Assurance & Agile Processes

Emergent Properties

In the foreword to High Assurance Design (by Cliff Berg; Addison-Wesley Professional, 2005), Neumann states that "Security and reliability are both emergent properties of an entire system..." A consequence of this is that many of the tests that must be performed to verify security and reliability are so-called "negative tests": they verify that something cannot be done, rather than verifying that something can be done. To perform these kinds of tests, a complex testing configuration might be necessary that is best left in the hands of professional testers. As Brian Marick put it, "good programmers do functional testing, and testers should do everything else" ( classic/mistakes.html).

While considering a holistic system design, you must be careful to avoid falling into the pit of "big design up-front" (BDUF). You should be able to accomplish this if you follow agile principles regarding how the design is developed. Specifically, the criteria in Table 1 should be met for a design to be "agile."

1. Create the minimal design that is necessary at the time.
2. Maintain only those parts of the design that need to be maintained to satisfy the mission of the application—Update Only When It Hurts (see Agile Modeling).
3. Define success criteria—tests—that the design must meet from the beginning, in a manner analogous to test-driven development (TDD), and require the design to be "tested" with each build of the system.

Table 1: Agility criteria for design.

As an example of item 3 in Table 1, consider an application whose design includes a layer to protect an underlying resource, together with the rule that "no module may directly access the resource except for the protection layer." Any code that violates this rule puts the entire protection scheme at risk. Therefore, compliance with this rule must be verified if the protection scheme is to be successful. Because this rule cannot be tested by using functional tests, another means must be used. The testing of this design rule, its verification, can be achieved through any one or several of the means listed in Table 2.

1. Manual inspection of the entire code that might be able to directly access the resource.
2. Automated inspection, using code scanning or parsing tools.
3. Runtime checking, using dynamic tools.
4. Sufficient awareness on the part of developers, so that they know not to violate the rule.

Table 2: Design compliance verification methods.
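One way to realize item 2 of Table 2 for the design rule above, as an added example that is not from the article: a small `ast`-based scanner that flags any module other than the protection layer that imports the resource, including string-based dynamic imports that a plain text search would miss. The module names (`raw_resource`, `protection_layer`) and the sample code base are assumptions constructed for the example.

```python
"""Automated check (Table 2, item 2) of the rule "no module may directly
access the resource except for the protection layer". Added example."""
import ast

RESOURCE_MODULE = "raw_resource"        # assumed name of the guarded resource
PROTECTION_LAYER = "protection_layer"   # assumed name of the only permitted caller


def _imported_names(node: ast.AST) -> list[str]:
    """Module names a node imports: static imports plus string-based dynamic ones."""
    if isinstance(node, ast.Import):
        return [a.name for a in node.names]
    if isinstance(node, ast.ImportFrom):
        return [node.module] if node.module else []
    if isinstance(node, ast.Call):  # __import__("x") / importlib.import_module("x")
        f = node.func
        fname = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
        if fname in ("__import__", "import_module") and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                return [arg.value]
    return []


def find_violations(module_name: str, source: str) -> list[str]:
    """One message per reference to RESOURCE_MODULE outside the protection layer."""
    if module_name == PROTECTION_LAYER:
        return []
    hits = []
    for node in ast.walk(ast.parse(source, filename=module_name)):
        for name in _imported_names(node):
            if name.split(".")[0] == RESOURCE_MODULE:
                hits.append(f"{module_name}:{node.lineno} references {name}")
    return sorted(hits)


def check_codebase(modules: dict[str, str]) -> list[str]:
    """Run the rule over a {module_name: source} mapping; an empty list means compliant."""
    return [v for name, src in modules.items() for v in find_violations(name, src)]


# Constructed sample code base: the permitted layer, one compliant module,
# one static violation, and one dynamic-import violation a grep would miss.
SAMPLE_CODEBASE = {
    "protection_layer": "import raw_resource\ndef read(k):\n    return raw_resource.get(k)\n",
    "billing": "from protection_layer import read\ndef total():\n    return read('x')\n",
    "report": "import raw_resource as rr\ndef dump():\n    return rr.get('all')\n",
    "sneaky": "import importlib\ndef grab():\n    return importlib.import_module('raw_resource')\n",
}
```

Wired into the build as a failing step when `check_codebase` returns anything, this gives the design rule the per-build "test" that item 3 of Table 1 calls for.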

The choice should be made in consideration of the project's unique circumstances, including the level of maturity of the team, the size of the project, and the complexity of the overall code base.
