You can’t govern what you can’t see. As simple as this axiom might sound, it holds true for industries of all types. It holds particular relevance to the IT industry since many critical processes that an entire business depends on runs under the hood in complicated code scripts and millions of lines of code. It is imperative for businesses to be able to pop the hood open and make sure that they have as much visibility into the inner workings of their business less something that could be preventable brings down an entire system. Bugs and code defects can definitely do that. With increasing code complexity, it is no longer a surprise to hear news stories of how entire clouds went offline, bringing down hundreds of dependent businesses along with them.
Governance is a well-established concept in many industries and was born out of necessity. The Sarbanes Oxley Act of 2002 was enacted as a reaction to a number of major corporate scandals including those affecting Enron, Tyco and WorldCom. These scandals cost investors billions of dollars when the stock prices of affected companies collapsed and shook investors’ confidence in the stock market. In 2004, Payment Card Industry (PCI) compliance was introduced to protect credit card issuers from credit card fraud by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data.
Software code governance has similar regulatory roots. The concept started in industries subject to regulation such as medical devices and avionics where issues with software quality can have catastrophic consequences. The initial focus of software code governance was to assure software quality and security of in-house developed code by establishing clear guidelines and procedures such as the FDA’s recommendation that infusion devices be tested with static analysis and DO-178B, Software Considerations in Airborne Systems and Equipment Certification for the avionics industry. Today, we see software code governance gaining momentum in a wide variety of industries as organizations seek to drive greater accountability and efficiency within distributed development teams and to achieve better visibility and control over third-party code.
Managing the quality and security of code across distributed development teams can be challenging. Companies must contend with language barriers, cultural differences and time zone incompatibility. For example, it is extremely difficult for teams from the United Stated, Russia, and China to find the right time and mechanisms for effective collaboration. Poor communication can lead to product release delays and missing critical time-to-market windows. Junior team members working in satellite development offices could have skill gaps which could be difficult to identify remotely and could lead to the introduction of excess complexity in the product or technical debt.
Technical debt accumulates when teams fail to perform appropriate actions such as refactoring, removing duplication and redundancy. Failure to perform these kinds of activities at the right time can hamper future innovation. To deal with these challenges, companies are looking for code governance to help them establish and enforce clear standards and policies for the quality and security of the code that is produced by the teams and to ensure that unnecessary complexity is not introduced.
Code governance is a well-established concept that was born out of the necessity to prevent system failures like the ones we see so often in the news. It’s a process which needs to be embraced by the organization and enforced across the internal and external supply chain. The process will vary by organization based upon whether you are trying to establish governance across internal teams, with outsourcers, offshore development teams, or partners. However, there are some basic tenants which apply to all organizations:
Prior to implementing a governance process:
Embrace the need for change
Often, changing human behavior can be the biggest obstacle in any new process. Today’s headline news about product recalls, security breaches, and deaths caused by faulty software clearly communicate the need for change for some organizations. For others, they will need to consider the potential headlines or implications that could result if they were to have a major defect found in the field, missed a critical product window, or experienced a product recall. They need to carefully consider the potential risk that a lack of effective software code governance poses to their brands, revenues, and customers.
Articulate the business problem
Companies must be able to articulate the business problem they are trying to address whether it is maintaining high quality, security, and efficiency standards across the distributed organization, meeting a critical time-to-market window, or controlling risk across third party suppliers.
Implementing a software governance process:
- Step 1: Define policies and thresholds
Organizations need to consider the appropriate policies or thresholds which should be put in place. Establishing realistic thresholds and service level agreements requires an understanding of today’s current state. Companies need to understand the current levels of quality, security, and efficiency to establish appropriate targets. In some industries, that could mean they must not have any defects in their code, for other organizations, they may implement a phased approach to quality and security improvement. - Step 2: Test
Organizations need to test against established policies to ensure targets are being met. - Step 3: Control
Finally, companies need to consider how to effectively measure and report compliance with the established policies. They need improved visibility across the organization and supply chain to ensure violations are addressed and the appropriate actions are taken to bring the teams and projects back into compliance.
To effectively implement software code governance, organizations must embrace a multi-step process and establish clear and measurable objectives that will lead to higher code visibility and help prevent the types of failures that can have real effects on a business’ bottom line.
About the Author
Rutul Dave Rutul received his Masters in Computer Science with a focus on networking and communications systems from University of Southern California. Within nine months into graduate school while learning about creating high-performance networking and distributed systems, he found his passion creating real bleeding-edge technology systems at various Bay Area-Silicon Valley startups like Procket Networks, Topspin Communications and then moving to Cisco Systems. He has years of software development experience in embedded and real-time systems.
His focus these days is on creating tools and technology to enhance the Software Development process and to equip Developers with the best resources, techniques and practices to maximize the integrity of software. When not evangelizing about the benefits of Software Integrity, he scratches the coding itch by developing mobile apps and understanding the Linux kernel.