Quality Management and Security
In software development, quality management encompasses everything from Quality Assurance (QA) to Quality Control (QC) and, ultimately, Quality Engineering (QE). All of these areas play a role in application security and compliance. Quality is often perceived as a cost by organizations, so when budgets are cut, these areas usually bear the brunt. This is a slippery slope for a company, especially one that is trying to meet the standards required by security compliance regimes, because the evidence those regimes ask for (test cases, coverage, pass/fail history) is produced by the very work being cut. Removing quality from the budget has far-reaching consequences over time.
Look, I’ve been there. Quality work is a cost, and many clients don’t feel they need to pay for these services. I have heard every excuse.
“Why do we need to pay for testing when the software is working just fine?”
“Why don’t your developers just test it as they go?”
“If testing is already automated, then why do you need a quality engineer anymore?”
The problem is that the cost they may save by reducing quality checks leads to expensive defects and a loss of client confidence. Quality should be treated as an independent check on whether the application behaves as intended, and that check should not depend on the company's budget or schedule. Too many times, I have been in a “crunch” situation where quality is sacrificed due to budgetary or time constraints. No developer should be the final sign-off on their own code either. I have experienced developing something and thinking it is perfect, only to have someone check my work and tear it apart. There is nothing wrong with someone from the outside questioning our work and offering solutions we haven’t thought of. That is the definition of collaborative work and is a primary tenet of Agile development.
As for the last question, I have automated myself out of a job. The organizations that have done so have paid dearly when they released me (and others in the field) and found out that, as new features and changes are developed, those automated tests need to be maintained. As changes are made, automated tests will break. If you do not have someone to support them, they will become useless to your organization and will not be able to identify the defects you are releasing. Bringing back someone whom you laid off to fix these issues is going to cost you, even if the personnel are interested in returning. Many will have moved on, or the situation will result in even higher costs.
When I discuss quality with others, it isn’t just assurance and testing. That is only a part of the conversation. Other subjects, such as code and data quality, security vulnerabilities, and so on, are also discussed. Believe it or not, the individuals who work in Quality and Security often collaborate on various aspects. Audits will have line items that are covered in quality, so your quality personnel need to anticipate what will be required and prepare accordingly.
For instance, if your organization wishes to pursue a SOC 2 (System and Organization Controls 2) attestation report, there are several line items that fall squarely under the Quality department. Test cases, coverage, and their pass/fail metrics are part of the audit evidence. It isn’t just something you can say, “Sure, we do that.” You will need to prove it and provide those metrics over the audit period, which means they have to be collected continuously, not reconstructed afterwards. If you are a small organization, this may not seem like a significant issue. If you are growing your organization and find yourself needing an audit, it is better to have the information available upfront. Otherwise, you will run the risk of having to backfill the data, which will cost significantly more than if you had collected it as you went.
The quality department also assists with risk analysis, security testing, and ensuring that secure coding practices are followed. I have no idea how many times I have seen things like usernames and passwords directly in the code for an application, but it has been many times. A credential in source code ends up in every clone of the repository, every build artifact, and every backup, and it cannot be rotated without a code change. If your organization claims to be secure, then you had better be able to back that up. Otherwise, you will open yourself up to litigation.
There are many tools available that help detect issues, but you still need someone who understands the problems and knows how to fix them. Your organization may say it cannot afford quality, but I would like to push back and ask, “But can you afford defects, loss of client confidence, or lawsuits?”
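As an added example (not from the original post, and not any particular vendor's tool), here is the kind of check a quality or security engineer would wire into a pre-commit hook or CI job to catch the hardcoded usernames and passwords described above: a small scanner that flags string literals assigned to secret-sounding names, credentials embedded in connection URLs, and long high-entropy literals, with a placeholder allowlist so template values such as `"<password>"` do not produce noise. It is run over a constructed vulnerable snippet and over a hardened version of the same code that reads its secrets from the environment. The sample source, the variable names, the placeholder list, the entropy threshold and the redaction rule are all assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of application code with credentials baked in.
# (Assumption: illustrative only, not taken from any real project.)
VULNERABLE_SOURCE = """\
import psycopg2

DB_USER = "appadmin"
DB_PASSWORD = "Summ3r-2024-rotate-me"
API_TOKEN = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"
TIMEOUT = "30"
SMTP_PASSWORD = "<password>"
conn = psycopg2.connect("postgresql://report:Qwerty123@db.internal/sales")
HMAC_SEED = "q8Zr2LmV7xN3pW9kT4yB6sD1"
"""

# The same code hardened: secrets are injected at runtime, never committed.
HARDENED_SOURCE = """\
import os
import psycopg2

DB_USER = os.environ["DB_USER"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_TOKEN = os.environ["API_TOKEN"]
conn = psycopg2.connect(host="db.internal", dbname="sales",
                        user=DB_USER, password=DB_PASSWORD)
"""

# Rule 1: a quoted literal assigned to a name that suggests a secret.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_]*(?:passw(?:or)?d|secret|token|api[_-]?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]([^'\"]+)['\"]"
)
# Rule 2: credentials embedded in a connection URL, scheme://user:password@host
URL_CREDENTIAL = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:/@'\"]+):([^\s/@'\"]+)@")
# Rule 3: any long quoted literal that is random enough to look like key material.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")

# Values that are templates rather than real secrets (assumed allowlist).
PLACEHOLDERS = ("<", "${", "{{", "changeme", "example")


def shannon_entropy(text):
    """Bits of entropy per character: random keys score high, words score low."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in Counter(text).values())


def looks_like_placeholder(value):
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDERS)


def _finding(lineno, reason, name, value):
    # Never echo the full secret back into CI logs; keep a short prefix only.
    return {"line": lineno, "reason": reason, "name": name, "redacted": value[:2] + "***"}


def scan_source(source, entropy_threshold=3.5):
    """Return a list of findings for the given source text, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        before = len(findings)
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if looks_like_placeholder(value):
                continue
            findings.append(_finding(lineno, "secret assigned as a string literal", name, value))
        for m in URL_CREDENTIAL.finditer(line):
            findings.append(_finding(lineno, "credentials embedded in a connection URL",
                                     m.group(1), m.group(2)))
        # Only fall back to the entropy heuristic on lines the precise rules missed.
        if len(findings) == before:
            for m in QUOTED_LITERAL.finditer(line):
                value = m.group(1)
                if shannon_entropy(value) >= entropy_threshold:
                    findings.append(_finding(lineno, "high-entropy string literal",
                                             "<literal>", value))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        results = scan_source(src)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f['line']}: {f['reason']} ({f['name']} = {f['redacted']})")
```

The precise rules run first and the entropy heuristic only on lines they did not flag, which keeps the output to one finding per line; the hardened snippet yields nothing because the secret-sounding names are no longer bound to literals. In a real pipeline the scan would fail the commit or build on any finding, and the allowlist would be kept small and reviewed, since every entry in it is a place where a real secret can hide.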