Saturday, February 28, 2009
Agile is the antithesis to security...
Consumers expect enterprises to write their systems in a secure manner, yet most IT professionals have no formal background in computer science, software engineering, etc. Combine this with the fact that most folks in charge of IT aren't truly IT professionals, and consumers losing their data is almost guaranteed.
Most IT professionals are self-taught and learned to program from books (some of which I have written), while companies are further scaling back the amount they spend on training. Others simply don't feel the need to expand their skillsets or thinking beyond banging out the next line of code. If I consider my own employer, who is gracious enough to provide space for our local OWASP chapter, how many of the people working for IBM, Wipro, Cognizant, TCS, Accenture, Satyam and Infosys who are already in the building made the effort to attend? You get the point.
The Dot-Com period gave us the mantra of "make it work, make it work fast, make it scale, make it reliable", as if the last three characteristics can be bolted on after the fact. The Agile movement, while having the best of intentions, has sort of devolved into the overuse of refactoring to cover up the lack of engineering. Corporations have also completely devalued the title of Software Developer by bestowing it upon anyone who can write a shell script or web page.
The title of architect is far too often handed out to a lead developer with the hope that he/she will magically understand all of the technical and non-technical issues involved with application/system/enterprise architecture. So, if you have been promoted to Architect within the last several years, what kind of training did you receive?
While I don't dispute the popularity of the "Quality Triangle", I don't find it particularly useful when doing projects. It's usually used as an excuse for not pushing back on potentially disastrous projects before they start, so from my perspective it's a fallacy that supports bad decision making. The real triangle, which developers don't seem to have heard of, involves three factors:
o Volume of Work to be Performed
o Delivery Schedule
o Resources Available
One cannot skip the scoping exercise just because management or the development team is in a hurry to start coding, unless you like cost and schedule overruns. A lot. I still wonder why common sense, that fleeting commodity that should govern decisions, is increasingly uncommon. SCRUM is starting to become a four-letter word in many shops, as IT is more about buy-in than about developing higher quality software cheaply. When it comes to security, consumers... You've been scrummed...