the sponsors of CES cast and Coverity both have serious technologies for doing that I worked for CAS so I know our, our technology and where we are, have spent a lot of time being able to identify and detect a lot of these, in fact, moat the majority of these weaknesses, Coverity has been going after the same sort of thing. So you've got technologies like that, they can go and do the static analysis, identify what the weaknesses are, and then you have to prioritize because you can't fix everything. So that becomes an executive decision or management decision. You know, what are we going to prioritize as security, the most important thing is you how important is maintainability for this component or for this system, and then make those priorities and then, you know, protect time that your developers need to fix it. Because if you don't protect the time, it's never going to get fixed because a business is going to be constantly running down the halls exactly what the next you know, you got to do this now. And and the software degrades and degrades and degrades to where it's a nightmare to fix anything. So if you don't fix the software, it becomes a serious limitation on organizational agility.
You mentioned that company so that company is able to provide the solution or service to be able to analyze Your, your software, you have to say, Okay, we've done this. Yeah, we've looked at it. These are the the the areas of challenges, then it's up to the client to say, that's number one. That's number two. But there is there an interaction between you and the client saying, we recommend this being number one, just because it's a security. Well,
a lot of companies work with third parties. outsourcers security companies, whatever, and they provide the service, you know, we provide the technology can also provide the service. But we work with partners who are service related, and that's their business. So they can work with the company to identify the weaknesses they want to fix, and then help them get them fixed. So it's, you know, there's all all kinds of approaches they can take.
Now, this is a, this has already been published, it's out there. Yeah, it's free, free days
free. Here's the warning. That if you go, if you go to the website, guys a website, and if you list it'll take you the website, and you can buy it for a bunch of Swiss francs. But at the bottom of the page, there's a link, you can click that takes you to the free when the publicly available standard. So you know, go for the free, when could I go to OMG, you can go into OMG. And it's on the OMG website is automated source code quality measures, ASC QM is the is the catchphrase. And you can get it free from OMG. I think we have it on the Cisco website as well. Well, it would make sense yeah, yeah.
What What fascinates me a little bit about this is going to be the responsibility now of OMG. Team OMG. To make, keep this ISO standard up and changing and, and and then resubmitting an update. And that's that's
those in is annexes into ISO:I like free. I like free to I like free. Know how to people get a hold of you, Curtis
at ACM dot orgy.
Do you do anything on LinkedIn?
edge of the weaknesses in ISO:Yeah, see, as long as there's a process to keep things current and exactly the date and, and I can trust. Yeah, trust what's going on there. And it's not static. It's more dynamic because the world is dynamic. Exactly. So I do like it. Thank you very much. My
pleasure. being here. Thank you so much.
All right. Let's just we're gonna have all the contact information for Bill out on an Industrial Talk. So make sure you connect with this gent because you will not be disappointed. He knows more than you. Just FYI. All right, we're gonna be wrapping it up on the other side. Stay tuned, we will be right back.
You're listening to the Industrial Talk Podcast Network
s it is always out there. ISO: