FW: A Question of Quality

["Nevil Patel" <nevil.patel () gmail com>]

These issues need to be handled first at the client end with due diligence
in terms of their project management, vendor management and outsourcing
processes. 

Plus the ability of their Managers to get the needed finances to do a good
job.

Whether outsourcing or in-sourcing software quality depends on the processes
being followed.
These processes are definitely not limited to guidelines on how to build the
software, they include hiring, training, etc.
If quality is important, it would be prudent for one to outsource work to a
minimum CMMI Level 3 company to do the development. Preferably one that is
also ISO certified - because then they are externally audited ever 6-12
months
Plus has a long list of Client references. 

Obviously they will charge more for following additional processes and
testing procedures that ensure better quality.

The level of security required is a different issue, it must be clearly
specified as (nonfunctional) requirements in the Functional Specs document
which then becomes part of the contract that the client signs with the
developer. 

Depending on the level of security required there will obviously be an
impact on the software architecture and thus the price of the project.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Robert Hajime Lanning
Sent: Monday, November 03, 2008 12:24 AM
To: Security Basics; Web Application Security
Subject: Re: A Question of Quality

On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:
> Why isn't Quality Assumed?
> Why isn't Security Assumed?
> Why are these concepts thought of as add ons to Applications and Services?
>
> Why do they need to be specified, when they should be taken for granted?
>  - Input Validation
>  - Boundary Conditions
>  - Encrypt Data as necessary
>  - Least Privilege Access
>  - White lists are better than Black lists

I believe one of the issues is, pride of ownership in the end product.

A lot of the coding is now outsourced to cheap code houses.  These people
do not have ownership or attribution.  They have no reason to take any extra
steps, that are not specified in the contract.  If it is not in the
contract, they
are not being paid for it.

It's like a building contractor.  If it is not in the blue prints, it
does not go into
the finished building.  That is why a building spec is a thick book, that
goes
all the way to specifying the exact screw to use.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri