Customer introduction

Dura Vermeer is a family business that has existed since 1855. It is an independent construction company active in the Netherlands. Its independence and long-term continuity form the basis of its strategy. With a turnover of more than € 1.6 billion and approximately 2800 employees, it is among the top of the Dutch construction sector. It is active in residential construction, non-residential construction, infrastructure, and technology. Its core activities include the design, development and realization of construction and infrastructural projects, including maintenance, renovation, and transformation.

The challenge at hand

Dura Vermeer is in the process of redeveloping one of its core custom-made applications. In this application all project-related information is stored and managed, and therefore it is considered a business-critical application. Dura Vermeer has hired external expertise to develop the new application. Dura Vermeer management wishes to ensure that the code and architecture quality of this critical application is very high, which should result in a very robust, efficient, and secure application that is easy to change and to maintain.

IDC Metri service

IDC Metri has carried out its Software Quality and Risk Assessment (SQRA) service to assess the quality of and the risk in this application. CAST technology was used to blueprint the architecture and to measure quality and risk against all current industry standards and best practices, including ISO 25010, ISO 5055, OWASP, NIST, CWE, etc. The SQRA took about 4 weeks and resulted in a comprehensive understanding of the quality and risk in the application and its architecture.

The study answered several research questions:

  1. What is the technical quality of the application based on all common international standards (ISO 25010, ISO 5055, CISQ, CWE, OMG, NIST, OWASP, etc.) and best practices, measured at system level (including the communication between components, layers, and objects)?
  2. What is the quality of and what are the risks in this application, expressed in a score of 1 to 4 on the health factors Robustness, Efficiency, Security, Changeability, Transferability, and Total Quality (Total Quality Index)?
  3. What are the Security-related critical violations in the application in relation to the OWASP and other security standards that are measured against?
  4. What is the technical size of the application and what is the functional size of the application in Automated Function Points (AFP)?
  5. What known risks and known vulnerabilities reside in the versions of the open-source components used and in the licenses of these components?
  6. What is the extent of the technical debt in this application and how much technical debt may be expected from technologically similar applications?
  7. What are the critical violations found, where in the code have they been found, why have these violations been marked as critical (including reference to the relevant standard or best practice) and how could these violations be solved? These insights are shown in a specific engineering dashboard in which developers can work specifically on solving these.
  8. What does a concrete improvement plan look like? Which critical violations can be solved in the short term at the lowest possible cost with the highest quality improvement? What are the (simulated) scores on the health factors after implementation of the improvement plan, and what is the effort required to implement this plan? In the case of any repeat measurements, the progress regarding the improvement plan is displayed on the Management dashboard after each measurement, so that Dura Vermeer management gains insight into the trends and progress regarding the agreements made.
  9. How are the architecture and the technical solution structured, and do they meet the current standards in the market regarding completeness, applicability and future-proofness? What architecture flaws are present in the application?
  10. What is the expected maintenance fee of the application per year?

How this helped Dura Vermeer

IDC Metri answered these questions and provided detailed insight into the architecture and code quality and risk. The quality of the application is very high and the risks in the application regarding robustness, security, efficiency, changeability and transferability are very low, which is good news for Dura Vermeer management and the development team.

The main deliverables were:

  • Management presentation with the major findings, observations, and recommendations as well as the answers to the research questions above.
  • Management Health dashboard with the scores on the health factors, the critical violations found and metrics like technical debt, technical size, functional size, etc.
  • Engineering dashboard with the (critical) violations found in the code, with their exact location, the reason these are considered (critical) with reference to the source standard or best practice and how to remediate the violation.
  • Architectural Blueprint in Imaging, where all connections between the components, frameworks, layers, etc. are made visual in order to facilitate the understanding of how the application works.
  • An improvement plan with 28 concrete actions to improve the quality of the application even further and to remediate the very few critical violations that were in the code.

The results were discussed with Dura Vermeer management and with the development team. The team clearly already had a high-quality mindset, which resulted in high-quality code with low technical debt and only a few critical violations. After the suggested improvement plan has been carried out, the critical violations should all be resolved, and the maintenance cost should be as low as possible after the handover to Dura Vermeer maintenance.

This allows Dura Vermeer management to rest assured that their key application will be running in a stable, secure, and efficient way.
