Professional Documents
Culture Documents
SW Due Diligence Report Project Alpha
SW Due Diligence Report Project Alpha
SOFTWARE DUE
DILIGENCE
PROJECT ALPHA
Page |2
TABLE OF CONTENTS
1 INTRODUCTION .............................................................................................................................................. 3
3.3 Code Quality Trends and Predicted Future of Code Quality ..................................................................... 8
4 INTERVIEWS ................................................................................................................................................. 14
4.1 Background, Purpose, and Scope ............................................................................................................ 14
6 TERMINOLOGY ............................................................................................................................................. 17
7 TOOLS ........................................................................................................................................................... 17
8 AUTHORS ..................................................................................................................................................... 18
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |3
1 I NTRODUCTION
System Verification has conducted a Software Due Diligence of project Alpha. The purpose of the
Software Due Diligence is to provide an assessment of how well the project compares with peers
when it comes to software code quality, scalability of technology, organization, and architecture.
This report is based on a technical analysis of the software source code. It is performed with state-
of-the-art tools to identify complex code with high maintenance costs, and/or security vulnerabilities
considering the historical evolution of the code. The technical analysis is further supplemented by in-
depth interviews with key employees in the development organization of project Alpha.
This document shall be considered as an independent review and data driven foundation for further
discussions. It shall not be considered a recommendation whether to invest in project Alpha.
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |4
2 E XECUTIVE S UMMARY
2.1 SOFTWARE DEVELOPMENT PROCESSES AND ORGANIZATION
Based on our interviews the project Alpha is managing the process of feature definition and
requirement breakdown well. They have overbridged the challenges related to having a
development site in Hanoi and provide efficient ways of gathering and follow up features to be
developed. All processes, as requirements, development, and test, are structured and documented,
and the tools used are supporting them well.
However, as shown in the technical analysis, there is a need to improve code quality to avoid many
of the problems related to it, and to reach a steady flow through the development life cycle. The
end-to-end flow could be dramatically improved by increasing maturity within the Development,
DevOps and Test Team, and getting automated CI/CD pipeline in place, where automated tests are
included prior to any deployment. This will in the long term have a high impact on lower the cost of
getting new features into production.
The code quality ranks below the average of what would be expected. This means higher
maintenance costs and higher costs developing the software further.
A targeted effort to prioritize refactoring to break the negative trend in code quality should be
made. By doing so the code quality will increase together with the maintainability and the ability to
comprehend the code.
Open-source dependencies are well-documented, but with a result below reasonable expectation.
The most acute problem is a potential missing license which demands immediate further
investigation.
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |5
3 T ECHNICAL A NALYS IS
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |6
Project Alpha has chosen to have a technical architecture mainly written in C#, JavaScript, and
TypeScript. All languages are well-known and popular, meaning that the choice of technology does
reduce the risk of not finding developers with good experience of the languages chosen.
The code itself is documented in different ways depending on the scenario. They are using the self-
explained code convention, in-code class and methods description, and in-code comments to
document the actual code. Above that they have API specifications, and core framework
documentation to work as a guide for developers building applications on their solution.
C# 4,525 759,686
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |7
C# 10,181 466,289
C# 1,702 432,987
The analyzed products in project Alpha consist of Resource Central, Office Place, and Digital Signage.
The Workspace product is also included as a part of the Digital Signage codebase. The respective
architectural overview of the products can be found in Appendix A.
Looking through the high-level architecture, the division of the products is good with no change
coupling detected; meaning if two (or more) modules change together over time.
The codebase of project Alpha is of varying quality with one product being on par with that of the
Code Quality Index, while the other two are below. The index is based on multiple similar analyses
performed against other companies. All three products have prioritized technical debt to address,
but naturally the amount is bigger in the two products with lower quality.
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |8
Re-factoring these parts of the code, in the top prioritized files, will approximately cost 500 man-
hours estimated on our experience and various studies. The monetary cost varies depending on the
salary situation in the country of development and how extensive the verification needs to be.
This section of the report will give insights into predicted code quality in the coming 6 months. How
will the code quality evolve if the project chooses not to take additional actions on identified
technical debt? This prediction is partly based on historical trends but also on collected data from
similar project analyses made in the past.
A negative trend is always good to act upon early, otherwise the re-factoring work tends to be both
harder and more expensive. Code of lower quality is also both harder to maintain and easier to
create defects in.
W W W . SY ST E MV E R I FI C A T IO N . C O M
Page |9
Organizational trends are good for further discussions about the team’s composition and
performance. What are the underlying factors to the eventual problems? Is Alpha project facing an
architecture that is hard to develop on, or is the team working in the wrong way?
Combining this data with the understanding of areas with potential Knowledge Loss makes it easier
for decision makers on where to broaden/share knowledge to secure good progress in the project.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 10
Figure 1 Development output relative the number of authors for Resource Central
Figure 2 Development output relative the number of authors for Office Place
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 11
Figure 3 Development output relative the number of authors for Digital Signage
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 12
The authors listed in Table 5 are identified to be the top, active, contributors in project Alpha.
Securing these people is crucial for the consistency of the project.
PRIMARY FILE
AUTHOR PRODUCT MONTHS
OWNER
Table 5 Top contributors in terms of primary file owner for the different products.
3.5 SECURITY
The Alpha project has been analyzed using an external security tool. Going through the result states
that the project is on top of security with only three issues found:
3.6 OPEN-SOURCE
Getting the full picture of known vulnerabilities in the open-source dependencies together with
open-source license compliance is important for potential investors. License issues can be complex,
up to interpretation, and costly over time.
The three different products Resource Central, Office Place, and Digital Signage have all been
scanned for both vulnerabilities and license compliancy within the dependencies used.
The scan resulted in 258 vulnerabilities of different severities among the three products distributed
between the products as below:
Resource Central: 5 critical, 27 high, and 11 medium
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 13
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 14
4 I NTERVIEWS
In addition to the technical analysis, where a data-driven approach is conducted using a subset of
tools, System Verification has had four interviews to cover the more process related aspects of the
software development life cycle. The people interviewed are presented in Table 6.
The purpose of the interviews was to complement the technical analysis in assessing the ways of
working with respect to the different phases of the development life cycle, including scalability of
organization, technology, and architecture. During the interviews we covered, for example, history
of product(s), team compositions, roles, vision and goals, requirements elicitation, development
process, iterations and cadence, tool usage, test strategy and release process.
The Interviews were perceived as both positive and open. The topics mentioned above were
discussed in detail and we tried to challenge the answers and find improvement areas. More results
are provided in the following sections.
Team consists of a management lead and 3 different Product Owners, each driving their own
development team setup consisting of in total 4 team leads, 27 developers, and 14 testers cross
different sites.
The organization manages a mid to large sized customer base and is streamlined to manage this in a
good way. Working with these type of customers points out the importance of communication,
process maturity, and a well-established way of working.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 15
Once every quarter, management and organization meet to update (led by the PO’s) the upcoming
scope and backlog items, by doing a strategic directive adjustment.
Product owners are running the requirements process in a classical agile way. A roadmap is defined
and updated on quarterly basis, where the team in Hanoi is involved. There is a high level of
involvement of customers as input-source for new development, combined with support and feature
requests from the product strategy backlog. When handed over to the development team the
requirements are broken down to technical tasks, test cases are created prior to development and
product owners are validated those to secure and validate expected outcome.
As a foundation of all further activities, the maturity of the requirement process is a prerequisite to
enable a steady flow through the development life cycle. This is even more important when the
requirement team is not at the same location as the development team such as in the project Alpha
team structure with one part in Denmark and one in Vietnam.
Based on the interviews we believe that team Alpha has solved those challenges well and shows a
high maturity through the whole requirements process.
As mentioned above the requirement breakdown process provides a good foundation for the
development teams. Then, by using SCRUM methodology, sprints and backlog are planned, technical
tasks sorted, estimated, and executed with a clear definition of done.
Sprints are developed in 2-week sprints and going to production in 2-3 services releases per year.
Additionally, another 2-4 hard fixes are released yearly.
The development team adopted a DevOps approach (2019) and is currently developing a pipeline to
improve the stability in the development process ahead.
As a structured way of working is in place regarding development activities, it was mentioned during
the interviews a need of more maturity within the development teams (the results from the
technical analysis in terms of code quality confirms that observation) and to introduce a skilled
DevOps resource to help them going forward to a full implemented DevOps set up.
From our point of view a survey should be conducted to identify skills needed and set a resource
strategy to set a good foundation to improve in those areas.
Even in the QA processes the Alpha team showed a structured and documented way of working. The
testers create test cases early in the process and as soon as features are under test an efficient
feedback loop is in place where the Product Owner could act and give necessary feedback to both
developers and testers. Additionally, load and stress tests are included in the overall scope of test
activities.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 16
However, as shown in the defect’s statistics provided in the VDR, a clear QA strategy is missing to
reduce the number of defects that is showing a negative trend. Note that a QA strategy should not
only address the test processes but also prevent and reduce the number of defects in general,
meaning addressing QA within the development process (code guideline, unit test, static analysis,
and code reviews). The high level of testers (12 testers for 24 developers) might indicate a way to
solve the problem in a reactive way instead. Additionally, there is a low coverage of automated tests
that could help to identify defects earlier to avoid unnecessary cost related to manual tests.
However, as mentioned during the interviews there is a lack of competence within this area.
5 N EXT S TEPS
Below we list points and topics we believe are of top priority in further discussions with the project
Alpha team.
Immediately investigate the missing license for one of the open-source dependencies to rule
out a potential false-positive.
Secure key developers to mitigate the low code familiarity.
Invest in more senior developers to increase maturity.
Break the negative code quality trends by refactoring.
Invest to finalize DevOps gateway maturity in the pipeline.
Integrate more skilled testers for automated tests.
Increase automated test coverage suite.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 17
6 T ERMINOLOGY
Code Quality Index: A weighted average on Code quality. The average is derived from numerous
analyses made of similar projects.
Technical Debt: Technical debt is code with low Code quality and could be compared to paying
interest on a bank loan - the bigger the loan, the bigger the interest. This code requires frequent
work by the development teams and such code is very likely to have a direct effect on the business
and product roadmap since each change is more expensive and carries an unnecessarily high
delivery risk.
Prioritized Hotspots: Hotspots are files where you have most development activity. If a Hotspot also
has low code quality, it is a Prioritized Hotspot.
Low code quality in a development hotspot is expensive and should be prioritized in terms of
quality improvements.
Low code quality in stable parts, i.e., a non-hotspot, has lower priority in terms of quality
improvements.
7 T OOL S
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 18
8 A UTHORS
Marcus Lundström
Jonas is a technical test specialist with 19 years of experience from companies such as Sony, Ikea,
Qlik and Axis. As a professional he is always looking for new solutions to complex problems, and he
has been a very appreciated team player on many of his assignments. He is not only a skilled
technical tester, but Jonas also possesses a strong solution-oriented mind.
Eric Järdemar
Eric is a senior leader and test manager with strong focus on delivering tangible results. He has been
working with software quality since 2005 and during the years he has gained great understanding of
software development from an end-to-end perspective. During his career he has held roles at e.g.,
E.ON., Borg Warner, Securitas and Trelleborg, and he has been involved in all parts of the QA
process, from requirements to acceptance through every step of software development life cycle.
His main focus is within analysis and QA process improvement, where he helps setting up and
implement test strategies based on customer specific needs in order to reach their quality goals. Eric
is also team and delivery manager of our Tech Team that work with different types of Software
Assessments.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 19
Christian Holmberg
Christian has been working in the tech industry the last 15 years, and he is known for being a very
skilled product manager and product owner. Christian’s focus has always been the interaction
between tech and people, and he emphasizes an agile and data driven approach when facing new
challenges. Christian has held many different senior roles on Sony Mobile, and he is part of System
Verifications extended Tech Team.
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 20
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 21
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 22
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 23
W W W . SY ST E MV E R I FI C A T IO N . C O M
P a g e | 24
W W W . SY ST E MV E R I FI C A T IO N . C O M