What does BonCode actually do?
We analyse source code using our in-house developed toolset. These analyses indicate issues on maintainability and security of custom build software. Our customers use this analysis data to manage the risk that their custom build software systems become unmaintainable over time.

Who uses your data?
We serve multiple audiences. In our daily practice it comes down to three roles in our customers organization: Primarily we serve software managers, product owners or program managers. They typically oversee larger software development projects or oversee a portfolio of software systems and need to be in control of the long-term health of their systems. More importantly: they need to be able to demonstrate that they are in control.
Besides that, we serve the software development teams. We help them to demonstrate the software quality they deliver. And we help them to direct them – in a very detailed manner- where software quality issues have been detected. We create top-10 lists, so issues can be resolved fast and accurately. We create software architectural diagrams, so engineers know what the impact is of their modifications.
The third audience is Steering committee or Board level: We inform them -in a non-technical way- on the health of their projects and systems.

How can different roles in my organization benefit from the same BonCode data? That doesn’t seem logical.
That is true but it is very logical. We tailor our dashboards to the specific role we serve. The key thing is that all roles receive the same data, but in a way that matches their specific responsibility. Steering committees get highly aggregated scores, while software engineers get detailed measurements. In a way it is like your financial reporting system. Any role will be interested in a specific view, but it is all the same data-just on other aggregation levels. We have learned that providing an information framework like this is the only way to build a culture that is focused on long term health of your software portfolio.

How long does it take to get results from BonCode?
Once we have set up our tooling, the measurements indicate the health of your software directly. This can be achieved in hours. But this is the raw data, and it is helpful to understand the context of a software system. You simply cannot assess risks if you know nothing about the project. So, a full software assessment takes a lead-time of about three to five weeks. In this period, we measure your software, validate our findings, and assess the risks and issues we may find. Finally, we prepare an understandable report for technical people and it will also be understandable for people who have less knowledge of software engineering.

What do I get if I hire BonCode?
We have two services: First is a Software Assessment, which is a thorough research exercise. The end deliverable is a Presentation providing an answer to your research questions. This is typically useful to support your decision-making process.
Our second service is a Software monitor. Which is typically a license to our technology. You can analyze your software as often as you like, with as many users as you like. Results are presented in dashboards. Dashboards come in a variety of formats: either specific for your project, or more focused on a portfolio of projects, technologies, or technology providers.

Is BonCode a consultancy or a technology company?
We consider ourselves tool-based consultants. Like a doctor who has his medical analysis tools. But you can also license our tools, so we are both. Consulting based on technology.

Can you support us with designing, testing, or building our software?
We could – but we will not. Our customers trust our findings for two reasons. 1: They are derived from source code analysis, therefore factual. 2: We are neutral, independent and objective. We have no interest in the outcome of our research other than that it is useful and correct. This neutrality would be impacted if we participated in your projects. Referees do not participate in the game.

Is BonCode more useful for back-end or front-end systems?
There is no real difference. It is all source code. Back-end systems tend to have a longer life than front-end systems, so one might be more interested in safeguarding maintainability to assure that these systems will be adaptable for the longer future. On the other hand: front-end systems tend to need more adaptability, so you would be interested in keeping these systems as maintainable as possible to facilitate fast changes.

Is there CI/CD integration? SSO?
Yes: we integrate via APIs with all common CI/CDs. Single-Sign-On is also supported.

How long does an assessment take?
In most cases, we can deliver in four to five weeks’ time, depending on the availability of customers’ resources. For our Software Due diligence service, we see that lead-times are shorter because of the dynamics of the M&A/PE sector.

Why does BonCode focus on maintainability of software, I’m more interested in the changeability of my software?
Good question, as you could for example also ask about the performance or security of the system. We believe maintainability is even more important because it is the prerequisite for all quality aspects. Software that is hard to maintain will have a negative impact on the scalability, security, adaptability etc of the system.

My software development environment also has the possibility to measure quality, what does BonCode add to this?
Software development environments (SDE) report to individuals who specifically use the SDE and are not adapted to managers, including project managers or CIO’s. BonCode provides quality measurements aggregated and adjusted to the level of the different stakeholders. From engineering level to boardroom and thus providing one integrated version of the truth in your software project. BonCode should be seen as a quality management system on code-, architectural- and project level.

Can BonCode measure any type of technology, or just some subset?
BonCode’s tooling is technology agnostic, meaning we can onboard almost any technology. Having said that, if BonCode cannot currently measure it today, it might be bleeding edge technology or very rarely used technology, with its own risk profile.

What is your business model?
For assessments, BonCode works exclusively on a fixed price basis, based on the research questions and scope of technology we need to research. For licenses we have a fair use license model based on the number of projects we monitor.

There’s a ton of open-source tooling available in the field of software quality, what does BonCode add?
We value these tools; they are helpful for software engineers. But they are personal tools, that do not help to build an organizational culture that is aimed at delivering quality as a team. That’s where we come in. There is a big difference of a team of software engineers, all using their own personal tools, or a team that is using one analysis platform that provides data on personal, system or portfolio level. Do you allow your sales reps to have their own CRM system, or do you want them to use a centralized system? Does everyone have his own financial system, or do you prefer a corporate general ledger? Do you want individual quality tools, or a corporate wide platform?
And besides that: BonCode adds the interpretation of software metrics from an independent technology agnostic perspective. Quality management relies on independent measurements.

Can BonCode provide software quality certificates?
No, we can’t, and our customers do not mind. Aiming for certification leads to the certificate being the main objective which often leads to a dogmatic software metric harnass. BonCode believes high quality software should be the main objective.

Is Team productivity something you can measure in an objective manner?
Yes, that is very doable and usable. The process here is that a set fixed interval (eg per sprint), we measure all code that has been added, removed, or modified (we call this churn). For LowCode platforms like OutSystems we use Automated Function Point Analysis to determine how much functionality has been added, removed, or modified. For more traditional technologies we use LOC. If you correlate this with the amount of time your team allocated on the work, the productivity is objectively determined in terms of Function Points/hour or LOC/hour. We’ve learned that this type of analysis is very usable for internal or external benchmarking.

We are considering investing in a company. Can you support us in getting a clear picture of the quality of the software assets?
Yes. It is our specialty to provide fact-based insight into the risks and opportunities of software. This is our Software due diligence service.

Does BonCode also assess security risks? Do you provide a SBOM?
Yes. Security is a multi-headed monster so we will never be able to provide 100% assurance that a software system is secure. That said, we assess security risks on source code and architectural level based on The Open Web Application Security Project (OWASP) or customers’ own policies. Key component in our offering is the delivery of a Software Bill of Materials (SBOM). Our SBOM helps you understand what third party software is being included in your code base, and what the risks are.

How do you protect our source code?
BonCode is ISO/IEC 27001 certified, to ensure information security management and appropriate levels of confidentiality, integrity, and availability of your data.

We use low-code platforms, can BonCode analyze that?
Yes.

What kind of metrics do you measure? What is the meaning of them?
Hmm, this is asking your doctor what he measures. How to summarize tens of years of science into one answer? In short: we measure what is needed and our measurements are rooted in ISO25010. We will give three examples: 1. Unit size: the rationale is that the larger the smallest unit is, the lower the readability, testability, and maintainability. 2. Duplication: the rationale is that if you have duplicated code, the maintenance effort is duplicated, the risk for errors is duplicated, etc. 3. Complexity of code: rationale is that overly complex modules are not well understandable, testable, readable, and adaptable.

Can I interpret the measurements myself?
Yes. Of course: for the more detailed measurements, knowledge of software engineering is necessary. But for the more aggregated scores it is not needed (everyone understands that a score of 85/100 is better than 75/100).

We develop software in an agile way, so how would software quality be relevant?
Well, working agile means that you acknowledge that your future functional requirements are unpredictable and that you therefore need a software development methodology aimed at adaptability. Shouldn’t your software product not be highly adaptable? That is what good software quality brings you.

Can we integrate BonCode’s measurements in our own -already existing- quality assurance program? How?
Yes. We export our measurements to any system of your choice.

We have an external service provider developing our software, why should we bother on quality delivery? Isn’t that their responsibility?
Yes, of course this is their responsibility. But in case your external developer delivers suboptimal software, you still must cope with the effects of that result from there. You can outsource activities, but you cannot outsource responsibility.

Where is your service hosted?
BonCat, our analyzing tool, is hosted on AWS datacenters in Dublin, Frankfurt and Osaka.

Do you offer an on-premises solution?
Yes.