CAST: Analyzing and Measuring the Risk and Structural Quality of Software

Vincent Delaroche, Chairman & CEO
In today’s complex IT environments, security is not just about protecting a business and its assets from attacks coming from outside. In fact, today, an estimated 84 percent of all security breaches are application-related rather than firewall violations. This has prompted some security professionals to opt for a more direct and effective approach: designing security directly into applications by forming an architectural defense against threats, whether internal or external.

“CAST has been pioneering this area for a long time,” begins Vincent Delaroche, Chairman and CEO, CAST. “We began by reverse engineering the existing technical architecture of legacy applications and then overlaid software engineering rules onto those blueprints. Now, we provide sophisticated architectural rule compliance right out of the box, enforcing secure architecture for key business applications.”

Today, CAST delivers this assurance to Fortune 1000 customers across the globe. “We resolve issues that traditional approaches cannot, by providing system-level engineering intelligence through structural and architectural analysis. This is an important perspective because it depicts the inner workings of your operations—how companies make money and how end users interact with your business,” says Delaroche.

The company’s Application Intelligence Platform (AIP) analyzes all types of source code, headers, files and data structures, everything that makes up a complete IT system, and automatically “rebuilds” a logical model of the entire application. It points out hard-to-find coding mistakes and architectural flaws that may represent serious security threats. Part of CAST’s AIP is its Application Analytics Dashboard, which drives out IT risk by creating visibility into system-level weaknesses. This offers a holistic view of the IT system’s structure, from the UX to the logic layers and from the business logic to the data structures.

“Our customers are on the leading edge of adopting secure architecture principles and ensuring all development adheres to pre-defined secure data access rules,” says Delaroche. For instance, a large healthcare provider deployed CAST and started focusing on overall structural quality in the development process, part quality control and part developer education. “By addressing overall quality, the customer greatly improved their security. Moreover, they dispatched security flaws much earlier in their development cycle than they would with more traditional security approaches,” he says.

One key to CAST’s success is its own benchmark repository named Appmarq, an application quality database that enables clients to compare software systems. “The Appmarq database includes the structural quality statistics of two thousand applications, representing more than 1.8 billion lines of code analyzed, classified by all key industry sectors and technologies. Appmarq’s insights on how an application’s structural quality deviates from the norm helps organizations to improve their performance, reduce costs, and increase productivity,” explains Delaroche.

“Most recently, we’ve been developing a new approach to measuring technical debt, and we’re also innovating in the area of automated function point (AFP) measurement.” CAST introduced the Transaction Risk Index (TRI), which identifies vulnerable transaction call paths, and the Propagated Risk Index (PRI), which highlights the risk hotspots throughout an application. “We continue to combine our software analysis capabilities with dynamic performance data and other environment parameters in order to provide increasingly meaningful results.”

The company is also working on a certification capability that lets customers put an “ingredients label” on their software, showing that it complies with standards from the Consortium for IT Software Quality (CISQ), a joint initiative of Carnegie Mellon University’s Software Engineering Institute (SEI) and the Object Management Group (OMG). “CISQ compliance will provide business managers with the proof that their software is of the highest quality and security—up to the task of running their critical business processes,” concludes Delaroche.


New York, NY

CAST provides software analysis and measurement, with unique technology and fact-based transparency into application development and sourcing, to transform it into a management discipline.