Copyright TechTarget - All rights reserved https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Sat, 18 Apr 2026 20:39:37 GMT https://www.techtarget.com/searchsoftwarequality editor@techtarget.com <p>Behavior-driven development (BDD) is an <a href="https://www.techtarget.com/searchsoftwarequality/definition/agile-software-development">Agile</a> development methodology that documents, designs and develops software around the behavior a user expects to experience when interacting with an app. BDD extends the capabilities of test-driven development (<a href="https://www.techtarget.com/searchsoftwarequality/definition/test-driven-development">TDD</a>) and acceptance test-driven development (<a href="https://www.techtarget.com/whatis/definition/acceptance-testdriven-development-ATDD">ATDD</a>) by encouraging collaboration among stakeholders and writing plain-language scenarios that can be used as both executable tests and living documentation.</p> <p>Behavior-driven development aims to ensure that each software release delivers real value that solves a user problem or meets a business need. The methodology's collaborative approach to defining requirements enables all <a href="https://www.techtarget.com/searchcio/definition/stakeholder">stakeholders</a> to understand requirements the same way, and the methodology's <a href="https://www.techtarget.com/searchsoftwarequality/tip/Iterative-vs-incremental-development-Whats-the-difference">iterative sprints</a> can reduce the time it takes to identify and fix issues.</p> <section class="section main-article-chapter" data-menu-title="Benefits of behavior-driven development"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of behavior-driven development</h2> <p>The main advantage of BDD is that it improves communication and collaboration between stakeholders with different business priorities and/or levels of technical expertise. To help stakeholders understand an application's purpose and expected behavior, requirements are always expressed as real-world scenarios and are written in plain language. This approach reduces ambiguity and makes it easier for BDD teams to understand the scope of each <a href="https://www.techtarget.com/searchsoftwarequality/definition/Scrum-sprint">Agile sprint</a> from a user's perspective.</p> <p>Another benefit of BDD is that once a scenario has been written, it can be automated once and re-run many times in different contexts. This is important because it allows the same scenario to be used for documentation and testing in both stage and production environments. Focusing on user needs also helps to avoid code bloat. Because BDD requires each functionality to be backed by a behavioral requirement, teams can avoid <a href="https://www.techtarget.com/whatis/definition/scope-creep">scope creep</a> and other issues that delay the software development lifecycle (<a href="https://www.techtarget.com/searchsoftwarequality/definition/software-development-life-cycle-SDLC">SDLC</a>).</p> </section> <section class="section main-article-chapter" data-menu-title="How behavior-driven development works (BDD lifecycle)"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How behavior-driven development works (BDD lifecycle)</h2> <p>A typical project that uses behavior-driven development begins with a conversation between software developers, software testers, <a href="https://www.techtarget.com/searchsoftwarequality/definition/product-owner">product owners</a> and potential end users. The goal is to build a shared understanding of requirements that clarifies expected behaviors in plain language and defines acceptance criteria before any code is written.</p> <p>Typically, BDD consists of the following steps:</p> <ul class="default-list"> <li>Discover and gather requirements after discussions with all stakeholders.</li> <li>Define potential scenarios in simple, natural (human) language.</li> <li>Turn scenarios into automated test scripts with tools like <a href="https://cucumber.io/" target="_blank" rel="noopener">Cucumber</a> or <a href="https://concordion.org/index.html" target="_blank" rel="noopener">Concordion</a>.</li> <li>Develop <a href="https://www.techtarget.com/searchapparchitecture/definition/source-code">source code</a> to satisfy defined scenarios.</li> <li>Test code to verify functionality works as expected.</li> <li>Improve code by incorporating stakeholder feedback.</li> <li>Deploy (release) the software when actual system behavior matches expected behavior.</li> <li>Maintain the software as requirements evolve over time to ensure that functionality doesn't break.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/agile_values_and_principles-i.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/agile_values_and_principles-i_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/agile_values_and_principles-i_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/agile_values_and_principles-i.png 1280w" alt="Key values of the Agile development process. Diagram." height="859" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>These key values and principles of Agile development describe how teams should approach the software development process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Examples of BDD scenarios"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Examples of BDD scenarios</h2> <p>Once requirements have been identified, BDD teams can write real-world scenarios and <a href="https://www.techtarget.com/searchsoftwarequality/definition/automated-software-testing">turn them into automated tests</a>. Typically, this involves using <a href="https://www.guvi.in/blog/understanding-gherkin/" target="_blank" rel="noopener">Gherkin</a>, a domain-specific language (DSL) that doesn't require team members to be experienced programmers.</p> <p>Instead, Gherkin scenarios use a Given-When-Then format to describe how software should behave. <i>Given</i> sets up the initial context or preconditions, <i>when</i> describes an action or event that triggers the behavior and <i>then</i> specifies the expected outcome or result.</p> <p>Here are two examples of such scenarios:</p> <p><b>Scenario: Successful login</b><br><i>Given</i> that the user is on the website's login page<br><i>When</i> the user enters a valid username and password combination and clicks the login button<br><i>Then</i> the user will be logged in successfully</p> <p><b>Scenario: Add item to a shopping cart</b><br><i>Given</i> the user is on a product page<br><i>When</i> the user clicks on "Add to cart"<br><i>Then</i> the item will be added to the user's virtual shopping cart</p> </section> <section class="section main-article-chapter" data-menu-title="Behavior-driven development testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Behavior-driven development testing</h2> <p>In software development, traditional quality assurance (<a href="https://www.techtarget.com/searchsoftwarequality/definition/quality-assurance">QA</a>) testing verifies whether or not code complies with technical specifications. In behavior-driven development, however, acceptance testing verifies how code behaves in different scenarios. The emphasis on <a href="https://www.techtarget.com/searchsoftwarequality/definition/functional-specification">functional specifications</a> instead of technical specifications is beneficial for <a href="https://www.techtarget.com/searchapparchitecture/definition/microservices">microservice</a> deployments in <a href="https://www.techtarget.com/searchsoftwarequality/definition/continuous-integration">continuous integration</a> and <a href="https://www.techtarget.com/searchitoperations/definition/continuous-delivery-CD">continuous delivery</a> (CI/CD) pipelines. Microservices are modular software components that work together as part of a larger application. CI/CD pipelines are automated workflows that integrate code changes, run QA tests to validate the changes and move accepted changes to production quickly and reliably.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/w6Y19RWawc0?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> <p>In CI/CD deployments, behavior-specific <a href="https://www.techtarget.com/searchsoftwarequality/definition/acceptance-test">acceptance tests</a> are written before coding begins, so technically, they can be run at the beginning of a project, while a product is still in development or when it is completed. However, it's important to understand that most acceptance tests will fail at the beginning of a project because the functionality hasn't been developed yet. As the development project goes on, however, more tests are likely to pass, and once all acceptance criteria have been met, the software can be released to production.</p> <p>To facilitate behavior-driven testing, development teams should:</p> <ul class="default-list"> <li>Consider using the <a href="https://www.techtarget.com/whatis/definition/5-Whys">5 Whys principle</a> to help stakeholders align <i>needs</i> with <i>priorities</i> and <i>outcomes</i>.</li> <li>Practice writing user-focused scenarios.</li> <li>Consider using automation to turn user-focused scenarios into executable acceptance tests.</li> <li>Align acceptance tests with specific user needs and/or business goals.</li> <li>Provide a centralized repository for stakeholders to review BDD documentation and project progress.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Popular BDD tools and frameworks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Popular BDD tools and frameworks</h2> <p>Numerous tools and frameworks are available to help development teams adopt BDD and take advantage of its many benefits. Some of the most popular BDD tools include:</p> <p><b>Cucumber</b>. Development and test teams can use Cucumber to write acceptance tests in plain language and then run them automatically.</p> <p><b>Behave</b>. Behave is a BDD tool for <a href="https://www.techtarget.com/whatis/definition/Python">Python</a> developers. Like Cucumber, Behave lets development teams write scenarios in plain text using Gherkin and execute them automatically through step definitions. (A step definition is a snippet that connects a single line of Gherkin syntax to the automation code that executes it.)</p> <p><b>Behave Restful</b>. Python developers and testers can use Behave Restful to test microservices implemented in any language and validate REST APIs.</p> <p><b>JBehave</b>. JBehave is a BDD framework for writing and running <a href="https://www.theserverside.com/definition/Java">Java</a> tests. The framework can be integrated with different integrated development environments (<a href="https://www.techtarget.com/searchsoftwarequality/definition/integrated-development-environment">IDEs</a>), including <a href="https://www.techtarget.com/searchapparchitecture/definition/Eclipse-Eclipse-Foundation">Eclipse</a>, to streamline test creation and execution without leaving the development environment.</p> <p><b>Mocha.</b> Mocha is a popular <a href="https://www.theserverside.com/definition/JavaScript">JavaScript</a> test framework that runs on <a href="https://www.techtarget.com/whatis/definition/Nodejs">Node.js</a> and in web browsers. By default, Mocha executes tests serially to simplify reporting and ensure errors are mapped to the correct test cases. Mocha integrates with a wide range of third-party tools and plugins to support continuous testing and provide Agile workflows with feedback in real time.</p> <p><b>Concordion</b>. Concordion is a lightweight BDD framework for Java developers. Tests are written in <a href="https://whatis.techtarget.com/definition/dynamic-HTML">HTML</a> or <a href="https://www.techtarget.com/searchsoftwarequality/tip/Ultimate-Markdown-guide-Rules-to-know">Markdown,</a> and Java fixtures (classes) link specifications to executable test code.</p> </section> <section class="section main-article-chapter" data-menu-title="Behavior-driven development best practices"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Behavior-driven development best practices</h2> <p>Software development teams can take advantage of BDD's benefits while minimizing its challenges by adopting the best practices highlighted below:</p> <ul class="default-list"> <li>Write test scenarios before writing code.</li> <li>Encourage developers, testers and business stakeholders to collaborate on Gherkin scenarios.</li> <li>Write scenarios from the user's perspective.</li> <li>Keep scenarios short and focused on business, not technology.</li> <li>Ensure each scenario verifies a single, clear outcome.</li> <li>Reuse step definitions for different scenarios whenever possible.</li> <li>Organize scenarios with tags to make them easy to find and use.</li> <li>Shorten feedback loops by running scenarios in CI/CD pipelines.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Common challenges and drawbacks of BDD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Common challenges and drawbacks of BDD</h2> <p>Although behavior-driven development has many benefits, it also has some challenges. One important challenge is that adopting and adjusting to a BDD approach can have a high learning curve. Developers and other stakeholders must learn how to write plain-language scenarios reflecting real-world concerns. They must also become familiar with using Gherkin in <a href="https://www.modernanalyst.com/Resources/Articles/tabid/115/ID/3871/BDD-An-introduction-to-feature-files.aspx" target="_blank" rel="noopener">feature files</a> that serve as living documentation and automated acceptance tests.</p> <p>Another challenge is that technical personnel may struggle to collaborate with non-technical personnel (and vice versa). In organizations with clear lines of demarcation between these two teams, overcoming the cultural differences between different departments can be almost as difficult as accommodating different levels of technical skills.</p> <p>Behavior-driven design can also be challenging for development teams that have traditionally used <a href="https://www.techtarget.com/searchsoftwarequality/tip/Waterfall-vs-Agile-methodology-Differences-and-examples">Waterfall development strategies</a>. BDD requires scenarios (and therefore acceptance tests) to be written before code, creating a major workflow shift. Larger or more complex projects can also slow the entire software development lifecycle because hundreds of user-focused scenarios can be time-consuming to develop and maintain.</p> <p>Because BDD can increase complexity and latency in the SDLC, it may not be the right approach for every development project. For small projects, prototypes or highly technical libraries, the additional challenges of BDD deployments may outweigh the benefits, especially in CI/CD pipelines that prioritize speed and simplicity over stakeholder communication.</p> <p><i>Learn more about the </i><a href="https://www.techtarget.com/searchsoftwarequality/CI-CD-pipelines-explained-Everything-you-need-to-know"><i>challenges of CI-CD pipelines and how to overcome them</i></a><i> in this comprehensive guide. </i></p> </section> Behavior-driven development (BDD) is an Agile development methodology that documents, designs and develops software around the behavior a user expects to experience when interacting with an app. https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg https://www.techtarget.com/searchsoftwarequality/definition/Behavior-driven-development-BDD Fri, 05 Sep 2025 09:00:00 GMT <p>The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes.</p> <p>CMM was developed and is promoted by the Software Engineering Institute (<a href="https://www.sei.cmu.edu/" target="_blank" rel="noopener">SEI</a>), a research and development center sponsored by the U.S. Department of Defense (DOD) and now part of Carnegie Mellon University. SEI was founded in 1984 to address <a href="https://www.techtarget.com/whatis/definition/software-engineering">software engineering</a> issues and, in a broad sense, to advance software engineering methodologies. More specifically, SEI was established to optimize the process of developing, acquiring and maintaining heavily software-reliant systems for the DOD. SEI advocates industry-wide adoption of the CMM Integration (CMMI), which is an evolution of CMM. The CMM model is still widely used as well.</p> <p>CMM is similar to <a href="https://www.techtarget.com/searchdatacenter/definition/ISO">ISO</a> 9001, one of the <a href="https://www.techtarget.com/searchdatacenter/definition/ISO-9000">ISO 9000</a> series of standards specified by the International Organization for Standardization. The ISO 9000 standards specify an effective quality system for manufacturing and service industries; ISO 9001 deals specifically with software development and maintenance.</p> <p>The main difference between CMM and ISO 9001 lies in their respective purposes: ISO 9001 specifies a minimal acceptable quality level for software processes, while CMM establishes a <a href="https://www.techtarget.com/whatis/definition/framework">framework</a> for continuous process improvement. It is more explicit than the ISO standard in defining the means to be employed to that end.</p> <section class="section main-article-chapter" data-menu-title="CMM's five levels of maturity for software processes"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CMM's five levels of maturity for software processes</h2> <p>There are five levels to the CMM development process. They are the following:</p> <ol class="default-list"> <li><b>Initial.</b> At the initial level, processes are disorganized, ad hoc and even chaotic. Success likely depends on individual efforts and is not considered to be repeatable. This is because processes are not sufficiently defined and documented to enable them to be replicated.</li> <li><b>Repeatable.</b> At the repeatable level, requisite processes are established, defined and documented. As a result, basic <a href="https://www.techtarget.com/searchcio/definition/project-management">project management</a> techniques are established, and successes in key process areas are able to be repeated.</li> <li><b>Defined.</b> At the defined level, an organization develops its own standard <a href="https://www.techtarget.com/searchsoftwarequality/tip/A-guide-to-software-design-documentation-and-specifications">software development process</a>. These defined processes enable greater attention to documentation, standardization and integration.</li> <li><b>Managed.</b> At the managed level, an organization monitors and controls its own processes through <a href="https://www.techtarget.com/searchcio/definition/data-collection">data collection</a> and analysis.</li> <li><b>Optimizing.</b> At the optimizing level, processes are constantly improved through <a href="https://www.techtarget.com/searchsoftwarequality/tip/6-ways-to-catch-defects-in-software-tighten-feedback-loops">monitoring feedback from processes</a> and introducing innovative processes and functionality.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model-f.png 1280w" alt="Diagram of the 5 levels of the Capability Maturity Model" height="213" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Capability Maturity Model takes software development processes from disorganized and chaotic to predictable and constantly improving. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="CMM vs. CMMI: What's the difference?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CMM vs. CMMI: What's the difference?</h2> <p>CMMI is a newer, updated model of CMM. SEI developed <a href="https://www.cmmiinstitute.com/" target="_blank" rel="noopener">CMMI</a> to integrate and standardize CMM, which has different models for each function it covers. These models were not always in sync; integrating them made the process more efficient and flexible.</p> <p>CMMI includes additional guidance on how to improve key processes. It also incorporates ideas from <a href="https://www.techtarget.com/searchsoftwarequality/definition/agile-software-development">Agile development</a>, such as continuous improvement.</p> <p>SEI released the first version of CMMI in 2002. In 2013, Carnegie Mellon formed the CMMI Institute to oversee CMMI services and future model development.</p> <p>ISACA, a professional organization for IT governance, assurance and cybersecurity professionals, acquired CMMI Institute in 2016. The next version -- CMMI V2.0 -- came out in 2018. It focused on establishing business objectives and tracking those objectives at every level of business <a href="https://www.techtarget.com/whatis/definition/maturity-model">maturity</a>.</p> <p>The current version of CMMI, Version 3.0, was released in 2023. It leverages comments from users and CMMI partners to improve various elements of the model, including changes to the architecture and development of new practice areas addressing people and <a href="https://www.techtarget.com/searchdatamanagement/definition/data-management">data management</a>, in addition to addressing <a href="https://www.techtarget.com/searchsecurity/tip/Remote-work-cybersecurity-12-risks-and-how-to-prevent-them">virtual (e.g., remote) work environments</a>.</p> <p>CMMI adds Agile principles to CMM to help improve development processes, software configuration management and <a href="https://www.techtarget.com/searchsoftwarequality/tip/Make-quality-a-priority-in-your-software-engineering-culture">software quality</a> management. It does this, in part, by incorporating continuous feedback and continuous improvement into the software development process. Under CMMI, organizations are expected to continually optimize processes, record feedback and use that feedback to further improve processes in a cycle of improvement.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/lHmHKh-QVNQ?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> <p>One criticism of CMM is that it is too process-oriented and not goal-oriented enough. Organizations have found it difficult to tailor CMM to specific goals and needs. One of CMMI's improvements is to focus on strategic goals and additional practice areas. CMMI is designed to make it easier for businesses to apply the methodology to specific uses than with CMM.</p> <p>Like CMM, CMMI consists of five process maturity levels. However, they are different from the levels in CMM.</p> <p>The process performance levels of CMMI are the following:</p> <ol class="default-list"> <li><b>Initial.</b> Processes are unpredictable and reactive. They increase risk and decrease efficiency.</li> <li><b>Managed.</b> Processes are planned and managed, but they still have issues.</li> <li><b>Defined.</b> Processes become more proactive than reactive.</li> <li><b>Quantitatively managed.</b> Quantitative data is used to craft predictable processes that fulfill <a href="https://www.techtarget.com/searchcio/definition/stakeholder">stakeholder</a> needs based on more accurate measurement of adherence to business goals.</li> <li><b>Optimizing.</b> The organization has a set of consistent <a href="https://www.computerweekly.com/feature/How-AI-is-helping-to-drive-business-process-optimisation">processes that are constantly being improved and optimized</a>.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model_integration-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model_integration-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model_integration-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/5_levels_of_the_capability_maturity_model_integration-f.png 1280w" alt="Diagram of the 5 levels of the Capability Maturity Model Integration" height="241" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Capability Maturity Model Integration combines various software develop maturity models into one process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The Capability Maturity Model Integration combines various software development maturity models into one process.</p> </section> <section class="section main-article-chapter" data-menu-title="Pros and cons of CMMI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Pros and cons of CMMI</h2> <p>The latest version of the CMMI offers some important advantages, including an updated framework for structured process management, increased scalability to address a wider variety of organizations, and by achieving CMMI certification, an improved competitive position and reputation for excellence.</p> <p>The above benefits also come with a few challenges, including the cost and time needed to achieve and maintain the CMMI model, complexity associated with the program implemented, and possible <a href="https://www.techtarget.com/searchcio/tip/The-importance-of-culture-in-digital-transformation">cultural resistance</a> to CMMI processes and their application.</p> </section> <section class="section main-article-chapter" data-menu-title="Preparing for CMMI assessment and certification"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Preparing for CMMI assessment and certification</h2> <p>Assuming an organization wishes to pursue CMMI accreditation, it must first complete a self-assessment which is followed by a third-party assessment and, hopefully, an <a href="https://cmmiinstitute.com/learning/certifications">CMMI certification</a> by the CMMI Institute.</p> <p>The process has several steps, which start by gathering data on the assessment and certification processes from CMMI Institute or one of its approved partner organizations. The candidate organization may elect to receive training on the CMMI process and then proceed to a self-assessment of its current practices as compared to CMMI requirements. Deficiencies uncovered by the assessment can then be addressed.</p> <p>Once the organization has completed the above steps and addressed the relevant assessment components, an appraisal can be scheduled by an approved third party. This can involve interviews, inspections, program and project reviews and other structured activities. Results of the appraisal report can be turned into an action plan to correct any issues. Working in concert with the third-party appraiser, the organization can then apply for certification by the CMMI Institute.</p> <p>A key consideration of self-assessment, appraisal and certification is that the CMMI process does not end with certification. Instead, CMII processes should be part of <a href="https://www.informationweek.com/it-leadership/why-your-it-organization-needs-to-embrace-continuous-improvement">an organization's continuous improvement</a> activities.</p> </section> <section class="section main-article-chapter" data-menu-title="Organizations that provide CMMI assessments and appraisals"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Organizations that provide CMMI assessments and appraisals</h2> <p>The CMMI Institute provides details on how to organize an assessment and/or appraisal. The CMMI Institute Partner Directory lists all partners worldwide. Following is a brief list of CMMI certified lead appraisers.</p> <ul class="default-list"> <li>ABI Consultants</li> <li>Abridge Technology</li> <li>Accenture LLP</li> <li>ACE Guides, LLC</li> <li>ActioNet, Inc.</li> <li>AFNOR Certification</li> <li>AG Kaizen Group</li> <li>Brightline Performance Group</li> <li>BVSLN System Services Private Ltd.</li> <li>Delivery Excellence, Inc.</li> <li>IBM</li> <li>Layermark</li> <li>Leading Edge Process Consultants, LLC</li> <li>Plowright International LLC</li> <li>Prescient Security</li> <li>RSK Consulting</li> <li>Sandhill Consultants Ltd.</li> <li>Shanghai Fancier Info Tech Ltd.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="The future of CMMI programs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The future of CMMI programs</h2> <p>Considering the latest iteration -- Version 3.0 -- of the CMMI model, its expansion into a global set of capability performance metrics, and a greater focus on <a href="https://www.techtarget.com/whatis/feature/Tips-for-learning-new-technologies">advanced technologies</a>, people management, virtual work, and environmental, social and governance (<a href="https://www.techtarget.com/whatis/definition/environmental-social-and-governance-ESG">ESG</a>) issues, the long-term view of CMMI is positive.</p> <p><i>As software permeates all aspects of life, developers have an ethical duty to their users. Learn how to </i><a href="https://www.techtarget.com/searchsoftwarequality/tip/5-examples-of-ethical-issues-in-software-development"><i>uphold this responsibility in software development</i></a><i>. Also, learn about </i><a href="https://www.techtarget.com/sustainability/feature/5-IT-sustainability-approaches-to-consider"><i>constructive approaches to enhancing IT sustainability</i></a><i>, such as prioritizing e-waste reduction and adopting responsible AI practices. </i></p> </section> The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsoftwarequality/definition/Capability-Maturity-Model Wed, 03 Sep 2025 09:00:00 GMT <p>Skilled quality assurance analysts exhibit an inexhaustible curiosity that drives their work. Software testing is one of the few professions where people get paid to find out how something is supposed to work, then immediately try to break it -- and get praised for their efforts when they do.</p> <p>To get ahead in this somewhat wacky profession, <a href="https://www.techtarget.com/searchsoftwarequality/tip/Ten-skills-of-highly-effective-software-testers">software testers must get serious about setting goals</a>. Cultivate a passion for understanding how things work; that's a smart goal for QA analysts from the very start of their careers.</p> <p>Every <a href="https://www.techtarget.com/searchsoftwarequality/opinion/5-software-testing-books-QA-professionals-should-dig-into">QA analyst should learn more</a> about how and why things work, especially things that have nothing to do with computers and software. Ever wonder how mechanical cash registers kept a running tally of the day's sales? How were telephones connected using a patch panel matrix through a switchboard? These are great questions for testers to ponder and research. With that background, it becomes clearer how computers and the software that instructs them improved upon sales tracking, or how communication circuits can be established without human intervention.</p> <p>Curiosity is one thing, but <a href="https://www.techtarget.com/searchsoftwarequality/tip/13-common-QA-interview-questions-and-answers">advancement on a career path</a> is another. Read on for five <a href="https://www.techtarget.com/whatis/definition/SMART-SMART-goals">SMART</a> goals a tester can target to stand out.</p> <section class="section main-article-chapter" data-menu-title="What are SMART goals?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are SMART goals?</h2> <p>The SMART goals framework helps those who employ it set meaningful, realistic goals. To set SMART goals as a QA analyst, first learn what a SMART goal consists of:</p> <ul class="default-list"> <li><b>Specific. </b>Goals in this framework should be as specific, clear and focused as possible. Ambiguous goals leave margin for distraction or waste.</li> <li><b>Measurable. </b>A measurable goal provides information that lets teams track progress and gives concrete benchmarks for achievement.</li> <li><b>Achievable. </b>A SMART goal is achievable -- completing it within the allotted time frame is possible.</li> <li><b>Relevant. </b>The goal should align with the broader objectives of the team and organization.</li> <li><b>Time-bound. </b>The goal should have a target end date.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/what_does_smart_mean-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/what_does_smart_mean-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/what_does_smart_mean-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/what_does_smart_mean-f.png 1280w" alt="Diagram of the SMART goals framework" height="274" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The SMART framework helps teams in any discipline ensure they're setting valuable goals. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="5 SMART goals for QA analysts"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5 SMART goals for QA analysts</h2> <p>With a basic understanding of the SMART framework, consider these five example SMART goals for QA analysts.</p> <h3>1. Get indoctrinated in business process mapping</h3> <p>This SMART objective is easier said than done, but worth the effort.</p> <p>For starters, lobby the test lead or QA management to spend time in the trenches. When testers spend time with business users who help work flow from input to output, both sides can learn from the experience. Understand the data that higher management needs to <a href="https://www.techtarget.com/searchbusinessanalytics/feature/6-big-data-benefits-for-businesses">make sound business decisions</a> and know when it's safe to hand off work from one team member to another.</p> <p>Don't just observe. Ask lots of questions about what constitutes individual units of work and how business users would like to see them improved.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">10 testing techniques for QA professionals</h3> <p>Software testers, embrace your creative and fearless side and learn <a href="https://www.techtarget.com/searchsoftwarequality/pro/10-Exploratory-Testing-Techniques-for-QA-Professionals?utm_source=widget&amp;utm_medium=download&amp;Offer=OTHR-Widget_OTHR-DLO_OTHR-Offer_2021May10_QATesting">how to do exploratory testing</a> with approaches for QA professionals of all skill levels.</p> </div> </div> <p>Use a <a href="https://www.techtarget.com/searchapparchitecture/tip/A-review-of-top-software-architecture-visualization-tools">flow chart tool</a>, such as Visio or Lucidchart, to create diagrams that highlight where key business decisions are made. Detail these decisions in terms that will help the development or test team later, automating a manual task or improving an existing algorithm, for example.</p> <p>This work is akin to what a business analyst might do, but it's also a worthy goal for a QA analyst. The tester's objective here is to become as much of a business subject matter expert as possible in how work is done in the organization. When creating test scenarios, they can determine what's in the software's critical path versus an <a href="https://www.techtarget.com/searchsoftwarequality/tip/The-importance-of-edge-case-testing-When-to-fix-the-bug">edge or corner case</a>.</p> <p>It might not be possible to shadow software's end users as they toil through the day, but learn any standard operating procedures that might be lying around. If no documentation for these procedures exists, draft some with an eye toward a QA audience. Ask why something is done a certain way, not how it is done.</p> <p>It's difficult to measure this individual goal. It's all about gaining an overall knowledge of how processes work on the business side. Understanding this bigger picture will yield better test scenarios, rather than simply improving test execution steps. One way to measure this goal is to see whether a tester can fill in for someone on the business side in an emergency or stand in for one during code deployment verification. The team could theoretically use the key performance indicators for that specific process to measure the QA analyst's performance as a stand-in. Trying to review or validate this measurement might result in a point of diminishing return, however</p> <h3>2. Understand the basics of programming logic</h3> <p>Though it's not a critical requirement for QA analysts, coding proficiency can help to keep up with changing test methodologies and improve automated testing.</p> <p>Traditional QA analysts and manual testers won't require <a href="https://www.techtarget.com/searchsoftwarequality/tip/Skills-an-SDET-needs">as much coding knowledge as SDETs</a> or automation QA engineers. After all, QA analysts don't write the code. However, programming logic is important for any QA profession. All programming languages have several basic logic structures in common:</p> <ul class="default-list"> <li>If-then-else.</li> <li>Case structure.</li> <li><em>Do-while.</em></li> <li><em>Do-until.</em></li> </ul> <p>Software testers need a basic knowledge of these programming language staples for continued career growth. Successful execution of <a href="https://www.techtarget.com/searchsoftwarequality/answer/Can-automated-application-testing-be-better-than-manual-QA">manual tests and automated scripts</a> is helpful, but testing activities only go so far. It's even more important to know the conditions under which data enters one of the programming structures, and what must happen for that data to exit it.</p> <p>Let's start with if-then-else logic. In this structure, <em>if</em> is whether a condition exists. If it does exist, then execute the <em>then</em> function. Otherwise, execute the <em>else</em> function -- or do nothing. The if-then-else structure works well when a condition is true or false.</p> <p>A case structure might be appropriate when a condition falls into one slot in a range of possibilities.</p> <p>A case structure expands on if-then-else by providing multiple functions to execute if certain conditions exist. For example, an if-then-else structure might check if a number falls in a range between 2-10 and, if it does, then the number is multiplied by five. If the number is not in that range, it will fall into the <em>else</em> condition and is not multiplied at all. A case structure specifies what to do when a number falls into one of many ranges. In this example, a number between 2-10 falls into <strong>Case A</strong> and is multiplied by five. If the number is between 11-20, it falls into <strong>Case B</strong> and is multiplied by four. If a number is 21 or higher, it falls into <strong>Case C</strong> and is multiplied by three. Case structures can get complex and involve branching into other parts of the code.</p> <p><em>Do-while</em> and <em>do-until</em> are basically loops. With <em>do-while</em>, a function is performed as long as a condition still exists. A <em>do-until</em> logic structure performs a function until a condition no longer exists.</p> <p>While <a target="_blank" href="https://www.goodreads.com/book/show/4775354-tools-for-structured-design" rel="noopener">the book itself</a> is a bit dated, <em>Tools for Structured Design: An Introduction to Programming Logic</em> by Marilyn Bohl and Maria Rynn, originally published in 1978, helps convey the ubiquitous precepts of all programming languages. A grasp of programming logic in a language-independent manner helps comprehend the entry and exit criteria to test discrete pieces of code. This domain knowledge marries a business process to the most appropriate programming structure. A yes/no decision point in a business process generally maps to an if-then-else structure, whereas a decision point that requires an answer to one of three or more questions might require a case structure.</p> <p>Read through the code with business requirements in mind. Is it more understandable than before? A QA analyst might work with developers in a test-driven development (<a href="https://www.techtarget.com/searchsoftwarequality/definition/test-driven-development">TDD</a>) environment to achieve this goal and implement process improvements. In TDD, the QA and development team collaborate on unit testing of discrete pieces of code. Code is written and made to fail an initial test, <a href="https://www.techtarget.com/searchsoftwarequality/tip/Essential-refactoring-techniques-to-know">then refactored</a> to get it to pass.</p> <h3>3. Brush up on QA history</h3> <p>When setting goals, don't repeat mistakes from the past. Learn what types of processes came before -- failed or successful -- and how those testing processes set the groundwork for existing ones.</p> <p>The way to measure understanding of the past is to see if it helps achieve better Agile performance. While the traditional software development lifecycle (<a href="https://www.techtarget.com/searchsoftwarequality/definition/software-development-life-cycle-SDLC">SDLC</a>) and Waterfall methodology eventually resulted in bloated products and documentation, lessons on the intent and approach might still be useful today. Borrow principles and concepts from the past and mold them into usable processes.</p> <p>Check out <a target="_blank" href="https://www.goodreads.com/book/show/1928410.Customer_Oriented_Software_Quality_Assurance" rel="noopener">the book</a> <em>Customer Oriented Software Quality Assurance</em> by Frank P. Ginac, originally published in 1998. This lightning-fast read shows how and why the Software Engineering Institute's Capability Maturity Model (<a href="https://www.techtarget.com/searchsoftwarequality/definition/Capability-Maturity-Model">CMM</a>) caught on with many organizations in the late 1990s. It might be eye-opening to realize that some CMM concepts are still relevant.</p> <p>A SMART goal might be to read the book and draw parallels between the book's subject matter and current practices, then use those parallels to improve Agile performance in the organization according to specific metrics.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">OKR examples for QA analysts</h3> <p>While it's helpful to pinpoint SMART goals for a QA analyst's career advancement, don't lose sight of objectives and key results (<a href="https://www.techtarget.com/searchhrsoftware/definition/OKRs-Objectives-and-Key-Results">OKRs</a>). OKRs are a collaborative means to define personal or project goals, set meaningful objectives and track key results to realize their outcomes.</p> <p>First, the QA analyst determines a testing objective and then defines the logical key results that will enable them to meet it. As with SMART goals, <a href="https://www.techtarget.com/searchsoftwarequality/tip/OKRs-vs-SMART-goals-in-software-development">track your OKRs</a> to see the best results.</p> <p>Here are some OKR examples for <a href="https://www.techtarget.com/searchsoftwarequality/feature/Skills-and-responsibilities-in-a-QA-engineer-role">QA engineers</a>.</p> <ul class="default-list"> <li>Objective: Increase test coverage for a new product release.</li> <ul type="circle" class="default-list"> <li>Key result 1: Work with developers to automate 75% of test cases.</li> <li>Key result 2: Boost code coverage to 90%.</li> <li>Key result 3: Use a device farm to test on many end-user devices simultaneously.</li> </ul> <li>Objective: Boost testing outside of the QA stage.</li> <ul type="circle" class="default-list"> <li>Key result 1: Implement test-driven development for early refactoring.</li> <li>Key result 2: Enhance automated regression testing.</li> <li>Key result 3: Test in production to catch bugs under real conditions but before users see them.</li> </ul> </ul> <p><strong>Editor's note: </strong><em>This sidebar was written by site editor David Carty and approved by contributor Jim Brown.</em></p> </div> </div> <h3>4. Become a master of conflict resolution</h3> <p>This SMART goal for a QA analyst is another one that isn't easy to measure but is nonetheless important for career success.</p> <p>A QA analyst's job is to find problems with the company's product -- ideally, before users do. Thus, the tester is often the bearer of bad news. Sometimes developers let out a sigh of relief when testers catch a bug before code moves into production. But there are also <a href="https://www.techtarget.com/searchsoftwarequality/tip/Improving-DevOps-collaboration-Challenges-and-tips">tussles between testers and developers</a>, the latter of whom are adamant that their code is not at fault when issues arise. Developers might argue that there's a bad or incomplete requirement, or that the testing wasn't done correctly.</p> <p>Acquire the ability to mediate conflicts. It is a skill that will help quash issues between team members over the root cause of a defect, especially when the added project time required for remediation and retesting can lead to additional stress. Set an individual goal to mediate a certain number of conflicts. Or, take a course on conflict resolution by a predetermined date, then seek to apply the skills learned in that course to disputes in the workplace.</p> <p>Conflict resolution is an art that requires confidence. Conflict raises anxiety, and it can breed animosity. Deflecting or avoiding conflict entirely is a goal worth attaining.</p> <h3>5. Boost project management skills</h3> <p>QA analysts run mini-projects within a project. Test planning, resource allocation, test execution time estimates, scheduling time for defect remediation and slotting time for retests -- these are all small, individual projects that contribute to the overall QA for the software project. All of these efforts require some project management skills.</p> <p>A project manager will block off time for test cycles, or sprints, within an overall project plan, but that person isn't always able to get to the minutiae that a QA analyst does. Some CMM practitioners require QA analysts to fill in the testing tasks and timelines in an overall test plan, lifting some of the burden from the project manager.</p> <p>To stay in tune and relevant today, look into the Projects In Controlled Environments (PRINCE) model, which has morphed into <a target="_blank" href="https://www.prince2.com/usa/blog/prince2-agile-is-here-but-what-is-it" rel="noopener">PRINCE2 Agile</a>. The PRINCE2 Agile strategy focuses on how project management and Agile product delivery combine as disciplines, making it relevant for QA analysts.</p> <p>One way to measure and achieve this SMART goal is to <a href="https://www.techtarget.com/searchcio/feature/Top-business-process-management-certifications">gain certification in a standard</a> such as PRINCE2, Certified Scrum Master or Professional in Project Management within a designated time.</p> <p>By meeting goals such as these, QA analysts can advance <a href="https://www.techtarget.com/searchsoftwarequality/tip/Top-software-testing-certifications">their career path</a> to a position where they can still apply their testing skills and keep their intuitive minds sharp.</p> <p><i>Jim Brown is a senior QA analyst at Boston University and a former technology journalist.</i></p> </section> QA testers can gain peer respect and influence through SMART goals. Take ownership of the software you work on, look up to good product managers and achieve these five goals. https://cdn.ttgtmedia.com/visuals/searchITChannel/manage_sales_business/itchannel_article_002.jpg https://www.techtarget.com/searchsoftwarequality/feature/Goal-1-for-the-QA-tester-Take-ownership Mon, 25 Aug 2025 16:47:00 GMT <p>If you want to prove your mettle as a cloud computing professional who can navigate their way through the Amazon Web Services management console, then the AWS Certified Cloud Practitioner exam is for you.</p> <p>Although it's considered an entry-level designation, the Cloud Practitioner exam is well respected in the industry. It's incredibly difficult and covers an impressively wide array of topics.</p> <p>Not as tightly focused on a specific domain like the <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/AWS-Certified-Developer-Exam-practice-questions-and-answers">Certified Developer - Associate</a> or Solutions Architect - Professional certifications, the Cloud Practitioner exam tests candidates on a wider array of topics than any other AWS exam.</p> <p>If you want to pass the AWS Certified Cloud Practitioner exam, you'll need to demonstrate foundational knowledge in a variety of topics, such as the following:</p> <ul class="default-list"> <li><a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-to-Transfer-a-Domain-to-Amazons-Route-53">Route 53</a> and domain name mapping.</li> <li>Kubernetes and <a href="https://www.techtarget.com/searchitoperations/video/Create-an-Amazon-EKS-cluster-and-deploy-Docker-containers">EKS clusters</a>.</li> <li>The role of <a href="https://www.techtarget.com/searchcloudcomputing/video/An-Amazon-Bedrock-tutorial-for-beginners">Amazon Bedrock</a> and SageMaker.</li> <li><a href="https://www.theserverside.com/video/Java-Spring-Boot-and-AWS-Elastic-Beanstalk">Python and Node Beanstalk</a> app deployment.</li> <li>Amazon <a href="https://www.theserverside.com/video/Host-a-static-website-on-AWS-with-Amazon-S3-and-Route-53">S3 static website hosting</a>.</li> <li>Container <a href="https://www.theserverside.com/video/How-to-deploy-Spring-Boot-apps-in-AWS">deployment to ECS</a>.</li> </ul> <p>Think you're ready to <a target="_blank" href="https://aws.amazon.com/certification/" rel="noopener">schedule the test</a>?</p> <p>Before you sign up, step through this 65-question AWS Certified Cloud Practitioner practice exam. If the questions make sense and you have no problem picking the correct answer, you are well on your way to not just passing the test, but possibly pulling in a 100% score.</p> <p><i>Cameron McKenzie has been a Java EE software engineer for 20 years. His current specialties include Agile development; DevOps; Spring; and container-based technologies such as Docker, Swarm and Kubernetes.</i></p> Looking to get AWS Cloud Practitioner certified? Then step through these 65 questions and prepare yourself for the test. https://www.theserverside.com/video/AWS-Certified-Cloud-Practitioner-practice-exam Mon, 25 Aug 2025 16:00:00 GMT <p>In this fast-paced world of AI-infused product development lifecycles, having strong product owners who truly understand Scrum and Agile product development is more important than ever.</p> <p>This video tutorial goes over 40 of the toughest Scrum product owner certification exam questions you'll encounter. It will also provide strategies on how to answer the toughest questions, and explanations of some of the most esoteric Scrum topics, including the following:</p> <ul class="default-list"> <li>The purpose of <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Sprint-vs-Scrum-Whats-the-difference">Agile sprints</a>, <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/who-required-daily-scrum-necessarily-standup-must-developers-product-owner-master">daily Scrums</a>, <a href="https://www.theserverside.com/video/Sprint-review-vs-retrospective-Whats-the-difference">reviews</a> and <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Are-the-4-Scrum-meeting-types-too-many">retrospectives</a>.</li> <li>The <a href="https://www.theserverside.com/tip/Product-owner-vs-product-manager-Whats-the-difference">role of the product owner</a> and how they optimize value.</li> <li>The <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Agile-Scrum-Process-Steps-Methodology-Sprint-Flow-Principles-Values-Pillars-Guide">Agile Scrum process</a> and how it helps product development.</li> <li><a href="https://www.theserverside.com/tip/Who-should-be-the-product-owner-in-Scrum">Who should be the product owner</a> on a Scrum team?</li> <li>The importance of <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/What-is-a-Scrum-commitment">Scrum commitments</a>, the <a href="https://www.techtarget.com/whatis/feature/What-are-the-5-Scrum-values">five Scrum values</a> and the three pillars.</li> </ul> <p>If you're looking to advance your career, move into product development and learn about the <a target="_blank" href="https://www.scrum.org/resources/scrum-guide" rel="noopener">Scrum Guide</a>, this set of practice exam questions will not only provide you a better <a href="https://www.theserverside.com/video/Scrum-methodology-explained">understanding of Scrum</a>, it will also help you achieve the much prized and much coveted Certified Scrum Product Owner designation.</p> <p><i>Cameron McKenzie has been a Java EE software engineer for 20 years. His current specialties include Agile development; DevOps; Spring; and container-based technologies such as Docker, Swarm and Kubernetes.</i></p> Want to get Scrum product owner certified? This 40-question practice exam will test your mettle and prepare you for the exam. https://www.theserverside.com/video/Scrum-product-owner-certification-practice-exam-questions Mon, 25 Aug 2025 13:29:00 GMT <p>Not every company has the scale and skills of Intuit's Credit Karma, but the company's data science head has some advice on where others can begin devising their own AI governance framework.</p> <p>Credit Karma can use Intuit's <a href="https://www.techtarget.com/searchsoftwarequality/news/366627890/Intuits-Ashok-Srivastava-on-AI-agents-new-frontier">GenOS AI operating system</a>, with its catalog of AI models, agents and software development tools. With help from GenOS, teams at Credit Karma recently created a multi-agent system to automatically review AI outputs before allowing them to reach production.</p> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/onlineimages/daianu_madelaine.jpg" alt="Madelaine Daianu, senior director of data science and engineering, Credit Karma">Madelaine Daianu </div> <p>These form the technical basis for the AI compliance initiative led by Madelaine Daianu, senior director of data science and engineering at Credit Karma. But these efforts began with hands-on human collaboration that other companies can and must emulate, as every company and industry must <a href="https://www.techtarget.com/healthtechanalytics/feature/How-health-systems-are-facilitating-AI-governance">devise its own tailored approach</a>.</p> <p>"Finding a balancing act between innovation and safety, compliance or whatever is relevant to them is extremely important, and taking the step to slow down a little bit before they run and move fast," Daianu said. "Have your internal red team go and break an LLM-generated response and learn from it, and develop a thorough, custom evaluation framework for your use case."</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Have your internal red team go and break an LLM-generated response and learn from it, and develop a thorough, custom evaluation framework for your use case. </figure> <figcaption> <strong>Madelaine Daianu</strong>Senior director of data science and engineering, Credit Karma </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>At Credit Karma, <a href="https://www.techtarget.com/whatis/definition/red-teaming">red teams</a> that broke workflows driven by large language models (LLMs) and identified their weaknesses devised a five-step evaluation framework for AI governance.</p> <p>The framework's stages include the following:</p> <ul class="default-list"> <li>Response quality and accuracy.</li> <li>AI safety, including detecting bias.</li> <li>Compliance, primarily with the contractual expectations of Credit Karma partners when it presents credit card and loan information to customers on its platform.</li> <li>Data provenance and accuracy.</li> <li>System metrics such as cost and latency.</li> </ul> <p>"Within this framework, compliance is where we had to get super innovative, because it would take us a very long time to [manually] check summaries from an LLM," Daianu said. "For instance, in the case of a credit card, we need to make sure that we represent the benefits of that card as mapped to the partner brand with the utmost accuracy. But to be able to do that, we had to extract the fields from the summary that are pertinent to, say, rates or fees."</p> <p>That's where the <a href="https://www.techtarget.com/searchenterpriseai/news/366623681/IBM-customers-assess-the-performance-of-AI-agents">multi-agent</a> system came in. Specialized AI agents check each specific data field within LLM-generated summaries and ensure that their presentation to users follows the partner brand. In this and other stages of the evaluation framework, LLMs are also used to judge the overall response quality from groups of agents.</p> <p>Those models were trained with human feedback from Credit Karma's customer success team, which still performs spot checks. According to Daianu, AI agents simply reapply that evaluation process to new summaries, up to 50 times faster.</p> <p>However, when evaluating AI tools, it's also important not to overuse them, Daianu said.</p> <p>"We are using GenAI as a judge in some elements of our framework, especially for compliance, but not everywhere," she said. "For AI safety, we can use traditional machine learning. Not overfitting GenAI ... is important, because that can oftentimes give you better accuracy, better explainability, and is not as much of a black box."</p> <p><em>Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? <a href="mailto:beth.pariseau@informatechtarget.com?subject=News%20tip">Email her</a> or reach out <a target="_blank" href="https://x.com/PariseauTT" rel="noopener">@PariseauTT</a>.</em></p> Start slow and break things -- that's how the head of data and AI at the fintech says enterprises should start building AI governance frameworks. https://cdn.ttgtmedia.com/rms/onlineimages/ai_g1183318665.jpg https://www.techtarget.com/searchitoperations/news/366628735/Credit-Karma-leader-shares-AI-governance-lessons-learned Thu, 07 Aug 2025 13:56:00 GMT <p>Ethical practices have not traditionally been a part of software development. Software didn't always have a direct impact on daily life, and the pace of development was slow.</p> <p>In modern society, people encounter software in all aspects of life. AI, big data and data analytics all have <a href="https://www.techtarget.com/searchenterpriseai/tip/Generative-AI-ethics-8-biggest-concerns">real ramifications for individuals</a>.</p> <p>Although software developers work primarily behind the scenes in businesses, their decisions in the course of a project can have an outsized impact in the world -- for better or worse -- in terms of compliance, fairness, integrity and trust. Everyone in the industry should be aware of social and ethical issues in software development.</p> <p>Below are some examples of ethical issues and how developers can address them:</p> <ul class="default-list"> <li>Addictive design.</li> <li>Corporate ownership of personal data.</li> <li>Algorithmic bias.</li> <li>Weak cybersecurity and personally identifiable information (<a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII">PII</a>) protection.</li> <li>Overemphasis on features.</li> <li>Lack of transparency.</li> <li>Environmental impact.</li> <li>Human rights impact.</li> </ul> <section class="section main-article-chapter" data-menu-title="1. Addictive design"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Addictive design</h2> <p>Every developer yearns to create programs that people love to use -- that's just <a href="https://www.techtarget.com/searchsoftwarequality/tip/UX-design-principles-Why-should-testers-know-them">good UX design</a>. The problem is that some teams craft apps that people love too much. There is an ethical concern about the role of digital platforms, such as social media.</p> <p>Critics such as Tristan Harris of the Center for Humane Technology argue that social media companies profit from outrage, confusion, addiction and depression -- and consequently put our well-being and democracy at risk. Harris notably went viral while working at Google with a presentation about the push for addictive technology design and companies' moral responsibility in society.</p> <p>Striking an ethical balance between products that consumers love and products that hijack their attention is more an art than a science. In product creation and updates, ask the following questions:</p> <ul class="default-list"> <li>Who benefits?</li> <li>How do they benefit?</li> <li>To what degree do they benefit?</li> <li>Are there safeguards for user health and sanity?</li> <li>How overt is monetization and customer data collection and use, including through <a href="https://www.techtarget.com/searchenterpriseai/tip/9-top-AI-and-machine-learning-trends">AI and machine learning</a>? How transparent are these practices?</li> </ul> <p>David K. Bain, founding executive director of the Technology Integrity Council, offers Duolingo and TikTok as two contrasting examples of app design. Both apps generate growth and revenue for their creators, but the nature of their benefit to users is different.</p> <p>Duolingo's clients gain language skills and are challenged with activities that enhance neuronal growth and <a target="_blank" href="https://faculty.washington.edu/chudler/plast.html" rel="noopener">brain plasticity</a>. TikTok users receive cultural knowledge as well as immediate gratification with video content that bathes the brain with intoxicating neurotransmitters. "Based on this, many adults would say that the true user benefit of Duolingo is greater than [that of] TikTok," Bain said, but added that his teenage daughter would disagree.</p> <p>The two apps have different attitudes toward usage limits meant to safeguard against addictive attachment. Duolingo encourages consistency and makes the strong case that its use is linked to optimized learning curves. Duolingo definitely grabs users by the lapels to meet their daily quota and maintain performance streaks. But once the daily activities are done, Duolingo releases the user. By contrast, TikTok entices users to stay with an essentially limitless buffet of consumable media.</p> <p>Apps often include user manipulation, monetization methods, user data collection for corporate use and machine learning algorithms to enhance the app. A transparent app provider would give users some level of knowledge and understanding about these practices.</p> <p>Here's how this ethical aspect plays out in the two example apps: "Duolingo's users are clearly willing victims of an enforced daily regimen, but are most certainly not aware that ads and usage data connect to a much larger advertising ecosystem," Bain said. "TikTok's users, especially the younger ones, I am quite sure are largely and happily oblivious to the methods and outcomes of their addictions."</p> </section> <section class="section main-article-chapter" data-menu-title="2. Questionable personal data ownership"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Questionable personal data ownership</h2> <p>AI-based processing of biometric and other contextual data about customers has increased with device and software evolution. Software can profile users and predict behaviors at a scary level of detail.</p> <p>"Usually, the ethical question is [one of] what to do with that data," said Miguel Lopes, chief product officer at TrafficGuard, an ad verification and fraud prevention platform. This ethical issue is a dilemma for developers in every kind of business -- not just the social media giants making the news.</p> <p>An algorithm directs information collection and profile building, but the subsequent actions are intentional. The developer is ordinarily aware of the power of this data in context.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Developers can help contextualize the impact of technical choices on ethical considerations for other roles within the company. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>One of the root causes of ethical concerns relates to how the business generates revenue and incentivizes developers and business managers, Lopes said. In many cases, companies look at user data as a valuable currency and want to monetize the data they store. "These factors might cause these organizations to <a href="https://www.techtarget.com/searchdatabackup/tip/5-common-data-protection-challenges-that-businesses-face">share their user data unethically</a>," he said.</p> <p>Developers face a hard decision regarding personal data and software design. They can create systems to exploit user data with the understanding that the liability lies with the organization, or they can raise concerns but face potential penalization for going against the project's aims. Modern technology companies' working culture should let developers come forward with <a href="https://www.techtarget.com/searchdatamanagement/feature/Top-3-data-privacy-challenges-and-how-to-address-them">personal data ownership concerns</a> without fear of retaliation.</p> <p>These kinds of concerns galvanized some rich discussion at the different organizations where Lopes has worked, which decided not to offer a free service tier. "We have analyzed the implications and prefer to sustain our operations by selling our service instead of our user data, and not subjecting our developer team with these difficult choices," Lopes said. Internal transparency within companies is a crucial factor. Developers should be aware of the entire context of the project they are working on, not just the module they need to complete.</p> <p>Companies should make it easy for developers to step forward with concerns. The HR department could create mechanisms where developers can express their concerns <a href="https://www.techtarget.com/searchhrsoftware/news/366588073/Catastrophic-AI-risks-highlight-need-for-whistleblower-laws">without the fear of retaliation</a>, such as an anonymous hotline for ethical concerns. The organization should then follow up and independently identify whether the use case is in breach of privacy, legal or ethical policies.</p> </section> <section class="section main-article-chapter" data-menu-title="3. Algorithmic bias"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Algorithmic bias</h2> <p>Technology can amplify existing biases. "One of the more pressing ethical issues facing today's developers is bias," said Spencer Lentz, principal account executive at Pegasystems, a business automation platform.</p> <p>Bias often enters the system undetected -- Lentz compares bias to a virus. Computers themselves have no inherent moral framework. Software can only reflect the biases of its creators. Therefore, developers and data scientists must scrub bias from the training data and the algorithms they build. From a developer's perspective, bias often centers on eliminating options for the wrong reasons, Lentz said.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/bi_ezine-how_ai_systems_amplify_bias.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/bi_ezine-how_ai_systems_amplify_bias_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/bi_ezine-how_ai_systems_amplify_bias_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/bi_ezine-how_ai_systems_amplify_bias.png 1280w" alt="Visual depiction of bias amplification in AI systems." height="336" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>AI, when trained on incomplete and biased data, can produce biased results. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Reporting and research in recent years illustrates how <a href="https://www.techtarget.com/searchbusinessanalytics/feature/8-types-of-bias-in-data-analysis-and-how-to-avoid-them">bias within software systems</a> can perpetuate <a href="https://www.techtarget.com/searchcio/feature/Rooting-out-racism-in-AI-systems-theres-no-time-to-lose">systemic racism</a> against specific populations, which creates lost opportunity, worsens medical care and increases rates of incarceration. For example, in the book <i>Race After Technology</i>, Ruha Benjamin raised concerns about a case where developers failed to include Black people's voices in training AI speech recognition algorithms, under the belief that fewer Black people would use the app.</p> <p>Executives, data scientists and developers must create an organizational culture that establishes ethical guidelines and empowers individuals at any level of the business to speak up if they see something problematic.</p> <p>"By now, bias in models is so well known that <a href="https://www.techtarget.com/searchenterpriseai/tip/Why-does-AI-hallucinate-and-can-we-prevent-it">LLM hallucination</a> is a mainstream concept," said Peter Wang, chief AI and innovation officer and co-founder of Anaconda, a data science platform. "The greatest risk nowadays is that people are so swept up in the hype and a fear of falling behind that they don't take the time to diligently build evaluation mechanisms and implement governance. As an industry, we need to be more transparent about how high the failure rates are for enterprise AI projects so that managers and executives don't feel compelled to rush through extremely important topics like alignment, accuracy and safety."</p> <p>It's time to create a governing body for AI providers, similar to the American Medical Association for doctors, Wang argued. This body could establish industry-wide ethical guidelines and best practices. "These technologies are still relatively new in the business context, and we would all benefit from ethical standards derived from our collective intelligence and input, rather than leaving it up to each individual or organization to decide for themselves," he said.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Weak security and PII protection"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Weak security and PII protection</h2> <p>Application security is growing in importance as software plays a larger role in our online and offline environments.</p> <p>Developers might only <a href="https://www.techtarget.com/searchsoftwarequality/feature/DevSecOps-puts-software-development-and-security-on-equal-footing">address security</a> after code release, rather than during development. As a result, the software community lacks <a href="https://www.techtarget.com/searchsecurity/tip/How-to-use-security-as-code-to-achieve-DevSecOps">secure development standards</a>.</p> <p>"The emphasis is almost entirely on getting a product out to market," said Randolph Morris, founder and principal software architect at Bit Developers, a software development consultancy. Once a software product is publicly available, the focus shifts to new features and performance optimization, so security continues to have minimal prominence.</p> <p>Hackers and other malicious actors cause real damage to real people. A reactionary approach to application security that plugs vulnerabilities as they are found is neither practical nor pragmatic.</p> <p>To address this ethical responsibility for customer safety, developers need education, but typically only cybersecurity-specific classes address these topics. To start, educate your team about cybersecurity failures such as the landmark <a href="https://www.healthcaredive.com/news/massive-hack-at-anthem-may-be-largest-healthcare-breach-to-date/360898/">Anthem medical data breach of 2015</a>, where PII was stored as plain text in a database. "If this information was encrypted, it would not have been so easy to use and valuable to distribute," Morris said.</p> <p>Also, the industry needs revised security standards. Organizations can do more to embrace standards meant to protect PII. The Payment Card Industry Data Security Standard and HIPAA for healthcare apps are a good start, but developers should consider other forms of PII as well -- and <a href="https://www.techtarget.com/searchcustomerexperience/answer/How-do-companies-protect-customer-data">software designs that protect it</a>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/compare_pii_pi_spi_and_npi-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/compare_pii_pi_spi_and_npi-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/compare_pii_pi_spi_and_npi-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/compare_pii_pi_spi_and_npi-f.png 1280w" alt="Chart explaining different types of personal information." height="588" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Explore the different types of personal information that businesses should handle responsibly in app design. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="5. Prioritizing features over impact"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Prioritizing features over impact</h2> <p>At the center of many ethical issues is a decision that capabilities in software releases are more important than the effects they could have. But just because you can doesn't mean you should.</p> <p>"If the development team is measured on their rate of feature development, there's a high probability that the ethics of a given implementation might not be front of mind, either at the design or at the implementation phase," said Tim Mackey, head of software supply chain risk strategy at Black Duck, an application security platform.</p> <p>The business itself must set the tone for ethical standards in its software. Below are some ways businesses can achieve that:</p> <ul class="default-list"> <li>Reflect ethics priorities throughout the software lifecycle from design to operation.</li> <li>Train staff on ethical choices such as open source software licensing and use.</li> <li>Teach developers, architects, testers and other software team members about data management practices that <a href="https://www.techtarget.com/searchdatamanagement/tip/5-data-governance-framework-examples">comply with regulations</a> and customer expectations.</li> </ul> <p>Developers don't always follow news on the latest legislative actions in the jurisdictions where customers use their software, Mackey pointed out, but the business must ensure that they're informed.</p> <p>Collaboration between engineering leadership and legal teams can help avoid ethical shortcomings. For example, the business should focus on customers' personal data access and retention. Data access controls and logging mechanisms are enabled at software implementation time. Developers -- tasked with creating a functional, user-friendly product -- might view data access restrictions as the responsibility of another team. Instead, make sure that data protection is a feature included in the software design, inherently protecting against unauthorized access.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Mirage of AI transparency"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Mirage of AI transparency</h2> <p>Large language models are playing a growing role in software development across tasks such as generating code and supporting unstructured data processing. Owing to the complexity of LLMs, it's easy to overlook <a href="https://www.techtarget.com/searchenterpriseai/tip/Explore-the-role-of-training-data-in-AI-and-machine-learning">how these systems are trained</a>, configured and deployed -- and what this means for users.</p> <p>"Software companies should always disclose how they are training their AI engines," Lopes said. "The way user data is collected, often silently and fed into LLMs, raises serious questions about consent, security and the ethical boundaries of automation."</p> <p>Several high-profile cases have emerged where user interactions on platforms have been used to quietly train AI without any notification. "We've seen companies harvest behavioral data without consent, essentially turning users into unpaid contributors to the very models that may one day replace their jobs," he continued.</p> <p>A properly trained AI agent requires deep configuration, supervision and expensive human talent. "The costs you think you're saving by skipping proper development are almost always eclipsed by the damage caused by a <a href="https://www.techtarget.com/searchsoftwarequality/news/366627829/Replit-AI-agent-snafu-shot-across-the-bow-for-vibe-coding">poorly specialized agent</a> -- whether it's security risks, misinformation or loss of customer trust," Lopes said.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ethical_ai_challenges_and_concerns-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/ethical_ai_challenges_and_concerns-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ethical_ai_challenges_and_concerns-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/ethical_ai_challenges_and_concerns-f.png 1280w" alt="List of AI ethics considerations." height="374" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>AI ethics frameworks aim at mitigating some of the above issues. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="7. Environmental impact"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Environmental impact</h2> <p>Concerns about the environmental impact of various activities are growing, fueled by increasing awareness of climate change's effects, including rising temperatures, floods, fires and other adverse weather conditions. The activities of technology companies can also decrease access to clean water, pollute the air and diminish biodiversity.</p> <p>The growing use of AI poses a risk of <a href="https://www.techtarget.com/searchdatacenter/feature/How-the-rise-in-AI-impacts-data-centers-and-the-environment">significantly increasing energy consumption</a> and, consequently, carbon emissions. It can also increase pressure on water systems used to cool data centers, thereby compromising local communities. Cloud providers are also starting to explore carbon-neutral energy sources, <a href="https://www.techtarget.com/whatis/feature/Three-tech-companies-eyeing-nuclear-power-for-AI-energy">such as nuclear fission plants</a>, while glossing over the still unresolved environmental costs associated with disposing of spent radioactive fuel.</p> <p>These are all big-picture concerns that typically fall outside the software development cycle, but they are worth considering when deciding on the potential <a href="https://www.techtarget.com/searchcio/news/366585653/CIOs-face-obstacles-when-scaling-generative-AI">impact of scaling new LLM-powered apps</a>. Other aspects include the potential for new software apps to encourage poor environmental choices. A fast-fashion app might drive revenues at the expense of more waste.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Social and human rights impact"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Social and human rights impact</h2> <p>Multiple dimensions for considering the human rights impact of software development practices include its potential effects on labor and communities.</p> <p>On the labor front, one concern has been the growth of so-called <a href="https://www.techtarget.com/whatis/definition/data-labeling">data labeling</a> sweatshops that involve exposing workers to toxic content to improve content moderation in AI systems. Although most enterprises are not directly involved in this process, they might overlook the practices used by their AI and data system vendors and contractors.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/icvD3gv2vGQ?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> <p>Additionally, it's essential to consider the potential impacts of optimizing apps for aspects that are relatively easy to quantify, such as warehouse throughput, compared with those that are more challenging to quantify, like worker health or mental well-being. The risk is that certain kinds of productivity optimizations might have adverse effects on the lives of workers and their contributions to their families and communities.</p> <p>The rise of AI systems in software development has been driving the growth of the data labeling industry, often with limited oversight. New apps also have the potential to disrupt the social fabric of communities.</p> </section> <section class="section main-article-chapter" data-menu-title="Best practices for ethical software development"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Best practices for ethical software development</h2> <p>Below are several ways to foster practices that have a positive societal impact:</p> <ul class="default-list"> <li><b>Proactivity.</b> Be curious about the impact and context of software engineering choices on ethical software development and the world at large.</li> <li><b>Honesty.</b> Consider how software engineering choices might conflict with ethical principles, even when it's uncomfortable for you personally or for the company.</li> <li><b>Accountability.</b> Identify ways to measure and communicate about ethical issues within the company to be sure that everyone is on the same page.</li> <li><b>Balance social responsibility with technical ability.</b> Remember that developers can help contextualize the impact of technical choices on ethical considerations for other roles within the company.</li> </ul> <p><i>George Lawton is a journalist based in London. Over the last 30 years, he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.</i></p> </section> As software becomes entrenched in every aspect of the human experience, developers have an ethical responsibility to their customers. Learn how to approach this responsibility. https://cdn.ttgtmedia.com/rms/onlineimages/check_g1199243271.jpg https://www.techtarget.com/searchsoftwarequality/tip/5-examples-of-ethical-issues-in-software-development Fri, 01 Aug 2025 12:00:00 GMT <p>In asking development teams what their primary objective is, they will most likely answer with some version of the goals below:</p> <ul class="default-list"> <li>Write <a href="https://www.techtarget.com/searchsoftwarequality/tip/9-techniques-for-fixing-bugs-in-production">bug-free code</a>.</li> <li>Meet <a href="https://www.techtarget.com/searchsoftwarequality/tip/A-guide-to-software-design-documentation-and-specifications">design specifications</a>.</li> <li>Prevent <a href="https://www.techtarget.com/searchsecurity/tip/How-to-use-security-as-code-to-achieve-DevSecOps">security issues</a> and vulnerabilities.</li> </ul> <p>So, how can teams review code to make sure that the three primary goals are met?</p> <p>Code analysis is the easy answer to the question, but should it be static code analysis? What about dynamic code analysis?</p> <p>Both static and dynamic code analysis have important roles to play as part of an integrated development and deployment process. Without each other, neither is likely to serve the team well.</p> <p>Let's examine how static and dynamic code analysis both play an important role in software development and how their differences help shape code.</p> <section class="section main-article-chapter" data-menu-title="How do static and dynamic code analysis differ?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How do static and dynamic code analysis differ?</h2> <p>Static code analysis examines code to identify issues within the logic and techniques. It looks for issues with the code before runtime. Dynamic code analysis involves running code and examining the outcome, which also entails testing possible execution paths of the code.</p> <p>Even in the most rudimentary fashion, when development teams test the code, they're performing dynamic analysis. When programmers review the code, they're performing static analysis. Regardless of which tools they use, developers and programmers are performing analysis that ultimately helps <a href="https://www.techtarget.com/searchsoftwarequality/answer/What-coding-standards-in-software-engineering-should-we-follow">create better code</a>.</p> <p>The differences between static and dynamic analysis make them complementary, with each technique addressing the other's weak points to improve code. Some of the main differences include the following:</p> <ul class="default-list"> <li><b>Timing of analysis.</b> Static code analysis begins as the code is developed, whereas dynamic analysis occurs after the code is written, so teams can execute and examine the workflow.</li> <li><b>Code execution.</b> Static code analysis occurs without executing the code, whereas dynamic code analysis requires executing test cases.</li> <li><b>Approach to defects.</b> The purpose of static code analysis is to prevent defects before code runs; dynamic analysis focuses on detecting defects in running code.</li> <li><b>Timing of detection.</b> Since static code analysis is the first test activity in the development lifecycle, it offers the earliest opportunity to find defects. Dynamic testing is meant to detect defects later in the test cycle.</li> <li><b>Types of issues detected.</b> Static code analysis verifies statement coverage, identifies issues with coding standards and potential security vulnerabilities, and finds dead code. Dynamic code analysis elucidates runtime errors, performance issues and integration issues.</li> <li><b>Runtime behavior.</b> Static code analysis focuses on reviews and inspections of the code; it does not validate the code's runtime behavior. Dynamic code analysis validates the actual behavior of the code by examining it during runtime.</li> <li><b>Resource requirements.</b> Developers usually perform static code analysis, whereas dynamic code analysis is within the realm of the test team.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/static_vs_dynamic_code_analysis-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/static_vs_dynamic_code_analysis-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/static_vs_dynamic_code_analysis-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/static_vs_dynamic_code_analysis-f.png 1280w" alt="Chart comparing static and dynamic code analysis." height="196" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Static and dynamic code analysis are both necessary for clean code. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Neither static code analysis nor dynamic code analysis by itself is the ideal option. To reap the full benefit -- clean, well-developed code -- teams should optimize both. Development teams shouldn't think of static and dynamic code analysis as alternatives, i.e., static vs. dynamic analysis. Teams should view them instead as complementary and symbiotic.</p> </section> <section class="section main-article-chapter" data-menu-title="Code review is similar to static analysis"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Code review is similar to static analysis</h2> <p>If, for some reason, a team decides it wants to omit static code analysis, that really means it does not plan to review the code. Think of <i>code review</i> and <i>static code analysis</i> as related terms. Code review helps find code issues without committing to expensive and time-consuming dynamic tests. Static code analysis, done in a code-review context, is the first and most essential step in developing and maintaining good software.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Both static and dynamic code analysis have important roles to play as part of an integrated development and deployment process. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Most static code analysis involves tools designed to <a href="https://www.techtarget.com/searchsoftwarequality/answer/Which-code-quality-metrics-should-devs-track">evaluate the code</a> and look for errors or nonrecommended techniques and practices. Organizations that treat static code analysis as an element of code review will likely conduct formal code reviews first, then apply the static code analysis tools, and finally review the results through the code review process of choice.</p> <p>If an organization decides to first review the code with a programmer and mentor, it might consider using static code analysis first. This approach will likely catch a significant portion of code errors and save the expert valuable time in identifying them.</p> <p>Static code analysis and review is particularly well suited to rapid development and <a href="https://www.techtarget.com/searchitoperations/definition/GitOps">GitOps</a> environments, where changes often apply to a single component. For example, if the software design properly isolates component behaviors, static analysis will catch most of the code errors.</p> </section> <section class="section main-article-chapter" data-menu-title="So, why dynamic analysis?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>So, why dynamic analysis?</h2> <p>Simply put, static analysis doesn't catch every code defect.</p> <p>It is particularly limited when it comes to addressing issues in complex, multicomponent applications. It also provides little to no value for measuring performance or testing policies for scaling and load balancing. These limitations are where dynamic code analysis comes into play.</p> </section> <section class="section main-article-chapter" data-menu-title="How to coordinate dynamic and static analysis"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to coordinate dynamic and static analysis</h2> <p>Just as development teams already use static code analysis routinely -- even if it's not formally mandated or managed -- they also use dynamic code analysis. Routine software testing and running software to verify a fix or validate the initial implementation are forms of dynamic code analysis.</p> <p>So, it's not a matter of static code analysis vs. dynamic code analysis. Teams likely already use both. The question becomes how to use both effectively.</p> <p>Static code analysis is best paired with code review. Dynamic code analysis is suited to some form of <a href="https://www.techtarget.com/searchsoftwarequality/A-comprehensive-test-automation-guide-for-IT-teams">automated testing</a> and test data generation. Teams should focus dynamic code analysis first on areas where static analysis is likely to be ineffective, such as component performance, application performance, application logic, security validation and crossing component boundaries.</p> </section> <section class="section main-article-chapter" data-menu-title="Tools for static and dynamic code analysis"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Tools for static and dynamic code analysis</h2> <p>Since static code analysis is <a href="https://www.techtarget.com/searchsoftwarequality/tip/Verification-vs-validation-in-software-testing">primarily for verification</a> and dynamic code analysis is for validation, static analysis tools and dynamic analysis tools are designed for specific purposes. For example, <a href="https://www.techtarget.com/searchsoftwarequality/tip/Understanding-code-linting-techniques-and-tools">code linters</a> -- tools that analyze code for errors -- are an important part of static analysis and are not generally associated with dynamic analysis. However, there are a few tools that are suited to both types of analysis. Below are some of the tools for each process.</p> <h3>Tools for static code analysis</h3> <ul class="default-list"> <li><b>ESLint.</b> This open source linter is designed to find and fix JavaScript code issues. It is part of most text editors and can test JavaScript that is written with or without a framework.</li> <li><b>Pylint.</b> This is a linter for Python. It performs code analysis and makes suggestions on how the code issues might be fixed.</li> <li><b>SonarQube.</b> An open source tool for code inspections, this tool is programming language agnostic and provides automatic code quality and coding standard reviews. It can integrate with most CI tools and has commercial versions.</li> <li><b>RuboCop.</b> This tool is an analyzer for Ruby code that focuses on finding and fixing issues in coding style and formatting.</li> <li><b>CodeSonar.</b> CodeSecure's CodeSonar is specifically designed to review and <a href="https://www.techtarget.com/searchsecurity/tip/Top-4-source-code-security-best-practices">fix security vulnerabilities in source code</a>.</li> <li><b>DeepSource.</b> This platform can be integrated into the <a href="https://www.techtarget.com/searchsoftwarequality/CI-CD-pipelines-explained-Everything-you-need-to-know">CI/CD pipeline</a> to automatically perform static analysis. It identifies not only performance and security issues, but also code standard and format issues.</li> </ul> <h3>Tools for dynamic code analysis</h3> <ul class="default-list"> <li><b>Java VisualVM.</b> This tool provides detailed information about Java applications that are running on a Java Virtual Machine, including configuration, runtime behavior and memory usage.</li> <li><b>Python cProfile.</b> This tool is used for determining the length of time various code modules and functions take to execute.</li> <li><b>Dynatrace.</b> This platform offers <a href="https://www.techtarget.com/searchitoperations/tip/Top-observability-tools">real-time monitoring for observability</a> and security vulnerabilities, as well as code and infrastructure issues. The tool provides an assessment of potential vulnerability impacts and displays them on a dashboard.</li> <li><b>AppDynamics.</b> This tool focuses on application performance management, especially in the areas of availability, performance and user experience. Dynamic code analysis is executed in the runtime environment.</li> <li><b>New Relic.</b> This cloud-based program focuses on observability in mobile and website applications.</li> </ul> <h3>Tools for static and dynamic code analysis</h3> <ul class="default-list"> <li><b>Fortify.</b> Originally developed as a static application security testing (<a href="https://www.techtarget.com/searchsoftwarequality/definition/static-application-security-testing-SAST">SAST</a>) tool, Fortify provides a comprehensive set of code analysis tools focused on early detection of security vulnerabilities.</li> <li><b>Veracode.</b> This platform provides both <a href="https://www.techtarget.com/searchsoftwarequality/tip/SAST-vs-DAST-vs-IAST-Security-testing-tool-comparison">SAST and dynamic application security testing tools</a> with AI components that find and fix security vulnerabilities, as well as web app runtime errors throughout the entire SDLC.</li> <li><b>vFunction.</b> This platform focuses on architectural observability. It provides static and dynamic code analysis focused on the architecture of the application under test.</li> </ul> <p><b>Editor's note: </b><i>This article was updated in 2025 to improve the reader experience and include additional content.</i></p> <p><i>Gerie Owen is a QA engineering manager at Roobrik. She is a conference presenter and author on technology and testing topics, and a certified Scrum master. Tom Nolle is founder and principal analyst at Andover Intel, a consulting and analysis firm that looks at evolving technologies and applications first from the perspective of the buyer and the buyer's needs. By background, Nolle is a programmer, software architect, and manager of software and network products. He has provided consulting services and technology analysis for decades.</i></p> </section> While every programmer wants to deliver high-performing, secure, bug-free and compliant code on the first try, that's not possible. Effective code analysis techniques will help. https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1140860048.jpg https://www.techtarget.com/searchsoftwarequality/tip/Static-and-dynamic-code-analysis-Complementary-techniques Fri, 25 Jul 2025 10:00:00 GMT <p>The key difference between the sprint backlog and the product backlog is that the sprint backlog represents the work developers expect to complete in the next few weeks, while the product backlog represents the work required to complete the product.</p> <p>In Scrum, products are developed <a href="https://www.theserverside.com/video/The-Scrum-framework-or-Agile-software-development">both incrementally and iteratively</a>.</p> <p>Development is incremental because a team of developers collectively works on a few product backlog items at a time -- presenting them to the client once they <a href="https://www.theserverside.com/tip/Acceptance-criteria-vs-definition-of-done-Whats-the-difference">meet the definition of done</a> -- and continuously adds them to the product under development.</p> <p>Scrum is also said to be iterative because the process of selecting product backlog items, working on them and completing them happens in every sprint, and this cycle repeats until the product is finished.</p> <section class="section main-article-chapter" data-menu-title="What is the sprint backlog?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the sprint backlog?</h2> <p>The unit of iteration in Scrum is called a sprint. A <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-long-is-a-Sprint-in-Agile">sprint typically lasts</a> two to three weeks and never more than a month. To begin a sprint, the team articulates an overarching goal for the sprint. Developers then examine the long list of product backlog items and select the ones they believe can be completed within the sprint. They also create a plan to ensure those items are delivered.</p> <p>The sprint goal, the selected items and the actionable plan are collectively referred to as the sprint backlog.</p> <p>The sprint backlog is not set in stone. Teams can add or remove items based on personnel capacity, completion rates and how effectively the item or items contribute to achieving the sprint goal.</p> <p>However, the sprint goal itself cannot change. If the originally defined sprint goal becomes obsolete, the product owner is expected to cancel the sprint and call for a new sprint planning meeting, in part to create a new goal, backlog selection and development plan.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the product backlog?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the product backlog?</h2> <p>By contrast, the product backlog is a list of all the features, fixes and work required to consider the product complete. Once every item in the product backlog is done, there's no more development work to do.</p> <p>For large, long-term projects, the product backlog likely won't contain every potential feature from day one. One of <a href="https://www.techtarget.com/whatis/feature/What-are-the-5-Scrum-values">Scrum's core values</a> is focus, and if a feature isn't likely to be worked on in the next six months, it probably doesn't belong in the product backlog. Instead, a "parking lot" or "dream board" is a more <a href="https://www.techtarget.com/searchsoftwarequality/tip/Making-requirements-walkthroughs-more-effective-and-fun">appropriate place for those long-term ideas</a>. The product backlog should stay focused and actionable.</p> <p>Likewise, if items have been in the product backlog untouched for several months, it might be time to remove them. Product owners and stakeholders should regularly reassess priorities. <a href="https://www.techtarget.com/searchsoftwarequality/tip/What-productive-backlog-grooming-sessions-entail">Backlog grooming or refinement</a> is often scheduled for this purpose.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/the_agile_scrum_process_flow-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/the_agile_scrum_process_flow-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/the_agile_scrum_process_flow-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/the_agile_scrum_process_flow-f.png 1280w" alt="Flow chart showing the major Scrum framework events." height="288" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The sprint backlog and product backlog are part of the overall flow of events in the Scrum framework, and are useful indicators of the team's progress. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Key differences between the product and sprint backlog"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key differences between the product and sprint backlog</h2> <p>To boil all this down, here are the five key differences between the product backlog and the sprint backlog as part of the <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Agile-Scrum-Process-Steps-Methodology-Sprint-Flow-Principles-Values-Pillars-Guide">Scrum process flow</a>:</p> <ol class="default-list"> <li>The product backlog is an evolving list of what's needed to improve the product, while the sprint backlog represents the current work plan for the development team.</li> <li>The product goal is the long-term objective of the Scrum team. The sprint goal is a short-term objective that guides work during a single sprint.</li> <li>The product backlog is owned by the <a href="https://www.theserverside.com/tip/Who-should-be-the-product-owner-in-Scrum">product owner</a>; the sprint backlog is owned by the developers.</li> <li>There is only one product backlog, and it spans the entire product development effort. A new sprint backlog is created for every sprint.</li> <li>All items in the sprint backlog must originate from the product backlog.</li> </ol> <p>Iterative and incremental development is central to Scrum, and the sprint backlog and product backlog are essential to maintain consistent, visible progress over time.</p> <p><i>Darcy DeClute is a technical trainer and Agile coach who helps organizations apply Scrum-based principles to adopt a modern DevOps stack. She is a certified Professional Scrum Master, Professional Scrum Developer and Professional Scrum Product Owner, as well as author of Scrum Master Certification Guide.</i></p> </section> The sprint backlog and product backlog are important elements of Scrum and essential to iterative and incremental development. Here's how they are distinct and also work together. https://cdn.ttgtmedia.com/rms/onlineimages/check_g638976392.jpg https://www.theserverside.com/tip/Product-backlog-vs-sprint-backlog-Whats-the-difference Wed, 23 Jul 2025 13:00:00 GMT <p>When application source code becomes unmanageable due to patches, bad maintenance, freewheeling feature additions or other consequences of long operation, developers must either refactor or rewrite.</p> <p>In a refactor, developers make micro changes to clean up the existing code. With a rewrite, they throw almost everything away, and the coding process essentially starts anew.</p> <p>Both of these options have advantages and disadvantages. <a href="https://www.techtarget.com/searchsoftwarequality/tip/Essential-refactoring-techniques-to-know">Refactoring code</a> helps to keep it manageable without major overhauls, but might not set the app up for new development technologies or application languages. Rewriting code enables foundational changes to the code, but risks confusing developers or even breaking the product.</p> <p>Don't think in absolutes for refactoring vs. rewriting code. Instead, determine which one is better for the particular project. This choice depends on factors such as the type of application as well as the team's capabilities, long- and short-term goals for the application, and appetite for risk.</p> <p>Let's examine the pros and cons of both refactoring and rewrites, and <a href="https://www.techtarget.com/searchsoftwarequality/tip/When-and-how-to-refactor-code">guidelines to make the right decision</a>.</p> <section class="section main-article-chapter" data-menu-title="Advantages and disadvantages of refactoring code"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Advantages and disadvantages of refactoring code</h2> <p>When a programmer refactors software, the goal is to improve the internal structure of the code without altering its external behavior. For example, engineers remove redundant code or break a particularly task-heavy application component into several objects, each with a single responsibility.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/code_refactoring_process-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/code_refactoring_process-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/code_refactoring_process-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/code_refactoring_process-f.png 1280w" alt="Diagram of the code refactoring process." height="213" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Refactoring makes comparatively minor code changes to improve maintainability without changing functionality. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The extreme programming development approach, a concept known as merciless refactoring, stresses the need to continuously refactor code. Theoretically, programmers who refactor continuously make sections of code look better with every change.</p> <p>Refactored code should be easily understood by other people, so developers can turn code that scares people into code that people can understand and feel comfortable updating on their own.</p> <h3>Advantages of refactoring</h3> <ul class="default-list"> <li><b>Programmers' choice.</b> Refactoring is always an option. The engineers who work on the code don't need anyone's permission to refactor it.</li> <li><b>Works for any architecture.</b> You can refactor any <a href="https://www.techtarget.com/searchapparchitecture/tip/Types-of-software-architecture-design-worth-knowing">software architecture type</a>, from tightly monolithic to massively distributed.</li> <li><b>Doesn't duplicate resources.</b> It can improve the quality of the code without slowing down progress. Programmers can refactor while they also move forward with deployment processes. Unlike a rewrite, refactoring does not require developers to maintain two separate codebases.</li> <li><b>Low cost.</b> If developers are only working on one part of the codebase, they can choose to clean up only the part they are working on. It does not add a great deal of cost for the business.</li> </ul> <h3>Disadvantages of refactoring</h3> <ul class="default-list"> <li><b>Limited reach.</b> While refactoring can improve a piece of code, it cannot fix <a href="https://www.techtarget.com/searchapparchitecture/tip/When-not-to-use-microservices-Challenges-to-consider">underlying architecture problems</a>. For instance, code written in Visual Basic 6 is still written in Visual Basic 6 at the end of the refactor.</li> <li><b>No new functionality.</b> Because it maintains the status quo of architecture and code, refactoring does not open opportunities to add new functionality into an application.</li> <li><b>Requires discipline.</b> Refactoring requires skill, discipline and courage. Programmers who have never been exposed to the complexity of <a href="https://www.theserverside.com/tip/Code-refactoring-patterns-with-examples">refactoring patterns</a> might be unable or unwilling to dive in. Making these changes is scary without a unit test suite, and programmers unfamiliar with basic refactoring concepts might perceive that it slows them down.</li> <li><b>Creates more code to manage.</b> Because it breaks code into smaller chunks, refactoring creates a lot more code to manage and unit test. It changes complex functions into many simpler ones.</li> </ul> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> When the codebase in question contains hundreds of thousands of lines, it's time to move to the next level: a code rewrite. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>The discipline of refactoring is helpful when a system relies on thousands of lines of code. Refactoring breaks that up into abstracted, high-level objects, adds testability to those objects and keeps the functions reasonably small.</p> <p>However, when the codebase in question contains hundreds of thousands of lines, it's time to move to the next level: a code rewrite.</p> </section> <section class="section main-article-chapter" data-menu-title="Advantages and disadvantages of rewriting code"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Advantages and disadvantages of rewriting code</h2> <p>Rather than read and analyze complex, ugly code for refactoring, programmers can opt to just write new code altogether. Unlike refactoring, code rewrites sound relatively straightforward, since the programmers just start over and replace the functionality. However, it isn't nearly that simple.</p> <p>To successfully rewrite software, engineers should form two teams: one that maintains the old app and another that creates the new one. This means duplicating resources. Worse, the old system is still in production and needs updates to keep it working. As such, the rewrite team must constantly reconfigure plans for the future product to match those changes in the existing one.</p> <h3>Advantages of rewriting</h3> <ul class="default-list"> <li><b>Creates new functionality.</b> One of the benefits of writing code from scratch is that it opens the door for new users, markets, platforms and technologies. For example, rewriting is a way to move client-facing applications from a Windows desktop platform to a web-based or mobile platform. Rewrites eliminate the headache of attempting to retrofit original code to meet demand for different new technologies and application functions.</li> <li><b>Enables a fresh start.</b> A rewrite lets new developers instantly implement code they are comfortable with. This advantage is especially attractive after a merger or acquisition. The rewrite creates a new, clean project -- a chance for developers to make their mark or complete a masterwork. It's also a chance to <a href="https://www.techtarget.com/searchcio/feature/The-negative-impact-of-technical-debt">remove technical debt</a>.</li> <li><b>Prepares code for emerging technology.</b> Rewrites put the application on a platform that will make it easier to adapt to new development technology and approaches. Rewriting banishes legacy code, which decreases the gap between the existing system and emerging code options.</li> </ul> <h3>Disadvantages of rewriting</h3> <ul class="default-list"> <li><b>Time-consuming.</b> Rewrites take time. You're essentially writing new software based on strict requirements. You should only commit to a rewrite if there is plenty of time to rebuild the application's code. As mentioned above, rewrites split resources between a team that manages the original code and a team that creates the new code. The maintenance team might not have sufficient experience with the old code to manage it appropriately.</li> <li><b>Can introduce defects.</b> Old code is ugly and can get uglier. To rewrite the software, developers need to examine the old version of the code, find the functions that should remain in the new product and copy them. But another team is maintaining the old application code. In attempts to fix, update and clean the live code, programmers could potentially introduce defects. Those defects require bug fixes to improve performance, and each bug fix makes the code a little bit uglier.</li> <li><b>Can result in more unruly code.</b> Rewrites might not solve the problem of ugly code. <a href="https://www.techtarget.com/searchenterpriseai/opinion/Can-AI-write-code-A-developer-experiments-in-two-languages">Using an automated tool</a> to port the application's code to another language is a viable option for rewrites and might save some time. However, using these tools sometimes results in code that is exceptionally hard to read or maintain. The problem arises from an attempt to merge languages together.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to choose between refactoring and rewriting"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to choose between refactoring and rewriting</h2> <p>Engineering teams should ultimately make the choice to rewrite or refactor based on several factors:</p> <ul class="default-list"> <li><b>Time.</b> Refactoring is a gradual, <a href="https://www.techtarget.com/searchsoftwarequality/tip/Iterative-vs-incremental-development-Whats-the-difference">incremental process</a>. This makes it suitable for projects with tight deadlines or continuous delivery requirements. Rewriting is a more disruptive, time-intensive process that comes with more drastic changes. Teams will need to work on rewriting the new code while simultaneously maintaining the old codebase. Choose the approach that most closely aligns with the project timeline and the team's experience and risk appetite.</li> <li><b>Goals.</b> The organization's long-term goals are a critical consideration. If the goal is simply to improve maintainability, refactoring might be the answer. If the organization aims to support new technologies or reach new markets that the current codebase cannot accommodate, choose a rewrite.</li> <li><b>Budget.</b> Budget is also an important factor to consider. Refactoring requires a much lower upfront investment as developers can refactor incrementally while delivering new features. Rewriting demands more financial commitment, as teams need to maintain two codebases simultaneously and potentially wait for new features until the rewrite is finished.</li> <li><b>Architecture.</b> The codebase design is also important to consider. If the fundamental architecture is sound, but the implementation is not, teams can restore code quality without starting from scratch. If the architecture has become obsolete, or unable to support modern development or business practices, teams should commit to a rewrite to create the foundation they want.</li> </ul> <p>Refactoring is best for the following:</p> <ul class="default-list"> <li>Projects with limited time and budget constraints.</li> <li>Applications with sound architecture but messy implementation.</li> <li>Continuous delivery initiatives.</li> </ul> <p>Rewriting is best for the following:</p> <ul class="default-list"> <li>Applications that need fundamental platform or technology changes.</li> <li>Projects that need to reach new markets or users.</li> <li>Projects with the resources to maintain two codebases simultaneously.</li> </ul> <p><b>Editor's note:</b><i> This article was updated in 2025 to improve the reader experience.</i></p> <p><i>Matt Heusser is managing director at Excelon Development, where he recruits, trains and conducts software testing and development.</i></p> </section> At some point, all developers must decide whether to refactor code or rewrite it. Base this choice on factors such as architectural soundness, time, money and goals. https://cdn.ttgtmedia.com/rms/onlineimages/code_g1196680867.jpg https://www.techtarget.com/searchapparchitecture/tip/Refactor-vs-rewrite-Deciding-what-to-do-with-problem-software Tue, 10 Jun 2025 12:00:00 GMT <p>A cookie is a text file carrying some information that a website places on a user's computer. It allows the website to identify the user and improve their future web browsing experience.</p> <p>A web server generates cookies, also known as <i>browser cookies, web cookies, HTTP cookies</i> or <i>internet cookies,</i> and sends them to the user's web browser. They store limited information from a web browser session on a given website; the website can then retrieve them when the user opens it in the future.</p> <p>Cookies first appeared in 1994 as part of the (now-defunct) <a href="https://www.techtarget.com/whatis/definition/Netscape">Netscape</a> Navigator web browser. They helped the browser understand if a user had already visited a given website. Netscape developer Lou Montulli invented the initial cookie implementation. He was granted U.S. Patent No. 5,774,670A, with the description, "Persistent client state in a hypertext transfer protocol-based client-server system."</p> <section class="section main-article-chapter" data-menu-title="Purpose of cookies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Purpose of cookies</h2> <p>The most common <a href="https://www.techtarget.com/searchsoftwarequality/definition/use-case">use cases</a> for cookies are user tracking, user experience (<a href="https://www.techtarget.com/searchcio/definition/UX-user-experience">UX</a>) personalization and session management.</p> <p>Consider user tracking and UX <a href="https://www.techtarget.com/searchenterpriseai/tip/How-AI-personalization-creates-customized-user-experiences">personalization</a>. A website that collects and then stores cookies can remember some useful information about a user. More importantly, it can retrieve this information when the user returns to the site to identify the user and present them with more relevant content and experiences.</p> <p>For example, an <a href="https://www.techtarget.com/searchcio/definition/e-commerce">e-commerce</a> website might use a persistent cookie to remember details about a book purchased by User A in January 2025. Then, when User A returns to the site in May 2025, the browser will retrieve and read the cookie and the site will present User A with a list of <i>other</i> books on the same topic or by the same author. These lists might enable User A to save time as they shop. User A might also see ads for similar books or other related products.</p> <p>Similarly, the web browser will store User A's username for the website within a session cookie. When User A loads that website the next time, the web browser sends the information to the web server, which will then prompt User A to log in with that username. Once User A logs in, the site will load their account content and might even display a personalized message on the homepage, such as "Welcome, [User A]."</p> </section> <section class="section main-article-chapter" data-menu-title="How cookies work"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How cookies work</h2> <p>When a user opens a website, such as <a href="https://www.techtarget.com">https://www.techtarget.com</a>, the web server generates cookies. These information files contain information about the user and are stored in a designated file on the user's device for a certain time, such as the length of the user's session on that website or for a few months.</p> <p>When the user opens a session with the website in the future -- in general, makes some future request of the same web server -- the cookies are attached to the request. The information in the cookie file enables the website to "recognize" the user and, accordingly, personalize and enhance their browsing experience.</p> <p>Here is a step-by-step explanation of how website cookies work:</p> <ul class="default-list"> <li>The user visits a website.</li> <li>Information about the user, such as their username, pages visited, content viewed, etc., is stored in a small information file.</li> <li>The file is linked to the user and the user's computer, meaning it is assigned a <a href="https://www.techtarget.com/iotagenda/definition/unique-identifier-UID">unique ID</a>;</li> <li>The file is then stored on the website's server and remains there even if the user leaves the site.</li> <li>When the user returns to the site later, the user's browser gives the cookie to the website.</li> <li>The website reads the cookie, identifies the user and device from the unique ID, and assembles the user's activity data.</li> <li>Finally, the website presents relevant and personalized data and content to the user.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Types of cookies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Types of cookies</h2> <p>There are multiple types of cookies that run in modern web browsers with specific use cases to enable certain capabilities. These include the following:</p> <ul class="default-list"> <li><b>HTTP cookies.</b> This is the overall category of computer cookies used with modern web browsers. HTTP cookies are used to capture user data during a website session, track users and user activity, and deliver personalized content and customized browsing experiences. Some cybercriminals also use HTTP cookies to spy on users and steal user information. All the cookies in this list -- except for flash cookies -- are forms of HTTP cookies.</li> <li><b>Session cookies.</b> A session cookie is only persistent while the user is navigating or visiting a given website. Its purpose is to track a user's single website session, so it is deleted when the session ends. A session will end when the user either exits the website completely or logs out of their account on that website. Session cookies are stored in the computer's RAM instead of its HD, and have no expiration date. These features tell the browser the session cookie should be deleted when the session ends.</li> <li><b>Persistent cookies.</b> Also known as <i>permanent cookies</i>, persistent cookies are not deleted at the end of the user's website session. They endure for a configurable time or until a certain date set by the web server. The expiration date of the persistent cookie tells the browser when to delete it. Persistent cookies are mainly used to authenticate users (confirm that they are who they say they are), to track a user's visits to the same site over time, and to personalize each of those visits.</li> <li><b>Authentication cookies.</b> These persistent cookies are generated when a user logs in to their account on a specific website. The cookies ensure that sensitive user information (especially passwords) is delivered to the correct sessions to authenticate the user and prevent unauthorized users from logging in to the account.</li> <li><b>Tracking cookies.</b> These cookies record user activity over multiple visits to a website on behalf of a tracking service. Based on this information, the tracking service builds a user profile to understand the user and improve their browsing experiences over time.</li> <li><b>Zombie cookies.</b> This refers to a type of persistent cookie that persists, even after the user attempts to delete it. While many zombie cookies are harmless and simply annoying to the user, some help hackers infect user systems with viruses or malware.</li> <li><b>Flash cookies.</b> These are not browser or HTTP cookies but, rather, a specific type of cookie that works with <a href="https://www.techtarget.com/whatis/definition/Flash">Adobe Flash</a>. With the decline in the use of Flash and the discontinuation of Flash Player support by Adobe in January 2021, these cookies are no longer widely used.</li> <li><b>Secure cookies.</b> These are first- and third-party cookies that can only be sent over encrypted HTTPS connections.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="First-party cookies vs. third-party cookies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>First-party cookies vs. third-party cookies</h2> <p>Cookies can be accessed by the site a user is on (first-party cookies) or by a third-party site (third-party cookies).</p> <p>First-party cookies are also known as SameSite cookies because the cookie and information it contains are restricted to the same site on which it was set. These cookies are created by the website the user is currently visiting. Thus, when User A opens <a href="https://www.techtarget.com">https://www.techtarget.com</a> on their browser, the origin server for the TechTarget website creates a first-party session cookie to remember User A.</p> <p>First-party cookies are usually used to do the following:</p> <ul class="default-list"> <li>Remember user settings like language preferences, login details or pages visited.</li> <li>Improve site functionality for that user.</li> <li>Personalize user experiences during subsequent visits to that site.</li> </ul> <p>These cookies are not very intrusive and are generally safe because they are only used on the website the user is currently visiting. However, they <i>can</i> pose a security risk if the website is not reputable.</p> <p>Third-party cookies are not restricted to the initial site where the cookie was created. They enable entities other than the original site. So, when User A visits a site <a href="http://www.site.com">http://www.site.com</a>, a cookie from both site.com and example.ad-company.com might get stored in their browser. The former is a first-party cookie; the latter is a third-party cookie. The third-party cookie enables, for example, an ad company to track users and then target them for personalized ads.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/cust_ex-web_cookies_different_flavors-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/cust_ex-web_cookies_different_flavors-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/cust_ex-web_cookies_different_flavors-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/cust_ex-web_cookies_different_flavors-f.png 1280w" alt="A chart describing the differences between first-party cookies and third-party cookies." height="271" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>A summary of key differences between first-party cookies and third-party cookies. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Due to the security and privacy concerns posed by third-party cookies, many browsers, including <a href="https://www.computerweekly.com/news/366596475/Chrome-cookies-reprieved-amid-Google-Privacy-Sandbox-changes">Google Chrome</a> and <a href="https://www.techtarget.com/searchenterprisedesktop/feature/Web-browser-comparison-How-Chrome-Firefox-IE-Edge-stack-up">Mozilla Firefox</a>, let users manage and control them through their browser settings. Similarly, many devices, including Android and Apple devices, also allow users to disable third-party (and first-party) cookies.</p> <p>Third-party cookies are not the only way to provide targeted advertising and marketing to internet users; there are <a href="https://www.techtarget.com/searchcustomerexperience/feature/Get-to-know-cookieless-tracking-marketing-options">viable alternatives</a>.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/alternatives_to_third_party_cookies-h.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/alternatives_to_third_party_cookies-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/alternatives_to_third_party_cookies-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/alternatives_to_third_party_cookies-h.png 1280w" alt="A chart listing several ways to facilitate targeted advertising without third-party cookies." height="244" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Targeted advertising does not depend on third-party cookies. Here are five alternatives. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Are cookies safe?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Are cookies safe?</h2> <p>Cookies have been part of daily internet operations for decades and are generally safe. However, third-party cookies are sometimes seen as intrusive and can put a user's privacy and information at risk of leaks and <a href="https://www.computerweekly.com/news/366623874/Australian-data-breaches-hit-record-high-in-2024">breaches</a>.</p> <p>Third-party cookies enable entities such as advertisers to track user activity to provide targeted ads to the user. However, they often collect this information in a way that users are not aware of, thus deliberately and clandestinely infringing on the user's privacy. This is a huge concern for many who <a href="https://www.techtarget.com/searchsecurity/tip/How-to-maintain-digital-privacy-in-an-evolving-world">don't want to be tracked</a> or have their browsing habits shared.</p> <p>There is also the potential for <a href="https://www.computerweekly.com/opinion/Threat-actors-look-to-stolen-credentials">threat actors</a> to hijack third-party cookies. This would give them access to user information and enable them to launch other types of attacks, such as session hijacking, cross-site scripting (<a href="https://www.techtarget.com/searchsecurity/definition/cross-site-scripting">XSS</a>) and cross-site request forgery.</p> <p>Unsecured cookies can also be a security risk for users and website operators. Unlike secure cookies that only send information using secure HTTPS connections to the origin website or to a third party, unsecure cookies are transmitted unencrypted over less-secure HTTP connections. The risk of information leaks or privacy breaches is minimal if the information is something simple, such as whether the user has visited the site before. However, some sites use cookies to store sensitive user information -- including personally identifiable information (<a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII">PII</a>) such as authentication credentials and payment card details. If such data is sent unencrypted, a criminal can intercept it.</p> <p>The SameSite attribute can mitigate these risks. By using this attribute in the HTTP cookies, web servers can also specify whether or when third-party cookies can be sent. This attribute controls when a browser sends a cookie with a cross-site request (a request where the site sending the cookie request is different from the site the user is currently visiting). In doing so, it prevents cross-site data leaks and cross-site forgery attacks and preserves user privacy.</p> <p>Many privacy regulations also incorporate cookie-related considerations to reduce the privacy risks of HTTP cookies. Cookies that can identify users are now subject to strict rules under the <a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR">General Data Protection Regulation</a> (GDPR) and <a href="https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA">California Consumer Privacy Act</a> (CCPA) regulations.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/vH_CGDesE4Y?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="How to manage cookies on different web browsers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to manage cookies on different web browsers</h2> <p>Every major web browser has a set of controls to help users configure what types of cookies to accept and delete. Here's how to block third-party cookies in Apple Safari, Google Chrome, Microsoft Edge and Mozilla Firefox.</p> <h3>To block third-party cookies in Apple Safari</h3> <p>Here is how to block third-party cookies in Safari:</p> <ol class="default-list"> <li>Open <a href="https://www.techtarget.com/searchmobilecomputing/opinion/Safari-13-brings-WebAuthn-and-drops-legacy-browser-extensions">Safari</a>.</li> <li>Click <b>Safari</b> <b>&gt;</b> <b>Preferences</b> in the upper left-hand corner of the screen.</li> <li>Click on the <b>Privacy </b>tab.</li> <li>Next to Cookies and website data, the <b>Block all cookies</b> option appears. Check this option to disable all cookies.</li> <li>Restart Safari.</li> </ol> <p>Unchecking the <b>Block all cookies</b> option will enable all cookies. Under this option, there is a box marked <b>Manage Website Data</b>; this is where all the collected cookies can be viewed and managed.</p> <p>In Safari, all first-party cookies are set to expire after seven days by default.</p> <h3>To block third-party cookies in Google Chrome</h3> <p>In Chrome, users can block third-party cookies by doing the following:</p> <ol type="1" start="1" class="default-list"> <li>Open Chrome.</li> <li>In the top-right corner, click <b>Settings</b>.</li> <li>Click <b>Privacy and security.</b></li> <li>Click<b> Third-party cookies, </b></li> <li>Three options are available:</li> <ul class="default-list"> <li>Allow third-party cookies.</li> <li>Block third-party cookies in <a href="https://www.techtarget.com/whatis/feature/Anonymous-browsing-explained-What-you-need-to-know">Incognito mode</a>.</li> <li>Block third-party cookies.</li> </ul> <li>Select option #3 to block all third-party cookies.</li> </ol> <p>This procedure will disable third-party cookies in Chrome on a Windows PC, MacBook and Android mobile devices.</p> <h3>To block third-party cookies in Microsoft Edge</h3> <p>Follow these steps to block third-party cookies in the Edge browser:</p> <ol type="1" start="1" class="default-list"> <li>Open <a href="https://www.techtarget.com/whatis/definition/Microsoft-Edge">Microsoft Edge</a>.</li> <li>In the top-right corner, select <b>Settings</b>.</li> <li>Select<b>Cookies and site permissions</b>.</li> </ol> <ol class="default-list"> <li>Under Cookies, select <b>Cookies and site data.</b></li> <li>Enable<b> Block third-party cookies.</b></li> </ol> <p>Disabling<b> Allow sites to save and read cookie data </b>(under Cookies and site data) will block <i>all</i> cookies, including first-party cookies.</p> <p>Edge also allows users to block cookies from specific sites:</p> <ol class="default-list"> <li>Navigate to <b>Cookies and site data.</b></li> <li>Navigate to the <b>Block</b> section.</li> <li>Select <b>Add</b> to block cookies for a site by entering its URL.</li> </ol> <h3>To block third-party cookies in Mozilla Firefox</h3> <p>In Firefox, users can block third-party cookies in this way:</p> <ol type="1" start="1" class="default-list"> <li>Open <a href="https://www.techtarget.com/whatis/definition/Firefox">Firefox</a>.</li> <li>In the top-right corner, click <b>Settings</b>.</li> <li>Click <b>Privacy &amp; Security</b>.</li> <li>Select one of the options to manage cookies and maintain privacy: <b>Standard</b>, <b>Strict</b> or <b>Custom.</b></li> <li>If the Standard or Strict options are selected, Firefox automatically blocks all cross-site (third-party) cookies. With the Custom option, the user can choose which trackers and scripts to block, including cookies and other types of tracking content.</li> </ol> <p>Besides using these settings, users can also choose to delete cookies when Firefox is closed. This can be done by checking the box for <b>Delete cookies and site data when Firefox is closed</b> under Cookies and Site Data.</p> <p>To clear <i>all</i> cookies saved to the computer:</p> <ol class="default-list"> <li>Navigate to <b>Cookies and Site Data</b>.</li> <li>Click on <b>Clear Data</b>.</li> <li>Check the box for <b>Cookies and site data</b>.</li> </ol> <p><i>First-party cookies play a significant role in tracking user engagement, while third-party cookies are integral to various marketing and sales strategies. It's interesting to note that, despite their different applications, the two types of cookies also have several similarities worth considering. Explore how </i><a href="https://www.techtarget.com/searchcustomerexperience/tip/First-party-vs-third-party-cookies-Whats-the-difference"><i>first-party versus third-party cookies</i></a><i> are similar and different. Also, learn what a </i><a href="https://www.techtarget.com/searchsecurity/definition/supercookie"><i>supercookie</i></a><i> is and read about the danger of the cyberattack known as </i><a href="https://www.techtarget.com/searchsecurity/definition/cookie-poisoning"><i>cookie poisoning</i></a><i>.</i></p> </section> A cookie is a text file carrying some information that a website places on a user's computer. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/searchsoftwarequality/definition/cookie Fri, 06 Jun 2025 14:30:00 GMT <p>Today's organizations need to prioritize agility so that they can respond to changing customer needs and market trends. Transitioning from a project mindset to a product mindset can enable this.</p> <p>The terms <i>project mindset</i> and <i>product mindset</i> might sound interchangeable in the realm of <a href="https://www.techtarget.com/searchsoftwarequality/tip/Developer-vs-DevOps-engineer-similarities-and-differences">software development and DevOps</a>. After all, most software products are managed through projects, and most development projects create a product.</p> <p>But there are significant differences between a project mindset and a product mindset -- and between the related practices of <a href="https://www.techtarget.com/searchcio/definition/IT-project-management">project management</a> and product management. Let's break down the distinctions, with a focus on explaining why modern teams tend to prefer a product-oriented approach.</p> <section class="section main-article-chapter" data-menu-title="Project mindset vs. product mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Project mindset vs. product mindset</h2> <p>A project mindset and a product mindset can both serve the same end goal of creating quality software. However, they approach this task in fundamentally different ways:</p> <ul class="default-list"> <li>A project mindset focuses on achieving predefined goals based on specific timelines. In a project mindset, the project deliverables lay the foundation for how developers and other stakeholders work.</li> <li>A product mindset prioritizes building a product that creates as much business value as possible, even if doing so requires deviating from project plans.</li> </ul> <p>These differences in approach give rise to other important distinctions between project and product mindsets, including the following:</p> <ul class="default-list"> <li><b>Deliverables vs. outcomes.</b> A project mindset focuses on implementing deliverables on time and within budget. In contrast, a product mindset emphasizes working toward positive outcomes, such as product improvement. It affords more tolerance for missing deliverables as long as the product is improving.</li> <li><b>Lifecycle and timeline.</b> Project mindsets usually emphasize adherence to predefined timelines to achieve specific deliverables. In a product mindset, teams typically treat timelines as more flexible; as long as they are making changes that improve the product, they consider their work successful, even if they miss preset deadlines.</li> <li><b>Business-IT alignment.</b> Projects usually come with preassembled teams of developers. This can make it harder to integrate other stakeholders, such as business users who can offer perspective on how best to implement a new feature. Excluding business users from the project at the start can lead to poor <a href="https://www.techtarget.com/searchsoftwarequality/tip/Improving-DevOps-collaboration-Challenges-and-tips">alignment between the business and the IT organization</a>. Product mindsets are more flexible in this regard as they can more easily integrate stakeholders from outside IT.</li> <li><b>Job roles.</b> Although both mindsets require code contributions from developers, there are differences in other job roles. With a project mindset, a project manager or management team usually oversees operations. With a product mindset, direction comes from a product manager.</li> <li><b>Scope.</b> Projects usually have a predefined scope -- such as "implement X and Y new application features." In contrast, a product mindset encourages an open-ended, ongoing approach through which developers continuously improve the application.</li> </ul> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Project management vs. product management</h3> <p>To understand the differences between a project mindset and a product mindset more fully, it's helpful to distinguish project management from product management.</p> <ul class="default-list"> <li>Project management is the practice of overseeing completion of a specific project. A project manager makes sure that stakeholders complete tasks on time as a team works toward achieving its deliverables.</li> <li>Product management, by contrast, focuses on managing all aspects of a product over the long term. Product managers' main objectives are to determine which product enhancements will serve customer needs and create business value.</li> </ul> <p>Importantly, project management and product management are not mutually exclusive. On the contrary, they usually go hand in hand. Project managers are important for coordinating the efforts of various developers as they work toward improving a product. Product managers can help to identify which deliverables a project should include.</p> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Drawbacks of a project mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Drawbacks of a project mindset</h2> <p>Most modern enterprise organizations have come to recognize the disadvantages of a project mindset -- namely, that everyone focuses less on the product and user needs.</p> <p>A perfect project management system can complete every task and still fail when it's time to go to market. This is because a successful project does not necessarily make for a successful product.</p> <p>As an example of the drawbacks of a project mindset in the real world, consider Apple, which has a history of both project and product mindsets. Some of Apple's most significant achievements -- such as the introduction and rapid early improvement of the iPhone -- stemmed from a product mindset that let the company innovate quickly and respond to user needs.</p> <p>However, <a target="_blank" href="https://www.cnbc.com/2025/01/11/mark-zuckerberg-slams-apple-on-its-lack-of-innovation-and-random-rules.html" rel="noopener">some critics</a> now accuse Apple of releasing a nearly carbon-copy iPhone each year -- an approach that indicates a project mindset. According to these critics, product quality for these phones has stagnated, as Apple finishes projects with little or no consideration for product outcomes. This reliance on project-oriented thinking could leave Apple vulnerable and <a href="https://www.lightreading.com/smartphones-devices/apple-sales-drop-4-1b-after-iphone-market-share-loss">give another company the edge</a> in mobile phone innovation.</p> <p>Modern teams must prioritize the product while listening for shake-ups in the market. If a project takes too long and the team blindly adheres to the project timeline, the product might already be obsolete by the time the software is available to the consumer. With a product mindset, the business stays adaptable. The team constantly takes direct feedback from the target user and adjusts.</p> </section> <section class="section main-article-chapter" data-menu-title="Benefits of a product mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of a product mindset</h2> <p>The key advantage of a product mindset is that it puts the emphasis on customers and value, rather than proxy metrics and activities.</p> <p>In this way, product management and delivery help enable key DevOps goals as established by Gene Kim, known as the <a href="https://www.techtarget.com/whatis/definition/The-Three-Ways">Three Ways</a> of DevOps:</p> <ul class="default-list"> <li><b>Flow</b>, which prioritizes how the system -- not an individual segment -- performs.</li> <li><b>Feedback</b>, which organizations use to improve products.</li> <li><b>Continual learning</b>, which encourages innovation, risk and experimentation.</li> </ul> <p>Organizations can't adopt a faster release cadence through just <a href="https://www.techtarget.com/searchsoftwarequality/CI-CD-pipelines-explained-Everything-you-need-to-know">CI/CD</a>. Instead, they must concentrate on how software development affects the business and the customer. In this way, organizations can scale the principles of DevOps to the business.</p> <p>As digital-first companies such as Uber and Airbnb disrupt longstanding industries, more companies recognize the value of a product mindset. For traditional enterprise organizations, moving to product-minded development is a matter of survival.</p> <p>Project mindsets involve a top-down, command-and-control approach that can put enterprise organizations at a disadvantage. Many larger companies risk falling behind if they don't adapt to the innovative approaches taken by disrupters.</p> </section> <section class="section main-article-chapter" data-menu-title="Examples of a product mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Examples of a product mindset</h2> <p>As an example of what a product mindset looks like in practice and how it can benefit DevOps teams, imagine the following scenario.</p> <p>Inspired by the buzz surrounding generative AI, an IT software vendor sets out to add a GenAI-powered capability to a <a href="https://www.techtarget.com/searchitoperations/feature/Compare-8-tools-for-IT-monitoring">monitoring tool</a> that lets IT analysts ask questions about log files using natural language. The vendor plans to implement the feature by feeding user queries and log data into a third-party GenAI service, which will then parse log data to respond to the query. The company defines deliverables for building this integration and assigns developers to complete them.</p> <p>A couple of months into the project, however, product managers receive feedback from clients that some are uncomfortable with the way the new feature is designed. It would require users to expose potentially sensitive log files to a third-party GenAI service, which some clients deem to be insecure despite the service's data security policies. In addition, the company's CFO expresses concern about the cost required to pay for the GenAI service. They are not convinced that the <a href="https://www.techtarget.com/searchenterpriseai/tip/How-can-AI-drive-revenue">revenue created by the new feature</a> will outweigh the expense.</p> <p>Based on this feedback from both external and internal stakeholders, the product managers realize that the feature they are currently building is not a good fit for customer needs. Nor is it a cost-effective capability for the company to offer.</p> <p>In response, they change focus. They abandon the original project deliverables and decide instead to implement the log query feature by <a href="https://www.techtarget.com/searchenterpriseai/feature/How-AI-is-transforming-project-management">building their own GenAI service</a>. This approach avoids the need for customers to expose data to a third-party service. It will also save the company money in the long run because it won't have to pay for external GenAI integration.</p> <p>In this scenario, a product mindset saves the DevOps team from wasting time and money on a losing feature. With a project mindset, it would have been more difficult to abandon the original deliverables and adopt a new approach.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/itops-devops_infinity_loop-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/itops-devops_infinity_loop-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/itops-devops_infinity_loop-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/itops-devops_infinity_loop-f.png 1280w" alt="Diagram of the DevOps infinity loop." height="308" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The DevOps infinity loop enables organizations to incorporate feedback into product enhancements. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>A real-world example of a product mindset is <a href="https://www.techtarget.com/searchdatacenter/definition/Linux-operating-system">Linux</a>, the open source kernel operating system project. When Linux appeared in the early 1990s, few observers thought that a loosely organized group of volunteers, working without any traditional project management structures, could produce a viable product. At the time, most software was developed by commercial companies, which used a project mindset to manage the work of small teams of professional coders. Yet by the mid-1990s, Linux-based operating systems had become <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Comparing-the-Linux-kernel-vs-the-Windows-kernel">major competitors to proprietary alternatives</a> such as Windows NT.</p> <p>Arguably, Linux and similar open source projects accomplished this feat in large part because they were built by contributors who operated according to a product mindset. The contributors wanted to improve an open source product, and they did so by making changes that they felt would create the most value for users of the product. These users included most of the developers themselves. A project mindset, in which open source programmers worked according to rigid schedules and preplanned deliverables that risked becoming irrelevant by the time developers implemented them, would likely not have proved so effective.</p> <p>The advent of Linux predated <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Agile-vs-DevOps-differences-similarities-compare-deployment-culture-silos">Agile and DevOps</a> by a decade. But open source projects such as Linux provided early proof that a product mindset could result in faster, more efficient development, setting an important precedent that the Agile and DevOps movements would later endorse.</p> </section> <section class="section main-article-chapter" data-menu-title="How to hire for a product mindset approach"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to hire for a product mindset approach</h2> <p>An essential step in implementing a product mindset is making sure that a company hires for two key roles: a product manager and a product owner. Some organizations combine these roles, but there are distinct <a href="https://www.theserverside.com/tip/Product-owner-vs-product-manager-Whats-the-difference">differences between a product manager and product owner</a>.</p> <ul class="default-list"> <li><b>Product managers operate at a strategic level.</b> They focus on long-term <a href="https://www.techtarget.com/searchenterpriseai/podcast/Google-head-of-product-on-generative-AI-strategy">product strategy</a> that the company's objectives, the product's vision, market trends and competition all determine. For commercial software, the product manager's responsibilities include marketing, sales support, budgeting, forecasting, customer care and delivery team support.</li> <li><b>Product owners are tactical.</b> Part of the <a href="https://www.techtarget.com/searchsoftwarequality/definition/Scrum">Scrum</a> framework for Agile software development teams, the <a href="https://www.techtarget.com/searchsoftwarequality/definition/product-owner">product owner</a> provides direction on what developers should build based on the product's vision. The product owner creates a shared understanding between the business side and the development team. They describe and prioritize backlog items and determine satisfactory delivery.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/software_quality-product_manager_vs_project_owner-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/software_quality-product_manager_vs_project_owner-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/software_quality-product_manager_vs_project_owner-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/software_quality-product_manager_vs_project_owner-f.png 1280w" alt="Table comparing product owner vs. product manager." height="281" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The difference between a product manager and a product owner. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Project-based skills have a place on Agile product teams. Project managers can become Scrum masters; business analysts can become product owners. But the shift to a product-oriented role involves more than a title change. Product-based roles require rapid and <a href="https://www.techtarget.com/searchsoftwarequality/tip/Iterative-vs-incremental-development-Whats-the-difference">iterative delivery models</a> and, thus, a dedicated, cross-functional team. For example, software engineers and testers often work in the same product team to <a href="https://www.techtarget.com/searchsoftwarequality/tip/5-key-ways-to-fulfill-the-role-of-QA-in-DevOps">ensure quick QA</a> and feedback.</p> <p>Some companies take the approach of pairing a product leader with a development leader. The two together define a product strategy and roadmap, prioritize work, define release timelines, build an investment model and take accountability for product success. This approach provides the team with clear ownership over a product and makes sure that both product management and product development are completely aligned on a plan.</p> </section> <section class="section main-article-chapter" data-menu-title="6 best practices to adopt a product mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6 best practices to adopt a product mindset</h2> <p>Beyond hiring for the right roles, here are six practical ways an organization can prioritize product over project.</p> <h3>1) Set clear responsibilities</h3> <p>Give team members clear responsibilities that align with a product mindset. Senior leaders should create teams that understand their responsibility to own the product over the long term. Product leaders should seek regular updates on strategy, as well as measure and report on the business metrics that define product success.</p> <p>These teams must evaluate whether the product delivers the desired business outcome, from its initial ideation phases to an eventual decision on product end of life. Clear delineation of work is essential to avoid short- and long-term confusion.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/software_quality-6_steps_product_mindset-h.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/software_quality-6_steps_product_mindset-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/software_quality-6_steps_product_mindset-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/software_quality-6_steps_product_mindset-h.png 1280w" alt="List of six steps to a product mindset." height="312" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Six best practices for a product mindset. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>2) Design with the customer in mind</h3> <p>Establish channels for constant communication with end users. The goal is always to gather customer insights through techniques such as UX monitoring, <a href="https://www.techtarget.com/searchitoperations/answer/When-to-use-canary-vs-blue-green-vs-rolling-deployment">canary releases</a> and beta testing. Product-minded teams devote a significant portion their time to understand, validate and even challenge every user insight. Organizations that use Agile or DevOps adjust their strategies according to the feedback.</p> <p>Enterprise organizations must invest in qualitative and quantitative feedback to empower developers and QA teams to adjust and make decisions on the fly. Qualitative data might include satisfaction scores, feature requests, bug reports and focus groups -- these measure how a user feels about an app. Quantitative data provides objective feedback, such as load time and usage metrics. This feedback can help the organization decide whether to iterate on a feature or <a href="https://www.techtarget.com/searchsoftwarequality/tip/How-to-deprecate-software-features-without-bothering-users">shelve it</a>.</p> <h3>3) See the bigger picture</h3> <p>Each development decision affects the product. Consider the ramifications of each choice over the long term. Agile or DevOps organizations should develop and release products that are easy to test, deploy and support. If the team doesn't think about ongoing support during the build, for example, support costs will skyrocket when the product faces issues in production.</p> <p>Instill a sense of product ownership in all team members. Each person should feel like they have ownership of the product.</p> <h3>4) Invest in organizational change</h3> <p>The hardest aspect of a product overhaul is getting everyone to buy in. The transition to a product mindset is a <a href="https://www.techtarget.com/searchitoperations/tip/Target-tangible-IT-goals-during-a-DevOps-culture-shift">culturally challenging effort</a>.</p> <p>It requires many people to change their habits, especially people in positions of authority. Start at the top. Executives should evangelize the change, lay out a roadmap, allocate funding for training and new staff, and periodically update the organization on progress.</p> <p>Next, identify the product leaders. Find progressive-thinking, product-minded people and recruit them to help lead the change. Also, invest in training. Onboarding a critical mass of employees to Agile thinking is critical for the product mindset to take root and flourish.</p> <p>Don't let the organization lapse back into old, project-thinking ways. That will only leave it vulnerable to more agile, product-oriented competitors. A product transformation with many processes still mired in the project mindset will <a href="https://www.techtarget.com/searchsoftwarequality/tip/The-prevailing-Agile-pitfalls-that-prevent-true-adoption">create impediments</a>.</p> <h3>5) Build the right product for today</h3> <p>There's a big difference between project and product managers' approach to failure. Project managers try not to fail. Product managers find ways to <a href="https://www.techtarget.com/whatis/definition/fail-fast">fail fast</a>, learn from the experience and move on. The project mindset assumes failure is expensive, so value is all about reducing cost and risk.</p> <p>When it comes to building a product the right way, product-minded development teams assume the definition of "right" will change over time. The business, customers and market always evolve. Development teams build the right product for today, with the flexibility to adapt to emerging needs.</p> <p>A project release attempts to cram a lot into one big burst, which carries risk. Each element in that single release raises the stakes of failure for the entire collection. Product-minded development uses shorter and iterative cycles that constant feedback guides. The product approach not only increases a team's release cadence and overall speed, but also enables testing at an earlier, less expensive stage.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Rather than fix their problems, many organizations simply dress them up. ... A product mindset requires a shift throughout the organization. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <h3>6. Fix the pig</h3> <p>Rather than fix their problems, many organizations simply dress them up. As the idiom goes, it's like putting lipstick on a pig. A product mindset requires a shift throughout the organization -- a holistic focus on results, not on processes.</p> <p>Convince the C-suite that fixing the pig is cheaper and faster in the long run than cosmetic changes, even if it requires investment upfront. Expect pushback. Change doesn't happen overnight.</p> <p>Metrics are the most important components in this product revolution. Measure success according to business goals, not IT service-level agreements. Don't settle for tracking mandated uptime. Measure metrics such as deployments per year or call center volume -- any statistics that determine product value.</p> <p>Business leaders don't know -- or care -- much about specs, servers and <a href="https://www.techtarget.com/searchnetworking/definition/software-defined-networking-SDN">software-defined networks</a>. They care about business wins. So, too, must the product team. Make an effort to speak their language, and the C-suite will get on board.</p> </section> <section class="section main-article-chapter" data-menu-title="Why DevOps teams favor product mindset"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why DevOps teams favor product mindset</h2> <p><a href="https://www.techtarget.com/searchitoperations/tip/The-benefits-of-uniting-product-management-with-DevOps">DevOps teams prefer a product mindset</a> because it enables more adaptability and empowers developers to work toward whatever results in a better product, rather than achieving project goals even if those goals don't benefit the product.</p> <p>Prior to widespread adoption of the <a href="https://www.techtarget.com/searchsoftwarequality/definition/agile-software-development">Agile methodology</a>, the project mindset reigned supreme in the world of software development. Businesses typically defined a set of changes they wanted to make to software projects, such as implementing various new features and releasing them as an updated version of an application. Then, the business would work toward them based on a prescribed timeline and using a specific team.</p> <p>But times have changed. Rather than releasing new features on a periodic basis, it's common today to embrace practices such as continuous delivery and continuous improvement, which entail updating applications on a frequent, regular basis. A product mindset enables this approach because it helps teams focus on evolving software continuously over time instead of working within the confines of a rigidly defined project.</p> <p><b>Editor's note:</b><i> This article was updated in 2025 by Chris Tozzi to improve the reader experience.</i></p> <p><i>Chris Tozzi is a freelance writer, research adviser, and professor of IT and society. He has previously worked as a journalist and Linux systems administrator. George Lawton is a journalist based in London. Over the last 30 years, he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.</i></p> </section> Agile and DevOps highlight the differences between project and product approaches to software development. Establish these roles and principles to deliver business value. https://cdn.ttgtmedia.com/rms/onlineimages/collab_a78129054.jpg https://www.techtarget.com/searchsoftwarequality/feature/Compare-a-product-vs-project-mindset-for-software-development Wed, 28 May 2025 12:00:00 GMT <p>A penetration test, also called a <i>pen test</i> is a simulated <a href="https://www.techtarget.com/searchsecurity/definition/cyber-attack">cyberattack</a> on a computer system, network or application to identify and highlight vulnerabilities in an organization's <a href="https://www.techtarget.com/searchsecurity/definition/security-posture">security posture</a>.</p> <p>Also known as <i>ethical hacking</i>, these tests are often carried out by <a href="https://www.techtarget.com/searchsecurity/definition/ethical-hacker">ethical hackers</a>. These in-house employees or third parties mimic the strategies and actions of an attacker to evaluate the hackability of an organization's computer systems, network or web applications. Organizations can also use pen testing to evaluate their adherence to compliance regulations.</p> <p>Penetration testing is considered a <a href="https://www.techtarget.com/searchsecurity/feature/Build-a-proactive-cybersecurity-approach-that-delivers">proactive cybersecurity measure</a> because it involves consistent, self-initiated improvements based on the reports the test generates. This differs from nonproactive approaches, which don't fix weaknesses as they arise. A nonproactive approach to cybersecurity, for example, would involve a company updating its <a href="https://www.techtarget.com/searchsecurity/definition/firewall">firewall</a> after a <a href="https://www.techtarget.com/searchsecurity/definition/data-breach">data breach</a> occurs.</p> <p>The goal of proactive measures, such as pen testing, is to minimize the number of retroactive upgrades and maximize an organization's security.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/TA0TbzyU8GY?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> <section class="section main-article-chapter" data-menu-title="Why is pen testing important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is pen testing important?</h2> <p>A test run of a cyberattack, a penetration test offers insights into the most vulnerable aspects of a system. It also serves as a mitigation technique, enabling organizations to close the identified loopholes before threat actors get to them.</p> <p>The following are four reasons why organizations should conduct pen testing:</p> <ol type="1" start="1" class="default-list"> <li><b>Risk assessment. </b>The rate of distributed denial of service (<a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service">DoS</a>), <a href="https://www.techtarget.com/searchsecurity/definition/phishing">phishing</a> and <a href="https://www.techtarget.com/searchsecurity/definition/ransomware">ransomware</a> attacks is dramatically increasing, putting most companies at risk. Considering how reliant businesses are on technology, the consequences of a <a href="https://www.techtarget.com/searchsecurity/news/252500684/DarkSide-The-ransomware-gang-that-took-down-a-pipeline">successful cyberattack</a> have never been greater. A ransomware attack, for instance, could block a company from accessing the data, devices, networks and servers it relies on to conduct business. Such an attack could result in millions of dollars of lost revenue. Pen testing uses the hacker perspective to identify and mitigate cybersecurity risks before they're exploited. This helps IT leaders perform informed security upgrades that minimize the possibility of successful attacks.</li> <li><b>Security awareness.</b> As technology continues to evolve, so do the methods cybercriminals use. For companies to successfully protect themselves and their assets from these attacks, they need to be able to update their security measures at the same rate. The caveat, however, is that it's often difficult to know which methods cybercriminals are using and how they might be used in an attack. But by using skilled ethical hackers, organizations can quickly and effectively identify, update and replace the parts of their systems that are particularly susceptible to modern hacking techniques.</li> <li><b>Reputation.</b> A data breach can put a company's reputation at stake, especially if it goes public. Customers can lose confidence in the business and stop buying its products, while investors might be hesitant to invest in a business that doesn't take its cyberdefense seriously. Penetration testing protects the reputation of a business by offering proactive mitigation approaches.</li> <li><b>Compliance.</b> Industries such as healthcare, banking and service providers take compliance and regulation seriously and include pen testing as part of their compliance efforts. Common regulations such as <a href="https://www.techtarget.com/searchsecurity/tip/Pen-testing-guide-Types-steps-methodologies-and-frameworks">System and Organization Controls 2</a>, the <a href="https://www.techtarget.com/searchhealthit/definition/HIPAA">Health Insurance Portability and Accountability Act</a> and the <a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard">Payment Card Industry Data Security Standard</a> require pen tests to be compliant. Therefore, by performing regularly scheduled pen testing, organizations can stay on top of their compliance needs.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="Benefits of penetration testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of penetration testing</h2> <p>Penetration testing offers a wide range of benefits for organizations looking to improve their security posture and resilience. Here are some common benefits of conducting penetration testing:</p> <ul class="default-list"> <li><b>Identification and prioritization of vulnerabilities.</b> Penetration tests provide a deeper analysis than automated scans, revealing complex and exploitable weaknesses in systems, networks and applications. They also help classify and prioritize vulnerabilities according to their potential effects and ease of exploitation, enabling organizations to concentrate their remediation efforts on the most significant issues.</li> <li><b>Real-world security assessment.</b> By simulating actual attack scenarios, pen testing offers a realistic evaluation of an organization's security posture. This helps identify weaknesses in defense mechanisms and provides a better understanding of how an attacker might succeed when trying to infiltrate a system.</li> <li><b>Improved security controls and processes.</b> The findings of a penetration test offer organizations the information needed to fine-tune their security defenses, such as firewalls, <a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system">intrusion detection systems</a> and access management. Additionally, it helps facilitate improvements to the security guidelines, operational processes and overall security architecture of the organization.</li> <li><b>Business continuity and reduced downtime. </b>Pen testing can uncover weaknesses that could lead to system failures or disruptions. Addressing these vulnerabilities helps ensure <a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity">business continuity</a> and minimizes potential downtime caused by security incidents.</li> <li><b>Cost savings.</b> Proactively addressing vulnerabilities through penetration testing is more cost-effective than dealing with the aftermath of a cyberattack. Penetration testing helps organizations identify and <a href="https://www.techtarget.com/searchsecurity/tip/Close-security-gaps-with-attack-path-analysis-and-management">close security gaps</a> before they're exploited, thereby preventing the financial losses associated with data breaches and system downtime.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Who performs penetration tests?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Who performs penetration tests?</h2> <p>Pen testing is typically performed by pen testers known as ethical hackers. These ethical hackers are IT experts who use hacking methods to help companies identify possible entry points into their infrastructure. By using different methodologies, tools and approaches, organizations can perform simulated cyberattacks to test the strengths and weaknesses of their existing security systems. <i>Penetration</i>, in this case, refers to the degree to which a hypothetical threat actor, or hacker, can penetrate an organization's cybersecurity measures and protocols.</p> <p>Most pen testers are experienced developers or security professionals with <a href="https://www.techtarget.com/searchsecurity/feature/On-a-penetration-tester-career-path-flexibility-and-curiosity-are-key">advanced credentials and pen testing certifications</a>. It's always best to hire penetration testers who have little to no experience with the system they're trying to infiltrate. For example, a developer performing pen testing on their own source code might miss a few blind spots that a tester from outside can catch.</p> </section> <section class="section main-article-chapter" data-menu-title="Team methodology in penetration testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Team methodology in penetration testing</h2> <p>In penetration testing, the team methodology refers to the structured approach and collaboration among various specialized groups or teams to simulate real-world cyberattacks or exercises effectively. Here's a breakdown of common teaming approaches and <a href="https://www.techtarget.com/searchsecurity/answer/What-is-red-and-white-hat-hacking">types of ethical hackers</a>:</p> <ul class="default-list"> <li><b>Red team.</b> The <a href="https://www.techtarget.com/whatis/definition/red-teaming">red team</a> is the core penetration testing team that simulates real-world attackers. Their goal is to identify and exploit vulnerabilities to gain unauthorized access, mimicking the tactics, techniques and procedures (TTPs) of actual threat actors. The red team operates offensively.</li> <li><b>Blue team.</b> The blue team is the internal security team of the organization being tested. Their role is to detect, prevent and respond to the red team's activities, just as they would with a real attack.</li> <li><b>Purple team.</b> This team facilitates collaboration between red and blue teams, ensuring that insights from simulated attacks are effectively communicated and used to enhance defensive strategies.</li> <li><b>Green team.</b> The green team is responsible for developing and maintaining secure systems and applications. They integrate secure coding practices and conduct regular security reviews to identify and prevent vulnerabilities.</li> <li><b>Yellow team.</b> This team's main responsibility is to focus on <a href="https://www.techtarget.com/searchsecurity/definition/social-engineering">social engineering</a> tactics, testing the organization's susceptibility to phishing and other manipulation techniques.</li> <li><b>White team.</b> The white team oversees the entire penetration testing process, ensuring that ethical guidelines are followed, and that testing aligns with legal and organizational policies.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What are the types of penetration testing?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the types of penetration testing?</h2> <p>There are various types of pen testing strategies, each offering pen testers a certain level of information they need to carry out their attack.</p> <ol class="default-list"> <li><b>White box testing. </b>White box testing provides testers with all the details about an organization's system or target network and checks the code and internal structure of the product being tested. <a href="https://www.techtarget.com/searchsoftwarequality/definition/white-box">White box testing</a> is also known as open glass, clear box, transparent or code-based testing.</li> <li><b>Black box testing</b>. This is a type of behavioral and functional testing where testers aren't given any knowledge of the system. Organizations typically hire ethical hackers for <a href="https://www.techtarget.com/searchsoftwarequality/definition/black-box">black box testing</a> where a real-world attack is carried out to get an idea of the system's vulnerabilities.</li> <li><b>Gray box testing. </b>Gray box testing<b> </b>is a combination of white box and black box testing techniques. It provides testers with partial knowledge of the system, such as low-level credentials, logical flow charts and network maps. The main idea behind gray box testing is to find potential code and functionality issues.</li> <li><b>Targeted testing. </b>This type of testing is<b> </b>a collaborative effort between an organization's IT staff and external testers, who share an understanding of the testing's scope, objectives and timeline to enable real-time communication and immediate feedback. The main goal is to simulate realistic attack scenarios on critical systems, such as web applications, databases or internal networks to identify vulnerabilities that could be exploited by malicious actors.</li> <li><b>Web application testing. </b>This testing is conducted to find security weaknesses in web-based applications. This involves testing the application's endpoints, databases, source code and backend network. The main objective is to identify run-time vulnerabilities and check for <a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection">SQL injections</a>, cross-site scripting (<a href="https://www.techtarget.com/searchsecurity/definition/cross-site-scripting">XSS</a>) and authentication issues.</li> <li><b>Insider threat testing.</b> <a href="https://www.techtarget.com/searchsecurity/definition/insider-threat">Insider threat</a> testing focuses on simulating attacks originating from within an organization. Unlike external threats, these attacks are carried out by individuals who have authorized access to the organization's systems, such as employees, contractors or business partners. The primary goal is to identify vulnerabilities that could be exploited by insiders, whether maliciously or unintentionally.</li> <li><b>Wireless testing.</b> This type of testing is used to assess the security of <a href="https://www.techtarget.com/searchmobilecomputing/definition/Wi-Fi">Wi-Fi</a> networks and wireless protocols and the devices connected to them. This test examines the encryption methods, access controls and network configurations to identify weaknesses that could be exploited by unauthorized users.</li> <li><b>Internet of things testing. </b><a href="https://www.techtarget.com/iotagenda/tip/An-introduction-to-IoT-penetration-testing">IoT testing</a> is conducted to examine the security of IoT devices and networks, including vulnerabilities in devices, protocols and data transmission.</li> <li><b>Cloud testing. </b><a href="https://www.techtarget.com/searchstorage/definition/cloud-testing">Cloud testing</a><b> </b>evaluates the security of cloud-based infrastructure and services, including infrastructure-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Infrastructure-as-a-Service-IaaS">IaaS</a>), platform-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Platform-as-a-Service-PaaS">PaaS</a>) and software-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service">SaaS</a>) options. Testers evaluate the configuration settings, access controls and data encryption mechanisms used within cloud environments to identify vulnerabilities and misconfigurations.</li> <li><b>Physical testing. </b><a href="https://www.techtarget.com/searchsecurity/tip/Physical-pen-testing-methods-and-tools">Physical pen testing</a><b> </b>is done to simulate real-world threats by attempting to bypass physical security controls, such as locks, alarms and security cameras, to gain unauthorized access to facilities or systems.</li> <li><b>API testing. </b><a href="https://www.techtarget.com/searchapparchitecture/definition/API-testing">API testing</a><b> </b>focuses on testing the security of APIs, which are crucial for modern application communication. It typically includes identifying vulnerabilities in authentication, authorization and data handling.</li> <li><b>Mobile testing. </b>A mobile application penetration test is a security assessment specifically focused on identifying vulnerabilities in mobile applications, such as those on Android and iOS and their related backend systems and APIs. It simulates real-world attacks to uncover weaknesses in the app's design, implementation and infrastructure that malicious actors could exploit.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="What are the stages of pen testing?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the stages of pen testing?</h2> <p>Pen testing can be divided into the following six stages:</p> <ol class="default-list"> <li><b>1.</b> <b>Reconnaissance and planning.</b> Testers gather all the information related to the target system from public and private sources. Sources might include incognito searches, social engineering, domain registration information retrieval and nonintrusive <a href="https://www.techtarget.com/searchnetworking/definition/network-scanning">network and vulnerability scanning</a>. The information is vital for the testers, as it provides clues into the target system's attack surface and open vulnerabilities, such as network components, operating system details, open ports and access points.</li> <li><b>2.</b> <b>Scanning.</b> Based on the results of the initial phase, testers might use various scanning tools to further explore the system and its weaknesses. Pen testing tools -- including war dialers, <a href="https://www.techtarget.com/searchsecurity/answer/What-is-a-port-scan-attack">port scanners</a>, security vulnerability scanners and network mappers -- are used to detect as many vulnerabilities and loopholes as possible. The vulnerabilities are then shortlisted for exploitation.</li> <li><b>3.</b> <b>Obtaining entry.</b> During this stage, testers exploit vulnerabilities assessed in the previous phase by making a connection with the target. The testers conduct common web application security attacks -- including a DoS attack, SQL injections and backdoors, session hijacking and XSS -- to expose the system's vulnerabilities, which are then <a href="https://www.techtarget.com/searchsecurity/feature/Why-companies-should-focus-on-preventing-privilege-escalation">exploited through privilege escalations</a>, traffic interception or data stealing techniques.</li> <li><b>4.</b> <b>Maintaining access.</b> This stage ensures that the penetration testers stay connected to the target for as long as possible and exploit the vulnerabilities for maximum data infiltration. This stage imitates an <a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT">advanced persistent threat</a>, which can stay active in a system for prolonged periods to steal sensitive data and cause further damage.</li> <li><b>5. Analysis.</b> The testers analyze the results gathered from the penetration testing and builds them into a report. The report details each step taken during the testing process, including the following:</li> </ol> <ul class="default-list"> <li>The vulnerabilities the testers exploited.</li> <li>The type of sensitive data the testers accessed.</li> <li>The amount of time the testers stayed connected to the target.</li> </ul> <ol class="default-list"> <li><b>6. Cleanup and remediation.</b> Once the testing is complete, the pen testers should remove all traces of tools and processes used during the previous stages to prevent a real-world threat actor from using them as an anchor for system infiltration. During this stage, organizations should start remediating any issues found in their security controls and infrastructure.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="How often should pen tests be performed?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How often should pen tests be performed?</h2> <p>How frequently pen testing should be conducted depends on many factors, but most security experts recommend doing it <a target="_blank" href="https://static.fortra.com/core-security/pdfs/guides/fta-cs-2024-pen-testing-report-gd.pdf" rel="noopener">at least once a year</a>, as it can detect emerging vulnerabilities, such as <a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability">zero-day threats</a>.</p> <p>Organizations should consider the following factors when scheduling pen testing:</p> <ul class="default-list"> <li><b>Company size.</b> Larger organizations can suffer greater monetary and reputational losses if they fall prey to cyberattacks. Therefore, they should invest in regular security testing to prevent these attacks.</li> <li><b>Budget.</b> Pen testing should be based on a company's budget and how flexible it is. For example, a larger organization might be able to conduct annual pen tests, whereas a smaller business might only be able to afford them once every two years.</li> <li><b>Regulations.</b> Depending on the industry and regulations, certain organizations are required to conduct mandatory penetration testing. Examples include banking and healthcare organizations.</li> <li><b>Scope and objectives.</b> Organizations should ensure that the systems, applications and data that are being tested are within the scope of the pen test. This could include internal networks, web applications, cloud services or specific databases.</li> <li><b>Risk tolerance.</b> Companies should identify the acceptable level of risk for the organization, which will influence the scope and intensity of the test.</li> </ul> <p>In addition to regularly scheduled penetration testing, organizations should also conduct security tests when the following events occur:</p> <ul class="default-list"> <li>New network infrastructure or appliances are added to the network.</li> <li>Upgrades are performed on existing applications and equipment.</li> <li>Patches are installed for security.</li> <li>New office locations are established.</li> <li>End-user policies have been modified.</li> <li>Integrations are made with third-party services.</li> <li>A merger or an acquisition happens.</li> <li>After major cybersecurity events such as ransomware attacks.</li> <li>New and emerging technologies are adopted.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to perform a penetration test"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to perform a penetration test</h2> <p>Pen testing is unique from other cybersecurity evaluation methods, as it can be adapted to any industry or organization. Depending on its infrastructure and operations, an organization might want to use a certain set of hacking techniques or tools. These techniques and their methodologies can also vary based on the IT personnel and their company standards. Using the following adaptable six-step process, pen testing creates a set of results that can help organizations proactively update their security protocols:</p> <ol type="1" start="1" class="default-list"> <li><b>Preparation.</b> Depending on the organization's needs, this step can either be simple or elaborate. If the organization hasn't decided which vulnerabilities it wants to evaluate, a significant amount of time and resources should be devoted to combing the system for possible entry points. These in-depth processes are usually only necessary for businesses that haven't already conducted a complete audit of their systems. Once a <a href="https://www.computerweekly.com/feature/Vulnerability-assessment-done-Now-What">vulnerability assessment has been conducted</a>, however, this step becomes much easier.</li> <li><b>Construct an attack plan.</b> Before hiring ethical hackers, an IT department designs a cyberattack -- or a list of cyberattacks -- that its team should use to perform the pen test. During this step, it's also important to define what level of system access the pen tester has.</li> <li><b>Select a team.</b> The success of a pen test depends on the quality of the testers. This step is often used to appoint the ethical hackers who are best suited to perform the test. Companies can make these decisions based on employee specialties. For example, if a company wants to test its cloud security, a cloud expert might be the best person to evaluate its cybersecurity properly.</li> <li><b>Determine the stolen data type.</b> What is the team of ethical hackers stealing? The data type chosen in this step can have a profound effect on the tools, strategies and techniques used to acquire it.</li> <li><b>Perform the test.</b> This is one of the most complicated and nuanced parts of the testing process, as there are many automated tools and techniques testers can use, including Kali Linux, Nmap, <a href="https://www.techtarget.com/searchsecurity/tip/Using-Metasploit-for-real-world-security-tests">Metasploit</a> and <a href="https://www.techtarget.com/searchsecurity/tip/Wireshark-tutorial-How-to-sniff-network-traffic">Wireshark</a>.</li> <li><b>Integrate the report results.</b> Reporting is the most important step of the process. The results the testers provide must be detailed so the organization can incorporate the findings.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-pen_testing-f.png 1280w" alt="Diagram showing the steps involved in penetration testing." height="560" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Penetration testing at a glance. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="What happens after a pen test?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What happens after a pen test?</h2> <p>After a pen test is successfully concluded, an ethical hacker shares their findings with the information security team of the target organization. Ethical hackers usually <a href="https://www.techtarget.com/searchsecurity/tip/How-to-rank-network-security-vulnerabilities-in-your-system">rank and categorize the findings with a severity rating </a>so that the issues with the highest rating are given precedence during remediation.</p> <p>The organization uses these findings as a basis for further investigation, assessment and remediation of its security posture. The decision-makers and stakeholders also get involved at this stage and the organization's IT or security team creates deadlines to ensure all security issues are dealt with promptly.</p> <p>After completing remediation efforts, organizations conduct verification testing to ensure fixes effectively address vulnerabilities. They update security documentation and adjust policies as needed, incorporating lessons learned into their strategy. The process concludes with a review meeting for key stakeholders to discuss findings, options and plans for ongoing security improvements to maintain a strong security posture.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the difference between pen testing and vulnerability assessments?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the difference between pen testing and vulnerability assessments?</h2> <p>Although pen tests aren't the same as <a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis">vulnerability assessments</a>, which provide a prioritized list of security weaknesses and how to amend them, they're often performed together.</p> <p>The main characteristics of pen testing and vulnerability assessments are as follows:</p> <h3>Pen testing</h3> <ul class="default-list"> <li>Pen testing is more in-depth compared to vulnerability assessments and is often conducted with a particular goal in mind. These goals typically fall under one of the following three objectives: identify hackable systems, attempt to hack a specific system or carry out a data breach.</li> <li>Each objective focuses on specific outcomes that IT leaders are trying to avoid. For example, if the goal of a pen test is to see <a href="https://www.techtarget.com/searchsecurity/feature/6-data-breach-prevention-strategies-to-defend-against-attack">how easily a hacker could breach</a> the company database, the ethical hackers would be instructed to try to carry out a data breach.</li> <li>The results of a pen test will communicate the strength of an organization's current cybersecurity protocols, as well as present the available hacking methods that can be used to penetrate the organization's systems.</li> <li>Penetration testing is generally live and manual, making it more accurate.</li> <li>It takes longer to complete a pen test, typically a day to a few weeks.</li> <li>Pen testing can be expensive, and the price varies depending on the type of test conducted. According to RSI Security, on average, pen testing costs anywhere from $4,000 to $100,000.</li> </ul> <h3>Vulnerability assessments</h3> <ul class="default-list"> <li>Vulnerability assessments do passive scanning to search for known vulnerabilities in the system and report potential exposures.</li> <li>Scans are typically automated or scheduled.</li> <li>Vulnerability assessments can be completed in a few minutes to several hours.</li> <li>Vulnerability assessments are affordable and depending on the vendor, they can average $1,000 to $5,000 per assessment. Vulnerability assessments sometimes generate false positives.</li> </ul> <p><i>Discover how penetration testing helps identify security vulnerabilities and learn about the </i><a href="https://www.techtarget.com/searchsecurity/tip/11-open-source-automated-penetration-testing-tools"><i>top open source tools</i></a><i> used by ethical hackers for testing network, application and device security controls.</i></p> </section> A penetration test, also called a 'pen test,' is a simulated cyberattack on a computer system, network or application to identify and highlight vulnerabilities in an organization's security posture. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsecurity/definition/penetration-testing Wed, 14 May 2025 09:00:00 GMT <p>Asynchronous programming in Python enables programmers to write code that can handle multiple tasks at the same time without multiple threads or processes.</p> <p>The asyncio library, and asynchronous constructs such as coroutines, help Python applications efficiently perform nonblocking I/O operations. This is especially useful for tasks such as handling thousands of network requests, file operations or other I/O-bound processes where waiting for responses bogs down total execution time.</p> <p>However, async is often misunderstood as multithreading, which leads to incorrect assumptions about its <a href="https://www.theserverside.com/tip/Tips-to-improve-Python-performance">performance benefits</a>.</p> <section class="section main-article-chapter" data-menu-title="Async vs. multithreading: Similarities and differences"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Async vs. multithreading: Similarities and differences</h2> <p>A common misconception is that asynchronous programming is the same as multithreading. Although both approaches aim to achieve concurrency, they are fundamentally different in how they work.</p> <p>In multithreading, multiple threads run in parallel, ideally utilizing multiple CPU cores. However, Python's Global Interpreter Lock (GIL) prevents true parallel execution of threads when working within the standard Python implementation. As a result, threads in Python are often limited by context switching overhead <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Is-Pythons-GIL-the-software-worlds-biggest-blunder">and the GIL itself</a>, particularly when performing CPU-bound tasks.</p> <p>Asynchronous programming, on the other hand, is not about parallelism, but rather efficient management of tasks that involve waiting, such as I/O operations. Async code enables a program to continue running other tasks while it waits for an operation such as a network request or file read to complete.</p> <p>Importantly, Python remains single-threaded in both synchronous and asynchronous code. Async functions do not magically turn Python into a parallel-processing machine. Instead, they help the single thread to handle more operations concurrently, pausing tasks that await external events and resuming them when ready. This makes async ideal for I/O-bound tasks, but not for CPU-intensive work.</p> </section> <section class="section main-article-chapter" data-menu-title="Python async examples"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Python async examples</h2> <p>The best use cases for async programming in Python are those dominated by I/O operations. Examples include the following:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/whatis/feature/How-to-scrape-data-from-a-website">Web scraping</a> large numbers of pages.</li> <li>Making concurrent API requests.</li> <li>Reading and writing large files.</li> <li>Handling multiple client connections in a web server.</li> <li>Database queries, especially over a network.</li> </ul> <p>These scenarios all spend a lot of time waiting for external systems to respond. Traditional synchronous code would block and wait, and effectively stop the execution of the program. Async code, however, can initiate many such operations simultaneously, and efficiently switch between them as responses come in.</p> <h3>When not to use async in Python</h3> <p>On the other hand, tasks that are mostly CPU-bound are poor candidates for async. Here are some examples:</p> <ul class="default-list"> <li>Image processing.</li> <li>Data analysis and mathematical computation.</li> <li>Machine learning model training.</li> <li>Complex algorithms, such as simulations or sorting large data sets.</li> </ul> <p>Async won't speed up these tasks because the bottleneck is the processor, not I/O. Attempts to use async in CPU-heavy scenarios most likely will degrade performance, adding overhead without any benefit. For these cases, <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-Python-multiprocessing-can-boost-performance">parallelism through multiprocessing</a> or other options that <a href="https://www.techtarget.com/searchitoperations/video/No-GIL-Python-is-a-mistake">bypass the GIL</a> is a better approach.</p> </section> <section class="section main-article-chapter" data-menu-title="Implementing async in Python"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Implementing async in Python</h2> <p>Python provides the <a target="_blank" href="https://docs.python.org/3/library/asyncio.html" rel="noopener">asyncio library</a> as the standard way to write asynchronous code. With asyncio, a developer can define coroutines, which are special functions that can be paused and resumed, to run concurrently within a single thread.</p> <p>The basics of how asyncio works are as follows:</p> <ul class="default-list"> <li><samp>async def</samp> defines an asynchronous function, also called a coroutine.</li> <li><samp>await</samp> suspends execution of the current coroutine until the awaited coroutine completes.</li> <li><samp>asyncio.run()</samp> runs the top-level coroutine and automatically manages the event loop.</li> </ul> <p>Example:</p> <pre class="language-python"><code>import asyncio async def fetch_data(): print("Fetching data...") await asyncio.sleep(2) # Simulate some IO delay print("Data fetched") return "Sample Data" async def main(): result = await fetch_data() print(result) asyncio.run(main())</code></pre> <p>This simple program fetches data without blocking the entire application. The <samp>asyncio.sleep()</samp> call represents a nonblocking delay, which lets other coroutines run during that time.</p> <h3>Coroutines and subprocesses</h3> <p>Coroutines are the foundation of Python async programming. These functions can pause execution at certain points and resume later, which enables efficient concurrency. They are lightweight and more memory-efficient compared with threads.</p> <p>Subprocesses, on the other hand, run separate programs or commands in their own operating system processes. In asyncio, subprocesses can be managed asynchronously, so the main application can stay responsive while it waits for external programs to complete.</p> <p>Example:</p> <pre class="language-python"><code>import asyncio async def run_command(): process = await asyncio.create_subprocess_shell( 'ls -l', stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await process.communicate() print(stdout.decode()) asyncio.run(run_command())</code></pre> <h3>Network IO and process communication</h3> <p>One of the most powerful uses of asyncio is to handle network I/O. Whether it's to manage HTTP requests, WebSockets or TCP connections, async enables efficient processing of thousands of connections without spawning thousands of threads.</p> <p>For interprocess communication, asyncio also interacts with pipes, sockets and queues asynchronously to facilitate seamless communication between processes without blocking the event loop.</p> <p>The following example shows network I/O using <samp>aiohttp</samp>:</p> <pre class="language-python"><code>import aiohttp import asyncio async def fetch_url(url): async with aiohttp.ClientSession() as session: async with session.get(url) as response: return await response.text() async def main(): content = await fetch_url('https://example.com') print(content) asyncio.run(main())</code></pre> <h3>Code synchronization and queues</h3> <p>Async applications often need synchronization mechanisms, especially when multiple coroutines produce or consume shared resources. Asyncio provides an <samp>asyncio.Queue</samp> that supports safe, nonblocking queue operations.</p> <p>Generally, one implements this using the producer-consumer design pattern. Producers can add data to the queue while consumers process it concurrently, all within the same event loop.</p> <p>The following example shows how to produce and consume data without blocking the flow of the program:</p> <pre class="language-python"><code>import asyncio async def producer(queue): for i in range(5): await queue.put(i) print(f'Produced {i}') await asyncio.sleep(1) async def consumer(queue): while True: item = await queue.get() print(f'Consumed {item}') queue.task_done() async def main(): queue = asyncio.Queue() await asyncio.gather(producer(queue), consumer(queue)) asyncio.run(main())</code></pre> </section> <section class="section main-article-chapter" data-menu-title="Async for Python: Best for apps reliant on I/O, not CPU"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Async for Python: Best for apps reliant on I/O, not CPU</h2> <p>Asynchronous programming in Python is a powerful tool to improve performance in I/O-bound applications. Apps that employ asyncio can handle thousands of tasks concurrently, which vastly improves efficiency for web servers, scrapers and network services.</p> <p>However, it is crucial to understand that async is not multithreading. Python remains single-threaded when running async code, and async provides no advantages for CPU-bound tasks. In fact, trying to use async in computationally heavy scenarios can introduce unnecessary complexity and actually degrade performance.</p> <p>In summary, async is best used for tasks that spend time waiting on external resources. For CPU-bound problems, traditional multiprocessing or compiled extensions remain the better choice.</p> <p><i>David "Walker" Aldridge is a programmer with 40 years of experience in multiple languages and remote programming. He is also an experienced systems admin and infosec blue team member with interest in retrocomputing.</i></p> </section> Asynchronous programming in Python improves efficiency for I/O-bound applications, but it's not a performance cure-all. Here's how async in Python works and when to use it. https://cdn.ttgtmedia.com/rms/onlineimages/code_g1255337870.jpg https://www.theserverside.com/tutorial/Asynchronous-programming-in-Python-tutorial Mon, 14 Apr 2025 15:43:00 GMT <p>Regression testing is a type of software test that assesses if changes to an application, or other related software components, introduce defects. A quality assurance (<a href="https://www.techtarget.com/searchsoftwarequality/definition/quality-assurance">QA</a>) engineer performs these exercises to see if modifications to code break or hinder the way in which the application works or how it consumes resources.</p> <p>An application change or addition can cause unintended side effects, called regressions, that might even pop up in components or systems separate from the altered code <a href="https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices">due to dependencies</a>. A regression test flags these adverse effects. An application change or code modification that necessitates regression tests can include the following:</p> <ul class="default-list"> <li>The introduction of a new feature or functionality.</li> <li>A fix for a defect.</li> <li><a href="https://www.techtarget.com/searchapparchitecture/definition/refactoring">Refactoring</a> to boost performance.</li> <li>Alterations to an application's hosting environment.</li> </ul> <p>A QA engineer executes a regression test at any of four test levels:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchsoftwarequality/definition/unit-testing">Unit testing</a> -- a software development process in which the smallest testable parts of an application, called units, are individually and independently scrutinized for proper operation.</li> <li><a href="https://www.techtarget.com/searchsoftwarequality/definition/integration-testing">Integration testing</a> -- a software development process in which program units are combined and tested as groups in multiple ways.</li> <li><a href="https://www.techtarget.com/searchsoftwarequality/definition/system-testing">System testing</a> -- determines how the various components of an application interact together in the full, integrated system or application.</li> <li><a href="https://www.techtarget.com/searchsoftwarequality/definition/acceptance-test">Acceptance testing</a> -- determines to what degree an application meets end users' approval. Depending on the organization, acceptance testing might take the form of beta testing, application testing, field testing or end-user testing.</li> </ul> <p>Typically, a regression test occurs late in each test cycle, close to release; that said, don't discount the importance of <i>unit regression testing</i>, which narrowly addresses one unit of code at a time and reruns unit tests.</p> <p>Regression testing must keep up with the speed at which an organization delivers software. Regression testing can be time-consuming and repetitive, requiring hours or days to complete. For this reason, a software team might choose to <a href="https://www.techtarget.com/searchsoftwarequality/definition/automated-software-testing">automate tests</a>, both to reduce test execution time and free up workers for other tasks.</p> <section class="section main-article-chapter" data-menu-title="Regression test techniques"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Regression test techniques</h2> <p>Test case management helps a software development team determine whether a regression test is effective. A team assembles or orders its collection of test cases into a test suite.</p> <h3>Retest-all regression testing</h3> <p>One approach to regression testing is the <i>retest-all </i> -- not to be confused with <i>retesting</i> -- technique, which, as the name suggests, entails the execution of every regression test case the team has written. While this method is thorough, it might be overkill for smaller releases. Contexts that call for the retest-all technique include when software is adapted for a new platform, language or culture, and when an operating system receives a major update.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/visuals/WhatIs/regression testing vs re-testing.PNG"> <img data-src="https://www.techtarget.com/visuals/WhatIs/regression testing vs re-testing_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/visuals/WhatIs/regression testing vs re-testing_mobile.png 960w,https://www.techtarget.com/visuals/WhatIs/regression testing vs re-testing.PNG 1280w" alt="Regression testing vs. retesting comparison table." height="274" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Regression testing is an automated process that checks if changes to software break the software, whereas retesting confirms whether a fix was successful. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>If a software development team opts to build a tailored test suite for each test cycle, they can choose test cases according to their place in a priority system. A testing team might define a <a href="https://www.techtarget.com/searchsoftwarequality/tip/How-to-write-test-cases-one-component-at-a-time">high-value test case</a> as, for example, one with a high failure rate, or one that pertains to end-to-end or customer-facing aspects of the software. A test case that relates to added functionality, or checks critical application features, might also receive high priority.</p> <h3>Partial regression testing</h3> <p>A software development team can also follow a <i>partial regression testing</i> strategy, where they run just select test cases, but include tests related to any major features. This sort of approach is referred to as <i>regression test selection (RTS)</i> by some. For those who see a distinction between the two terms, with RTS a team only executes test cases that might be affected by -- or associated with -- the most recent changes to the code. With partial regression, the test suite also contains those tests that pertain to critical features.</p> <p>To determine how widespread of an effect a change or build has on the software, the team can perform an <i>impact analysis</i>. Accordingly, an impact analysis informs the collection of test cases for the subsequent test cycle.</p> <p>A <a href="https://www.techtarget.com/searchsoftwarequality/definition/smoke-testing">smoke test</a>, which typically precedes a regression test, only determines if the basic functionality of an application works. Regression test cases examine the software more exhaustively.</p> <p>Whenever a test elicits a previously undiscovered defect, a tester should write a test case that similarly induces the bug.</p> </section> <section class="section main-article-chapter" data-menu-title="Regression testing tools"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Regression testing tools</h2> <p>An IT team can use a tool or platform to execute and optimize regression tests. A test management tool helps testers apply script automation, as well as trigger smoke and regression tests. In many cases, a regression testing tool leaves some level of manual test work for QA.</p> <p>The regression testing tool market includes options with support for different programming languages and <a href="https://www.techtarget.com/searchsoftwarequality/definition/Build-Server">CI servers</a> -- and by extension <a href="https://www.techtarget.com/searchsoftwarequality/CI-CD-pipelines-explained-Everything-you-need-to-know">the CI/CD process</a>. Teams can choose between low-cost or free, open source options and feature-heavy commercial tools.</p> <p>Open source regression testing options include Watir, Sahi and Selenium.</p> <p>SmartBear's TestComplete and Ranorex Studio -- two commercial options -- test web, mobile and desktop applications. TestComplete is a front-end and functional testing platform, while Ranorex Studio is a GUI test automation framework. Each product integrates with a variety of CI systems and enables automated regression testing within them. Functionize uses <a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML">machine learning</a> as part of its test automation capabilities and integrates with CI/CD tools.</p> </section> Regression testing is a type of software test that assesses if changes to an application, or other related software components, introduce defects. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsoftwarequality/definition/regression-testing Thu, 03 Apr 2025 00:00:00 GMT <p>The key differences between camel case, snake case, pascal case and kebab case are how these programming naming conventions use capitalization and whitespace to make variable names more readable.</p> <section class="section main-article-chapter" data-menu-title="Snake case and kebab case"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Snake case and kebab case</h2> <p>The snake case and kebab case naming conventions separate words with an underscore and a dash, respectively: snake_case and kebab-case. When a programmer uses only capital letters with these naming formats, they are called SCREAMING_SNAKE_CASE and FLAMING-KEBAB-CASE. Otherwise, snake case and kebab case place no requirements on the casing of letters.</p> </section> <section class="section main-article-chapter" data-menu-title="Pascal case and camel case"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Pascal case and camel case</h2> <p><a href="https://www.theserverside.com/answer/Pascal-case-vs-camel-case-Whats-the-difference">Pascal case and camel case</a> don't employ whitespace, but instead use capitalization. With pascal case, the first letter of every word in the name of a variable is capitalized, including the first letter: PascalCase. Camel case follows a similar convention, except the first letter can be either uppercase <a href="https://www.techtarget.com/whatis/definition/lowerCamelCase">or lowercase</a> -- CamelCase or camelCase -- depending on the use case.</p> <p><a href="https://www.theserverside.com/feature/Java-naming-conventions-explained">Naming conventions</a> are important in every programming language because they help make code more readable, which makes the code easier to maintain, troubleshoot and document.</p> <p>Keep in mind, though, that every programming language has its own set of conventions. What's standard in Java won't necessarily be acceptable as a naming convention in Python or <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/First-Mojo-Program-AI-ML-Hello-World-Number-Guesser-Modular">Mojo</a>.</p> <p>To learn more about the most popular code naming conventions, watch this full video on the differences between pascal case, camel case, kebab case and snake case.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.theserverside.com/rms/onlineimages/naming_conventions_in_java-f.png"> <img data-src="https://www.theserverside.com/rms/onlineimages/naming_conventions_in_java-f_mobile.png" class="lazy" data-srcset="https://www.theserverside.com/rms/onlineimages/naming_conventions_in_java-f_mobile.png 960w,https://www.theserverside.com/rms/onlineimages/naming_conventions_in_java-f.png 1280w" alt="Chart comparing the naming conventions used in Java." height="370" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The use of programming naming conventions like camel case, pascal case, snake case and kebab case vary from language to language. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p><i>Cameron McKenzie has been a Java EE software engineer for 20 years. His current specialties include Agile development; DevOps; Spring; and container-based technologies such as Docker, Swarm and Kubernetes.</i></p> </section> Want to know the differences between common code naming conventions like camel case, pascal case, snake case and kebab case? This quick tutorial has all the answers. https://www.theserverside.com/video/Camel-case-vs-pascal-case-vs-snake-case-vs-kebab-case Fri, 14 Mar 2025 12:37:00 GMT <p>Application lifecycle management (ALM) is the process of managing a software lifecycle from creation to its end of life. By combining and organizing the elements of an application's lifecycle, ALM improves product quality, optimizes productivity and eases the management and maintenance burden for related products and services.</p> <p>ALM itself consists of an integrated system of people, tools and processes that supervise a software application from its initial planning and development, through testing and maintenance, to eventual decommissioning and retirement. The process provides a <a href="https://www.techtarget.com/searchsecurity/tip/The-top-secure-software-development-frameworks">software development framework</a> while helping organizations manage their software over its lifecycle.</p> <p>Application lifecycle management tools automate software development and deployment processes, help ensure compliance is achieved and maintained, and create a standardized environment where all teams involved in the application lifecycle can communicate and collaborate.</p> <section class="section main-article-chapter" data-menu-title="Why is application lifecycle management important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is application lifecycle management important?</h2> <p>ALM provides organizations with a structured approach to managing software development. It ensures that appropriate project requirements are set as well as met, and it helps developers adjust development processes and goals during the software lifecycle.</p> <p>In addition, by ensuring that all teams -- including development, <a href="https://www.techtarget.com/searchitoperations/definition/IT-operations">operations</a> and security -- collaborate effectively, organizations are better positioned to produce the best possible software.</p> <p>Application lifecycle management helps businesses achieve high efficiency and gain a competitive edge by accelerating workflows and ensuring that top-quality products get deployed.</p> </section> <section class="section main-article-chapter" data-menu-title="What is application lifecycle management used for?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is application lifecycle management used for?</h2> <p>ALM provides a framework for setting requirements and establishing processes, governance and methodologies before deploying software. In essence, it supplies the scaffolding within which software gets developed, tested and maintained.</p> <p>By design, it also includes safeguards and checkoffs to ensure software meets compliance, governance, efficiency, usability, performance and other benchmarks before being released into production. Finally, ALM provides ongoing opportunities to review and adjust costs to meet changing budget requirements and productivity assessments, ensuring that companies realize their <a href="https://www.techtarget.com/searchcio/definition/ROI">return on investment</a> objectives for software development.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the application lifecycle management process?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the application lifecycle management process?</h2> <p>The ALM process gives <a href="https://www.techtarget.com/searchitoperations/definition/DevSecOps">DevSecOps</a> teams, plus executive staff and <a href="https://www.techtarget.com/searchcio/definition/stakeholder">stakeholders</a>, ongoing opportunities to do the following:</p> <ul class="default-list"> <li>Set and manage requirements as well as establish processes and procedures.</li> <li>Set and manage governance and compliance needs across the lifecycle.</li> <li>Establish methodologies to manage and control development, testing and maintenance activities.</li> <li>Ensure that testing meets functionality, performance, usability and security needs.</li> </ul> <p>As explained in the next section, the ALM process explicitly establishes and manages all aspects of all application lifecycle management stages.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/sWF-PuAlkI0?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="Stages of application lifecycle management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Stages of application lifecycle management</h2> <p>Application lifecycle management consists of five stages:</p> <h3>1. Defining requirements</h3> <p>When defining requirements, all stakeholders gather to declare what they need from the application to support their <a href="https://www.techtarget.com/whatis/definition/business-case">business cases</a>. A design of the application is created based on their expressed needs. Requirements can include a range of factors, including the business needs of the stakeholders as well as compliance and governance requirements.</p> <p>Specifying requirements usually happens top-down, meaning the needs start with the most general and move into the more specific and detailed. As a result, case requirements are often in a hierarchical tree structure, with each node representing a more specific sub-requirement for a more general parent node. However, other development approaches, such as the iterative <a href="https://www.techtarget.com/searchsoftwarequality/definition/agile-software-development">Agile development</a> process, use less hierarchical structures to list requirements, with the defined needs identified as use cases.</p> <h3>2. Development of the product</h3> <p>Development begins once the team agrees to the requirements. At this stage, the product moves from an idea and design to a real, working application. The development team must first break down the application requirements into pieces and phases to create a development plan.</p> <p>During this time, it is beneficial to incorporate representatives from all related teams, including sales, product marketing, IT and testing. This helps ensure that the created product satisfies all defined needs and is easy to use, test and deploy.</p> <p>A wide variety of development methodologies can be used during this stage. The most popular are <i>sequential</i> -- for example, the <a href="https://www.techtarget.com/searchsoftwarequality/definition/waterfall-model">Waterfall model</a> -- or <i>iterative</i>, such as Agile development.</p> <h3>3. Testing and quality assurance</h3> <p>Testing and quality assurance (<a href="https://www.techtarget.com/searchsoftwarequality/definition/quality-assurance">QA</a>) often overlap with the development stage. Testers should begin preparing their test cases and testing environments before the product is formally released. Testers should also be available to provide feedback on the application throughout development. Furthermore, integration and <a href="https://www.techtarget.com/searchsoftwarequality/definition/unit-testing">unit tests</a> should be incorporated into programming activities. Development teams often use <a href="https://www.techtarget.com/searchsoftwarequality/definition/continuous-integration">continuous integration</a> systems.</p> <p>During the formal testing and QA stage, testers must verify that the application fulfills the requirements defined in the first stage of the process. Testers should also check for all other stakeholders' expectations that the app will need to support throughout its lifecycle. This stage also includes full <a href="https://www.techtarget.com/searchsoftwarequality/definition/integration-testing">integration testing</a> and addressing all issues or bugs discovered and reported by the development team.</p> <p>The development and testing stages conclude when the product reaches quality and stability that is good enough for release. The product marketing team defines this level.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/software_quality-application_lifecycle_management-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/software_quality-application_lifecycle_management-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/software_quality-application_lifecycle_management-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/software_quality-application_lifecycle_management-f.png 1280w" alt="diagram of the five stages of application lifecycle management (ALM)" height="287" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Application lifecycle management is made up of an initial defining stage, a development stage, a testing and QA stage, deployment, and then a stage of continuous maintenance and eventual retirement. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>4. Deployment</h3> <p>The deployment stage involves releasing the product to users. This process varies depending on application type because each product type requires different attributes and specifications. For example, <a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service">software-as-a-service</a> apps must be deployed on the company's internal servers, while users can access <a href="https://www.techtarget.com/searchsoftwarequality/definition/Web-application-Web-app">web apps</a> through the internet.</p> <h3>5. Continuous maintenance and improvement of the product</h3> <p>Continuous maintenance and improvement of the product occur after deployment to monitor and manage the performance of the released application. The team resolves any remaining bugs during this stage while planning and prioritizing new updates.</p> <p>Maintenance is frequently the longest stage of ALM, but it might also require the least participation from the development team if previous steps were effective.</p> <p>An important element of the maintenance stage is defining the system's retirement. In other words, teams must decide when work should be stopped and moved to a newer version of the product or migrated to a different product entirely.</p> </section> <section class="section main-article-chapter" data-menu-title="Benefits of application lifecycle management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of application lifecycle management</h2> <p>Some key benefits of ALM include the following:</p> <ul class="default-list"> <li><b>Increased visibility into workflow.</b> Application lifecycle management provides an organization with a clear direction for its workflow before developers begin building the app. During the first stage -- defining requirements -- companies create a business case, determine the app's lifespan and plan the necessary resources before committing to development. This saves the organization time and money by avoiding unnecessary work and expensive mistakes.</li> <li><b>Enhanced compliance.</b> ALM tools can help organizations track and document compliance measures throughout the software development lifecycle (<a href="https://www.techtarget.com/searchsoftwarequality/definition/systems-development-life-cycle">SDLC</a>).</li> <li><b>Faster deployments.</b> ALM can streamline the development process by automating workflows and improving collaboration between teams, which enables faster releases.</li> <li><b>Higher-quality products</b>. ALM practices commonly include structured development cycles, frequent testing and continuous monitoring that help solve issues before deployment.</li> <li><b>Efficiency.</b> The integrated system created by ALM is more efficient than a collection of unconnected tools and processes spread across various teams. This integration also benefits organizations by improving communication and collaboration and by aligning software objectives with any business value or corporate goal.</li> <li><b>Better collaboration.</b> The ability for teams to collaborate ensures that each worker understands the project and its stage. ALM tools enable workers to track strategies, changes, requirements and project status in real time, regardless of location. ALM tools also prioritize the various team goals and help define the various skill sets needed for different processes.</li> <li><b>Improved decision-making.</b> ALM improves teams' decision-making abilities when dealing with aging software. Most ALM tools include <a href="https://www.techtarget.com/whatis/definition/version-control">version control</a> and real-time planning, helping team leaders to map the application's future easily. This capability can also eliminate confusion for companies dealing with multiple applications.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Challenges to application lifecycle management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges to application lifecycle management</h2> <p>ALM does come with some challenges, however. These can include the following:</p> <ul class="default-list"> <li><b>Scalability.</b> Managing multiple applications, teams and processes in an ALM framework can be complex and difficult to scale.</li> <li><b>Visibility.</b> Visibility can be challenging when workloads are spread across multiple clouds or in a hybrid cloud system.</li> <li><b>Security.</b> Integrating security into every step of the ALM process can be challenging.</li> <li><b>Need for increased communication between teams.</b> Coordinating communication efforts between teams such as developers, operations and security can be difficult.</li> <li><b>Need for increased agility.</b> Balancing governance, control and flexibility might become enough of a challenge that it becomes difficult to increase or maintain the agility needed for rapid deployments.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Application lifecycle management tools"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Application lifecycle management tools</h2> <p>Numerous ALM tools, which encompass a collection of project management tools that integrate people and processes, are available for tracking application changes. These tools range from dedicated ALM products that monitor an application from inception to completion, automatically sorting files into logical buckets, to simple <a href="https://www.techtarget.com/whatis/definition/wiki">wikis</a> requiring team members to manually record changes.</p> <p>Organizations should look for several key features when choosing an ALM tool:</p> <ul class="default-list"> <li>Version control.</li> <li>Team communication and planning in real time.</li> <li>Estimation and application development planning.</li> <li>Requirements management.</li> <li>Test management and QA.</li> <li>Source code management.</li> <li>Automated deployment.</li> <li>Application portfolio management.</li> <li>Maintenance and support.</li> </ul> <p>ALM tools enable users to define project requirements and develop <a href="https://www.techtarget.com/searchsoftwarequality/definition/user-story">user stories</a>, which can then be prioritized, scheduled and broken down into detailed tasks used for resource tracking. Resource tracking analyzes how well an organization uses its resources throughout the app's lifecycle. ALM tool users can also attach documents, screenshots and URLs to all <a href="https://www.techtarget.com/searchsoftwarequality/definition/artifact-software-development">artifacts</a> as well as customize all graphs and reports in various formats -- including Adobe Acrobat and HTML.</p> <p>ALM tools enable users to create, modify and perform test cases; manage automated and manual tests; track issues, bugs, risks and enhancements related to the source code repository; and access a complete audit history of all changes made to the application.</p> <p>ALM tool dashboards can be personalized, and the reporting that appears can be customized to benefit specific users.</p> <p>Some popular examples of ALM tools include the following:</p> <ul class="default-list"> <li>Jama Connect.</li> <li>MeisterTask.</li> <li>Codebeamer.</li> <li>Visure Requirements ALM Platform.</li> <li>Jira.</li> <li>Microsoft Azure DevOps.</li> <li>Tuleap.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How ALM affects DevOps"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How ALM affects DevOps</h2> <p>As a software delivery approach, <a href="https://www.techtarget.com/searchitoperations/definition/DevOps">DevOps</a> is all about communication. The term is a portmanteau to describe the collaborative approach that development and operations teams are meant to take. This is an <a href="https://www.forbes.com/councils/forbestechcouncil/2023/03/07/the-importance-of-devops-today-how-to-choose-the-right-platform-for-your-team/" target="_blank" rel="noopener">important practice</a>, as it promotes better communication and collaboration between these teams to improve software quality and development outcomes.</p> <p>Both ALM and DevOps practices are complementary. They share the goal of increasing software delivery speed and quality while also increasing collaboration and communication between teams.</p> <p>The ALM tools used to automate software development and deployment processes also align with DevOps core principles. They help to promote communication, as they typically enable multiple teams to collaborate throughout the application lifecycle. For example, implementing ALM development and maintenance tools in a software's lifecycle can help further streamline DevOps teams.</p> </section> <section class="section main-article-chapter" data-menu-title="Application lifecycle management vs. software development lifecycle"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Application lifecycle management vs. software development lifecycle</h2> <p>The <i>software development lifecycle</i> refers to the processes or procedures involved in creating a high-quality software product. Application lifecycle management is similar to the SDLC, but it incorporates a wider range of processes.</p> <p>ALM covers the entire application lifecycle, incorporating the perspective of what the business needs from an application, while the SDLC focuses more narrowly on software development and maintenance. In other words, ALM includes all five stages of the app's lifecycle -- requirements, development, testing, deployment and maintenance -- but the <a href="https://www.techtarget.com/searchsoftwarequality/answer/How-does-ALM-differ-from-SDLC">SDLC only focuses on a fraction of ALM</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="Application lifecycle management vs. product lifecycle management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Application lifecycle management vs. product lifecycle management</h2> <p>Product lifecycle management (PLM) is the process of managing a product throughout its entire lifecycle. It's a very similar idea to ALM, with similar principles, but some unique identifiers make the two processes different.</p> <p>The biggest difference is that, while ALM applies to software, PLM applies to physical hardware. ALM focuses on the entire software development lifecycle, including development, testing, deployment and maintenance, while PLM focuses on the entire lifecycle of physical products, including product design, production, maintenance and disposal.</p> <p>Manufacturers also commonly use PLM software that can track, store and update data related to a product.</p> <p><i>ALM and PLM tools are very similar concepts. Learn more about the </i><a href="https://www.techtarget.com/searcherp/tip/PLM-vs-ALM-Compare-the-differences"><i>differences between ALM and PLM</i></a><i>. </i></p> </section> Application lifecycle management (ALM) is the process of managing a software lifecycle from creation to its end of life. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/searchsoftwarequality/definition/application-lifecycle-management-ALM Tue, 11 Feb 2025 11:45:00 GMT <p>The spiral model is a systems development lifecycle (<a href="https://www.techtarget.com/searchsoftwarequality/definition/systems-development-life-cycle">SDLC</a>) method used for <a href="https://searchcompliance.techtarget.com/definition/risk-management">risk management</a> that combines the iterative development process model with elements of the <a href="https://www.techtarget.com/searchsoftwarequality/definition/waterfall-model">Waterfall model</a>. The spiral model is used by software engineers and is favored for large, expensive and complicated projects.</p> <p>When viewed as a diagram, the spiral model of software development looks like a coil with many loops. The <a href="https://www.techtarget.com/searchcio/definition/project-management">project manager</a> designates the number of loops, which varies based on the project. Each loop of the spiral is a phase in the software development process model.</p> <p>The spiral model enables gradual releases and refinement of a software product through each phase of the spiral. This risk-driven approach also enables the ability to build prototypes at each phase. The most important feature of the model is its ability to manage potential risks after the project has commenced; creating a prototype makes this feasible.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-spiral_model.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/whatis-spiral_model_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-spiral_model_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-spiral_model.png 1280w" alt="Diagram showing the four spiral model phases"> <figcaption> <i class="icon pictures" data-icon="z"></i>The spiral model includes four distinct phases that are necessary to build, refine and release a product. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <section class="section main-article-chapter" data-menu-title="Uses of the spiral model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Uses of the spiral model</h2> <p>The spiral model is best used in large projects. It compartmentalizes them into phases with different people involved in each phase. Larger issues are broken down into smaller problems to solve and departments or teams are assigned specific tasks that they're responsible for. Other uses include the following:</p> <ul class="default-list"> <li>Projects in which frequent releases are necessary.</li> <li>Projects in which changes are required at any time.</li> <li>Long-term projects that aren't feasible because of altered economic priorities.</li> <li>Medium to high-risk projects, where iterative refinements are needed to ensure potential risks are mitigated.</li> <li>Projects in which cost and <a href="https://www.techtarget.com/searchsecurity/definition/risk-analysis">risk analysis</a> are important.</li> <li>Projects that would benefit from the creation of a prototype to demonstrate the functionalities to stakeholders.</li> <li>Projects with unclear or complex requirements.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Real-world examples of spiral model projects"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Real-world examples of spiral model projects</h2> <p>Various industries rely on the spiral model to iteratively improve projects. Examples include the following:</p> <ul class="default-list"> <li><b>Software development. </b>Developers iteratively test software projects while adhering to feedback to guide improvements. This is especially true of mobile apps, where functionality changes rapidly and requires debugging to adhere to user and stakeholder expectations.</li> <li><b>Gaming. </b>Game developers use this iterative model to test gameplay and improve graphics before a final product is released. Such refinements are based on customer feedback as well.</li> <li><b>Retail. </b><a href="https://www.techtarget.com/searchcio/definition/e-commerce">E-commerce</a> website developers use spiral modeling to continuously evolve and add new features to improve the <a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-experience-CX">customer experience</a> based on consumer preferences and market trends.</li> <li><b>Healthcare. </b>The spiral model is used to ensure <a href="https://www.techtarget.com/searchhealthit/definition/electronic-health-record-EHR">electronic healthcare records</a> systems meet industry standards and comply with existing regulations, such as the Health Insurance Portability and Accountability Act.</li> <li><b>Space. </b>Space exploration systems, such as satellites and rovers, start as prototypes and undergo simulations for testing before being used in space. The spiral model guides their development to ensure they aren't prone to issues.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Phases of the spiral model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Phases of the spiral model</h2> <p>When looking at a diagram of a spiral model, the radius of the spiral represents the cost of the project, and the angular degree represents the progress made in the current phase. Each phase begins with a goal for the design and ends when the developer or client reviews the progress.</p> <p>Every phase can be broken into four quadrants: identifying and understanding requirements, performing risk analysis, building the prototype and evaluating the software's performance.</p> <h3>Identifying and understanding requirements</h3> <p>Phases begin in the quadrant dedicated to the identification and understanding of requirements. The overall goal of the phase is determined, and all objectives are elaborated and analyzed. It's important to also identify alternative solutions in case the attempted version fails to perform.</p> <h3>Risk analysis</h3> <p>Risk analysis is performed on all possible solutions to find any faults or vulnerabilities -- such as running over budget or areas within the software open to <a href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them">different forms of cyberattacks</a>. Each risk is resolved using the most efficient strategy.</p> <h3>Building the prototype</h3> <p>In the next quadrant, the prototype model is built and tested. This step includes architectural design, module design, physical product design and the final design. It takes the proposal that has been created in the first two quadrants and turns it into software that can be used.</p> <h3>Performance evaluation</h3> <p>In the fourth quadrant, the test results of the newest version are evaluated. This analysis lets programmers stop and understand what worked and didn't work before progressing with a new <a href="https://www.techtarget.com/searchsoftwarequality/definition/build">build</a>. At the end of this quadrant, planning for the next phase begins and the cycle repeats. At the end of the spiral, the software is deployed in its respective market.</p> </section> <section class="section main-article-chapter" data-menu-title="Steps of the spiral model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Steps of the spiral model</h2> <p>While the phases are broken down into quadrants, each quadrant is further broken down into steps. The steps in the spiral model are as follows:</p> <ul class="default-list"> <li>The new system requirements are defined in as much detail as possible. This usually involves interviewing several users representing all the external or internal interests and other aspects of the existing system.</li> <li>A preliminary design is created for the new system.</li> <li>The first prototype of the new system is constructed from the preliminary design. This is usually a scaled-down system that represents an approximation of the characteristics of the final software product.</li> <li>A second prototype emerges from a fourfold procedure: (1) evaluating the first prototype's strengths, weaknesses, and risks; (2) defining the requirements of the second prototype; (3) planning and designing the second prototype; (4) constructing and testing the second prototype.</li> <li>The entire project is aborted if the risk is deemed too great. Risk factors might include development cost overruns, operating cost miscalculations and other factors that could result in a less-than-satisfactory final product.</li> <li>The existing prototype is evaluated in the same manner as the previous prototype and, if necessary, another prototype is developed from it according to the fourfold procedure outlined above.</li> <li>The preceding steps are iterated until the customer is satisfied that the refined prototype represents the desired final product.</li> <li>The final product is constructed, based on the refined prototype.</li> <li>The final product is thoroughly evaluated and tested. Routine maintenance is carried out on a continuous basis to prevent large-scale failures and <a href="https://www.techtarget.com/searchdisasterrecovery/tip/Prepare-for-planned-and-unplanned-downtime">minimize downtime</a>.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Advantages of the spiral model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Advantages of the spiral model</h2> <p>The spiral model is a great option for large, complex projects. The progressive nature of the model lets developers break a big project into smaller ones and tackle one feature at a time, ensuring nothing is missed. The prototype building is done progressively, so the cost estimation of the whole project is sometimes easier.</p> <p>Other benefits of the spiral model include the following:</p> <ul class="default-list"> <li><b>Flexibility.</b> Changes made to the requirements after development has started are easily adopted and incorporated.</li> <li><b>Risk management.</b> The spiral model involves risk analysis and handling in every phase, improving security and the chances of avoiding attacks and breakages. The iterative development process also facilitates <a href="https://www.techtarget.com/searchdisasterrecovery/definition/risk-mitigation">risk mitigation</a>.</li> <li><b>Customer satisfaction.</b> The spiral model facilitates customer feedback. If the software is being designed for a customer, then the customer will be able to see and evaluate their product in every phase. This lets them raise concerns and request changes before the product is fully built, saving the development team time and money.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Disadvantages of the spiral model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Disadvantages of the spiral model</h2> <p>Limitations of the spiral model include the following:</p> <ul class="default-list"> <li><b>High cost.</b> The spiral model is expensive and therefore not suitable for small projects.</li> <li><b>Dependence on risk analysis.</b> Successful completion of a project depends on effective risk management. Given that, it's necessary for those involved with the project to have expertise in risk assessment.</li> <li><b>Complexity.</b> The spiral model is more complex than other SDLC options. For it to operate efficiently, protocols must be followed closely. Furthermore, increased <a href="https://www.techtarget.com/searchsoftwarequality/tip/A-guide-to-software-design-documentation-and-specifications">documentation</a> is required to keep track of the intermediate phases.</li> <li><b>Time management challenges.</b> Going into the project, the number of required phases is often unknown, making time management almost impossible. Therefore, there's always a risk of falling behind schedule or going over budget.</li> </ul> <p><i>The spiral model exists alongside various </i><a href="https://www.techtarget.com/searchsecurity/tip/The-top-secure-software-development-frameworks"><i>secure software development frameworks</i></a><i> and lifecycle models. Learn the basics of these frameworks.</i></p> </section> The spiral model is a systems development lifecycle (SDLC) method used for risk management that combines the iterative development process model with elements of the Waterfall model. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsoftwarequality/definition/spiral-model Mon, 27 Jan 2025 00:00:00 GMT <p>Six Sigma is a business methodology for quality improvement that measures how many defects there are in a current <a href="https://www.techtarget.com/whatis/definition/process">process</a> and seeks to systematically eliminate them.</p> <p>In 1984, a Motorola engineer named Bill Smith developed the Six Sigma management system to reduce the variations in Motorola's electronic manufacturing processes that were causing product defects.</p> <p>Since then, the strategies, tools and cultural norms that support the management system have been adopted by upper management and project teams in a wide variety of industries to increase operational excellence. Additionally, the meaning of the word <i>defect</i> has broadened to include any deficiency in business processes that prevents a company from meeting its customers' needs.</p> <p>Six Sigma's methodologies have become a cornerstone in industries such as manufacturing, healthcare and IT, helping organizations achieve consistency, efficiency and customer satisfaction.</p> <section class="section main-article-chapter" data-menu-title="How does Six Sigma work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does Six Sigma work?</h2> <p>In <a href="https://www.techtarget.com/whatis/definition/statistical-analysis">statistical analysis</a>, the Greek letter <i>sigma</i> (Σ) is used to denote a standard deviation from the mean. In the 1920s, statistical process control pioneer Walter Shewhart proposed that in lean manufacturing, three sigma from the mean is the tipping point that indicates there are too many defects and that process improvement is required.</p> <p>This was the accepted norm for many years until Smith proposed gathering and analyzing data at a more granular level and making six sigma the point at which a process has to be corrected.</p> <p>Because it is almost impossible to achieve zero defects -- a concept known as infinity sigma -- six sigma allows for 3.4 defects per million opportunities for a defect to occur. In contrast, three sigma allows for 66,807 defects per million opportunities.</p> <p>Once the necessary data has been gathered, a company that is implementing Six Sigma methodologies uses statistics to create a baseline sigma. The baseline illustrates how close -- or how far -- the company is from achieving Six Sigma and serves as a measuring stick for assessing future improvement.</p> <p>Advanced Six Sigma tools, such as statistical software and <a href="https://www.techtarget.com/searchbusinessanalytics/feature/AI-in-business-intelligence-Uses-benefits-and-challenges">AI-driven analytics</a>, now enable organizations to streamline data collection and analysis, further enhancing accuracy and decision-making.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the importance of Six Sigma?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the importance of Six Sigma?</h2> <p>Six Sigma proponents claim that its business strategy benefits include up to 50% process cost reduction, cycle time improvement, less waste of materials, a better understanding of customer requirements, increased customer satisfaction and value stream, and more reliable products and services.</p> <p>Motorola holds the federal trademark for Six Sigma, and it is generally acknowledged that Six Sigma can be costly to implement and can take several years before a company begins to see bottom-line results.</p> <p>In 1995, <a href="https://www.techtarget.com/searcherp/feature/GE-Digitals-transformation-rocky-but-ongoing">General Electric</a> CEO Jack Welch's public endorsement of Six Sigma helped businesses outside of manufacturing understand how Six Sigma methodologies can be used to improve customer satisfaction in any industry.</p> <p>More recently, organizations have adopted Six Sigma alongside <a href="https://www.techtarget.com/searchcio/definition/digital-transformation">digital transformation</a> initiatives to optimize processes, increase agility and adapt to changing market demands.</p> </section> <section class="section main-article-chapter" data-menu-title="What are the key principles of Six Sigma?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the key principles of Six Sigma?</h2> <p>The key principles are the following:</p> <ul class="default-list"> <li><b>Customer focus.</b> Ensuring processes align with customer expectations.</li> <li><b>Use data.</b> Employing statistical analysis for decision-making.</li> <li><b>Improve continuously.</b> Encouraging a culture of ongoing refinement.</li> <li><b>Involve people.</b> Engaging teams at all levels.</li> <li><b>Be thorough.</b> Implementing detailed process analysis.</li> </ul> <p>These principles form the foundation of Six Sigma's methodologies and ensure consistent, measurable outcomes.</p> </section> <section class="section main-article-chapter" data-menu-title="Benefits of Lean Six Sigma"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of Lean Six Sigma</h2> <p><a href="https://www.techtarget.com/searchcio/definition/lean-Six-Sigma">Lean Six Sigma</a> combines Six Sigma's focus on reducing defects with the Lean <a href="https://www.techtarget.com/searchcio/definition/project-management">project management</a> methodology's emphasis on eliminating waste. Together, they help organizations do the following:</p> <ul class="default-list"> <li>Streamline workflows by removing inefficiencies.</li> <li>Reduce costs through better resource utilization.</li> <li>Improve product quality and customer satisfaction.</li> <li>Adapt processes quickly to meet evolving demands.</li> </ul> <p>This hybrid approach is particularly effective in industries such as healthcare, <a href="https://www.techtarget.com/searcherp/definition/logistics">logistics</a> and manufacturing.</p> </section> <section class="section main-article-chapter" data-menu-title="Six Sigma methodologies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Six Sigma methodologies</h2> <p>The above principles can be applied with one of two improvement methodologies: Six Sigma DMAIC and Six Sigma DMADV. Each name is derived from the major steps in its process, but each has its own use.</p> <ul class="default-list"> <li>DMAIC (define, measure, analyze, improve, control) is used to correct a process that already exists.</li> <li>DMADV (define, measure, analyze, design, validate) is used to create a new process.</li> </ul> <h3>DMAIC</h3> <p>Here is a step-by-step breakdown of Six Sigma DMAIC:</p> <ol class="default-list"> <li><b>Define.</b> Identify the project goals and all customer deliverables.</li> <li><b>Measure.</b> Understand current performance.</li> <li><b>Analyze.</b> Determine root causes of any defects.</li> <li><b>Improve.</b> Establish ways to eliminate defects and correct the process.</li> <li><b>Control.</b> Manage future process performance.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/DMAIC.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/DMAIC_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/DMAIC_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/DMAIC.jpg 1280w" alt="Six Sigma DMAIC process diagram." height="493" width="519"> <figcaption> <i class="icon pictures" data-icon="z"></i>A step-by-step breakdown of the DMAIC process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>DMADV</h3> <p>Here is a step-by-step breakdown of Six Sigma DMADV:</p> <ol class="default-list"> <li><b>Define.</b> Identify the <a href="https://www.techtarget.com/searchcio/definition/project-scope">project scope</a> and all customer deliverables.</li> <li><b>Measure.</b> Understand current performance.</li> <li><b>Analyze.</b> Determine root causes of any defects.</li> <li><b>Design.</b> Create a process that meets customer needs and expectations.</li> <li><b>Verify.</b> Ensure processes perform adequately and are designed to meet customer needs.</li> </ol> <p>The first three steps of this methodology are identical to DMAIC. Because the two acronyms are so similar, some companies use the acronym DFSS (design for Six Sigma) in place of DMADV.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/DMADV.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/DMADV_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/DMADV_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/DMADV.jpg 1280w" alt="Six Sigma DMADV process diagram." height="158" width="519"> <figcaption> <i class="icon pictures" data-icon="z"></i>A step-by-step breakdown of the Six Sigma DMADV process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>When contemplating Six Sigma DMAIC versus DMADV, it is important to understand the circumstances in which each should be used. The DMAIC methodology should be used when an existing product or service is not meeting customer needs or performing to its highest standards. The DMADV methodology should be used when an organization is developing a new product or service, or when using DMAIC for a current project or process has failed.</p> </section> <section class="section main-article-chapter" data-menu-title="Six Sigma certification and resources"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Six Sigma certification and resources</h2> <p>All Six Sigma processes are executed by the following, per the terms created by Motorola:</p> <ol class="default-list"> <li>Six Sigma White Belts are entry-level participants focused on basic principles.</li> <li>Six Sigma Yellow Belts are team members who understand specific projects.</li> <li>Six Sigma Green Belts are midlevel practitioners who lead projects under supervision.</li> <li>Six Sigma Black Belts are leaders of complex projects with extensive expertise.</li> <li>Six Sigma Master Black Belts are overseers of multiple projects and strategy alignment.</li> </ol> <p>The International Association for Six Sigma Certification (IASSC) and other organizations <a target="_blank" href="https://iassc.org/lean-six-sigma-certifications/" rel="noopener">provide certifications</a> to validate expertise in Six Sigma methodologies.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/sigma_belts.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/sigma_belts_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/sigma_belts_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/sigma_belts.jpg 1280w" alt="Diagram of the hierarchy of roles for Six Sigma implementation." height="209" width="519"> <figcaption> <i class="icon pictures" data-icon="z"></i>Hierarchy for Six Sigma implementation, as dictated by Motorola. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>At IASSC, Yellow, Green and Black Belt exams are designed to measure a person's knowledge of topics contained within IASSC's Lean Six Sigma Body of Knowledge.</p> <p>Another Six Sigma training organization <a target="_blank" href="https://www.6sigma.us/training-classes/six-sigma/" rel="noopener">offering</a> certification is 6Sigma.us.</p> </section> <section class="section main-article-chapter" data-menu-title="How to implement Six Sigma"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to implement Six Sigma</h2> <p>To implement Six Sigma within an organization, the first step is to properly make the case for statistical tools like Six Sigma and its potential benefits to get <a href="https://www.techtarget.com/searchcio/definition/stakeholder">stakeholder</a> buy-in. Additionally, it's important to set the expectation that being entirely defect-free is not realistic. However, there are some best practices that can help to ensure as much improvement as possible.</p> <p>Once management understands the potential behind the methodology, the following eight steps can help to implement a Six Sigma project and ensure a clean rollout:</p> <ul class="default-list"> <li>Step 1. Motivate stakeholders by highlighting quality losses.</li> <li>Step 2. Implement project management and obtain the necessary resources.</li> <li>Step 3. Educate team members on the Six Sigma management method.</li> <li>Step 4. Create a quality control chart and identify priorities.</li> <li>Step 5. Assign ownership for all team members involved.</li> <li>Step 6. Ensure measurement of the right <a href="https://www.techtarget.com/searchcustomerexperience/definition/business-metric">metrics</a> and indicators.</li> <li>Step 7. Perform a <a href="https://www.techtarget.com/searchitoperations/definition/root-cause-analysis">root cause analysis</a> to understand the defect.</li> <li>Step 8. Govern the program to ensure proper implementation and continuous improvement.</li> </ul> <p>Please note that these steps can vary depending on whether you are using Six Sigma or Lean Six Sigma.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/4eteSMuum6k?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0" loading="lazy"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="Real-world applications of Six Sigma"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Real-world applications of Six Sigma</h2> <p>Six Sigma is widely used in various industries to solve unique challenges, such as the following:</p> <ul class="default-list"> <li><b>Healthcare.</b> Reducing patient wait times and improving care delivery.</li> <li><b>Manufacturing.</b> Enhancing product quality and reducing defects.</li> <li><b>Retail.</b> Optimizing inventory management and streamlining supply chains.</li> <li><b>IT and software development.</b> Identifying and resolving system inefficiencies.</li> </ul> <p>By tailoring Six Sigma tools to their specific needs, organizations can achieve significant improvements in efficiency and customer satisfaction.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the difference between Six Sigma vs. Lean Six Sigma?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the difference between Six Sigma vs. Lean Six Sigma?</h2> <p>The purposes of Six Sigma and Lean Six Sigma are different. The Six Sigma method is focused on limiting fluctuation within business processes and quality management of process output by implementing problem-solving statistical methods.</p> <p>Conversely, the primary focus of Lean Six Sigma is to eliminate waste and improve existing processes.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/how_does_lean_six_sigma_work-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/how_does_lean_six_sigma_work-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/how_does_lean_six_sigma_work-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/how_does_lean_six_sigma_work-f.png 1280w" alt="Diagram of how Six Sigma and Lean methodologies combine in Lean Six Sigma." height="258" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Lean Six Sigma combines the best of both Six Sigma and the Lean manufacturing process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p><em>Learn about the <a href="https://www.techtarget.com/whatis/definition/5-Whys">Five Whys</a>, which is used in the Analyze phase of the Six Sigma DMAIC methodology; <a href="https://www.techtarget.com/searchcio/definition/SIPOC-diagram-suppliers-inputs-process-outputs-customers">SIPOC</a>, which is often used during the Define phase; and <a href="https://www.techtarget.com/whatis/definition/fishbone-diagram">fishbone diagrams</a>, which are one of the basic quality tools used in the Analyze phase. Also, check out <a href="https://www.techtarget.com/searchcio/feature/Top-5-digital-transformation-trends-of-2021">top digital transformation trends</a>.</em></p> </section> Six Sigma is a business methodology for quality improvement that measures how many defects there are in a current process and seeks to systematically eliminate them. https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg https://www.techtarget.com/searchcio/definition/Six-Sigma Fri, 27 Dec 2024 12:00:00 GMT <p>Quality assurance (QA) is any systematic process of determining whether a product or service meets specified requirements. QA establishes and maintains set requirements for developing or manufacturing reliable products.</p> <p>A quality assurance process is meant to increase customer confidence and a company's credibility while improving work processes and efficiency. It also helps a company compete in its market.</p> <p>The International Organization for Standardization (<a href="https://www.techtarget.com/searchdatacenter/definition/ISO">ISO</a>) is a driving force behind QA practices and mapping the processes used to implement QA. QA is often paired with the <a href="https://www.techtarget.com/searchdatacenter/definition/ISO-9000">ISO 9000</a> international standard. Many companies use ISO 9000 to ensure their QA system is in place and effective.</p> <p>The concept of QA as a formal practice started in the manufacturing industry. It has spread to most industries, including software engineering.</p> <section class="section main-article-chapter" data-menu-title="Importance of quality assurance"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Importance of quality assurance</h2> <p>There are three primary reasons why effective QA implementation is essential:</p> <ul class="default-list"> <li><b>Customer satisfaction.</b> QA helps a company create products and services that meet customers' needs, expectations and requirements.</li> <li><b>Public trust. </b>QA yields high-quality product offerings and services that build <a href="https://www.techtarget.com/searchcustomerexperience/feature/How-to-efficiently-measure-customer-loyalty">trust and loyalty</a>.</li> <li><b>Product quality. </b>QA programs define standards and procedures that proactively prevent product defects and other issues before they arise.</li> </ul> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/software_quality-quality_assurance.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/software_quality-quality_assurance_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/software_quality-quality_assurance_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/software_quality-quality_assurance.png 1280w" alt="List of seven steps in quality assurance" height="283" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>There are multiple steps to perform as part of a quality assurance process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Quality assurance methods"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quality assurance methods</h2> <p>QA processes are built using one of three methods:</p> <ul class="default-list"> <li><strong>Failure testing.</strong> This approach continually tests a product to determine if it breaks or fails. For physical products that need to withstand stress, this could involve testing the product under heat, pressure or vibration. For software products, failure testing might involve placing the software under high use or load conditions.</li> <li><strong>Statistical process control.</strong> SPC is a methodology based on objective data and analysis. It was developed by Walter Shewhart at Western Electric Company and Bell Telephone Laboratories in the 1920s and 1930s. This methodology uses statistical methods to manage and control the product production.</li> <li><strong>Total </strong><strong>quality management system</strong><strong>. </strong><a href="https://www.techtarget.com/searchcio/definition/Total-Quality-Management">TQM</a> applies quantitative methods as the basis for <a href="https://www.techtarget.com/searcherp/definition/kaizen-or-continuous-improvement">continuous improvement</a>. It relies on facts, data and analysis to support product planning and performance reviews.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Quality assurance vs. quality control"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quality assurance vs. quality control</h2> <p>Some people may confuse the term QA with quality control (<a href="https://www.techtarget.com/whatis/definition/quality-control-QC">QC</a>). The two concepts are similar, but there <em>are</em> important distinctions between them.</p> <p>QA provides guidelines that can be used anywhere. QC promotes a production-focused approach to processes. QA is any systematic process for ensuring a product meets specified requirements, whereas QC addresses other issues, such as individual inspections or defects.</p> <p>In software development, QA practices seek to prevent malfunctioning code or products. QC implements testing and <a href="https://www.techtarget.com/whatis/definition/troubleshooting">troubleshooting</a> and fixes code.</p> </section> <section class="section main-article-chapter" data-menu-title="QA standards"> <h2 class="section-title"><i class="icon" data-icon="1"></i>QA standards</h2> <p>QA and ISO standards have changed and been updated over time to stay relevant to today's businesses.</p> <p>ISO 9001:2015 is the latest standard in the ISO 9000 series. It provides a stronger customer focus, top management practices, and guidance on how management practices can change a company. ISO 9001:2015 also includes improvements to the standard's structure and more information for risk-based decision-making.</p> <p>ISO 9001 helps organizations improve and optimize processes, efficiently resolve customer queries and complaints, and increase overall customer satisfaction. The standard encourages organizations to regularly review their QA processes to identify areas for improvement.</p> </section> <section class="section main-article-chapter" data-menu-title="Quality assurance in software"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quality assurance in software</h2> <p>Software quality assurance (SQA) systematically identifies patterns and the actions needed to improve development cycles. However, finding and fixing coding errors can have unintended consequences; fixing one issue can cause problems with other features and functionality.</p> <p>SQA has become an important way for developers to avoid errors before they occur, saving development time and expenses. But even with SQA processes in place, an update to software can break other features and cause defects -- known as <a href="https://www.techtarget.com/searchsoftwarequality/definition/bug">bugs</a>.</p> <p>There have been numerous SQA strategies. For example, the <a href="https://www.techtarget.com/searchsoftwarequality/definition/Capability-Maturity-Model">Capability Maturity Model</a> is a performance improvement-focused SQA model. CMM ranks maturity levels of areas within an organization and identifies optimizations that can be used for improvement. Rank levels range from being disorganized to being fully optimal.</p> <p>Software development methodologies that rely on SQA include <a href="https://www.techtarget.com/searchsoftwarequality/definition/waterfall-model">Waterfall</a>, <a href="https://www.techtarget.com/searchsoftwarequality/definition/agile-software-development">Agile</a> and <a href="https://www.techtarget.com/searchsoftwarequality/definition/Scrum">Scrum</a>. Each development process seeks to optimize work efficiency.</p> <h3><strong>Waterfall</strong></h3> <p>This methodology takes a traditional linear approach to software development. It's a step-by-step process that typically involves gathering requirements, formalizing a design, implementing code, code testing, remediation and release. It's often seen as too slow, so alternative development methods were developed.</p> <h3>Agile</h3> <p>This approach is team-oriented, with each step in the work process treated as a sprint. Agile software development is highly adaptive but less predictive because the scope of the project can easily change.</p> <h3>Scrum</h3> <p>This method combines the Waterfall and Agile approaches. Developers are split into teams to handle specific tasks, and each task is separated into multiple sprints.</p> <p>The first step in choosing a QA methodology is to set goals. Then, consider the advantages and tradeoffs of each approach, such as maximizing efficacy, reducing cost or minimizing errors. Management must be willing to implement process changes and work together to support the QA system and establish quality standards.</p> </section> <section class="section main-article-chapter" data-menu-title="QA team"> <h2 class="section-title"><i class="icon" data-icon="1"></i>QA team</h2> <p>SQA career options include <a href="https://www.techtarget.com/searchsoftwarequality/feature/Skills-and-responsibilities-in-a-QA-engineer-role">SQA engineer</a>, SQA analyst, SQA manager and SQA test automation. Software quality engineers monitor and test software through development. An SQA analyst monitors the implications and practices of SQA over software development cycles. SQA test automation pros create programs to <a href="https://www.techtarget.com/searchenterpriseai/feature/How-AI-changes-quality-assurance-in-tech">automate the SQA process</a>.</p> <p>These programs compare predicted outcomes with actual outcomes. They ensure software quality standards are consistently met. An SQA manager oversees the entire process and examines outcomes to verify that the software is production-ready. Therefore, having a QA team in place means a comprehensive approach to quality assurance.</p> </section> <section class="section main-article-chapter" data-menu-title="SQA tools"> <h2 class="section-title"><i class="icon" data-icon="1"></i>SQA tools</h2> <p>Software testing is an integral part of software QA. Testing saves time, effort and cost, and it facilitates the production of a quality end product. Developers can use numerous software tools and platforms to automate and orchestrate testing to facilitate <a href="https://www.techtarget.com/searchsoftwarequality/feature/Goal-1-for-the-QA-tester-Take-ownership">SQA goals</a>.</p> <p>Selenium is an open source software testing program that runs tests in various popular software languages, such as C#, Java and Python.</p> <p><a href="https://www.techtarget.com/searchsoftwarequality/definition/Jenkins">Jenkins</a> is another open source program that enables developers and QA staff to run and test code in real time. It's suited for a fast-paced environment because it automates tasks related to the building and testing of software.</p> <p>For web apps or <a href="https://www.techtarget.com/searchapparchitecture/definition/application-program-interface-API">application programming interfaces</a>, Postman automates and runs tests. It's available for Mac, Windows and Linux and supports Swagger and RAML formatting.</p> </section> <section class="section main-article-chapter" data-menu-title="QA uses by industry"> <h2 class="section-title"><i class="icon" data-icon="1"></i>QA uses by industry</h2> <p>The following are examples of how QA is used in various industries:</p> <ul class="default-list"> <li><strong>Manufacturing.</strong> Manufacturing formalized the QA discipline. Manufacturers must ensure that final products have no defects and meet the defined specifications and requirements.</li> <li><strong>Food production.</strong> Food production uses X-ray systems, among other techniques, to detect physical contaminants in the food production process. The X-ray systems ensure that contaminants are removed and eliminated before products leave the factory.</li> <li><strong>Pharmaceutical.</strong> Healthcare and pharmaceutical companies use different QA approaches during each drug development stage. QA processes include reviewing documents, approving equipment calibration, examining training and manufacturing records, and investigating market returns.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="QA vs. testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>QA vs. testing</h2> <p>Multiple aspects of QA are <a target="_blank" href="https://www.forbes.com/sites/forbestechcouncil/2022/08/12/the-distinction-between-testing-and-quality-assurance-in-the-software-industry/?sh=3bb5e6cc391d" rel="noopener">different from testing</a>. They include the following:</p> <ul class="default-list"> <li><b>Purpose. </b>QA is more focused on process improvement and procedures to ensure a product meets quality requirements, while testing is focused on the logistics of examining a product to find defects. QA is broader than testing; it encompasses testing as well as other processes, such as iteratively improving products. Meanwhile, testing is specific, revolving around the tactical process of validating a product's fundamental function and identifying issues.</li> <li><b>Length of time required. </b>Testing examines one version of a product and fixes immediate defects: it's a short-term process with a short-term focus. QA codifies procedures and processes to empower teams to prevent issues before they arise in the long term.</li> <li><b>Teams involved. </b>Specific employees and smaller teams are designated product testers. A larger <a href="https://www.techtarget.com/searchcio/definition/product-development-or-new-product-development-NPD">product development</a> team uses QA. It includes project managers and others who can provide unique perspectives.</li> <li><b>Deliverables. </b>Testing documentation is helpful in the short term as it reports and logs the results of examining one product version at a time. QA deliverables are transcribed procedures that all employees can use indefinitely to ensure the quality of current and future products.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Pros and cons of QA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Pros and cons of QA</h2> <p>The quality of products and services is a critical competitive differentiator. QA ensures organizations create and ship products that are free of defects and meet customers' needs and expectations. High-quality products result in good customer experiences, which leads to customer loyalty, repeat purchases, upselling and advocacy.</p> <p>QA also cuts the costs of remediating and replacing defective products and mollifying dissatisfied customers. Defective products mean higher <a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-service-and-support">customer support</a> costs when receiving, handling, and troubleshooting problems. They also result in additional service and engineering costs to address the defect, test any fixes required and ship the replacement product to customers.</p> <p>QA requires an investment in people and processes. QA team members must define a process <a href="https://www.techtarget.com/searchcio/definition/workflow">workflow</a> and oversee its implementation. This can be a time-consuming process that affects product delivery dates. With few exceptions, the disadvantage of QA is more of a requirement -- a necessary step that must be undertaken to ship a quality product. More serious issues arise without QA, such as product bugs and customer dissatisfaction.</p> </section> <section class="section main-article-chapter" data-menu-title="History of ISO and QA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>History of ISO and QA</h2> <p>Although simple QA concepts can be traced back to the Middle Ages, these practices became important in the U.S. during World War II. High volumes of munitions had to be inspected before they could be sent to the battlefield.</p> <p>After World War II ended, the ISO opened in Geneva in 1947 and published its first standard in 1951 on reference temperatures for industrial measurements. The ISO gradually grew and expanded its scope of standards. The ISO 9000 family of standards was published in 1987; each 9000 number offers different standards for different scenarios.</p> <p>Computer hardware was inspected throughout the mid-20th century, but SQA standards began when the groundwork for Waterfall was laid in the 1970s. Although not called by that name, the approach of separating software development into distinct phases was established and followed for many years.</p> <p>Agile was first used in 2000 as a different approach to more efficient software development and delivery. It ultimately led to modern DevOps practices that emerged in the late 2000s.</p> </section> <section class="section main-article-chapter" data-menu-title="The future of QA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The future of QA</h2> <p>AI, <a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML">machine learning</a>, and low- and no-code tools have gained traction recently and are playing roles in QA and quality improvement. Whether in SQA or manufacturing processes, AI and machine learning are used to inspect products and machinery during performance monitoring or predictive maintenance. <a href="https://www.techtarget.com/whatis/definition/algorithm">Algorithms</a> are used to analyze real-time data and make predictions. This is helping developers and industrial workers identify quality issues before they arise.</p> <p>Because testing is integral to QA, low- and no-code platforms are being increasingly used to automate and streamline what were once tedious testing processes. When the right tools are in place to simplify and automate as many QA processes as possible, employees with programming expertise can spend more time on meaningful tasks.</p> <p><i>New technologies aren't typically easy to integrate into existing processes. Learn how to </i><a href="https://www.techtarget.com/searchsoftwarequality/tip/How-to-gradually-incorporate-AI-in-software-testing"><i>gradually incorporate AI into software testing</i></a><i>.</i></p> </section> Quality assurance (QA) is any systematic process of determining whether a product or service meets specified requirements. https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg https://www.techtarget.com/searchsoftwarequality/definition/quality-assurance Mon, 23 Dec 2024 00:00:00 GMT 60 webmaster@techtarget.com