Secure Coding mailing list archives
Re: Interesting article ZDNet re informal software development quality
From: George Capehart <gwc () acm org>
Date: Sat, 10 Jan 2004 14:51:04 +0000
On Friday 09 January 2004 12:02 am, Bruce Ediger wrote:
On Thu, 8 Jan 2004, George Capehart wrote:
security. *That* is part of the requirements. If it's not a requirement, then the system owner signs off on it and accepts the risk. Developers are *not* risk managers. I agree 1000% with your position that part of good security is balancing the cost of the process and controls against features and risk. But the decision about how much residual risk will be accepted is up to the business owner of the system, *not* the developer . . . It's a business decision, not a technical one . . .
But in the context of the "interesting article" that lent its title to this thread, the "system owner" and the developer roles often belong to the same person. Or nobody in particular has the "system owner" role.
But there *is* a system owner. The business owner, or the DAA in C&A parlance, is the person who is accountable for the risk that he creates for the organization by using the system. Notice that I said "system." Not just software.
Even in a corporate environment, the business owner of some system is often so lacking in technical savvy, or is more interested in jockeying for power than in actually managing.
Technical savvy doesn't enter into it. The business owner needs to manage risk. There are *all* sorts of risk that have to be managed; IT risks are only a small subset, and those that are generated by software are a small proportion of the overall IT risk. The manager doesn't have to/shouldn't be the one to detail and quantify each and every risk. He/she has specialists in the different disciplines to do that. It is the subject matter expert's job to present the manager with the risk scenarios and a cost/benefit analysis. The manager then has to choose the tradeoffs that cause the least amount of pain. Jockeying for power is another matter. That means that that manager's boss is not doing his/her job . . . and is creating risk for the company.
Risk management devolves onto the developers in most or all corporate development.
That may be. That it does points to poor or non-existent corporate governance and risk management.
Just like failing to acknowledge the tensions between aspects of "quality", saying that a "business owner" or "system owner" of a system should perform risk management, and the developer should not, denies the reality of most software development. Holding such a position makes you part of the problem, not part of the solution.
I'd turn it the other way around. The risk is *not* the developer's to manage. It is the business/system owner's (whether he/she knows it or not). If the organization suffers losses from the use of the system, it is not the developer who is accountable. There is much more to the topic than I think you are aware. It would be very hard to do the subject justice via the email channel, much less in one message. If you'd like to pursue the topic, let me know off-list and we'll try it over the phone . . . /g