Software program QA Course of for Product Managers


Twenty years in the past, after I labored within the automotive trade, the director of 1 manufacturing facility would typically say, “We now have someday to construct a automotive, however our buyer has a lifetime to examine it.” High quality was of the utmost significance. Certainly, in additional mature sectors just like the automotive and development industries, high quality assurance is a key consideration that’s systematically built-in into the product improvement course of. Whereas that is actually pushed by strain from insurance coverage corporations, it’s also dictated—as that manufacturing facility director famous—by the ensuing product’s lifespan.

In terms of software program, nonetheless, shorter life cycles and steady upgrades imply that supply code integrity is usually ignored in favor of recent options, subtle performance, and go-to-market pace. Product managers typically deprioritize supply code high quality assurance or go away it to builders to deal with, even supposing it is among the extra essential components in figuring out a product’s destiny. For product managers involved about constructing a strong basis for product improvement and eliminating dangers, defining and implementing a scientific evaluation of supply code high quality is important.

Defining “High quality”

Earlier than exploring the methods to correctly consider and enact a supply code QA course of, it’s necessary to find out what “high quality” means within the context of software program improvement. This can be a advanced and multifaceted challenge, however for the sake of simplicity, we are able to say high quality refers to supply code that helps a product’s worth proposition with out compromising shopper satisfaction or endangering the event firm’s enterprise mannequin.

A good software qa process should consider a number of factors.

In different phrases, high quality supply code precisely implements the useful specs of the product, satisfies the non-functional necessities, ensures customers’ satisfaction, minimizes safety and authorized dangers, and may be affordably maintained and prolonged.

Given how broadly and rapidly software program is distributed, the influence of software program defects may be vital. Issues like bugs and code complexity can harm an organization’s backside line by hindering product adoption and rising software program asset administration (SAM) prices, whereas safety breaches and license compliance violations can have an effect on firm popularity and lift authorized considerations. Even when software program defects don’t have catastrophic outcomes, they’ve an plain value. In a 2018 report, software program firm Tricentis discovered that 606 software program failures from 314 corporations accounted for $1.7 trillion in misplaced income the earlier yr. In a just-released 2020 report, CISQ put the price of poor high quality software program within the U.S. at $2.08 trillion, with one other estimated $1.31 trillion in future prices incurred by technical debt. These numbers may very well be mitigated with earlier interventions; the typical value of resolving a difficulty throughout product design is considerably decrease than resolving the identical challenge throughout testing, which is in flip exponentially lower than resolving the problem after deployment.

Dealing with the Scorching Potato

Regardless of the dangers, high quality assurance in software program improvement is handled piecemeal and is characterised by a reactive method quite than the proactive one taken in different industries. The possession of supply code high quality is contested, when it must be seen because the collective duty of various features. Product managers should view high quality as an impactful characteristic quite than overhead, executives ought to take note of the standard state and put money into it, and engineering features ought to resist treating code-cleaning as a “sizzling potato.”

Compounding these delegation challenges is the truth that current methodologies and instruments fail to handle the code high quality challenge as a complete. Using steady integration/steady supply methodologies reduces the influence of low-quality code, however until CI/CD relies on an intensive and holistic high quality evaluation it can’t successfully anticipate and deal with most hazards. Groups chargeable for QA testing, utility safety, and license compliance work in silos utilizing instruments which were designed to resolve just one a part of the issue and consider solely a few of the non-functional or useful necessities.

Contemplating the Product Supervisor’s Function

Supply code high quality performs into quite a few dilemmas a product supervisor faces throughout product design and all through the software program improvement life cycle. Τechnical debt is heavy overhead. It’s more durable and dearer so as to add and modify options on a low-quality codebase, and supporting current code complexity requires vital investments of time and assets that would in any other case be spent on new product improvement. As product managers frequently steadiness danger towards go-to-market pace, they need to take into account questions like:

  • Ought to I exploit an OSS (open supply software program) library or construct performance from scratch? What licenses and potential liabilities are related to the chosen libraries?
  • Which tech stack is most secure? Which ensures a quick and low-cost improvement cycle?
  • Ought to I prioritize app configurability (excessive value/time delay) or implement custom-made variations (excessive upkeep value/lack of scalability)?
  • How possible will it’s to combine newly acquired digital merchandise whereas sustaining excessive code high quality, minimizing dangers, and holding engineering prices low?

The solutions to those questions can critically influence enterprise outcomes and the product supervisor’s personal popularity, but selections are sometimes made based mostly on instinct or previous expertise quite than rigorous investigation and strong metrics. A radical software program high quality analysis course of not solely gives the info wanted for decision-making, but additionally aligns stakeholders, builds belief, and contributes to a tradition of transparency, wherein priorities are clear and agreed-upon.

Implementing a 7-Step Course of

A whole supply code high quality analysis course of leads to a prognosis that considers the complete set of high quality determinations quite than a number of remoted signs of a bigger downside. The seven-step technique introduced beneath is aligned with CISQ’s suggestions for course of enchancment and is supposed to facilitate the next goals:

  • Discover, measure, and repair the issue near its root trigger.
  • Make investments neatly in software program high quality enchancment based mostly on total high quality measurements.
  • Assault the issue by analyzing the whole set of measurements and figuring out the perfect, most cost-effective enhancements.
  • Contemplate the whole value of a software program product, together with the prices of possession, upkeep, and license/safety regulation alignment.
  • Monitor the code high quality all through the SDLC to stop disagreeable surprises.
The seven steps needed for a full software qa process.
A complete seven-step course of for evaluating code high quality

1. Product-to-code mapping: Tracing product options again to their codebase could seem to be an apparent first step, however given the speed at which improvement complexity will increase, it isn’t essentially easy. In some conditions, a product’s code is split amongst a number of repositories, whereas in others, a number of merchandise share the identical repository. Figuring out the varied places that home particular elements of a product’s code is critical earlier than additional analysis can happen.

2. Tech stack evaluation: This step takes under consideration the varied programming languages and improvement instruments used, the share of feedback per file, the share of auto-generated code, the typical improvement value, and extra.

Prompt instruments: cloc

Alternate options: Tokei, scc, sloccount

A tech stack analysis is part of a good software qa process.
Tech stack evaluation utilizing cloc

3. Variations evaluation: Based mostly on the outcomes of this portion of the audit, which includes figuring out all variations of a codebase and calculating similarities, variations may be merged and duplications eradicated. This step may be mixed with a bugspots (sizzling spots) evaluation, which identifies the tough elements of code which might be most continuously revised and have a tendency to generate greater upkeep prices.

Prompt instruments: cloc, scc, sloccount

4. Automated code evaluate: This inspection probes the code for defects, programming observe violations, and dangerous components like hard-coded tokens, lengthy strategies, and duplications. The device(s) chosen for this course of will depend upon the outcomes of the tech stack and variations analyses above.

Prompt instruments: SonarQube, Codacy

Alternate options: RIPS, Veracode, Micro Focus, Parasoft, and lots of others. An alternative choice is Sourcegraph, a common code search answer.

An automated code review is part of a good software qa process.
Automated code evaluate utilizing SonarQube

5. Static safety evaluation: This step, also referred to as static utility safety testing (SAST), explores and identifies potential utility safety vulnerabilities. Nearly all of out there instruments scan the code towards the continuously occurring safety considerations recognized by organizations similar to OWASP and SANS.

Prompt instruments: WhiteSource, Snyk, Coverity

Alternate options: SonarQube, Reshift, Kiuwan, Veracode

A static security analysis is part of a good software qa process.
Safety evaluation utilizing Snyk

6. Software program elements evaluation (SCA)/License compliance evaluation: This evaluate includes figuring out the open supply libraries linked instantly or not directly to the code, the licenses that shield every of those libraries, and the permissions related to every of those licenses.

Prompt instruments: Snyk, WhiteSource, Black Duck

Alternate options: FOSSA, Sonatype, and others

7. Enterprise danger evaluation: This remaining measure includes consolidating the data gathered from the earlier steps in an effort to perceive the complete influence of the supply code high quality standing on the enterprise. The evaluation ought to lead to a complete report that gives stakeholders, together with product managers, venture managers, engineering groups, and C-suite executives, with the small print they should weigh dangers and make knowledgeable product selections.

Though the earlier steps on this analysis course of may be automated and facilitated through a variety of open supply and business merchandise, there are not any current instruments that assist the complete seven-step course of or the aggregation of its outcomes. As a result of compilation of this knowledge is a tedious and time-consuming activity, it’s both carried out haphazardly or skipped completely, doubtlessly jeopardizing the event course of. That is the purpose at which an intensive software program inspection course of typically falls aside, making this final step arguably probably the most essential one within the analysis course of.

Though software program high quality impacts the product and thus the enterprise outcomes, device choice is mostly delegated to the event departments and the outcomes may be tough for non-developers to interpret. Product managers must be actively concerned in choosing instruments that guarantee a clear and accessible QA course of. Whereas particular instruments for the varied steps within the analysis are recommended above, there are a variety of normal concerns that must be factored into any device choice course of:

  • Supported tech stack: Remember the fact that the vast majority of out there choices assist solely a small set of improvement instruments and may end up in partial or deceptive reporting.
  • Set up simplicity: Instruments whose set up processes are based mostly on advanced scripting could require a big engineering funding.
  • Reporting: Choice must be given to instruments that export detailed, well-structured studies that determine main points and supply suggestions for fixes.
  • Integration: Instruments must be screened for straightforward integration with the opposite improvement and administration instruments getting used.
  • Pricing: Instruments not often include a complete value listing, so it is very important fastidiously take into account the funding concerned. Varied pricing fashions sometimes have in mind issues like staff headcount, code dimension, and the event instruments concerned.
  • Deployment: When weighing on-premise versus cloud deployment, take into account components like safety. For instance, if the product being evaluated handles confidential or delicate knowledge, on-prem instruments and instruments utilizing the blind-audit method (FOSSID) could also be preferable.

Holding It Going

As soon as dangers have been recognized and analyzed methodically, product managers could make considerate selections round prioritization and triage defects extra precisely. Groups may very well be restructured and assets allotted to handle probably the most emergent or prevalent points. “Showstoppers” like high-risk license violations would take priority over lower-severity defects, and extra emphasis could be positioned on actions that contribute to the discount of codebase dimension and complexity.

This isn’t a one-time course of, nonetheless. Measuring and monitoring software program high quality ought to occur repeatedly all through the SDLC. The total seven-step analysis must be carried out periodically, with high quality enchancment efforts starting instantly following every evaluation. The sooner a brand new danger level is recognized, the cheaper the treatment and the extra restricted the fallout. Making supply code high quality analysis central to the product improvement course of focuses groups, aligns stakeholders, mitigates dangers, and provides a product its highest probability at success—and that’s each product supervisor’s enterprise.


Please enter your comment!
Please enter your name here