Don't shoot the developer!
A recent report on the top 25 most dangerous coding errors has been used in support of a push by IT security vendors to encourage customers to hold IT developers responsible for the security of their products.
As reported in the online press, this includes a contract template which includes the clause:
"Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application..."
As the article notes, "In other words, when it comes to application security and QA, the buck stops with the developer. And that's in a contract that likely won't even be seen by the developer and will be signed on his behalf by his employer. It renders the contract unenforceable - so why add a clause like that in the first place?"
The article goes on to state that "management should be taking the lead to impose processes on development, rather than blaming the programmers for a breakdown in process."
This, of course, emphasises the need for sound development processes, but it also demonstrates the purpose and value of effective QA: to identify and eliminate defects, and to support and improve adherence to the expected processes and standards.
The Register article concludes: "It's good to see that QA has come back into fashion, despite being re-branded in the guise of security and the paranoia of an 'unseen enemy that cannot be defined'."
Of course, this has always been one of the fundamental elements of the CMMI model, and crucial to a successful process-based transformation programme. One of our clients is presenting a case study this summer about how the creation of a strong and principled QA team proved to be one of the key tipping points on their journey to maturity.
So don't shoot the developer - instead get your standards up to scratch using strong and effective QA.
[This might be a good time to mention Compita's 'QA and Vendor Management' training, which was developed specifically to support the improvement drive of a CMMI Level 3 organisation and embraces the topics of software quality assurance, internal auditing in an IT environment and supplier management. It can be run internally as a 3-day intensive workshop, or spread out and delivered over a longer period. Give us a call to discuss who, in your organisation, would benefit most from this workshop.]