What are the root causes of software bugs?  By looking into the root causes of software bugs and where and when the bugs appear, we can establish better ways to avoid them in the first place.

Bugs in code are not just caused by faulty code.  They can be caused by poor requirements, poor implementation, poor configuration, poor documentation, poor design, inadequate testing and of course poor attention to code quality.

This table shows the main root causes of software defects:

Defect Origin              Best    Average         Worst
Requirements               0.34    0.70 (16.5%)    1.35
Architecture and Design    0.67    1.05 (25%)      1.78
Code                       0.44    1.15 (27%)      2.63
Security flaws             0.18    0.25 (6%)       0.4
Documents                  0.20    0.45 (10.5%)    0.54
Bad fixes                  0.39    0.65 (15%)      1.26
Total                      2.22    4.25            7.96

Measured in defects per function point.

Source: p. 256. Capers Jones, Quantifying Software, 2018 CRC Press.

It is interesting to note from the table above that more defects come from pre-coding work than from the coding itself. That is, the sum of the defects from requirements, architecture and design is greater than the coding defects. Given that the code is built on the foundation of the previous three, we will end up coding the wrong thing or in the wrong way unless we fix those pre-coding defects first. In agile projects we can see as much as 40% of overall effort is due to rework caused by insufficient or poor quality on the pre-coding work.

The single most time-consuming aspect of software development is finding and fixing bugs. Anything that can be done to avoid them in the first place should be taken seriously.

Update 2021

In January 2021 Accenture acknowledged at the Software Intelligence Forum that as many as 35% of production defects are caused by requirements problems, according to their data based on 1000 projects. What this means is that on most projects, requirements quality assurance work is failing. Furthermore, requirements problems are amongst the most expensive to fix once coding has begun. Finding ways to fix requirements problems is achievable through a combination of education, time, attention to quality and automation. This is where ScopeMaster can help: ScopeMaster can reliably find 50% of requirements problems, and help you fix them quickly too. Overall, using ScopeMaster helps you find and fix problems ten times faster than attempting to do the same manually.

We should start with the premise that a team developing software will not do perfect work, but can do excellent work. On average, however, they will do average work. And with any knowledge work, mistakes will creep in. It is very useful to consider the idea of defect potential. Defect potential is the idea that a given piece of software is likely to have a probable number of defects unless and until those defects are removed. Defect potentials vary by size. That means that a large application has a greater tendency to be buggy than a small one. For a 1000 FP software project ($750k – $1.4m) D