19 May 2011
The engineering aspects of agile methodology – test-driven development and continuous integration – would definitely help avoid these types of security flaws (Lizamoon: will lessons be learned?). Prescriptive and restrictive waterfall methodologies such as Prince 2 tend to leave developers feeling less responsible for quality. With the emphasis on detailed up-front design and extensive testing at the end of a project, it is easy for people to assume that aspects such as security have been considered elsewhere.
Agile methods tend to be people- rather than process-oriented, engendering a greater sense of involvement and commitment in the project team. In this light, David Norton’s call for coding rules imposed by a third party is misguided. Such rules are easily circumvented – for example, mandating a certain level of test coverage leads to large unit tests that check nothing useful and merely improve the coverage metrics – and imposing external rules can be restrictive, leaving developers feeling unsatisfied with their work.
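The coverage-gaming point above is easy to see in code. The following is an added illustration, not code from the letter or from ThoughtWorks: a tiny SQLite lookup written once with string concatenation (the kind of defect behind a SQL-injection outbreak such as Lizamoon) and once with a bound parameter, plus two "tests". The first test executes every line of the function and so satisfies a coverage mandate, but asserts nothing; the second asserts the security property a developer who owns the code would actually care about. The table, names and the hostile input string are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """'Before' version: the caller's input is spliced into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Hardened version: the input is bound as a parameter, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A constructed hostile input: it must be treated as a literal name and match no row.
HOSTILE_NAME = "' OR 1=1 --"


def coverage_only_test(lookup) -> bool:
    """Executes every line of `lookup` (100% line coverage) but checks nothing.

    It passes for the unsafe and the safe implementation alike, which is why
    a mandated coverage figure says little about quality or security.
    """
    conn = make_db()
    lookup(conn, "alice")
    lookup(conn, HOSTILE_NAME)
    return True


def behaviour_test(lookup) -> bool:
    """Asserts the behaviour that matters: a legitimate name finds exactly its
    row, and an injection-shaped name finds nothing at all."""
    conn = make_db()
    legitimate_ok = lookup(conn, "alice") == [("alice", "admin")]
    hostile_ok = lookup(conn, HOSTILE_NAME) == []
    return legitimate_ok and hostile_ok


if __name__ == "__main__":
    for impl in (find_user_unsafe, find_user):
        print(
            f"{impl.__name__:18s} coverage-only test: {coverage_only_test(impl)}"
            f"  behaviour test: {behaviour_test(impl)}"
        )
```

Run as a script, the coverage-only test reports a pass for both implementations, while the behaviour test passes only for the parameterised one: the unsafe version returns every row for the hostile input because the trailing `--` turns the rest of the statement into a comment. A coverage dashboard cannot tell the two tests apart; a developer who feels responsible for the code can.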
Agile methods encourage all project members – analysts, developers and testers – to co-operate and strive for improvement, allowing them to create a system that will adapt to the needs and priorities of a business, delivering high-quality software quickly and reliably.
Nick Hines, ThoughtWorks