Stuart King's posting on the importance of process reminded me of the important issue of software development standards. I believe it's time for a big change, for a fresh approach, because our legacy standards are no longer fit for purpose.
Back in the '80s the US Department of Defense established the Software Engineering Institute (SEI) at Carnegie Mellon University to address the issue of software quality. The SEI built on some emerging concepts from Total Quality Management to develop the first Capability Maturity Model (CMM) - a major breakthrough. Wonderful stuff, except that it was developed to solve the problems of large-scale Defense programmes. And in such environments, implementing and certifying development processes against several hundred pages of controls was no problem at all.
Fast-forward to 2007 and much of the critical software we depend on is developed by small start-up companies with no more than a dozen programmers operating in a highly informal environment. Does the Carnegie Mellon model fit this environment? Absolutely not. It remains a useful benchmark for any organisation that seeks to off-shore their software development. But it does not fit the shrink-wrapped package world, operating out of a Silicon Valley garage or a backstreet Soho office.
In addition, we now have to accommodate the new science of security vulnerability management. No code should be cut today without meeting tough security standards to remove exposures to buffer overflows and other nasty vulnerabilities. Microsoft has set the standard in this direction and they should rightly be applauded. But not everyone else gets it. And even then, we have a big hill to climb in order to update our System Development Lifecycle (SDLC) methodologies and train our designers and programmers in how to develop security architectures and cut secure code.
So we need a new approach. We need a new software development standard that's lightweight enough to be adopted by small technology companies, but captures all the essential new security practices. Any ideas on how we get there?
Comments (1)
Good article!
About 6 years ago I was looking at eXtreme Programming and other so-called lightweight or agile methods for software development and was trying to persuade colleagues and friends that something's not right. I was trying to find a way to apply quality standards on top of these methods. Even then I realized it is a difficult task, as you would not want to make the agile too heavy and you still want to secure the code. Unfortunately my investigation ended when I joined a large blue chip company and started traveling to different sites, but this article reminds me that the problem is still not solved. Excellent reading!
Posted by Plamen Balkanski | March 21, 2007 1:17 PM