Cloud-Native-Roadmap Sample Report


SAMPLE REPORT

Roadmap to Cloud Native


Prioritized actions for modernizing custom applications for a PaaS environment
Cloud Native Application Modernization

CHALLENGE:

Modernizing existing applications to become cloud native and be deployed in a PaaS environment, without re-developing an entire software system, can deliver on the promise of cloud: scalability, resiliency, performance, economics, and access to services such as AI/ML, DBaaS, containers, and more.

The process can be slow and risky. It depends on an accurate understanding of the existing application's inner workings, which is required to determine the following:

• The best modernization approach, such as Refactor, Rearchitect, Rebuild, etc.
• The blockers to PaaS deployment, the required code changes and the effort
• The specific cloud native services best suited for the applications to utilize once on the cloud
• The additional changes for improving software health, reducing open source risks, and making the software greener

Cloud Native Application Modernization

SCOPE:

• This document is a sample of automatically generated intelligence about a portfolio of 17 applications considered for modernization to cloud native:
  • Some of the applications are still on-premise and others have already been rehosted on cloud (IaaS)
• Key insights in this report include:
  • Specific recommendations on how to modernize each application to be cloud native
  • Specific recommendations on open source risks, software health, and green impact to be considered as part of the modernization

CAST Highlight was used to produce the intelligence in a few hours by automatically understanding the source code and capturing qualitative information via a built-in survey.

Contact us to learn more: CAST Highlight website

Contents

• Executive Summary (Pg 3)
• Portfolio Snapshot (Pg 5)
• Cloud Readiness (Pg 7)
• Software Health (Pg 18)
• Software Composition Analysis (Pg 23)
• Green Impact (Pg 31)
• Why CAST Highlight? (Pg 37)
• Appendix (Pg 39)
  • Data Collection Process
  • Metrics & Definitions

Application Portfolio Snapshot

17 applications
10 technologies (programming languages)
5.1m lines of code
527 open-source components

A portfolio snapshot provides a summary of the portfolio and top line metrics for all applications. (All metrics are defined in the appendix.)

Application Portfolio Snapshot

Technology   Size (LOC)   Resiliency   Agility   Elegance
Java         2.5M         53.44        58.94     36.88
C#           1.6M         78.91        57.41     61.97
Cobol        712K         45.10        56.00     37.86
VB           202K         54.15        63.27     49.52
C/C++        104K         68.18        66.08     44.90
Javascript   26k          66.66        53.90     73.11
Python       20k          61.26        63.89     56.18
Ksh          11k          67.74        66.71     88.37
JSP          6k           52.93        68.74     98.15
T/SQL        1k           90.00        49.36     77.15

The portfolio snapshot also includes the portfolio demographics broken down by technology and health scores (resiliency, agility, elegance).

Roadmap to Cloud Native - Sample Report

Cloud Readiness
Cloud Readiness Section

This section of the report contains key insights generated by CAST Highlight on the
readiness of applications for adopting cloud native including:
• Recommended modernization approaches for each application (Refactor, Rearchitect, Rebuild)
• Blockers to PaaS deployment, estimated effort to remove them, and the required code changes
• Recommended cloud native services that applications can adopt when deployed in a PaaS environment
• Summarized action plan for the application portfolio

Portfolio Advisor for Cloud

The Portfolio Advisor for Cloud automatically segments each application and recommends the ideal modernization approach based on fact-based technical characteristics (via automated source code analysis) and qualitative criteria such as business impact (captured via survey).

Portfolio Advisor for Cloud

Additional statistics are provided for each application to further refine the roadmap.
Top Blockers & Boosters

Below are the top three PaaS Boosters and Blockers to cloud native observed across the entire portfolio.

Blockers are code level issues that need to be addressed before the application can adopt cloud native services. These are described in more detail on the following pages.

Blocker Detail: Using Stateful Sessions

Rationale and Recommendation


For modern applications running in the Cloud, being stateful is not recommended, especially for sessions: stateful sessions do not scale, and server-side state is generally harder to replicate and to debug. Ideally, stateful sessions should be replaced by stateless and client-side mechanisms such as cookies, a client cache (e.g. Redis, memcache…) or an external cloud-based storage. This is an important architectural constraint of microservices-style applications, as it enables resiliency and elasticity and allows any available service instance to execute any task.
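The following is an added example (not CAST's code and not from any application in the sample) showing why the blocker matters and what the remediation looks like in practice. Two handler objects stand in for two service instances behind a load balancer: with instance-local sessions a request routed to the second instance loses the login, while with a shared session store addressed by an HMAC-signed session id in a cookie any instance can serve any request, and an edited cookie is rejected before any lookup. InMemorySessionStore stands in for an external cache such as Redis, and COOKIE_SECRET is an illustrative constant (assumption: a real deployment loads it from a secrets manager and rotates it).

```python
"""Session state that survives instance churn: instance-local vs externalized.

Added example, not CAST's code. InMemorySessionStore stands in for an external
store (Redis, Memcached, ...) shared by all instances; COOKIE_SECRET is an
illustrative constant. Client-held state is only a signed id, so the client can
neither forge a session nor read or edit its contents.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

COOKIE_SECRET = b"illustrative-secret-load-from-a-secrets-manager"  # assumption


def sign_session_id(session_id: str, secret: bytes = COOKIE_SECRET) -> str:
    """Cookie value is '<id>.<hmac>' so a forged or edited id fails verification."""
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie: str, secret: bytes = COOKIE_SECRET) -> Optional[str]:
    """Return the session id if the HMAC matches (constant-time compare), else None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


class InMemorySessionStore:
    """Stand-in for an external store shared by every instance. Entries expire,
    and ids are generated here rather than accepted from the client."""

    def __init__(self, ttl_seconds: int = 1800,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._data: Dict[str, Tuple[float, Dict]] = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self, payload: Dict) -> str:
        session_id = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains '.'
        self._data[session_id] = (self._clock() + self._ttl, dict(payload))
        return session_id

    def get(self, session_id: str) -> Optional[Dict]:
        entry = self._data.get(session_id)
        if entry is None:
            return None
        expires_at, payload = entry
        if self._clock() >= expires_at:
            del self._data[session_id]  # lazy expiry on read
            return None
        return dict(payload)


class StatefulInstance:
    """The blocker: the session lives only in this process's memory."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session["user"] if session else None


class StatelessInstance:
    """The remediation: the instance keeps no session state of its own."""

    def __init__(self, store: InMemorySessionStore) -> None:
        self._store = store

    def login(self, user: str) -> str:
        return sign_session_id(self._store.create({"user": user}))

    def whoami(self, cookie: str) -> Optional[str]:
        sid = verify_cookie(cookie)
        session = self._store.get(sid) if sid else None
        return session["user"] if session else None


def demo_stateful() -> Tuple[Optional[str], Optional[str]]:
    """Log in on instance a, then route the next request to instance b."""
    a, b = StatefulInstance(), StatefulInstance()
    sid = a.login("alice")
    return a.whoami(sid), b.whoami(sid)  # ('alice', None): b knows nothing


def demo_stateless() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Same routing with a shared store, plus one cookie whose tag was edited."""
    store = InMemorySessionStore()  # shared, like a Redis cluster
    a, b = StatelessInstance(store), StatelessInstance(store)
    cookie = a.login("alice")
    edited = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return a.whoami(cookie), b.whoami(cookie), b.whoami(edited)  # ('alice', 'alice', None)


if __name__ == "__main__":
    print(demo_stateful(), demo_stateless())
```

The store, not the instance, owns the session; the instance can be replaced or scaled out freely. Keeping the cookie down to a signed opaque id (rather than serialized session data) is what makes the client-side half of the pattern safe to adopt.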

Each Blocker is described in detail including remediation advice.

Blocker Detail: Use of File System

Rationale and Recommendation


Cloud applications should not assume the local file system is accessible: the directory structure may differ from a traditional desktop or server machine, and/or the Cloud application may not have sufficient rights to access the local file system. Instead, use relative paths to application resources (e.g. ../../reporting/reportBuilder.xml). Depending on your application context and the Cloud platform where it is deployed, you could also consider using functions or classes like LocalResources to dynamically resolve file paths.

Blocker Detail: Perform File Manipulation

Rationale and Recommendation


Manipulating local files requires specific permissions and usually assumes the file will persist over time. In the Cloud, because the underlying infrastructure can be moved or removed, such assumptions cannot be made. Instead of using the file system, store your temporary information in a dedicated Cloud-based storage or in a NoSQL database.
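The following is an added example (not CAST's code) that covers both the "Use of File System" and "Perform File Manipulation" blockers above. Resources are resolved relative to the application's own root and confined to it, so a resource name taken from configuration cannot point outside the deployment; temporary state goes through a small store interface whose in-memory implementation stands in for cloud object storage or a NoSQL table. APP_ROOT, the resource names and the job keys are illustrative assumptions.

```python
"""Locating resources and scratch state without assuming a local disk.

Added example, not CAST's code. resolve_resource() replaces hard-coded or
cwd-relative paths; ScratchStore replaces temp files written to local disk.
"""
from pathlib import Path
from typing import Dict, List, Optional, Union

# Assumption: the directory holding this module is the application root.
APP_ROOT = Path(__file__).resolve().parent


def resolve_resource(relative: str, root: Union[str, Path] = APP_ROOT) -> Path:
    """Map an app-relative name such as 'reporting/reportBuilder.xml' to a path
    under root. Absolute names, and names whose '..' segments would leave the
    root, raise ValueError instead of silently reading somewhere else."""
    root = Path(root).resolve()
    if Path(relative).is_absolute():
        raise ValueError(f"absolute path not allowed: {relative!r}")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # containment check after '..' collapsing
    except ValueError:
        raise ValueError(f"resource escapes application root: {relative!r}") from None
    return candidate


def is_allowed_resource(relative: str, root: Union[str, Path] = APP_ROOT) -> bool:
    """True when resolve_resource would accept the name."""
    try:
        resolve_resource(relative, root)
        return True
    except ValueError:
        return False


class ScratchStore:
    """Interface for temporary state; no method promises a filesystem."""

    def put(self, key: str, data: bytes) -> None:
        raise NotImplementedError

    def get(self, key: str) -> Optional[bytes]:
        raise NotImplementedError


class InMemoryScratchStore(ScratchStore):
    """Stand-in for a blob bucket or NoSQL table shared by all instances."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        self._objects[key] = bytes(data)

    def get(self, key: str) -> Optional[bytes]:
        return self._objects.get(key)


def build_report(store: ScratchStore, job_id: str, rows: List[str]) -> bytes:
    """A worker step that parks intermediate rows and reads them back. Because it
    only talks to the store, the reading step may run on a different instance."""
    key = f"jobs/{job_id}/rows.csv"  # illustrative key layout
    store.put(key, "\n".join(rows).encode())
    body = store.get(key) or b""
    return b"report:" + body


if __name__ == "__main__":
    print(resolve_resource("reporting/reportBuilder.xml"))
    print(build_report(InMemoryScratchStore(), "job-1", ["a,b", "1,2"]))
```

Swapping InMemoryScratchStore for a real object-store client is a one-class change because callers never see a path; the resource resolver is the one place that knows where the application lives, which is also where a platform helper such as the LocalResources mechanism mentioned above would plug in.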

Cloud Boosters & Blockers for Roslyn Application

Insights are available at the application level to understand the specific Blockers that occur within each application and the estimated effort to remove them, so that the modernization plan can be further refined based on individual application characteristics.
Cloud Native Service Recommendations for Roslyn Application

Specific cloud native services on AWS, Azure, Google Cloud, or IBM Cloud are recommended based on each application's technical characteristics.

Cloud Native Roadmap Recommendations

Applications to Refactor for PaaS (less effort):
• Roslyn, Shopizer, Unicorn, Product Management, IMDB, Budget, MultiCloud, Mando, Starlord

Applications to Rearchitect for PaaS (medium effort):
• Hadoop

Applications to Rebuild for PaaS (most effort):
• GCP-Client

Applications to Retire:
• Cassandra, Groot

Top cloud native services to adopt on AWS:
• AWS Batch, Amazon EC2, Amazon ECS, Amazon EKS, Amazon S3

Additional recommendations:
• Investigate Health of each application to understand opportunities to improve resiliency and agility.
• Analyze Software Composition of each application to identify any open-source components that need to be upgraded and/or replaced due to CVEs, license risk, or obsolescence.
• Investigate Green Impact of each application to identify opportunities for reducing energy consumption and carbon emissions.

The cloud native adoption recommendations are then summarized to develop the overall roadmap for the portfolio.

Roadmap to Cloud Native - Sample Report

Software Health
Software Health Section

This section of the report contains key insights generated by CAST Highlight on the
Software Health of applications that should be addressed during modernization
including:
• Applications that are business critical and have low Resiliency
• Specific improvement opportunities within the code to improve Resiliency
• Summarized action plan for the application portfolio

Software Resiliency vs Business Impact

[Chart: each application is plotted on Software Resiliency against Business Impact. An INDUSTRY AVERAGE line separates the DANGER ZONE from the CONFIDENCE ZONE. Applications plotted: Hadoop, Loki, Hades, IMDB, Grogu, Shopizer, GCP-Client, MultiCloud, Product Management, Roslyn.]

VULNERABILITIES panel: Detected Common Vulnerabilities from Software Composition Analysis in Loki, Mando, Hadoop and GCP-Client.

Application Health insights (such as Resiliency) are analyzed to ensure unhealthy applications are improved while modernizing.

Software Resiliency for Loki Application

Unhealthy applications are analyzed at a deeper level to understand specific code-level improvement opportunities.

Software Health | Recommendations

Some applications have Resiliency scores that are severely low. Code alerts should be remediated before
modernization for cloud native on these applications:
• Hades
• Loki
• Grogu

Security Vulnerabilities were identified in a few applications and a deeper Software Composition Analysis should be
performed to investigate the open source components in these applications further:
• Loki
• Hadoop
• Mando
• GCP-Client

Additional recommendations on how to improve Software Health issues and potential security vulnerabilities are summarized.

Roadmap to Cloud Native - Sample Report

Software Composition Analysis
Software Composition Analysis Section

This section of the report contains key insights generated by CAST Highlight on the
Software Composition (open source risks) of applications that should be addressed during
modernization including:
• Security vulnerabilities to be addressed
• Risky open source licenses that create potential legal exposures
• Summarized action plan for the application portfolio

Software Composition Analysis Overview

Open source is one of the major entry points for hackers. It is critical to identify if the third-party components in use contain security vulnerabilities.

Open source licensing can be complex and confusing. Visibility on the licenses used by open source components is required to detect any restrictive license compliance issues.

Open source components can become out of date or unsupported, resulting in operational risks and outages. These out of date components must be detected and replaced with supported components.

CAST Confidential
Security Vulnerabilities Overview

Third-Party Component Vulnerabilities: Portfolio Insights & Top 5

Severity   CRITICAL   HIGH   MEDIUM   LOW   ADVISORY
Count      88         159    169      13    23

Top 5 applications by Business Impact, with possible vulnerabilities per severity:
Application   Business Impact   Critical   High   Medium   Low   Advisory
hadoop        85.3              9          11     34       2     6
Grogu         71.6              1          0      2        0     0
Hades         68.3              0          10     3        0     3
GCP-Client    56.9              4          8      17       1     4
Loki          49.5              29         50     26       3     1

The number and criticality of open source security vulnerabilities are identified across the portfolio.

Security Vulnerabilities Detail

Vulnerabilities

Application          Components
Hadoop               cxf-rt-transports-http-jetty 3.0.3, slf4j-api 1.7.7, jsch 0.1.42
Grogu                Microsoft.Practices.EnterpriseLibrary.Logging 4.1.0.0, Microsoft.Practices.EnterpriseLibrary.Common 4.1.0.0
Hades                cxf-rt-frontend-jaxws 2.7.5
GCP-Client           minimatch 3.0.0, useragent 2.1.12, qs 2.3.3, decamelize 1.1.1, parsejson 0.0.3, hapi 15.x.x,
Loki                 tomcat-embed-core 7.0.73, slf4j-api 1.7.7, cxf-rt-frontend-jaxws 2.7.12, is-my-json-valid 2.12.0, ua-parser-js 0.7.12, marked 0.3.6, minimatch 3.0.0, useragent 2.1.11, jquery 1.7.2, hibernate-validator 4.2.0.Final,
Other applications   openjpa-persistence-jdbc 2.1.1, commons-fileupload 1.2.1, jackson-databind 2.5.3, dom4j 1.6.1, jsoup 1.8.1, derby 10.1.1.0 …

Specific open-source components with vulnerabilities in each application are identified.

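The following is an added example (not CAST's code and not how CAST Highlight computes its results) of the step that turns a component inventory like the table above into findings. It parses inventory lines written the way the slide lists them ("App: name version, name version, ..."), orders versions that mix numeric segments, release qualifiers ("Final") and wildcards ("15.x.x"), and flags components below the fixed version in an advisory table. INVENTORY is a subset copied from the table; ADVISORIES is constructed for illustration with placeholder ids and invented fixed versions, not real CVE data.

```python
"""From a component inventory to advisory matches.

Added example, not CAST's code. ADVISORIES is CONSTRUCTED: placeholder ids and
invented fixed versions, used only to exercise the matching logic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Subset of the report's component table, in the slide's "App: comp ver, ..." form.
INVENTORY = """\
Hadoop: cxf-rt-transports-http-jetty 3.0.3, slf4j-api 1.7.7, jsch 0.1.42
Hades: cxf-rt-frontend-jaxws 2.7.5
GCP-Client: minimatch 3.0.0, qs 2.3.3, hapi 15.x.x
Loki: hibernate-validator 4.2.0.Final, jackson-databind 2.5.3, minimatch 3.0.0
"""

# Constructed placeholders: (component, first version containing the fix, advisory id)
ADVISORIES = [
    ("jsch", "0.1.43", "ADVISORY-PLACEHOLDER-1"),
    ("minimatch", "3.0.2", "ADVISORY-PLACEHOLDER-2"),
    ("hibernate-validator", "4.2.1.Final", "ADVISORY-PLACEHOLDER-3"),
    ("jackson-databind", "2.5.3", "ADVISORY-PLACEHOLDER-4"),  # inventory already at the fix
    ("hapi", "16.0.0", "ADVISORY-PLACEHOLDER-5"),
]

RELEASE_ALIASES = {"final", "ga", "release"}  # qualifiers that mean "the release itself"
_PIECE = re.compile(r"(\d+)|([A-Za-z]+)(\d*)")

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> Optional[VersionKey]:
    """Comparable key (numbers, release rank, qualifier number), or None when the
    version has a wildcard or an unrecognised piece. Pre-release qualifiers such
    as rc1 or beta rank below the release; Final/GA rank equal to it."""
    nums: List[int] = []
    rank, qual_num = 1, 0
    for piece in re.split(r"[.\-]", version):
        if piece in ("x", "*"):
            return None  # wildcard: the installed version is not actually known
        m = _PIECE.fullmatch(piece)
        if m is None:
            return None
        if m.group(1) is not None:
            nums.append(int(m.group(1)))
        elif m.group(2).lower() not in RELEASE_ALIASES:
            rank, qual_num = 0, int(m.group(3) or 0)
    nums += [0] * (4 - len(nums))  # so that 1.2 == 1.2.0.0
    return tuple(nums), rank, qual_num


def parse_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Return (application, component, version) triples from 'App: comp ver, ...' lines."""
    triples = []
    for line in text.splitlines():
        app, sep, rest = line.partition(":")
        if not sep:
            continue
        for item in rest.split(","):
            name, _, ver = item.strip().rpartition(" ")
            if name and ver:
                triples.append((app.strip(), name, ver))
    return triples


def match_advisories(text: str = INVENTORY, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Return {application: [finding, ...]}. A wildcard version cannot show it is
    at or past the fix, so it is reported as 'unresolved' rather than dropped."""
    fixes: Dict[str, List[Tuple[str, str]]] = {}
    for comp, fixed, aid in advisories:
        fixes.setdefault(comp, []).append((fixed, aid))
    findings: Dict[str, List[str]] = {}
    for app, comp, ver in parse_inventory(text):
        for fixed, aid in fixes.get(comp, []):
            have, need = parse_version(ver), parse_version(fixed)
            if have is None:
                findings.setdefault(app, []).append(f"{comp} {ver} unresolved ({aid})")
            elif need is not None and have < need:
                findings.setdefault(app, []).append(f"{comp} {ver} < {fixed} ({aid})")
    return findings


if __name__ == "__main__":
    for app, items in match_advisories().items():
        print(app, "->", "; ".join(items))
```

Two details matter for triage quality: a qualifier such as 4.2.0.Final must compare equal to 4.2.0 rather than above it, or fixed components are reported as vulnerable; and a wildcard such as hapi 15.x.x must surface as something to pin down, because silently treating it as safe is how a known-vulnerable dependency stays in the build.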
License Risk Overview

Third-Party Component License Risk: Portfolio Insights & Top 5

Components   HIGH RISK   MEDIUM RISK   LOW RISK   Undefined
531          25          50            412        12

Top 5 applications by Business Impact, with license counts per risk level:
Application   Business Impact   High   Medium   Low   Undefined
hadoop        85.3              17     16       181   2
Mando         85.3              1      0        0     1
Grogu         71.6              0      0        2     0
Hades         68.3              1      16       106   4
roslyn        63.2              0      0        2     0

The number and risk levels of open source licenses are identified across the portfolio.

License Risk Detail

License Risk

Application   3rd-Party Components   Licenses
Hadoop        7                      MIT License (2), Apache 2.0 (1), BSD-3 New
Mando         12                     Apache 2.0 (3), GNU Affero GPL 3.0 (2)
Grogu         4                      MIT License (2), ISC License (1)
Hades         379                    MIT License (358), ISC License (39), Apache 2.0 (16), Eclipse 2.0 (1), BSD 2 (14), GNU Affero GPL 3 (1), BSD 3 (1)
Roslyn        32                     MIT License (2), Apache 2.0 (1), GNU GPL 3 (4)

Applications that use open source components with risky licenses are highlighted.

Software Composition Recommendations

Hadoop: Upgrade the jsch component to the latest version to reduce critical vulnerability risk

Hades:
• Upgrade the hibernate component to the latest version to reduce critical vulnerability risk
• Replace the component that uses the GNU GPL license to avoid copyleft licensing risk

Mando: Replace the component that uses the GNU GPL license to avoid copyleft licensing risk

Roslyn: Replace the component that uses the GNU GPL license to avoid copyleft licensing risk

Specific recommendations on how to reduce open source vulnerability and license risk are summarized.

Roadmap to Cloud Native - Sample Report

Green Impact
Green Impact Section

This section of the report contains key insights generated by CAST Highlight on the Green
Impact of applications that should be addressed during modernization including:
• Prioritized actions to take for applications to improve green impact
• Green Deficiencies in the code, estimated effort to remove them, and the required code changes
• A view of the Green Impact score trends over time
• Summarized action plan for the application portfolio

Portfolio Advisor for Green

The Portfolio Advisor for Green automatically identifies opportunities to improve sustainability and Green Impact of applications across your portfolio.

Green Deficiencies

The Green Deficiency patterns in the code that contribute to excess resource utilization and energy consumption are identified across the portfolio, including number of occurrences, effort to remediate, and the specific applications where they occur.

Green Deficiencies Detail for Mando Application

Insights are available at the application level to understand the specific Green Deficiencies that occur within each application, estimated effort to remove them, and remediation advice, so that applications can be made more sustainable as part of the modernization.

Green Impact Trends

Applications are continuously monitored to view progress being made on green impact (and other metrics) across all applications.

Green Impact Recommendations

Shopizer: Remove the top 10 Green Deficiencies, less than one week of estimated effort

Quill: Remove top 2 Green Deficiencies, less than two weeks of estimated effort

Mando: Remove top Green Deficiency, two weeks of estimated effort

Applications to address in the future:
• Groot
• Roslyn
• Grogu

Review two "Role Model" applications to identify best practices to share across the team:
• MultiCloud
• Starlord

Specific recommendations on how to improve Green Impact are summarized.

Why CAST Highlight?

CAST Highlight gives enterprise leaders rapid insights across entire portfolios. Automated source code analysis with built-in surveys for business context. Portfolio views. Instant drilldowns. Recommendations. Operational in a week. Across hundreds of applications.

• Accelerate Cloud Migration
• Manage Open Source Risk
• Improve Green Impact
• Optimize Tech Due Diligence

Software Health: Resiliency, Agility, Technical Debt
Cloud Readiness: Roadmaps, Blockers & Effort, Cloud Native Services
Software Composition: OSS Vulnerabilities, OSS IP / Licensing Risks, SBOM
Green Impact: Deficiencies, Remediation Advice, Trends

Contact Us to learn how to automatically generate an application portfolio report. Visit the CAST Highlight web site.
SAMPLE CO, INC.
Appendix

Data Collection for CAST Highlight
A simple, 3-step process…

Step 1 - Point CAST Highlight at your code repositories for automatic scanning and rapid analysis, updated continuously and automatically; complete survey for each application to enhance context
Step 2 – Encrypted statistical results uploaded to secure cloud (27001-certified), no code leaves the premises
Step 3 – Instant visibility with automatically generated and customizable dashboards, integrate data with other systems via API

Key Metrics & Methodology Definitions

Each metric is listed with its Description, Direct Interpretation and Business Impact.

Key Metric: CloudReady
  Description: Measure of software and organization characteristics to speed PaaS migration
  Direct Interpretation: Significant number of roadblocks found that could slow down a Cloud migration
  Business Impact: Opportunity to reduce cost, increase elasticity and embrace innovation

Key Metric: Software Resiliency
  Description: Measure of the robustness of the software and how bullet-proof it is against production failure
  Direct Interpretation: Reflects presence of code patterns that may compromise the vulnerability of the software
  Business Impact: Customer Satisfaction; Customer Confidence / Loyalty; Opportunities & Revenue

Key Metric: Software Agility
  Description: Measure to indicate the ease with which a development team can understand and maintain an application
  Direct Interpretation: Reflects absence of embedded documentation and code readability good practices
  Business Impact: Maintenance Cost; Transferability

Key Metric: Software Elegance
  Description: Measures the ability to deliver software value with less code complexity
  Direct Interpretation: Indicates decreased quality in code, resulting in higher defects that become costly to fix
  Business Impact: Time to Market; Innovation

Key Metric: Open Source Safety
  Description: Measure of risk associated with the use of 3rd-party components that comply with security, license, and age requirements
  Direct Interpretation: Analysis of open-source and 3rd-party components in use that could include security vulnerabilities, risky licensing requirements, or obsolete technology
  Business Impact: Reduce security risk, reduce legal exposure, reduce operational risk

Key Metric: Green Impact
  Description: Measure of programming practices and engineering principles that make software more environmentally-friendly
  Direct Interpretation: Identification of Green Deficiency patterns in the code of applications that contribute to excess resource utilization and energy consumption
  Business Impact: Support ESG requirements, make software greener, more resilient, less expensive, and more performant

CloudReady Index Calculation Formula

CloudReady = 45.2 (in the sample), built from two equally weighted scores:
• CloudReady Survey** score: 13.4 (weight of 50%)
• CloudReady Scan*** score: 77.1 (weight of 50%)

The Scan side is the Code Patterns Score, built from hundreds of Code Patterns:
• Targeted to coding language (Java, C#, VB.Net, T-SQL, PHP, Python)
• Positive (Boosters) or Negative (Roadblocks) contribution
• Criticality level (critical, high, medium, low)
• Impact area (Code, Framework, Architecture)

• Boosters: 5.6, based on Positive Code Patterns (weight of 10%)
• Blockers: 5.0, based on Negative Code Patterns (weight of 40%)

**CloudReady Survey score - from 0 to 100 - relies on the answers provided by the Application Owner. Depending on the importance of a question, its answers may impact the score differently.
***CloudReady Code Scan score - from 0 to 100 - relies on both Booster and Blocker scores, where Booster and Blocker scores respectively account for 20% and 80% in the Code Scan score.
