Secure Coding mailing list archives

Re: Interesting article ZDNet re informal software development quality


From: "Bruce Ediger" <eballen1 () qwest net>
Date: Fri, 09 Jan 2004 14:47:11 +0000

On Thu, 8 Jan 2004, George Capehart wrote:

> security.  *That* is part of the requirements.  If it's not a
> requirement, then the system owner signs off on it and accepts the
> risk.  Developers are *not* risk managers.  I agree 1000% with your
> position that part of good security is balancing the cost of the
> process and controls against features and risk.  But the decision about
> how much residual risk will be accepted is up to the business owner of
> the system, *not* the developer . . . It's a business decision, not a
> technical one . . .

But in the context of the "interesting article" that lent its title
to this thread, the "system owner" and the developer roles often
belong to the same person.  Or nobody in particular has the "system
owner" role.

Even in a corporate environment, the business owner of some system
is often so lacking in technical savvy, or so much more interested in
jockeying for power than in actually managing, that risk management
devolves onto the developers in most or all corporate development.

Just like failing to acknowledge the tensions between aspects of
"quality", saying that a "business owner" or "system owner" of
a system should perform risk management, and the developer should
not, denies the reality of most software development.  Holding such
a position makes you part of the problem, not part of the solution.
