Thursday, July 11, 2013

Why Do Software Defects Exist? (Part 2)

(Originally published at
In Part 1, I proposed that application release decisions are not actually time-based but are instead risk-based.  To summarize, when the Lines of Business demand a specific time to release (from project inception) the Project Lead considers the risk to the business of releasing the application at that time.  This is illustrated to the right.

Application Development Constraints

Let's take a quick look at the "risks to the risk."  These are also known as constraints of the application development process.  I'll start by describing them as they are defined in the book Reality is Overrated (link goes to Amazon).
  • Incomplete Development refers to the fact that software that a developer requires to validate their own code production is unavailable, requiring that developer to stub downstream systems.  The net result is that testing coverage early on is very sparse and puts the onus on the Quality Assurance team to find every defect, something that rarely happens if at all.
  • Infrastructure Unavailability refers to the fact that hardware that is required to run software that a developer requires to validate their own code is unavailable with the same result.  An additional side effect is that sometimes the infrastructure that is unavailable is required to run the developer's own code, meaning they are "dead in the water."
  • Third Party Access Fees refers to the fact that integration with other, internal applications (in situations where charge back policies are in effect) or external applications where fees are assessed for test accounts or, worse, per test transaction.  What I've personally seen happen is that a self-imposed availability constraint is put into effect to avoid "funding bleed" and the inevitable question, "why didn't you hire more consultants?"
  • Finally, Test Data and Scenario Management refers to the long turnaround times when production quality test data is requested.  The slow responses are due to the fact that the DBAs have other, higher priority activities to attend to typically plus the effort to scrub production data to remain in conformance with regulatory requirements (PII, PHI, etc.) is no small feat.
Availability is "Risk to the Risk"

I've defined these four constraints in these specific ways with the intention of highlighting that every one of them, at their core, is a problem of availability:  unavailable software components or applications; unavailable infrastructure; and unavailable test data.  It is this availability problem that is the "risk to the risk" for the following reason:  every time an availability problem manifests itself, a delay in the SDLC is introduced.

What does this mean?  This means that the original assessment of being able to, in our example, deliver the application at 6 months with 75% correctness is no longer valid.  Instead, the inability of the development team to complete their normal activities prevents them from ensuring correctness, so the point in time where 75% correctness is achieved may be 7, 8, 9 months or more from project inception.

The Net Impact

This puts the Project Lead in a bad position because they had the chance to negotiate timelines at the outset.  Now either the delivery date gets pushed in the name of risk while making the Project Lead and their management (who committed the date to the Lines of Business) look unreliable, or the project is released "on time" with quality that's further reduced.

Regardless of which road is taken, quality is not improving and frequently declines in applications released to production.  This adds to the risk that the business will suffer a production outage and ultimately has the possibility of materially impacting revenue; causing a decline in brand equity; or even resulting in shareholder lawsuits in severe enough instances.

Obviously, alleviating the availability constraint in any or all of its four forms has a snowball effect on the quality of the result.  It is the removal of this constraint that the discipline of Service Virtualization effects.  You'll find more excellent material on the industry leading Service Virtualization solution provided by CA Technologies at as well in the few discussion groups on LinkedIn.

No comments:

Post a Comment