Policy Verification Through the Life Cycle

I thought it might be helpful to share how I think about the problem of "policy verification through the life cycle."  I use policy as a mapping for "rules", "building codes" or requirements.

For simplicity, I think about requirements as either user, system, or business requirements. I also break them down by business requirements, operational constraints, technological requirements, and organizational and industry compliance. From a life cycle perspective, I break the rules up into design, implementation, and deployment. This helps me very quickly parse and prioritize the space. It also helps me use the right tool for the job and right-size my efforts.

How does this help?  It helps when you evaluate your approaches.

  • What are the most effective ways to verify design rules? (for example, manual design inspections)
  • What are the most effective ways to verify implementation rules? (for example, FxCop and Code Analysis for low-hanging fruit, combined with manual code inspections)
  • What are the most effective ways to verify deployment rules? (for example, deployment inspections)
Published 28 January 07 01:14 by J.D. Meier
