The Nature of Software Development
Software development is often considered a solitary effort; a programmer sits with a specification or design and grinds out line after line of code. But in fact, software development is a collaborative effort, involving people with different skill sets who combine their expertise to produce a working product. Development requires people who can:
· specify the system, by capturing the requirements and building a model of how the system should work from the users' point of view
· design the system, by proposing a solution to the problem described by the requirements and building a model of the solution
· implement the system, by using the design as a blueprint for building a working solution
· test the system, to ensure that it meets the requirements and implements the solution as called for in the design
· review the system at various stages, to make sure that the end products are consistent with the specification and design models
· document the system, so that users can be trained and supported
· manage the system, to estimate what resources will be needed for development and to track when the system will be done
· maintain the system, tracking problems found, changes needed, and changes made, and evaluating their effects on overall quality and functionality
One person could do all these things. But more often than not, a team of developers works together to perform these tasks. Sometimes a team member does more than one activity; a tester can take part in a requirements review, for example, or an implementer can write documentation. Each team is different, and team dynamics play a large role in the team's success.
Keep in mind the kinds of sophisticated attacks described in the previous section. Balfanz reminds us that we must design systems that are both secure and usable, recommending these points:
· You can't retrofit usable security.
· Tools aren't solutions.
· Mind the upper layers.
· Keep the customers satisfied.
· Think locally; act locally.
We can examine product and process to see how both contribute to quality and in particular to security as an aspect of quality. Let us begin with the product, to get a sense of how we recognize high-quality secure software.