
This guide will introduce you to the Kiuwan Governance Module. 


Introduction to Kiuwan Governance


Kiuwan Governance has been designed for Security/QA Engineers or IT Managers. It shows grouped results of the analyses performed on the account code, grouped by portfolios; a piece of essential information for managing the applications at an executive level.

There are four default portfolios to help you manage the activity of your providers or development teams:

  1. Business value
  2. Provider
  3. Technology
  4. Quality Model

Besides, you can create all the portfolios you need to sort your applications.


Summary

The Summary screen shows the information for the selected group of applications or portfolio. It has two parts: Indicators and Historic data.

Global Indicators

It shows aggregated indicators about risk, quality and effort to target for all the applications in the portfolio. Their meaning is similar to that of the same indicators in the Portfolio View.
It also displays other globally significant metrics, such as the total number of lines of code (LoC), the total number of files, and the total number of defects found that are considered very critical (very high).

Historic values

At the bottom of the screen, Kiuwan shows the history of these three indicators, with the possibility of setting the time scale.
The data on this screen can be exported to a report in PDF format (see the option at the top right).

Decision Quadrant

Clicking on 'Decision Quadrant' takes you to a page where your applications are shown in four different graphics, depending on their business value, failure probability, maintenance risk and security risk. You can display any of these graphics by clicking on the corresponding button: Business, Production, Development or Security.

Below each of these graphics there are some metrics with data about your applications: the number of them, the total lines of code and the results of the main indicators. Then you can see all your applications in a list, sorted by different criteria.

You can group the applications shown by portfolios, and the graphics will vary accordingly.

Business

The business value decision quadrant is aimed at identifying those applications in your portfolio that require immediate action based on their criticality for the business and their exposure to any of the risks you are facing: Global Risk (Risk index), Failure Probability (Production Risk), Maintenance (Development Risk) and Security Risk.

You want all your applications to be as far to the left of the graph as possible, regardless of the risk you are displaying. The higher an application is in the graph, the closer you want it to the left axis, since these are your most critical applications. The applications positioned highest and furthest to the right are the ones needing immediate action (higher risk).

On the vertical axis we represent the business value (criticality) you have decided your applications have. It can have 5 different values, from critical to very low. The metric on the horizontal axis can be chosen from the 4 types of risk we calculate for your applications:

  • Global Risk (risk index): This index combines the application quality (taking into account all software characteristics), the effort to repair based on the target for each application, and the application size. If the risk index is high you should invest in the quality (redesign) of the application.
  • Failure Probability (Production Risk): This indicates whether applications are likely to provoke frequent errors in production. Applications with high Failure Probability could be a problem in the short term.
  • Maintenance Risk: This tells you whether applications’ maintenance costs are going to be higher than expected, or whether it is going to be complex and costly to add new functionality to them. If the Maintenance Risk is high it could be a problem in the mid term.
  • Security Risk: This indicates how vulnerable an application is to internal or external attacks, based on the number of vulnerabilities found in the application’s code as listed by CWE and OWASP. A high Security Risk indicates that applications have more exploitable vulnerabilities that can lead to security breaches of all kinds.
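The reading rule above (highest business value plus furthest right means act first) can be written down as a small triage routine. The following is an added example, not Kiuwan's own code or algorithm: it assumes the five-level business-value scale and a 0-100 risk metric described on this page, while the 50-point split of the horizontal axis, the "critical or high counts as upper" split of the vertical axis, the `Application` class and the sample portfolio are constructed for the demonstration.

```python
"""Triage helper modelled on the Business decision quadrant described above.

Added example, not Kiuwan's own code. It assumes a five-level business-value
scale (critical .. very low) on the vertical axis and a risk metric normalized
to 0-100 on the horizontal axis; the split points and the sample applications
are constructed for the demonstration.
"""
from dataclasses import dataclass

# Vertical axis: the five business-value levels, highest first (labels assumed).
BUSINESS_VALUE_LEVELS = ("critical", "high", "medium", "low", "very low")

# Horizontal axis: the four risk metrics the quadrant can display.
RISK_METRICS = ("risk_index", "failure_probability", "maintenance_risk", "security_risk")


@dataclass
class Application:
    name: str
    business_value: str
    risks: dict  # metric name -> value normalized to 0..100


def business_value_score(level: str) -> int:
    """Map a business-value label to 0..4, where 4 is 'critical' (top of the graph)."""
    if level not in BUSINESS_VALUE_LEVELS:
        raise ValueError(f"unknown business value level: {level!r}")
    return len(BUSINESS_VALUE_LEVELS) - 1 - BUSINESS_VALUE_LEVELS.index(level)


def quadrant(app: Application, metric: str, risk_split: int = 50) -> str:
    """Return the quadrant the application falls in for the chosen risk metric.

    'upper-right' is the high-business-value / high-risk corner where the page
    says immediate action is needed. The split points (business value 'high' or
    above, risk >= risk_split) are assumptions, not Kiuwan's thresholds.
    """
    if metric not in RISK_METRICS:
        raise ValueError(f"unknown risk metric: {metric!r}")
    high_value = business_value_score(app.business_value) >= 3  # critical or high
    high_risk = app.risks[metric] >= risk_split
    vertical = "upper" if high_value else "lower"
    horizontal = "right" if high_risk else "left"
    return f"{vertical}-{horizontal}"


def immediate_action(apps, metric: str) -> list:
    """Names of the applications in the upper-right quadrant for this risk metric."""
    return [a.name for a in apps if quadrant(a, metric) == "upper-right"]


def prioritize(apps, metric: str) -> list:
    """Order applications for review: highest business value first, then highest risk.

    This follows the page's reading of the graph: the higher an application sits,
    the less distance to the right you are willing to tolerate.
    """
    ranked = sorted(
        apps,
        key=lambda a: (-business_value_score(a.business_value), -a.risks[metric]),
    )
    return [a.name for a in ranked]


# Constructed sample portfolio (names and values invented for the example).
SAMPLE_APPS = [
    Application("payments", "critical", {"risk_index": 70, "security_risk": 82}),
    Application("billing", "high", {"risk_index": 40, "security_risk": 35}),
    Application("intranet-wiki", "low", {"risk_index": 65, "security_risk": 90}),
    Application("marketing-site", "very low", {"risk_index": 20, "security_risk": 10}),
]

if __name__ == "__main__":
    for metric in ("security_risk", "risk_index"):
        print(metric, "immediate action:", immediate_action(SAMPLE_APPS, metric))
        print(metric, "review order:", prioritize(SAMPLE_APPS, metric))
```

Note that `intranet-wiki` has the highest security risk in the sample but lands in the lower-right quadrant and third in the review order: the quadrant deliberately weighs business value before raw risk, which is exactly why a low-value application with many findings does not jump the queue ahead of a critical one.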


Production

The Production quadrant is aimed at identifying those applications in your portfolio that could cause problems in production, and whether they will be able to recover from these errors easily. The applications with higher exposure to this kind of risk will be those in the upper-right area of the quadrant.

On the vertical axis we represent Failure Probability. This indicates whether applications are likely to provoke frequent errors in production. Applications with high Failure Probability could be a problem in the short term.

In the horizontal axis we represent application Complexity, a normalized (between 0 and 100) metric based on applications’ cyclomatic complexity by function, duplication of code and maintainability index.


Development

The Development quadrant is aimed at identifying those applications in your portfolio that are exposed in the mid term given the difficulty and associated cost of maintaining them. The applications with higher exposure to this kind of risk will be those in the upper-right area of the quadrant.

On the vertical axis we represent the Maintenance Risk: this indicates whether applications’ maintenance costs are going to be higher than expected, or whether it is going to be complex and costly to add new functionality to them. It is based on the evidence gathered from the code for the maintainability index.

In the horizontal axis we represent application Complexity, a normalized (between 0 and 100) metric based on applications’ cyclomatic complexity by function, duplication of code and maintainability index.


Security

The Security quadrant is aimed at identifying those applications in your portfolio that are exposed to potential internal or external attacks that can compromise the integrity of your organization, and whether these potential vulnerabilities can be easily corrected. The applications with higher exposure to this kind of risk will be those in the upper-right area of the quadrant.

On the vertical axis we represent the Security Risk: this indicates how vulnerable an application is to internal or external attacks, based on the number of vulnerabilities found in the application’s code as listed by CWE and OWASP.

In the horizontal axis we represent application Complexity, a normalized (between 0 and 100) metric based on applications’ cyclomatic complexity by function, duplication of code and maintainability index.


Activity

On this screen you can control and manage the activity of all your software providers, development teams, different application technologies... In short, you can filter the activity by any of the groups of portfolios you have in your account.

By selecting a time period you can access all the information for that period: lines of code analyzed, risks, global indicators, effort to target...

The information displayed indicates the variation of each item within the selected period of time.


Ranking


On the Ranking screen all your applications are sorted by their position in the ranking. You can group the applications in the ranking by portfolios. If you click on any of them, a dashboard is displayed showing useful data, such as:

  • The number of files in that application.
  • The lines of code that application has.
  • The values of the main quality indicators:
    • Effort to target
    • Quality indicator
  • The position of that application in the ranking, depending on its quality.
  • The distance to the top, measured in quality values.
  • The date of the last analysis run.
  • The quality model used in that last analysis.
  • The value of the complexity by function.
  • The number of defects found and the number of muted defects, if any.
  • The duplicated code ratio.
  • A graph of the main quality indicators mentioned above.
  • A graph of the distribution of the lines of code by language.

Reports

At Global View level, Kiuwan provides one preconfigured report in PDF format, which shows the following information:

  • Introduction: Methodology.
  • Application & analysis information.
  • Risk index.
  • Quality.
  • Reparation efforts.
  • Main metric values.
  • Applications overview.

Crossings

On this screen you see a table where you can pick the metric whose values you want to see, crossing the data of the two portfolios you want to compare.

This can help you make decisions depending on the crossing selected. For example, you can see the lines of code (metric) developed by your different providers (portfolio 1) according to the business value of the applications (portfolio 2).


Permissions to access Governance module

By default, only an Account Owner can access the Governance module.

However, the Account Owner can grant access to the Governance module to any user. In User Management, select the user, click on User privileges and select View governance.

IMPORTANT: By granting the View governance privilege, the user is allowed to access the Governance module, but they will only see aggregated data from those applications on which they have "Read" permission.

Please visit User management - Set administration privileges for help on managing administration permissions.
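The access rule above has two layers: a privilege that opens the module, and per-application Read permission that decides which applications feed the aggregated numbers. The following is an added example, not Kiuwan's own code: it models that rule with a constructed in-memory `User` class, invented analysis results and invented users, and shows why the Read filter must be applied before aggregation so that totals never include applications the user cannot read.

```python
"""Aggregating governance data under the View governance privilege.

Added example, not Kiuwan's own code. It assumes a simple in-memory model of
the rule stated above: an Account Owner sees everything, a user with the View
governance privilege sees only aggregated data for applications on which they
hold Read permission, and anyone else cannot open the module. The analysis
results and users below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed per-application analysis results: name -> provider portfolio and metrics.
ANALYSES = {
    "payments":      {"provider": "Provider A", "loc": 120_000, "defects_very_high": 7},
    "billing":       {"provider": "Provider A", "loc": 80_000,  "defects_very_high": 2},
    "intranet-wiki": {"provider": "Provider B", "loc": 30_000,  "defects_very_high": 1},
}


@dataclass
class User:
    name: str
    is_account_owner: bool = False
    view_governance: bool = False                 # the 'View governance' privilege
    read_apps: set = field(default_factory=set)   # applications with Read permission


def can_open_governance(user: User) -> bool:
    """Only the Account Owner, or a user granted View governance, may enter the module."""
    return user.is_account_owner or user.view_governance


def visible_applications(user: User, analyses: dict) -> dict:
    """Restrict the data set before any aggregation happens (deny by default)."""
    if not can_open_governance(user):
        raise PermissionError(f"{user.name} has no access to the Governance module")
    if user.is_account_owner:
        return dict(analyses)
    return {name: data for name, data in analyses.items() if name in user.read_apps}


def global_indicators(user: User, analyses: dict, provider=None) -> dict:
    """Global Indicators style totals, computed only over applications the user may read.

    Filtering by portfolio (here: provider) happens after the permission filter,
    so a portfolio total can never reveal numbers from unreadable applications.
    """
    visible = visible_applications(user, analyses)
    if provider is not None:
        visible = {n: d for n, d in visible.items() if d["provider"] == provider}
    return {
        "applications": len(visible),
        "loc": sum(d["loc"] for d in visible.values()),
        "defects_very_high": sum(d["defects_very_high"] for d in visible.values()),
    }


# Constructed users.
OWNER = User("owner", is_account_owner=True)
ANALYST = User("analyst", view_governance=True, read_apps={"billing", "intranet-wiki"})
DEVELOPER = User("developer", read_apps={"payments"})  # Read permission, no View governance

if __name__ == "__main__":
    print("owner   :", global_indicators(OWNER, ANALYSES))
    print("analyst :", global_indicators(ANALYST, ANALYSES))
    print("analyst, Provider A only:", global_indicators(ANALYST, ANALYSES, provider="Provider A"))
    try:
        global_indicators(DEVELOPER, ANALYSES)
    except PermissionError as err:
        print("developer:", err)
```

The analyst's Provider A total reports one application and 80,000 lines even though Provider A owns two applications in the account: `payments` is dropped by the Read filter before the portfolio filter runs. Keeping that order is the check worth writing a test for when you build a reporting layer over per-application permissions.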