Secure Coding mailing list archives
Re: Interesting article ZDNet re informal software development quality
From: "Bruce Ediger" <eballen1 () qwest net>
Date: Fri, 09 Jan 2004 14:47:11 +0000
On Thu, 8 Jan 2004, George Capehart wrote:
> security. *That* is part of the requirements. If it's not a requirement, then the system owner signs off on it and accepts the risk. Developers are *not* risk managers. I agree 1000% with your position that part of good security is balancing the cost of the process and controls against features and risk. But the decision about how much residual risk will be accepted is up to the business owner of the system, *not* the developer . . . It's a business decision, not a technical one . . .
But in the context of the "interesting article" that lent its title to this thread, the "system owner" and the developer roles often belong to the same person. Or nobody in particular has the "system owner" role. Even in a corporate environment, the business owner of some system is often so lacking in technical savvy, or is more interested in jockeying for power than in actually managing. Risk management devolves onto the developers in most or all corporate development. Just like failing to acknowledge the tensions between aspects of "quality", saying that a "business owner" or "system owner" of a system should perform risk management, and the developer should not, denies the reality of most software development. Holding such a position makes you part of the problem, not part of the solution.