VeriPrism vs. Legacy Vendors

VeriPrism

  • Run time < 1 minute!
  • 100% detection, all 109 rules
  • Next-generation deterministic Intelligent Sizing Units plus LOC/AFP/AEP sizing
  • Zero onboarding
  • Zero reconfiguration
  • Zero limitations or metering
  • Avoids consulting by design
  • Enterprise license
  • Extra instances, resource fee only
  • Typical annual enterprise TCO
    $575K – that’s it

Vendor 2

  • Run time 30x > VeriPrism
  • 55% detection of 109 rules
  • 94% detection of 64 claimed rules
  • LOC sizing only
  • Lines of code metered
  • Typically requires onboarding
  • May require reconfiguration
  • Vendor consulting organization
  • Licensed by LOC per instance
  • Minimum enterprise cost ~$130K
  • Typical annual enterprise TCO
    $250K – $1M+ per instance

Vendor 3

  • Run time 74x > VeriPrism
  • 27% detection of 109 rules
  • 49% detection of ~59 claimed rules – vendor does not disclose
  • LOC/AFP/AEP sizing
  • Minimum enterprise cost ~$500K
  • Onboarding required ($+)
  • Supports only onboarded apps
  • Reconfiguration assistance ($+)
  • Vendor consulting required ($+)
  • Complex unit-based licensing ($+)
  • Typical annual enterprise TCO
    $3M – $5M++ per instance

Comparisons performed using identical Java code on a recommended platform for each product. VeriPrism runs in a fixed configuration environment on the AWS cloud. While precise speed differences will vary by installation, the relative speed of VeriPrism versus the competition is indicative regardless of competition platform.

The VeriPrism Difference

While VeriPrism is indeed competitive with many or all of the software quality and measurement tools which have been around for decades, we like to think of ourselves as fully differentiated. This can be seen in the competitive sweet spots identified in the chart as compared to the organizational benefits of solid software quality and security management. The difference is that measurement and reporting of the weaknesses in code is not our end result. The data which VeriPrism provides contributes to the flow of value across multiple levels of the organization. Legal, purchasing, human resources, operations, and of course technical domains all stand to benefit from the information we provide.

VeriPrism is especially useful in maximizing the value of internal shared service center (SSC) or outsourcing arrangements.  Governance of these management constructs can be difficult without some source of objective, unquestionable, comparison to global standards.  VeriPrism was designed with the management and value of the software portfolio at the forefront.

Application Development Management

Consumer: ADM Executive

Value: Optimal Staff Utilization & Outsource Governance

AppDev VPs require identification of the factors affecting the costs of their applications and the productivity of their developers. They need to know how technical debt is spread across their applications to determine where applying resources will yield the greatest return in reducing maintenance costs. They need intelligence on which practices and tools are producing the greatest benefit as they transform to an Agile/DevOps environment and automate the software production process. They need to identify the provenance and vulnerabilities of all the software components assembled internally or acquired through their software supply chain. They need data from sequential builds and releases to spot trends that demand corrective action.

Up until now, ADM has largely been a function of managing dollars and bodies (whether payroll or contract) against user acceptance. If the company accepts the price paid for the perceived value then all is good. The ability to actually measure delivery from the inside out has largely been a function of lines of code and adherence to provided specifications. Aspirational claims of being “the measure” of software quality have turned out to be algorithmic guesstimates at best, or commonly agreed fact substitutes at worst.

By reducing software structure to fact-based metrics, VeriPrism eliminates a common point of disagreement between coders and purchasers of code. 

Utilizing a clean slate approach, VeriPrism takes advantage of leading-edge, evolving global standards while integrating decades-old industry-accepted metrics. For example, function points have been around since IBM created them in the 1970’s, but until now there has been no simple, objective method of counting them. Whether your need is for complex sizing or quality management, VeriPrism provides accurate, objective, repeatable data simply and quickly.

Vendor Management

Consumer: Purchasing / Vendor Management Organization & Suppliers

Value: Objective SLA Management, ARC/RRC Validation

Vendor Managers can use thresholds set from the CISQ quality measures as the equivalent of Service Level Agreements in their contracts. Because CISQ measures are international standards, there is less room for argument and diverging interpretation. These measures, along with OMG-standard sizing measures provided by AIP, can be written into Requests for Proposals, Statements of Work, Contracts, and Acceptance Tests. Vendor managers can also specify CISQ weaknesses such as SQL Injection that are considered so severe they are not allowed to be in the delivered software. Progress can be tracked against these measures throughout the performance period, and they can be used for setting award fees.

Software Suppliers need intelligence about the software they deliver to their customers to ensure they are meeting contractual requirements and service level agreements. When estimating the cost of maintaining a system for a customer, they need intelligence on the structural quality of the system to determine the level of effort required to achieve service level thresholds. To ensure they become a preferred supplier they can use this intelligence internally to improve the capability and knowledge of their development staff. Customers and suppliers can use software intelligence jointly to reach decisions on how best to manage the application portfolio and improve critical applications.

In this context, a “vendor” is either an outsourced development provider or an internal shared service center. When trying to justify vendor charges or prove the continued value of internal resources it is critical to have an objective view of results. In the past this has been accomplished by experienced techies talking to frequently non-technical consumers of the technical output. Frequently, the party who tires first in the discussion wins their point, until the next bill or justification point arrives, at which time the process repeats. This is especially prevalent in organizations where purchasing serves as the intermediary between providers and requestors. In some respects, VeriPrism actually reduces code to functional collections of widgets (nodes if you are a techie) which can be valued and managed.

By decomposing code into Application DNA which is universal across any language, quality, sizing, and security metrics are fully exposed.  This renders all discussions of development performance down to delivered results.
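One way to turn the contractual use of CISQ measures described above (threshold-based SLAs, zero-tolerance weaknesses such as SQL Injection, and progress tracking across a performance period) into a repeatable acceptance check. This is an added example and not VeriPrism's, AIP's or any vendor's code: the report format, the use of CWE identifiers as rule ids, the per-characteristic density limits and the sample counts are all constructed for the illustration.

```python
"""Contract acceptance gate over a structural-analysis report (added example).

Assumptions (not from the page): a report is a dict with a function-point
size and a list of findings, each finding carrying a rule id, the CISQ
characteristic it belongs to, and an occurrence count. Thresholds are
expressed as weaknesses per 1000 function points (kFP), which keeps the
SLA independent of application size.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample delivery report (values invented for the example).
SAMPLE_REPORT = {
    "size_function_points": 1240,
    "findings": [
        {"rule": "CWE-89", "characteristic": "Security", "count": 1},        # SQL injection
        {"rule": "CWE-79", "characteristic": "Security", "count": 3},        # cross-site scripting
        {"rule": "CISQ-R-07", "characteristic": "Reliability", "count": 18},   # hypothetical rule id
        {"rule": "CISQ-M-12", "characteristic": "Maintainability", "count": 210},  # hypothetical rule id
    ],
}


@dataclass
class Contract:
    # Weaknesses that may not appear at all in a delivery (zero tolerance).
    forbidden_rules: set[str]
    # Maximum weakness density per characteristic, per 1000 function points.
    max_density_per_kfp: dict[str, float]


# Constructed contract terms: SQL injection is forbidden outright; the
# remaining characteristics are governed by density limits.
SAMPLE_CONTRACT = Contract(
    forbidden_rules={"CWE-89"},
    max_density_per_kfp={"Security": 5.0, "Reliability": 10.0, "Maintainability": 200.0},
)


@dataclass
class GateResult:
    passed: bool
    violations: list[str] = field(default_factory=list)
    densities: dict[str, float] = field(default_factory=dict)


def density_per_kfp(report: dict) -> dict[str, float]:
    """Total weakness count per characteristic, normalised to 1000 function points."""
    fp = report["size_function_points"]
    totals: dict[str, int] = {}
    for f in report["findings"]:
        totals[f["characteristic"]] = totals.get(f["characteristic"], 0) + f["count"]
    return {c: n / fp * 1000 for c, n in totals.items()}


def evaluate(report: dict, contract: Contract) -> GateResult:
    """Apply zero-tolerance rules first, then the density SLAs; collect every violation."""
    result = GateResult(passed=True, densities=density_per_kfp(report))
    for f in report["findings"]:
        if f["rule"] in contract.forbidden_rules and f["count"] > 0:
            result.violations.append(
                f"forbidden weakness {f['rule']} present ({f['count']} occurrence(s))")
    for char, limit in contract.max_density_per_kfp.items():
        actual = result.densities.get(char, 0.0)
        if actual > limit:
            result.violations.append(
                f"{char} density {actual:.1f}/kFP exceeds SLA of {limit}/kFP")
    result.passed = not result.violations
    return result


def trend(previous: dict[str, float], current: dict[str, float]) -> dict[str, float]:
    """Change in density per characteristic between two deliveries (negative = improving)."""
    keys = set(previous) | set(current)
    return {k: current.get(k, 0.0) - previous.get(k, 0.0) for k in keys}


if __name__ == "__main__":
    gate = evaluate(SAMPLE_REPORT, SAMPLE_CONTRACT)
    print("PASS" if gate.passed else "FAIL")
    for v in gate.violations:
        print(" -", v)
```

The gate reports every violation rather than stopping at the first, so the same output can feed both an acceptance decision and the award-fee discussion; `trend` compares two deliveries' densities so that progress over the performance period is measured with the same numbers the contract uses.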

Compliance

Consumer: Legal

Value: Licenses, PCI, GDPR, HIPAA, and other exposures

Chief Counsels and their legal teams are concerned about compliance with laws, regulations, and licenses. For instance, they need intelligence on all the applications accessing confidential customer data in order to ensure compliance with laws such as GDPR and PII. Thus, they need verifiable evidence that all access points to these data have been secured to ensure customer privacy is properly protected. In addition, although developers enhance productivity by incorporating open source code in their applications, they can expose the enterprise to liabilities for violating licenses tied to these components. When software is acquired from third party sources it is difficult to know the provenance of all the components included. Thus, legal teams need several sources of intelligence to ensure full compliance.

The problem with managing thousands and millions of lines of computer code is that you end up with MBE (Management By Exception). How about never going out of compliance? How about maintaining compliance as an integrated and non-invasive step in your workflow without eating up days of wait time? On individual modules, VeriPrism will take less time than the average coffee break, and it will analyze an entire system overnight.

Knowing that your software complies with international and corporate quality standards before you detect a fault reduces technical debt and increases reliability.  Assuring that your third party open source code is in similar compliance reduces hidden exposures.

Risk Reporting

Consumer: Audit

Value: Objective CISQ & Custom Quality Measures

Internal Auditors measure and report the primary risks to the business. Software-intensive systems now comprise a significant portion of corporate risk. The business can set risk tolerance thresholds using CISQ measures that can quantify the level of risk created by different systems. When combined with operational data, risk numbers can be correlated with operational incidents to predict the probability and cost of future incidents. Objective data from AIP enable external auditors to assess the credibility of internal risk audits.

Whether reporting to internal leadership, the markets, or the government it is important to avoid surprises while producing auditable, repeatable, results.

VeriPrism provides the ability to do full environment scans as often as needed.  We are not licensed per execution, per application, or per hardware.  When you are looking to eliminate likely risk exposures in your code environment, VeriPrism provides prompt objective reporting. 

We not only analyze your in-house code, we examine the NIST rating for each third party open source component in your environment.

IT Service Level Achievement

Consumer: Business Units

Value: Cost & Effort Estimates Based on Objective Observations

Business Management often places unreasonable demands on IT, resulting in death march schedules that produce faulty software. In addition, constant demand for new functionality keeps IT from retiring technical debt from their applications, accelerating the growth of legacy systems that harm business agility. Software intelligence that is condensed for business leaders helps explain the sustainable pace at which trustworthy software can be delivered. It also reveals the necessity and cost of removing technical debt to sustain business competitiveness. Appropriately packaged software intelligence provides a foundation for the business to build a better partnership with IT for achieving business objectives.

Achieving committed service levels requires knowing what you are working with to deliver the service. If you are working at a 6 sigma company, with penalties for delivery below 5 sigma, but you are starting with 4 sigma code, you have a problem!

VeriPrism provides an objective method of obtaining current state before agreements are signed and tracking progress toward desired state over time.  This is critical in an AMS environment for both providers and recipients to properly manage costs and expectations. 

Cost Analysis

Consumer: CFO

Value: Total Cost of Ownership Reductions, Return on Investment Maximized

Chief Financial Officers must estimate future costs accurately to set IT budgets and control expenditures. CFOs need estimators for the costs for modernizing legacy applications, the amount of corrective maintenance required across the application portfolio, and the needed enhancements to business-critical systems. Summary data from deep analysis of their applications provides critical intelligence for understanding costs, making decisions, allocating resources, and estimating future expenditures. Without this intelligence, CFOs are at the mercy of subjective opinions. They cannot confidently assess the cost trade-offs involved in outsourcing, cloud migration, application modernization, and business transformation without knowing the sources of costs and their projected trends. Deep insight from software intelligence is key to understanding and managing software costs.

With most, if not all, software intelligence products on the market today, Cost Analysis is a function of relative algorithmic estimation. You have this many lines of code, it took this long, you paid this much, there were this many break/fix events, and this many minor and major outages.

How much function was provided in those lines of code? How secure was the code? What is the accrued technical debt of the delivered code? These kinds of arguments have been arduous and often based on the sense that something isn’t quite right with the performance or the output of the application.

Since VeriPrism essentially reduces your code to digital “widgets”, you are suddenly able to manage and cost your code just like a manufactured product. The entire development process is rendered more efficient with higher quality and less angst across the organization.

Organizational Performance

Consumer: CEO

Value: Maximize Value of Digital Assets

CEOs, COOs, and the Board of Directors need to demonstrate that they are performing their governance responsibilities over the primary risks to the enterprise and its profitability. One way to govern the risk of software-intensive systems is certification. Certifying business-critical applications against the CISQ measures (approved as international software quality standards by the Object Management Group, OMG), which are computed by AIP, certifies an application’s level of risk. When an application fails to achieve an enterprise’s risk tolerance thresholds on the CISQ measures, the executive team can direct IT to implement an improvement project.

Production Environment

Consumer: Operations

Value: Point of Failure Identification

Operations needs intelligence on the configuration and versioning of different layers and components in the application system as they are placed into production. They also need intelligence on the quality of the system and areas of risk to anticipate which parts of an application system may be most susceptible to incidents. In some cases, they will need tools to diagnose weaknesses in the application to restore it to operation quickly after a service interruption. As more of the development and production functions are merged during a DevOps transformation, the intelligence needs of operations staff will merge with those of developers. Intelligence will be needed to determine which tools and practices are most effective in accelerating a trustworthy production process.

Do you know the cost of less than top quality code in your environment? What is the cost of remediation? What is the cost of over-platforming to compensate for under-performing applications? Asset costs, people costs, and organizational productivity are all impacted by code quality. With objective information from VeriPrism you can track cause and effect across the IT environment as a result of application quality and complexity.

Application Integrity

Consumer: Architects

Value: Blueprints, Software DNA, Diagnostics

System Architects benefit from deep insight into the structure and quality of their applications to ensure compliance with architectural rules. They need an accurate, detailed image of the as-built architecture to plan its migration to a more efficient and scalable architecture during modernization. Visual intelligence exposing redundancies in the software aids splitting out micro-services. System architects, more than any other role, need to visualize the entire application and the interactions among its component layers to ensure they are constructed to best serve the business strategy.

What is the relationship between break/fix and application quality? Understanding why errors are happening in the environment leads to faster resolution, or prevention, and greater user satisfaction.

Whether you are performing incremental module scans during the programming day or analyzing your entire environment overnight, VeriPrism assists you in delivering quality on first delivery into production.

Portfolio Analysis

Consumer: CIO

Value: Summary Data, Trends, Continuity Plans

CIOs cannot effectively manage their application portfolios without software intelligence. They need guidance on whether applications are ready to be shifted to the cloud, where they can efficiently modernize from monoliths to micro-services, and the hidden risks in scaling critical business applications. They need to identify which applications present the greatest operational risk to the business and be able to explain with facts the cost of remediation. To understand tradeoffs, prioritize projects within the IT budget, defend costs, and balance investments between applications that run the business and those that grow it, CIOs need intelligence based on hard data from analysis of their application portfolio.

What issues will you encounter moving to a cloud, out of one, or to another? How much COBOL is left in your organization? What hidden or embedded languages are in your code? Are the applications with the greatest backlogs plagued with the fewest resources? How much third party exposure do you have? Just exactly what do you have to manage, and do you have the right resources to succeed?

If you have 15,000 applications and you would like to reduce that by 80% how many microservices can you harvest?  How many applications have overlapping functions?  What are the architectural considerations?  VeriPrism can help with all of these dynamics.

Code Quality

Consumer: Developers

Value: Point of Failure Identification

Developers do their best work when they receive two types of feedback. First, they need intelligence on the quality of the code they are committing to a build to avoid breaking it and to reduce maintenance effort. Second, they need intelligence on weaknesses they have created at the layer and system levels. Since large multi-layer, multi-technology systems are too complex for any single developer to understand, feedback from software analysis of the integrated system detects flawed interactions between layers and within the technology stack that cannot be detected without automated analysis. Software intelligence enables developers to learn about system interactions and see all the components affecting a transaction from the user interface to the database. Visual intelligence about software structure reduces search time when discovering system interactions. In addition, intelligence about the nature and location of defects speeds root cause analysis and problem resolution, causing quality improvement to ‘shift left’.

The “Software Audit” is all relative. How can an audit be relative? If you are only looking at what you look at and not everything that should be looked at, you are providing a limited scope assessment. If you only sample a section of code, and then extrapolate your findings across the rest of the code, that is an estimate, not an audit. If you examine less than 50% of the CISQ rules then, again, you are only providing a limited scope assessment and not an audit. An informed best estimate is not an audit. If you are only looking at about 80% of the code, and completely skipping over embedded alternate language code, you are not auditing but rather performing a general assessment.

VeriPrism provides objective counts of code components and tests OWASP and CISQ rules, ALL of the rules, against as much of your code as you wish to audit, up to and including ALL of your code.

System Quality

Consumer: Quality Assurance

Value: Code Hotspots, Security 

Quality Assurance must incorporate software analysis as a critical component of their overall quality strategy. Without the software intelligence emerging from deep analysis of an application, QA only knows about the functional or performance quality of a system, not its structural integrity and engineering weaknesses. Software intelligence comes from several sources, but it is woefully incomplete without the intelligence gleaned from structural analysis. Such intelligence provides quality measures for several software quality characteristics such as reliability, security, performance efficiency, cloud readiness, and maintainability. QA can use these numbers to summarize the quality and risks of applications throughout the portfolio.

System quality is different than code quality. System quality refers to the manner in which your code interacts with all aspects of your technology environment. Being able to observe I/O calls both in the code and across the network affects system quality. Observing the manner in which one application interacts with another affects system quality. Having a “tight and right” piece of code interacting with spaghetti code affects system quality. By laying out all the facts affecting code quality and interaction, you achieve a picture of system quality.

Digital Due Diligence

Consumer: M&A

Value: Inventory & Quality of Digital Assets

Merger and Acquisition Executives need intelligence about the quality of software-intensive systems and products when these represent a substantial portion of the value of an acquisition. Without performing due diligence on the architectural integrity and coding quality of business-critical systems, M&A executives frequently overpay for the assets they are acquiring. In some cases, software intelligence may indicate that the poor state of critical assets does not justify the acquisition. Since consolidating IT systems is critical to achieving an economy of scale from a merger, software analysis can provide critical intelligence to determine which applications should be continued and which should be dropped.

Especially when the code base is a significant source of value in an acquisition, or the foundation of an outsourcing/insourcing contract, it is critical to perform due diligence. Code that “seems to work” is not the same as working code. Code which is wrongly included or excluded in a transaction can have significant consequences. When acquiring or taking responsibility for a code base, failure to have a clear picture of the portfolio can have expensive, if not disastrous, consequences.

VeriPrism makes it possible to obtain a fact-based inventory of the code base with minimal manual intervention.  Understanding not only the list of application names, but the languages, technologies, FTEs to support, and architectural quality is all part of competent due diligence.