Feeds

Blog: Capturing and testing Business Policy.

Perhaps the biggest issue with legacy is separating out the business policies it embodies

Secure remote control for conventional and virtual desktops

I've just had an interesting email from Bill Nicholls in Washington State prompted by my piece on legacy systems here.

He wants me to put more emphasis on the “testing” phase, although he doesn’t like calling it “testing” because (I think) “testing” no longer implies (if it ever did) any particular attention to test design, coverage or completeness.

I have some sympathy with this view – I’ve met people who think that running a few million more-or-less sanitised “live production data” through a system is an adequate test before going into production. Well, it tests something, but it may only represent a very few equivalence classes repeated many times and the sanitising process (usually about making account numbers, names and personal data unrecognisable) may hide many data-dependent defects. So, after such testing, what can you really say about the risk associated with going live? Not much – so perhaps formal “quality assurance” is a better goal.

Bill identifies a real issue, which I think may be addressed in “model driven development processes” (such as the OMG’s MDA) used properly, as these should help to abstract business policy from the generated code. He says:

“The real killer problem in systems design and programming IMNSHO is dealing with policy changes which happen after a program is in production, usually encapsulating in hard code the then current version of policy. This particular bear trap can be devilishly difficult to get out of, sometimes requiring major code changes for a minor policy change. Policy really has to be isolated in systems. It is a part of the design process that requires high level input from management, rarely gotten in my experience. And it should be isolated in the software so that it may be easily changed, as parameters if possible, by small [discrete] code changes if not. The actual processing steps are relatively simple, it's all the policy and exception handling that generates the hardest code to verify.”

Amen to that – and it is especially relevant in modern loosely-coupled “service oriented” systems, where much of the complexity and opportunity for expensive defects may lie on the “dark path” of compensating transactions, invoked when something goes wrong. Just what is the business’ policy concerning compensating customers for errors? And, remember, that developers tend to concentrate on the positive, the “light path” through their systems; it’s the nasty cynical QA people who say “but what if…”.

Bill suggests that top (business) manager of the group being automated (or updated), someone empowered to make policy decisions which will stick, should to be included in design and reviews of the policy part of an automated system - because that is the part that they will change on minimal notice. That’s a familiar idea, because in a past life I was involved in introducing a JAD process (Joint Application Design, originally promoted by IBM, I think), which (as I understood it) involved locking the top managers (empowered to make policy decisions) with the developers, a "scribe" and a "CASE" tool in a hotel room, until the essential business policy framework for the development was captured.

Top managers couldn't be "captured" by the analysts on an ad hoc basis as needed; but they could schedule a concentrated requirements capture session. As I met it, the process was soon compromised as IT management allowed top managers to send along non-empowered representatives, which then allowed IT to get its own agenda "rubber stamped". However, I did learn something from the experience, if only that you can achieve nothing without informed top-management buy-in.

And I think that if you think that capturing policy separate from code is important, you should have a look at JAD. Or MDA. Or, perhaps the DSDM (Dynamic System Development) process; it's not anything much like JAD, but I think it has learned both from the JAD legacy and from Agile practice...

Choosing a cloud hosting partner with confidence

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.