What Is ISO 5055?
ISO/IEC 5055:2021, titled “Information technology — Software measurement — Software quality measurement — Automated source code quality measures”, is a software quality standard. Software flaws at the technology and system level account for 8% of total errors, but consume over half the effort spent fixing problems that lead to 90% of the most serious production issues. ISO 5055 has been designed to directly measure those critical software flaws.
Here, we explain what is ISO 5055, why it is important, and how to use it to ensure software quality.
Read along or jump ahead to the section that interests you the most:
- What Is ISO 5055?
- Why Is ISO 5055 Important?
- How CWE Relates to ISO 5055
- ISO 5055 Overview
- How Does ISO 5055 Relate to ISO 25000 series?
- ➡️ Start Your Free Static Code Analysis Trial
What Is ISO 5055?
ISO 5055 is a software quality standard that calculates quality measures based on the number of critical weaknesses in the software. Specifically, it looks at four software quality characteristics: security, reliability, performance efficiency, and maintainability.
📕 Related Resource: Learn more about which software quality metrics matter >>>
Why Is ISO 5055 Important?
ISO 5055 is important because it helps determine the trustworthiness, dependability, and resilience of software application at both a system and component level. This enables organizations — such as financial institutions, governments, telecoms, and manufacturers — to avoid disruptions, reputational damage, or excessive IT costs. In addition to IT systems, it is also applicable to embedded software which is important due to the growth of embedded devices and the Internet of Things.
ISO 5055 can also be used as an indicator of the amount of risk that an organization is exposed to through its software applications.
How CWE Relates to ISO 5055
Each of the software quality characteristics — security, reliability, performance efficiency, and maintainability — are measured by a prespecified set of weaknesses that are defined in the Common Weakness Enumeration (CWE) list. The CWEs included in ISO 5055 are those identified as the most critical, such as SQL injection and buffer overflow.
The full list of CWE weaknesses included in ISO 5055 can be found here.
ISO 5055 Overview
The following table outlines the major categories of weaknesses measured for each of the software quality characteristics.
Software Quality Characteristic
How ISO 5055 Relates to ISO 25000 series
ISO 25010 presents a software quality model which defines a set of software quality characteristics. ISO/IEC 25023 defines software measures for the quality model in ISO 25010, but only at the behavioral level. ISO 5055 supplements this by defining measures to be applied at source code level for the software quality characteristics: security, reliability, performance efficiency, and maintainability to conform to the definitions in ISO 25010 which adds product level measurement.
Use Static Code Analysis to Support ISO 5055
A static code analysis tool — such as Helix QAC and Klocwork — is essential for ensuring software quality. By using a static code analysis tool, you are able to identify software security weaknesses, verify compliance with coding guidelines, and provide evidence of that compliance.
By identifying the weaknesses described in CWE and the use of coding standards such as AUTOSAR, and MISRA you can detect both security issues and general deficiencies in your code. In addition, by using a static code analysis tool, you are also able to verify compliance with coding standards and provide evidence that compliance requirements have been met.
- Enforcing coding standards and detecting rule violations.
- Detecting weaknesses, errors, and compliance issues earlier in development.
- Accelerating code reviews and manual testing efforts.
- Reporting on compliance over time and across product versions.
See how Helix QAC and Klocwork can help you improve your software quality, sign up for an on-demand demo.