Feeds

Blog: Capturing and testing Business Policy.

Perhaps the biggest issue with legacy is separating out the business policies it embodies

3 Big data security analytics techniques

I've just had an interesting email from Bill Nicholls in Washington State prompted by my piece on legacy systems here.

He wants me to put more emphasis on the “testing” phase, although he doesn’t like calling it “testing” because (I think) “testing” no longer implies (if it ever did) any particular attention to test design, coverage or completeness.

I have some sympathy with this view – I’ve met people who think that running a few million more-or-less sanitised “live production data” through a system is an adequate test before going into production. Well, it tests something, but it may only represent a very few equivalence classes repeated many times and the sanitising process (usually about making account numbers, names and personal data unrecognisable) may hide many data-dependent defects. So, after such testing, what can you really say about the risk associated with going live? Not much – so perhaps formal “quality assurance” is a better goal.

Bill identifies a real issue, which I think may be addressed in “model driven development processes” (such as the OMG’s MDA) used properly, as these should help to abstract business policy from the generated code. He says:

“The real killer problem in systems design and programming IMNSHO is dealing with policy changes which happen after a program is in production, usually encapsulating in hard code the then current version of policy. This particular bear trap can be devilishly difficult to get out of, sometimes requiring major code changes for a minor policy change. Policy really has to be isolated in systems. It is a part of the design process that requires high level input from management, rarely gotten in my experience. And it should be isolated in the software so that it may be easily changed, as parameters if possible, by small [discrete] code changes if not. The actual processing steps are relatively simple, it's all the policy and exception handling that generates the hardest code to verify.”

Amen to that – and it is especially relevant in modern loosely-coupled “service oriented” systems, where much of the complexity and opportunity for expensive defects may lie on the “dark path” of compensating transactions, invoked when something goes wrong. Just what is the business’ policy concerning compensating customers for errors? And, remember, that developers tend to concentrate on the positive, the “light path” through their systems; it’s the nasty cynical QA people who say “but what if…”.

Bill suggests that top (business) manager of the group being automated (or updated), someone empowered to make policy decisions which will stick, should to be included in design and reviews of the policy part of an automated system - because that is the part that they will change on minimal notice. That’s a familiar idea, because in a past life I was involved in introducing a JAD process (Joint Application Design, originally promoted by IBM, I think), which (as I understood it) involved locking the top managers (empowered to make policy decisions) with the developers, a "scribe" and a "CASE" tool in a hotel room, until the essential business policy framework for the development was captured.

Top managers couldn't be "captured" by the analysts on an ad hoc basis as needed; but they could schedule a concentrated requirements capture session. As I met it, the process was soon compromised as IT management allowed top managers to send along non-empowered representatives, which then allowed IT to get its own agenda "rubber stamped". However, I did learn something from the experience, if only that you can achieve nothing without informed top-management buy-in.

And I think that if you think that capturing policy separate from code is important, you should have a look at JAD. Or MDA. Or, perhaps the DSDM (Dynamic System Development) process; it's not anything much like JAD, but I think it has learned both from the JAD legacy and from Agile practice...

Top three mobile application threats

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.