Software defects have to be analyzed once reported. The analysis is essential for both
functional and economic reasons. Obviously, it is hard to make a decision about an
identified defect until it is understood. At the same time, defects are not of equal magnitude,
and it would be extremely resource-inefficient to simply fix problems as they crop up;
problems need to be formally prioritized. That decision should be made by knowledgeable
personnel within the organization. Otherwise, organizational time and resources could be
wasted by individuals addressing problems that only affect them, or that are less critical
when compared to other problems. Therefore, the decision to fix a problem should be
authorized by a person with sufficient knowledge of the overall process.
Your CISO and the management team all want to have more of a say about changes to the
applications that make up AAG's product line (model case is located in the Unit 6
Discussion item). Moreover, they want to be able to ensure that the organization's entire
application portfolio is evolved based on the company's business strategy, rather than the
whims of its programming staff. This level of control can be achieved if the owners of
applications are responsible for authorizing changes to the application.
Therefore, the CISO wants you to define a management approach that allows the
appropriate organizational role to authorize changes to applications. Organizationally, the
process you develop should be hierarchical, since not all changes are at the same level of
importance. For example, programming managers should be allowed to make decisions
about minor technical changes, while only upper-level managers should be responsible for
making decisions about major strategic changes to the product, such as new versions. That
is because the latter type of change might require a change to the entire product line and
perhaps even to the way the organization does business.
To begin this Discussion, go to Bugzilla and search for the term "security." Choose one item
from the results list.
In your post, identify the item you chose and answer the following questions:
• What is the appropriate role to authorize a requested change for this issue (e.g., upper-level manager, manager, programming lead, programmer, etc.)?
• What criteria did you use to determine the appropriate role for approving fixes to your
• Why is it important to ensure that the right person makes the decision about this problem?
• If someone with the wrong role made the wrong decision, what might be the worst-case