tags:

views:

1161

answers:

20
+61  Q: 

How to define code quality in a contract?

At my workplace we want to outsource some parts of our software development project to an external contractor (another company with multiple developers). Our greatest fear is that although all functional requirements will be met, the code may be very bad, as it is often the case with outsourced software projects.

We can't use any of the conventional methods to ensure code qualitity, like peer review or pair programming, so our first idea was: "Hey, make code quality part of the requirements."

But how can we actually do that?

Even if we review the code, we must be able to say: This is not what we agreed. So we need something which can be quantified, something that isn't open for debate.

On the other hand we don't want to scare off every contractor, because the definitions are impractically strict. We don't want perfect code, but at least a minimum of code qualitity should be ensured.

+2  A: 

To solve the copy-paste-pasta problem you could ask for specific code-formatting standard, variable naming and such. At least they'll have to re-read what they pasted and - who knows? - maybe they'll think twice before doing this.

klez  2010-08-20 11:32:00
A: 

you could define a maximum error/warning rate for tools like checkstyle or pmd

Nikolaus Gradwohl  2010-08-20 11:32:45
how would that fix poorly designed functions?
0A0D  2010-08-20 11:48:10
it would prevent several common errors, or very complex functions - i don't think there is a method to guarantee 100% cool code
Nikolaus Gradwohl  2010-08-20 12:51:54
Agree. But that is his question.
0A0D  2010-08-20 13:00:26
i know. you can measure some quality aspects using pmd or checkstyle and that is what you can define in a contract very easy. you can't get a 100% certainty but measurring the quality aspects is better than nothing and you can at least enforce some codestyle rules or quality measures
Nikolaus Gradwohl  2010-08-20 13:38:09
+13  A: 

Have you checked out FxCop or StyleCop?

They are good at sniffing out 'bad smells' and can be integrated into your build.

David Christiansen  2010-08-20 11:33:29
and can be customized to enforce any rule as lonag as noncompliance can be found using static analysis
Rune FS  2010-08-20 13:18:16
A: 

If it's not going to be reviewed, it's not possible. There's no automated program that can determine code quality.

Defining something like maximum errors in a static analysis tool doesn't buy you a thing to determine code quality.

Wade Williams  2010-08-20 11:33:39
Of course we would review it, the problem arises when we say: *"this is bad"* and they say: *"please show us the page of the contract where it says 'this is bad'"*
DR  2010-08-20 11:56:36
Write into the contract that your lead developer must accept the code, and is willing to work with them on a fluid description of acceptable code.
Dean J  2010-08-20 13:50:55
+9  A: 

If you want particular code quality then you'll have to provide your outsourcer with your coding guidelines and ensure your contract includes a clause stating that these must be followed or code may not be accepted.

Lazarus  2010-08-20 11:34:42
If it takes you five years to become a senior dev, and four years of college before that, "writing code quality into a single document" is the equivalent of "writing down every bit of important experience you've gained over the last decade into one document. you have a week." It's really, really easy to say, and almost impossible to do well on a deadline.
Dean J  2010-08-20 13:47:54
@Dean-J : You are over-engineering a coding guideline document, it doesn't attempt to distil the experience and knowledge of a senior dev, that's a ludicrous idea. It set out a framework of guidelines within which the 'supposedly' experienced outsourced dev can work. I work for a global enterprise, this is what they do.
Lazarus  2010-08-20 18:08:24
+4  A: 

You could use some form of metrics to measure cyclomatic complexity and coupling and give an overall target, say, 60/100 (in the VS default metrics tool). Its not foolproof however and the only way to really know the quality is to review it.

edit: Actually, on second thoughts you might be better off taking a different approach. Try to gauge the quality of other code that company has produced and estimate what your product will be like from that. I read something yesterday about outsourcing to India and how it generally produces poor code. Go for a company with a good reputation - youll get what you pay for. I think it's too difficult to measure otherwise.

rmx  2010-08-20 11:37:16
Do you have a link/reference to that article? We had bad experiences with India a few years ago, too, but my boss still thinks all problems we had were one-time problems because of bad luck. (And not because outsourcing software projects to the lowest bidder is risky in general)
DR  2010-08-20 12:14:16
I will look around - it might have even been on SO.
rmx  2010-08-20 12:14:56
Here you go: http://www.diovo.com/2008/08/why-outsourcing-sucks/
rmx  2010-08-20 12:20:35
There are some very good programmers in India. There are some very cheap programmers in India. I haven't seen evidence that those sets have any common members. Since outsourcing is generally driven by short-term cost measures, outsourcers tend to wind up using the cheapest, and hence worst, Indians available. What would happen if the company hired the cheapest programmers available in the US?
David Thornley  2010-08-20 14:19:26
Ah I didn't mean to come off as discriminatory. I'm sure India has both good and bad but it's just common that when you hear 'outsourcing', you think of India.
rmx  2010-08-20 14:38:32
@David: 100% ACK. The given article (written by an Indian) just states the same thing. Nevertheless the association exists, just like Germany and lederhosen or France and champagne.
DR  2010-08-20 14:44:43
@rmx: I wasn't implying discrimination, but rather explaining why outsourcing to India generally produces poor code. It's unfortunate that this gives some people the idea that Indian programmers are bad, of course, because that certainly isn't the case.
David Thornley  2010-08-20 16:07:50
+2  A: 

Code quality is so subjective, especially if all the functional requirements are actually met. The best you can do is request certain concrete things like using an MVC pattern.

Perhaps you can require checkpoints for code review.

But a large part depends on hiring the right people to do the job.

Edit: I tried to find quantifiable items/checklists for code quality, and the best I could do is Wikipedia's list on code quality factors. If the developers still don't want to fix they're code, these factors might not hold up, but they're at least more specific than just saying "quality".

Jon Smock  2010-08-20 11:49:11
+3  A: 

Require a minimum of 100% unit test coverage (or as close as is reasonable for your situation) and establish a baseline cyclomatic complexity score. Class/Method/Variable naming standards should also be established and adhered to and all methods and classes should be documented with standard comments (not normally a fan but in this case it will help ensure they're at least reading what they're copying/pasting from expertsexchange and here)

All those things can be quickly checked and, while not perfect, can at least establish a baseline. I would also require real-time access to the work, daily check-ins, and do a weekly code review of one or two random files. That way you have some chance of catching stuff before it goes horribly wrong.

Chuck  2010-08-20 11:55:57
though I agree that test coverage should be part of the deal it's very shaking. Depending on the culture/people developing. I've used that approach and gottan tests that only executed code and had no assertions but only comments like: "This test is to increase coverage" if only it was possible to measure _test_ coverage and not just _execution_ coverage
Rune FS  2010-08-20 13:17:04
Good point. I'd rather have no test than a test that is there simply to "increase coverage". At least with no tests you aren't misled.
Chuck  2010-08-20 14:41:26
100% test unit coverage is almost impossible, and in most cases, 30-40% of those tests will be pointless. 100% coverage of /important/ code I can live with. Of course, then you have to set up guidelines to what is considered important code.
Cthulhu  2010-09-10 07:38:50
+12  A: 

Use a test balloon: Let them start with a small package first containing only a small feature set (equivalent to a very first milestone). Indicate clearly in the contract, that you expect a high quality of the code.

They might possibly get that a successful delivery will lead to a new contract and deliver high quality. If you are not satisfied you might decide to do the work yourself or find somebody else without having wasted too much money yet.

In addition, it might be useful if you have someone regularly reviewing the code. It's better to define smaller work packages that can easily be reviewed than having one big milestone where it would be too late to ask for any changes.

0xA3  2010-08-20 11:58:43
I like this idea - make them work for the contract. If they can deliver on a small portion, then you can give them a bigger assignment. Of course, this depends on the size of the eventual project and its costs.
Cthulhu  2010-09-10 07:37:21
+1  A: 

I'll suggest another carrot/stick approach.

First of all you have to define what is good code quality. If you can't do that then you can't measure it. (There have been some other replies that have mentioned various tools for measuring complexity etc.) This is probably the hardest thing to actually do.

Then you have to define your contract. Not a code contract, but a business-to-business-real-life-in-the-flesh contract that is physically signed by both parties. This contract needs to state that the outsourced code has to meet you minimum metrics for quality or you will either apply a payment penalty or withhold payments until they correct their work and bring it up to your standards.

The carrot part of this contract would have clauses like bonuses for meeting quality requirements in under the agreed time frame.

If you don't have a physical contract with penalties then there is no incentive for the outsourcing company to supply code to meet your standards.

Peter M  2010-08-20 12:21:50
"First of all you have to define what is good code quality" - The question was: how do you define it? As far as I can see, you don't answer that question, do you?
nikie  2010-08-20 13:13:05
@nikie - I can't define code quality for someone else as it is entirely subjective. Only the OP knows what his quality requirements actually are, and his question was framed as how does he manage/enforce those requirements.
Peter M  2010-08-20 13:20:37
If it takes you five years to become a senior dev, and four years of college before that, "writing code quality into a single document" is the equivalent of "writing down every bit of important experience you've gained over the last decade into one document. you have a week." It's really, really easy to say, and almost impossible to do well on a deadline.It's why outsourcing is often incredibly flawed.
Dean J  2010-08-20 13:50:15
@Dean - I don't think that outsourcing is flawed per se as after all manufacturing has been outsourcing for years. Also you effectively outsource when ever you go to the supermarket and buy food rather than grow it in house. However software outsourcing industry seems to think that quality is not an issue - something that all other industries that outsource have long since dealt with.
Peter M  2010-08-20 14:03:43
@Peter M: Manufacturing and programming are entirely different things. Manufacturing consists of "Make me two million copies of this", and the design should suggest quality tests. With software, making copies is trivial; instead, you need new things that are properly designed. It's much harder to outsource design (even fairly routine design) than duplication.
David Thornley  2010-08-20 14:11:55
@David - I agree but I believe that what you are highlighting is that the outsourcing industry is saying "software quality is hard, so we won't even attempt it". That position wouldn't fly in any other industry.
Peter M  2010-08-20 14:24:32
@Peter M: it's very easy to specify an LED, or a physical part of any kind. I want a diode light 5mm wide, with a 9mm and 10mm pin of 22 gauge solid core wire, that produces a 5400k light in reference blue, lasts 100,000 on/off cycles, and takes .03 amp. Done. It's harder to specify an entire car. It's impossible to specify software with that level of precision, without it being cheaper for the people doing specifications to write it in-house.
Dean J  2010-08-23 13:54:19
A: 

+1 for Lazarus.

Provide coding & development standards and make them sign up to follow those. Allow them to review those standards in advance. What you are trying to achieve is cheaper coding to the same standard that you would deliver yourself. Make sure that those standards tie up with what you do and don't go easy on them or try and make life harder for them than it is for you. If you feel comfortable with it, show them evidence that you review compliance yourselves but you don't have to do that because you are the customer.

The standards can include test case coverage, review coverage, pass rates, or indeed anything that is right for you in your organisation.

Reserve the right to audit compliance with your standards where there are issues. If they deliver quality on time, leave them to it. Where they deliver defects, audit the code, the code review and their standards compliance. Reserve the right to penalties or termination once they fall below a compliance threshold. The same applies if they are late but take care not to put delivery ahead of quality.

If they wont sign up to that, walk away. Outsourcing companies are ten a penny.

dwarFish  2010-08-20 12:33:30
+33  A: 

Controlling an outsourced project quality

If you want a particular project quality, you will have to :

  • Integrate clear quality objectives in your contract
  • Have a clear vision of the project's quality during the development
  • Use an independent system that acts as a trusted third party to validate the level of quality

Clear quality objectives

To help your contractor to comply with your objective, translate your exigencies into concrete technical requirements tailored to your issues.

  • Selects the best practices that must be follow based on the technologies used (Fxcop, StyleCop rules for .NET / Findbugs, PMD, Checkstyle for Java)
  • Sets appropriate tolerance thresholds to achieve the optimal level of quality :
    • Cyclomatic Complexity must be below 20
    • Method size must be below 50 lines
    • No duplicated block with a size superior to 10 lines
    • Test coverage must be superior to 80%

(Indicative threshold, you should adapt the value based on the expected quality. Overquality isn't good either for your project $$$)

Clear vision of the project's quality

In your contract, ask for regular delivery. Evaluate the delivery from your contractors to ensure that they are following your requirements and that they will produce the level of quality necessary for the success of the project. If not pull them back on track.

How to ?

Manually using a bunch of tools

You could use a bunch of tools (For Java : Findbugs, JavaNCSS, Simian...) and manually analyze the project with the right configuration (the specified one). Your contractor will do the same to ensure the quality of the project before delivery.

Using a platform to manage quality

The easiest way to do all that, is to use an existing quality managing software. This software must be available to you and to your contractor. It'll be used as an independent system that acts as a trusted third party to validate the level of quality.

Examples :

madgnome  2010-08-20 13:07:11
+1 for taking the time to correctly format a long answer. :)
mizipzor  2010-08-20 13:26:55
"No duplicated block with a size superior to 10 lines": this is absolutely crucial. I've seen seventeen separate copies of a "formatZipCode" method that all did the same thing in different ways. The one bit I think needs more detail here: "Coverage must be superior to 80%"; define coverage. We also had one developer - out of many - who simply wrote tests that returned true. "Covered!"
Dean J  2010-08-20 13:49:20
@Dean J: Now, define "duplicated block". Character by character duplication? Duplication if you normalize whitespace and character names? What about slightly different function use? Copy-paste coding is bad. Doing much the same thing without using copy-paste can be worse.
David Thornley  2010-08-20 14:15:39
Detecting "doing much the same thing without using copy-paste" could be difficult and could result to a lot of false positive masking the real duplicate (copy-paste one).
madgnome  2010-08-20 14:20:29
@David Thornley: Definitely character by character and normalizing whitespace and variable names. It's harder to automatically spot slight variations, but you're absolutely right; rewriting code without copy and paste is worse, but unfortunately harder to catch.
Dean J  2010-08-23 13:56:23
Good answer, but I still don't think it will work. All metrics can be gamed and outsourcing companies are *great* at this. A metrics is only a proxy for what you *really* want, which is ease of maintenance. To use the "duplicated code" example again: what if they copy/paste a method and then make small changes to the logic (eg. subtract instead of add a number)? What's worse is that in some cases this approach is actually justified, because it's more maintainable than the alternative - but that kind of decision is pretty much impossible to put into a metric.
Evgeny  2010-09-08 23:05:57
Metrics should be a guideline / preference, not a hard requirement - else you'll get funky tricks to, for example, reduce a method length to less than 50, or different formatting in copy/pasted code. Of course, that's based on only checking that using the tools - if you find that out from your own code reviews, you can still refuse the code.
Cthulhu  2010-09-10 07:28:22
+5  A: 

This is not a technical issue. It is about trust.

I suggest concentrating your efforts on finding the right partner. Attempting to manage risks by focusing on effects instead of causes is not a very good approach.

Being open about your concerns and speaking frankly with your potential subcontractor helps also.

Take a couple a days to brainstorm with your team and come up with, say, 10 useful guidelines for code quality as you see it and present those to the other side. Take note of their reactions.

Find the right people. When you are not sure, accept the risks or walk away. Communicate. The is no silver bullet on the technical side for ensuring code quality.

Saul  2010-08-20 13:23:38
+1, As a contractor, I would be hesitant to bid on a project with an amorphous concept of 'code quality' as one of the requirements. I always work to write quality code, as I put my professional reputation on the line whenever I deliver code to a client. Interview a contractor like you would interview a potential hire and remember that software consulting should be a collaborative process; when it becomes confrontational, both sides clamp down in an attempt to reduce risk and the process becomes much less pleasant and productive.
Dan Bryant  2010-08-20 14:51:43
+1 Communication and having the right people who are of the same viewpoint as you goes a long way
InSane  2010-08-20 15:21:48
+1  A: 

I'd argue that if you put a quality metric in a contract, it's always possible to write low-quality code that formally fits these metrics. Simply because a quality metric in a contract has to be a formal criterion, and quality isn't a formal criterion.

My advice would be: Split the projects into small parts. Review each part when it is completed. If the part is up to your coding standards, fine, the contractor can do the next part too. If it's not, give the contractor two choices: Either (a) she improves the code or (b) she won't get a contract for the next part. That way, you can say "this isn't good enough, please improve it", even if there's no contract-ready quality criterion.

nikie  2010-08-20 13:25:02
+2  A: 

I just went through this, and it's a crapshoot. As the "example that worked" to explain this to management, management definitely requires a four year bachelors degree to write code here. They hire senior developers with 5-7 years experience as a minimum for a technical lead.

So, if you have your best developer, who has a minimum of nine years of experience doing just this, you're asking that developer to distill everything they've learned into a single document that can be easily used to verify other developer's code.

It's not impossible, but it's a really, really hard thing to do well.

FindBugs and PMD are code checkers that report back possible problems. Make absolutely sure, above all else, to run something like PMD-CPD, a copy and paste detector. Have a cyclomatic complexity cap.

If it's an option, split requirements, coding, and testing to three separate contracts and companies; do not let the testers write the code or requirements, or have close contact with those that do.

Require enough comments in the code that someone can follow what's going on. Make incorrect comments - those copied from another place without updating them - be something that will slow down payment to the contractor.

In general, make quality a requirement of them getting paid, and make that very clear up front. Review potential contractor's sample code for quality ahead of hiring them, if that's an option. Largely, we had to teach our outsourced team quality from scratch, as they'd really, really, really never written any maintainable code before; each new version that they were paid for was previously largely a rewrite, so paying them to improve the software was billed at their cost for redoing everything.

That works fine... on simple applications; the problem is several versions in, when they didn't quite plan for any future of your project.

Dean J  2010-08-20 13:46:46
A: 

The problem with quality metrics as a criterion for acceptance is that a low quality developer will simply write the code in the way that they know best to write it, then muck with it until it passes all of the metrics. Metrics also can't capture some of the most important aspects of code quality, such as whether the names of symbols are meaningful and lead to easy comprehension and maintenance of the code.

It's reasonable to expect a certain standard of quality and even to include it in the contract, but the consulting relationship requires a certain degree of trust. If you try to reduce risk by giving yourself 'escape hatches' to avoid low quality code, this will likely discourage higher-quality developers from bidding on your project, as they are also interested in managing risk.

Dan Bryant  2010-08-20 15:14:23
+4  A: 
InSane  2010-08-20 15:38:18
+1  A: 

Whatever tools one uses, the following will always be the problem. He will never be able to distinguish the code which was designed well and the code which seem to be OK but which is wrong from architectural point of view without the proper analysis. Proper analysis means involving tech experts, and this in fact means more money and time spent. I can't see the other way if one wants flexible, reliable and maintainable code from outsourcing.

denis_k  2010-08-20 16:20:50
A: 

NASA Documents Online lists some of the industry/academic articles on software quality. Scroll down to the Software section.

Matthew Sposato  2010-08-25 12:46:16
A: 

Use NDepend and its Code Query language (CQL). CQL is dedicated to write code quality rules that can be verified live in Visual Studio, or that can be verified during build process and through a report. Here are a few samples of CQL rules:

I don’t want that my User Interface layer to depend directly on the DataBase layer:

WARN IF Count > 0 IN SELECT METHODS WHERE CyclomaticComplexity > 15 AND PercentageComment < 10

I don’t want that my User Interface layer to depend directly on the DataBase layer:

WARN IF Count > 0 IN SELECT NAMESPACES WHERE IsDirectlyUsing "DataLayer" AND NameIs "UILayer"

Static fields should not be named m_XXX (Custom naming conventions):

WARN IF Count > 0 IN SELECT FIELDS WHERE NameLike "^m_" AND IsStatic

Methods out of MyAssembly and MyAssembly2 should not have more than 30 lines of code:

WARN IF Count > 0 IN SELECT METHODS OUT OF ASSEMBLIES "MyAssembly1", "MyAssembly2" WHERE NbLinesOfCode > 30

Public methods should not be removed to avoid API breaking changes:

WARN IF Count > 0 IN SELECT METHODS WHERE IsPublic AND IsInOlderBuild AND WasRemoved

Types tagged with the attribute MyNamespace.FullCoveredAttribute must be thoroughly covered by tests:

WARN IF Count > 0 IN SELECT TYPES WHERE HasAttribute "MyNamespace.FullCoveredAttribute" AND PercentageCoverage < 100

Patrick Smacchia - NDepend dev  2010-10-19 10:39:47

related questions

My client is new to the software biz, what should they read to understand development projects and process?
IT Making Contact with Software Dev - Where to find good programmers
What types of software development tasks can be easily outsourced?
Where to Find Freelance Programmers
Does a business that is serious about its online strategy need an in house development team?
Tips for successful, long distance development?
Shortage of programmers?
How to find software development resources for a startup company?
sites for outsourced, task-orientated coding resources
Does outsourcing make you worry about the security of your job?
How to work with subcontractors
Should certification matter when hiring or outsourcing a person, or should we look further?
Outsourcing a project that needs an improvement in code quality
Outsourcing Classes by Supporting Unit Tests
How to safeguard an inside software development team from being outsourced?
Outsourcing and your job.
What is the one most important reason projects fail when done by external systems integrators?
Should you enforce coding practice on your third party development team?
Outsourcing
How do you handle poor quality code from a third party contractor in another country?
Hiring a Freelance Graphics Person
What to charge
Multi-site development
Is there a better alternative to rentacoder for developers?
Outsourcing