要約
- The ISO/IEC 25010 framework is an international standard defining nine primary characteristics, such as functional suitability and reliability, to objectively evaluate and measure software quality.
- This model addresses software quality by providing a systematic language for developers and leaders to manage technical debt and ensure systems perform under stated conditions.
- Maintaining security and maintainability is critical in the AI era to prevent "AI slop" and ensure that high volumes of generated code remain effective and efficient.
- Organizations use these standards to overcome the "verification bottleneck," ensuring rapid AI-driven output meets enterprise-grade requirements for production-ready, reliable code.
Software quality is often difficult to define until an application fails in production, security vulnerabilities are discovered, or technical debt makes future development increasingly expensive. The ISO/IEC 25010:2023 standard provides a common vocabulary and structured framework for evaluating what makes software "high quality."
Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard defines a comprehensive software product quality model consisting of nine quality characteristics. These characteristics enable organizations to objectively evaluate software products throughout planning, development, testing, deployment, and maintenance.
Rather than relying on subjective judgments, development teams can use ISO/IEC 25010 to establish measurable quality objectives, guide software verification, improve code review practices, and align engineering work with business outcomes.
Whether you're a software developer working inside your IDE, an application security engineer reviewing pull requests, or an engineering executive managing a portfolio of applications, understanding the ISO/IEC 25010:2023 model provides a foundation for building software users can trust.
The nine software product quality characteristics of ISO/IEC 25010:2023
ISO/IEC 25010:2023 defines nine software product quality characteristics that together provide a comprehensive model for evaluating software products. Each characteristic contains multiple sub-characteristics that enable organizations to assess software quality through static analysis, testing, code review, software verification, and continuous quality improvement.
Functional suitability
Functional suitability measures how well software provides functions that satisfy stated and implied user needs. At its core, it answers a simple question: Does the software perform the right functions correctly?
Functional suitability includes:
- Functional completeness: covering all required functionality
- Functional correctness: producing accurate and expected results
- Functional appropriateness: enabling users to accomplish their objectives efficiently
In modern software engineering—particularly when AI coding assistants generate large volumes of code—functional suitability requires more than successful compilation. Organizations increasingly rely on automated testing, static code analysis, and deterministic verification to confirm that generated implementations behave correctly under real-world conditions.
Maintaining strong functional suitability reduces production defects, improves customer satisfaction, and helps ensure that AI-generated code solves the intended business problem instead of simply producing syntactically valid output.
Performance efficiency
Performance efficiency evaluates how effectively software uses computational resources while meeting required levels of performance under specified conditions.
Its primary sub-characteristics include:
- Time behavior: response time, latency, and throughput
- Resource utilization: efficient use of CPU, memory, storage, and network resources
- Capacity: ability to handle expected workloads and growth
Performance problems often become a hidden source of technical debt. Poorly optimized algorithms, unnecessary complexity, and inefficient AI-generated implementations can significantly increase infrastructure costs while degrading user experience.
Modern engineering teams continuously monitor performance throughout development using automated testing, profiling, and static analysis to ensure applications remain responsive, scalable, and efficient as systems evolve.
Compatibility
Compatibility measures how effectively software operates alongside other systems while sharing data, infrastructure, and computing resources.
Compatibility consists of:
- Co-existence: operating efficiently alongside other software without conflict
- Interoperability: exchanging and using information across systems and services
Compatibility has become increasingly important as organizations adopt cloud-native architectures, distributed systems, APIs, microservices, and third-party integrations.
Strong compatibility improves software resilience while reducing integration failures, operational complexity, and security risks associated with incompatible interfaces or inconsistent data exchange.
Interaction capability
One of the most significant updates introduced in ISO/IEC 25010:2023 is the replacement of Usability with Interaction capability.
Interaction capability evaluates how effectively users can interact with software to accomplish their goals. While it encompasses traditional usability principles, the updated characteristic recognizes that modern software must support a broader range of users, interaction models, and accessibility requirements.
Interaction capability includes:
- Appropriateness recognizability
- Learnability
- Operability
- User error protection
- User engagement
- Inclusivity
- User assistance
- Self-descriptiveness
For modern applications—including AI-powered solutions—interaction capability extends beyond attractive user interfaces. Users must be able to understand system behavior, receive appropriate guidance, recover from mistakes, and successfully complete tasks regardless of their experience level or accessibility needs.
Organizations that prioritize interaction capability improve customer satisfaction, reduce support costs, increase adoption, and build greater trust in AI-assisted workflows.
Reliability
Reliability measures the degree to which software performs specified functions consistently under defined conditions over time without interruptions and failures.
Reliable software minimizes unexpected failures while maintaining service availability during both normal operations and adverse conditions.
The ISO/IEC 25010:2023 standard defines four primary sub-characteristics:
- Faultlessness
- Availability
- Fault tolerance
- Recoverability
As organizations increasingly deploy AI-generated code into production, reliability becomes even more important. While AI can accelerate software delivery, generated implementations may introduce subtle logic errors or edge-case failures that traditional reviews can overlook.
Continuous testing, automated verification, code review, and static analysis help organizations identify these issues before deployment, improving system resilience while reducing operational risk.
Security
Security measures the degree to which software protects information, systems, and services against unauthorized access, modification, disclosure, or disruption while ensuring that only authorized users and processes can perform permitted actions. It is a foundational characteristic of application security, secure coding, and software quality.
ISO/IEC 25010:2023 defines the following security sub-characteristics:
- Confidentiality: protecting information from unauthorized disclosure
- Integrity: preventing unauthorized modification of data
- Non-repudiation: ensuring actions and transactions cannot later be denied
- Accountability: enabling actions to be traced to responsible entities
- Authenticity: verifying the identities of users, systems, and services
- Resistance: withstanding, responding to, and recovering from attacks or malicious actions
As software supply chains become increasingly complex and AI-assisted development accelerates code generation, security must be embedded throughout the software development lifecycle rather than treated as a final validation step. Organizations increasingly rely on static code analysis, vulnerability scanners, software verification, and secure coding practices to identify vulnerabilities early, reduce remediation costs, and ensure applications remain resilient against evolving threats.
Maintainability
Maintainability measures how effectively software can be analyzed, modified, tested, and improved throughout its lifecycle. Highly maintainable software enables engineering teams to respond quickly to changing business requirements while controlling technical debt and preserving long-term software quality.
The maintainability characteristic includes:
- Modularity: separating functionality into well-defined components
- Reusability: leveraging existing assets across systems and projects
- Analyzability: efficiently diagnosing defects, vulnerabilities, and performance issues
- Modifiability: implementing changes without introducing unintended side effects
- Testability: verifying that changes behave as expected
Maintainability becomes increasingly important in AI-assisted software development. While generative AI can dramatically increase code production, it can also introduce unnecessary complexity, duplicated logic, inconsistent coding patterns, and fragile implementations.
Organizations that prioritize maintainability through continuous code review, static analysis, code cleanup, code refactoring, and automated testing can reduce technical debt while improving developer productivity, software verification, and long-term application sustainability.
Flexibility
ISO/IEC 25010:2023 replaces the previous Portability characteristic with Flexibility, reflecting the growing need for software that can evolve alongside changing technologies, deployment environments, and business requirements.
Flexibility measures the degree to which software can adapt to new environments, changing workloads, evolving infrastructure, and future operational needs.
Its sub-characteristics include:
- Adaptability: adjusting to different operating environments and configurations
- Installability: enabling efficient deployment and installation
- Replaceability: substituting components or systems with minimal disruption
- Scalability: maintaining performance and functionality as workloads increase
Modern software increasingly runs across hybrid cloud, multi-cloud, containerized, and distributed environments. Flexibility allows organizations to reduce vendor lock-in, modernize infrastructure, support cloud migrations, and scale applications efficiently while maintaining software quality.
For engineering leaders, flexibility helps future-proof software investments by ensuring systems can evolve without requiring expensive rewrites or disruptive architectural changes.
Safety
One of the most significant additions in ISO/IEC 25010:2023 is Safety, recognizing that software quality extends beyond reliability and security to include protection against unintended harm.
Safety measures the degree to which software avoids causing unacceptable risk to people, organizations, property, or the environment during normal operation and foreseeable misuse.
Safety includes sub-characteristics such as:
- Operational constraint: preventing operation outside safe limits
- Risk identification: recognizing hazardous conditions before failures occur
- Fail-safe behavior: transitioning to safe operating states during failures
- Hazard warning: informing users and operators of unsafe conditions
- Safe integration: ensuring interactions with other systems do not introduce unacceptable risks
Although safety has traditionally been associated with industries such as healthcare, automotive, aerospace, manufacturing, and critical infrastructure, it is becoming increasingly relevant across enterprise software. AI-enabled applications, autonomous systems, and software that influences business or operational decisions can all introduce risks that extend beyond conventional software defects.
By incorporating safety into software quality evaluation, organizations can better assess operational risks, improve system resilience, and build greater trust in AI-assisted software systems.
Why the ISO/IEC 25010:2023 framework matters in the AI era
Software engineering is entering an era where AI agents can generate code at unprecedented speed. While this acceleration enables organizations to deliver features faster than ever before, it also introduces new challenges. AI-generated code may be functionally correct yet inefficient, difficult to maintain, insecure, or inconsistent with organizational coding standards.
The result is a growing verification bottleneck: engineering teams can generate software faster than they can confidently verify its quality.
The ISO/IEC 25010:2023 framework provides a comprehensive model for addressing this challenge. Rather than evaluating code solely for correctness, organizations can assess software across nine complementary quality characteristics, including maintainability, security, reliability, interaction capability, flexibility, and safety.
This broader perspective helps engineering teams identify quality issues before they reach production, reduce technical debt, improve software verification, and ensure AI-generated code satisfies enterprise requirements.
As organizations adopt agentic development workflows, the ability to continuously evaluate software quality becomes a strategic advantage. AI may accelerate software creation, but only rigorous verification ensures that generated software is trustworthy, secure, maintainable, and ready for production.
How SonarQube helps organizations implement ISO/IEC 25010:2023
Implementing ISO/IEC 25010:2023 requires more than defining quality objectives—it requires continuously measuring and improving software quality throughout the software development lifecycle.
SonarQube helps organizations operationalize many of the quality characteristics defined by the standard by providing continuous code quality and security analysis directly within developer workflows and CI/CD pipelines.
By identifying bugs, code smells, security vulnerabilities, security hotspots, and maintainability issues through static code analysis, SonarQube enables developers to improve code before it reaches production. These capabilities directly support characteristics such as Functional suitability, Performance efficiency, Reliability, Security, and Maintainability while reducing technical debt and improving overall software quality.
SonarQube Cloud extends these capabilities with scalable cloud-based analysis for modern development environments, while SonarQube Server enables organizations to implement comprehensive code quality and security practices within self-managed infrastructures.
Integrating SonarQube for IDE into developers' daily workflows allows issues to be identified and resolved as code is written, reducing the cost of remediation and improving developer productivity. By providing immediate feedback, developers can continuously improve code quality without interrupting development flow.
As AI-assisted development becomes increasingly common, SonarQube plays an important role in verifying both human-written and AI-generated code. Organizations can apply consistent quality gates, enforce coding standards, detect vulnerabilities, and validate maintainability regardless of how code is produced.
While no single tool measures every ISO/IEC 25010 quality characteristic, SonarQube provides actionable insights across several of the model's most critical dimensions, helping organizations build software that is secure, reliable, maintainable, and ready for production while supporting continuous improvement across the software development lifecycle.
