A new study examining 365 million lines of code in 745 applications identifies bad coding practices that affect security, performance and uptime, with Java Enterprise Edition applications having the greatest number of problems. Cast Software, which makes tools that automate the analysis of business applications, examined programs written in Java-EE, .NET, ABAP, C, C++, Cobol, Oracle Forms, and Visual Basic, used across a wide range of industries from energy and financial services to IT consulting, insurance, government, retail, telecom, and more.
Java-EE applications were the most prevalent in the Cast Report on Application Software Health, taking up 46 percent of all applications, and also had the most problems on average, while Cobol and SAP's ABAP had the fewest. Cast analyzed factors such as the stability of an application and likelihood of introducing defects when modifying it; efficiency of software performance; ability to prevent security breaches; transferability, the ease with which a new team can understand an application and become productive working on it; and the ability to quickly and easily modify an application.
These factors were rolled up into a score called "technical debt," the theoretical cost of repairing each line of code (at a rate of $75 per hour) that doesn't follow good practices, as Computerworld notes. Java EE's technical debt was pegged at $5.42 per line of code while Cobol impressed with a score of $1.26. Oracle Forms and .NET were second- and third-worst behind Java, with the industry average settling at $3.61. ABAP did the best with a score near zero.
Java was not the worst in terms of security, as .NET posted the worst security score and Cobol the best. But Java was the worst in performance, contributing to its overall poor score. "Modern development languages such as Java-EE are generally more flexible and allow developers to create dynamic constructs that can be riskier in operation," Cast wrote in its report. "This flexibility is an advantage that has encouraged their adoption, but can also be a drawback that results in less predictable system behavior."
Cast was not surprised by Cobol's strong results, particularly in security. "Applications with higher security scores continue to be predominantly large Cobol applications in the financial services and insurance sectors where high security for confidential financial information is mandated," the company stated. "These scores should not be surprising since Cobol applications run in mainframe environments where they are not as exposed to the security challenges of the Internet. In addition, these are typically the oldest applications in our sample and have likely undergone more extensive remediation for security vulnerabilities over time." C++ and Visual Basic were the second- and third-best in security behind Cobol.
Across most types of applications, scores declined the more often software was released. "Scores for robustness, security, and changeability declined as the number of releases grew, with the trend most pronounced for security," Cast said.
Cast's data contradicted the common belief that software quality degrades as applications grow larger. With the exception of Cobol, which was designed before the current focus on modularity in software design, applications in the study generally did not get worse as they got bigger, Cast said. You can read a long executive summary on Cast's website, but however the data is sliced, the vendor says bad code is a big problem, with one-third of software violations affecting security, performance or uptime.
"While two-thirds of the violations found were destined to have a dramatic effect on IT costs and a company's bottom line, the other one-third is even more critical as it has a direct negative impact on business performance," Cast chief scientist Bill Curtis said in a statement accompanying the report.