risk-management

Is it worth mitigating security risks in every application

As web developers our applications are vulnerable to a number of security holes (XSS, SQL injection, etc...). I'm a firm believer that if you're writing an app it should be protected from all of these well known vulnerabilities. However, I'm having a hard time convincing my team (and management) that it's worth the effort. This leads me...

How does a good developer keep from creating code with a high bus hit factor?

Look at the picture above. This could be a programmer going to be hit by a bus. According to Wikipedia, in software development a software project's "bus factor" (or "bus hit factor") is an irreverent measurement of concentration of information in a single person, or very few people. The bus factor is the total number of key...

What issues carry the highest risk in a software project?

Clearly, software projects are different from other industries in terms of many things like, for instance, quality assurance, project progress measurement, and many other things. Unique characteristics of software projects also make the risk management process unique. Lots of issues in a project might lead it to unacceptable delay or f...

What are your risk management strategies?

We're a small web development business and we eventually want to release web applications as well. Right now, we're doing some risk assessment and would like to know what other companies do for security and risk management. What are your risk management strategies and practices, technical and otherwise? Here's what I have so far (and I'...

What is the difference between risk analysis and risk mitigation?

What is the difference between risk analysis and risk mitigation, and when (before coding or after coding?) and by whom (QA/analyst/developer?) should they be performed in the Software Development Life Cycle? Opinions, links or document templates would be helpful. EDIT If I follow meade's comment: "According to Tom DeMarco - Risk Manag...

Risk Management Profile for Web Software Projects?

Hi, I'm about to start working on a "Software as a Service" website project. This is the first project of this kind I am going to work on, so while I am trying to anticipate any possible risks, I'm sure there will be many more I will not take into account. Does anyone know of a suitable risk profile boilerplate for this kind of proje...

Test what you fly, fly what you test. [NASA Principle]

Hi, I just stumbled on a principle I can't understand. Does "Test what you fly, fly what you test" mean that you should develop and test for the real thing all the time? Thinking about this makes me wonder: Should we prepare for production conditions in advance? Should we launch the system on day one? (maybe not inform end users) ...

Daily risk estimation for your team

Assume that you lead a team of 4 developers. How often would you estimate the risk of the project? What do you think about daily estimation? Do you think that daily updates of the potential problems (based on the morning stand-up meetings with the team) released as a short summary e-mail is a good idea? Maybe you would consider an a...

Sources for Software as Risk Management

I'm looking for my own research for sources that look at software as a way to manage risk. I don't mean risk management for software development projects, I mean how working software can automate the management of risk. My interest is more philosophical: how do people put software in action to practically get control over factors that o...

Risk Management

Please provide your inputs from a management perspective. What initiatives should one take to make sure every project manager is following risk management processes? I would like to follow Risk Driven Project Management across all projects. What should I do to implement RDPM successfully in my org? What are the approaches? ...

DVCS and data loss?

After almost two years of using DVCS, it seems that one inherent "flaw" is accidental data loss: I have lost code which isn't pushed, and I know other people who have as well. I can see a few reasons for this: off-site data duplication (ie, "commits have to go to a remote host") is not built in, the repository lives in the same director...

Usage of open source libraries in high governance and risk-averse large organizations (banks, financials etc)

Does anyone have any good stories of these kinds of organizations being open to using open source dependencies (and also tools). Many staff I've encountered have little or no exposure to open source/systems and open source is treated with great suspicion. Some reasons given for this are lack of support and robustness, which is ironic gi...

Development Environment in a VM against an isolated development/test network

I currently work in an organization that forces all software development to be done inside a VM. This is for a variety of risk/governance/security/compliance reasons. The standard setup is something like: VMware image given to devs with tools installed; VM is customized to suit project/stream needs; VM sits in a network & domain that i...

Rails Modeling: Trying to sort out proper associations for Risk Assessment system

I am trying to implement Rails as an Asset Management/Risk Assessment system. I have been trying to work out the best way to model this. A picture of what I am thinking right now. I would like to automate as much of the treating process as possible. Ideally, someone would fill in the information for a new asset, and rails would fill...

What other RM methodologies are well known besides FMEA?

Risk management is defined through several processes that pretend to identify and control the possible risks that may affect the success of a project. The most common methodology for RM is Failure Mode Effect Analysis. Does anybody know some other methodologies used in the management of risk? ...

How relevant is it to analyze a software project from the economic point of view in order to generate a risk management plan?

What should be the most important points to analyze from the economic point of view? Of course I mean if the project is a software development or implementation. Hope someone can understand my question. Thanks ...