CAST@IBM: Global CoE
Improved Quality and Faster Delivery with Accurate Measurement
IBM Confidential
Contents
▪ CAST Overview
▪ Functional Components
▪ Features and Benefits
▪ Use cases and Licensing
▪ Environment / Network Configuration
▪ Implementation Approach
▪ Governance Model
▪ Technologies Supported
CAST Overview
The CAST Application Intelligence Platform (AIP) is an industry-leading automated code analysis platform with coverage of all major development tools and languages. It provides comprehensive analytics so that software development and maintenance can be better governed and decisions are made on measured facts. With the CAST-generated reports, communication with the client and business partners becomes objective, fact-based and constructive.
CAST primarily performs Application Development Performance Management, which helps ADM organizations by:
• Enabling faster and smoother delivery to the business
• Mitigating risk in the production environment
• Reducing the total cost of application maintenance and ownership
CAST AIP analyzes applications automatically across all tiers (GUI, business layer and database), providing the metrics and information needed to measure, control and improve the health of the overall business systems.
It aggregates defects under a set of health factors to categorize findings and acts as a quality gateway. The application health factors are transferability, changeability, robustness, performance and security; the rules behind them cover programming practices, architectural design and documentation.
Security Dashboard
The screenshots show a sample security dashboard. It can be drilled down further for more details about the individual violations and the security rules behind them.
Imaging
The Imaging tool facilitates software learning and re-engineering. It helps in understanding the application code structure and its linkages across the multiple tiers of the application.
Jenkins Automation Framework
• The AIP Automation Solution is based on the Jenkins Continuous Integration system and supports automation of the scan
• Each application is automated individually through its own Jenkins job, which consists of a series of configurable tasks
• The Jenkins system exposes a single job for each automated application; these jobs can then be configured
• The automation system can be configured to run the entire process completely hands-off or with some human intervention
Detailed Jenkins documentation: https://doc.castsoftware.com/display/FBP/Jenkins+Integration+%28JAF%29+Older+Versions+-+Legacy+Approach
Functional Components
Application Analytics Dashboard (CAST AAD)
Provides IT executives with accurate, business-relevant analytics to drive their organization
• Application functional size based on LOC and the Automated Function Point standard
• Evolution of the risk factors
• Critical violations
• Report generation
Application Engineering Dashboard (CAST AED)
Provides engineering and QA teams with code- and system-level structural flaw insight and remediation guidance
• Identify the riskiest components up front
• Traceability of violations to the code base
• Action plan for managing violations
• Track violations through to remediation
Enlighten
Gives the power to understand your application architecture and create a visual representation of the application
• Identify the code structure
• Transaction flow within the code
• Generate reports
Functional Components
Architecture Checker
Gives architects a reliable, automated solution to enforce architectural integrity
• Define architecture layering
• Identify potentially undesirable communications within the code
• Integrate architectural rule violations with the dashboards
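To make the layering idea concrete, here is an added example (written for this page; it is not CAST code and not how Architecture Checker is implemented) of a small layering checker over Python modules. It assumes a three-layer application with packages named `ui`, `logic` and `data` and the rule that a layer may call only itself or the layer directly beneath it; the modules it checks are constructed inline.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Assumed architecture definition (not from the page): a layer may call only
# itself and the layer directly beneath it. Anything outside these packages
# (stdlib, third-party) is left unconstrained.
ALLOWED: Dict[str, set] = {
    "ui": {"ui", "logic"},
    "logic": {"logic", "data"},
    "data": {"data"},
}


def layer_of(module_name: str) -> Optional[str]:
    """Map a dotted module name to its layer by top-level package, or None."""
    top = module_name.split(".")[0]
    return top if top in ALLOWED else None


def imported_modules(source: str) -> List[Tuple[str, int]]:
    """Return (module, line) for every import statement in the source."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.append((alias.name, node.lineno))
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.append((node.module, node.lineno))
    return found


def check_layering(modules: Dict[str, str]) -> List[str]:
    """Return one message per import that crosses layers in a forbidden direction."""
    violations = []
    for name, source in modules.items():
        src_layer = layer_of(name)
        if src_layer is None:
            continue
        for target, line in imported_modules(source):
            dst_layer = layer_of(target)
            if dst_layer is not None and dst_layer not in ALLOWED[src_layer]:
                violations.append(
                    f"{name}:{line} {src_layer} -> {dst_layer} ({target}) not allowed"
                )
    return sorted(violations)


# Constructed sample application (hypothetical modules, not real project code).
SAMPLE_APP = {
    "ui.orders_view": (
        "from logic.orders import place_order\n"
        "import data.orders_repo  # bypasses the logic layer: violation\n"
    ),
    "logic.orders": (
        "from data.orders_repo import save\n"
        "import ui.widgets  # upward call into the UI layer: violation\n"
    ),
    "data.orders_repo": "import sqlite3\n",
}

if __name__ == "__main__":
    for message in check_layering(SAMPLE_APP):
        print(message)
```

The `ALLOWED` table is the entire architecture definition. A production checker resolves calls across languages, frameworks and database objects rather than only Python imports, but the check it performs is the same: map each dependency to a layer and compare it against the allowed matrix, then surface the results on a dashboard.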
Security Dashboard
Provides support for a wide range of security rules
• Helps in identifying possible security violations
• Provides a dashboard summarizing the violations, with drill-down to the detail
Imaging
Reverse-engineers code components, database structures and their interdependencies
• Creates accurate, interactive architecture blueprints
• Navigate all technologies, frameworks and databases that make up the application, layer by layer, and end-to-end transactions
Jenkins Automation Framework
Provides the ability to rescan the code once Jenkins has been added to the toolchain
• Automates the code scan, saving a significant amount of time on every scan after the initial one
• Can also automate the code extraction, saving further time
CAST AIP – Features and Benefits
The CAST Application Intelligence Platform (AIP):
• Supports 50+ languages and 12+ databases
• Includes 1600+ built-in rules (baselined against industry standards)
• Allows new rules to be added as functionally or technically needed
• Provides deep insight into critical applications
The feature diagram on this slide shows three pillars:
1. System-Level* Analysis: source code, transactions and data structure across the application's logic and data access layers; architectural integrity and critical violations
2. Best Practices and Industry Standards: the App Analytics Dashboard (business-relevant analytics) and the App Engineering Dashboard (critical structural flaws, action plans and eLearning)
3. Accurate Analytics and Benchmarks: the Appmarq benchmarking database, supporting continuous improvement, differentiation, automation, and growth and expansion
* “Architectural software flaws lead to 90% of the production issues.” - Dr. R. Soley, OMG/ PhD MIT
CAST AIP – Benefits (Use Cases for IBM)
Shift Left
• CAST follows the Shift-Left methodology: early detection of rule violations and defects to ensure the robustness and quality standard of the code
• Proactive quality management
• Reduction in testing cycles and re-work
• Improved client satisfaction through defect-free delivery and faster time to market
• 8% savings in defect fixing/rework effort on continuous use of CAST
Transition and Knowledge Transfer
• The CAST tool helps identify the most complex and critical applications during transition, which helps plan the transition activities accurately. It saves time and reduces dependency on SMEs.
• Acts as a quality gateway
• Generates technical reverse-engineering documents, which help create the Application Information Documents (AID), the most important deliverable of the transition
• 10% savings in transition effort
Newcomer Induction in ADM Business
• Faster knowledge transfer for newly on-boarded members with the help of technical documents generated using the CAST tool
• Eliminates dependency on the outgoing resource
• Reduces the risk related to sudden attrition of technical resources
• Faster analysis of the code where little or no documentation is available
• 7% savings in newcomer onboarding effort on continuous use of CAST
Security Model
CAST provides a calibrated quality model that scores application security in a reliable, consistent way and delivers insight to management. Some of the rule categories that contribute to the security score are:
• Efficiency - Memory, Network and Disk Space Management
• Programming Practices - Error and Exception Handling
• Programming Practices - Unexpected Behavior
• Architecture - Multi-Layers and Data Access
• Architecture - OS and Platform Independence
• Secure Coding - Encapsulation
• Secure Coding - Input Validation
• Secure Coding - Time and State
• Secure Coding - API Abuse
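As an added illustration of what a rule in the "Secure Coding - Input Validation" category looks for (example code written for this page, not one of CAST's rules or its rule engine), the script below flags SQL statements assembled from run-time strings and passed to a DB-API cursor's `execute()`, and shows the parameterized form that passes. The function names and both code snippets are constructed.

```python
import ast
from typing import List, Tuple


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at run time:
    an f-string, '+' or '%' on strings, or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) for each .execute()/.executemany() call whose
    first argument (the SQL text) is built dynamically rather than being a
    constant with bind parameters."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append((
                node.lineno,
                f"SQL passed to .{node.func.attr}() is assembled from run-time "
                "strings; use bind parameters",
            ))
    return sorted(findings)


# Constructed "before" snippet: three ways of splicing user input into SQL text.
VULNERABLE = '''
def find_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
'''

# Constructed "after" snippet: the value travels as a bind parameter, never as SQL.
HARDENED = '''
def find_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

if __name__ == "__main__":
    for line, message in find_dynamic_sql(VULNERABLE):
        print(f"VULNERABLE:{line}: {message}")
    print("HARDENED findings:", find_dynamic_sql(HARDENED))
```

The rule is deliberately syntactic: it only looks at the expression at the call site, so SQL built into a variable elsewhere and passed by name is a false negative. Catching that requires following data flow from the input to the sink, which is the kind of cross-component, transaction-level analysis a platform such as CAST layers on top of pattern rules like this one.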
Candidates for CAST (Project Types)
➢ Application Development
CAST enables development projects to measure and improve application software quality right from the beginning using code scanning, and helps detect defects earlier in the lifecycle.
Use cases to be used:
• Shift Left
• Newcomer Onboarding
➢ Application Maintenance and Production Support
CAST helps perform impact analysis for maintenance and production support projects, which saves time when there is little or no documentation available on the codebase. It is also helpful in generating the documentation (AID) through reverse engineering in case of resource turnover and unplanned attrition.
Use cases to be used:
• Newcomer Onboarding
➢ Application Transition and Transformation
CAST helps perform due diligence during transition and identify the different categories of applications in order to plan the transition effort most effectively. It is also capable of generating technical documentation for the codebase using the “Enlighten” feature.
Use cases to be used:
• Transition and Transformation
• Newcomer Onboarding
Licensing Information
Steady State
• Cost: SaaS model
• Number of licenses: number of FTEs in the application (e.g., developers, testers, PM, architects, etc.)
• SME support for onboarding: 40 – 45 hours/application (on actuals), for a medium-complex application*
• Remediation support: SME hours to be charged (on actuals)
Transition Phase
• Cost: SaaS model
• Number of licenses: number of FTEs in transition (e.g., developers, testers, PM, architects, etc.)
• SME support for onboarding: 60 – 65 hours/application (on actuals), for a medium-complex application*
*A typical, web-based Java application consisting of 200 KLOC; for a complex application, 80 – 100 hours. Simple applications are not recommended.
Readiness Criteria
✓ The client should be informed before the code base is shared for CAST scanning.
✓ If the client is not OK with sharing the code base outside their network, then infrastructure and connectivity where the CAST tool can be installed need to be provided by the customer or the account team.
✓ A labor cost of 45 hours (typically Band 8) needs to be considered for CAST tool installation on the client infrastructure.
✓ The application technology is supported by CAST (see the list of supported technologies).
✓ Application SMEs/owners are available for any clarifications and reviews on the in-scope applications.
✓ Prioritization criteria will be applied based on the complexity, size and phase of the application to be scanned.
✓ The project team needs to fill in the relevant metrics sheet before and after the CAST scan.
CAST – Network Configuration
Network type:
▪ Account A - IBM Blue N/W
▪ Account B - Yellow N/W (client shared N/W)
▪ Account C - Red N/W (client dedicated N/W)
Infrastructure requirement for Accounts B and C:
▪ Up to 10 applications = 1 server/VM (containing Web, App and DB altogether)
▪ More than 10 applications = 3 servers/VMs (1 Web, 1 App, 1 DB)
▪ Server/VM sizing: RAM = 32 GB, CPU = 4, HDD = 500 GB
CAST – Implementation Flowchart
CAST Deployment Governance Approach
Abbreviations: AIA = App Intelligence Admins; GTM = Go to Market / Solutioning; KU = Key Users
Governance & Steering Committee (Leadership; GTM / Solutioning Leadership)
▪ Review actuals, plan & rolling forecasts
▪ Performance, review quality, cost etc.
▪ Escalation management
▪ CAST – IBM relationships and joint ops.
▪ Establish and review overall CoE status
▪ Monthly review with Leadership
CAST CoE (CAST CoE Lead, AIA, GTM / S Team, KU)
▪ Program-level risks, issues, actions
▪ Prioritizing, CAST analysis progress, escalations
▪ Application onboarding for CAST AIP configuration as per Account Leadership direction
Project Delivery Teams (Project 1, Project 2, … Project n, each with its applications App 1, App 2, App 3 …; Application Team)
▪ Project status, risks, issues, actions down to application level
▪ CAST AIP solution implementation status
▪ Report analysis and remediation plan and execution
CAST Metrics and KPI
CAST metrics help to identify key risk areas and thus improve quality and reduce effort.
KPIs can be derived from CAST Analytics metrics and project metrics as described below:
Transition
• Estimated transition time
• Revised transition time
Newcomer Induction
• Reduction in self-study effort
• Reduction in hours of effort for person-to-person knowledge transfer
Defect Detection
• In-process defect density
• Delivered defect density / production defect density
CAST & SonarQube – CAST Pros & Cons
Pros
• Capability to control the global and holistic software quality at the performance, robustness, evolution and security level
• Very well adapted to give visibility to IT management to manage the risks and take decisions
• Recognized as a “de facto standard” (analysts, customers, system integrators); important for internal and external credibility
• Unique capability to cover multilayer architecture and transactional context
• Exhaustive technology coverage
• Coherence of the quality model over time and evolution of technologies; easy to install and administrate
• Features for knowledge management (technical documentation, cartography etc.)
• Features for evolution management (impact analysis, cost control etc.)
Cons
• Not adapted to be used directly by developers at the early stage of the development cycle
• Not focused on unit tests and test coverage
• Requires additional services and extra effort for implementation
Technologies Supported by CAST
Please refer to the “Supported Technologies” tab under Resources in CAST W3Publisher (https://w3.ibm.com/w3publisher/cast-ibm/faq) for the latest list of supported technologies.
« You can’t manage what you don’t measure »
Jack Welch, General Electric
Thank You