Tuesday, August 12, 2008
Is CMMi evil?
Many folks know that I am currently project leader for the OWASP Maturity Model Project and am looking for volunteers. The hardest part is to avoid CMMi-like thought processes which exist solely to create consistent suckage...
Robert McIlree: champion of Heavyweight Process
Agilist that doesn't "get" CMM
Robert McIlree: champion of Heavyweight Process
Agilist that doesn't "get" CMM
Robert McIlree: champion of Heavyweight Process
Agilist that doesn't "get" CMM
Robert McIlree: champion of Heavyweight Process
| | View blog reactionsRobert McIlree: champion of Heavyweight Process
Enclosed please find draft of Blowhard Jamboree procedure. The document lists major steps in Useless Lifecycle System. Please send me your comments (additional activities, check list points, etc.)
+++ Attachment: 20 pages long document, complete with title page, table of contents and glossary of terms, describing the XYZ procedure. It also contains a one page Excel sheet with all the steps listed. Meaning of each step listed would be obvious to any practitioner in the field. +++
Agilist that doesn't "get" CMM
I am coming from this perspective: "long procedure documents full of obvious statements are evil, because they distract the reader with trivial details. Therefore nobody will read them more than once and most people will not read them at all". So, although it gives a nice feeling to champion some such document (at least, it does that to me), it rarely adds value. The essence of all the writing is Appendix A (the checklist). In my humble opinion, this is the only documentation that we really need to manage Process Governance. Probably "task owner" column should be added to it; probably Appendix B "Ground rules" is also nice to have attached. Primary purpose of the kick-off meeting, again IMHO, should be then to pull out the previous version's checklist and consider in what ways it has to be altered for the new version. We were dealing on that basis with
Robert McIlree: champion of Heavyweight Process
We can't embrace lighterweight ways of developing high-quality secure working software as we are a large company.
Agilist that doesn't "get" CMM
Hmmm. You seem to have forgot to mention the fact that we are also conservative :-)
Robert McIlree: champion of Heavyweight Process
Even if I thought deeply and concluded that IT exists is to deliver high-quality secure working software to the business, I can't possibly deliver something so simple to the business. I couldn't justify my existence as a consultant by doing the simplest thing possible and showing them Excel with 20 lines outlining the procedure. The thud factor has to be enormous for me to feed my family.
Agilist that doesn't "get" CMM
Your brilliance and overwhelming use of hand waving has convinced me that I am wrong for referrring to CMM as evil.
Robert McIlree: champion of Heavyweight Process
You cannot simply state that CMM is evil. Making that statement without an auditable artifact flow is against evil best practice. Please create an Evil Requirements Definition document to be submit to an Evil Review Committee as directed in the Evil Development Life Cycle Manual. Once you have obtained the appropriate signatures of the Evil Personnel, you can begin to prepare and Evil Design Document that must be reviewed not once but at least twice. Once you have completed and Evil Preliminary Design Review and an Evil Critical Design Review and again received the necessary Evil Signatures, you can begin to develop your Evil Statement. Once complete, you will have to submit your Evil Statement to an Evil Independent Test consisting of testers who do not know what Evil is but have read through your Evil Requirements Definition.
Of course, Evil is flexible. Feel free to generate your own tailored versions of the thousands of pages of standard Evil Procedures. These will be carefully reviewed by the Evil Process Waiver Committee and rejected after wasting even more time and effort.
These processes are necessary so that an outside Evil Auditor can review our Evil Artifact trail without having a clue as to what we do. Remember, it is not enough to say we are Evil, if we are ever to reach Evil Level 5, Continuous Evil, we need to stop all activity not directly related to creating Evil Artifacts, especially wasteful things like deliverable products.