Software Testing & Assurance



Coton Park House
Linton
Swadlincote
Derbyshire
DE12 6RA UK


T: +44(0)1283 763632
F: +44(0)1283 763631



The Elements of a Software Assurance Programme






Programme Areas & Building Blocks

The building blocks of an effective assurance programme fall into three main areas:

  • Implemented System Assessment - Taking the software produced by the development process and assessing it using dynamic testing, analysis tools and targeted implementation reviews.
  • Generic Development Quality Control - Assessments and reviews performed on the system definition, design and implementation activities. This includes assessing the intended behaviour of the system, assessing the proposed architecture of the system and reviewing individual work products.
  • Activities Focused on Specific Operational Risks - Threat identification and failure analysis focusing on the ways a system could go wrong that would be deemed disastrous. The focus depends upon the application and the nature of the system and could, for example, be in the areas of safety, privacy, fraud prevention or the accuracy of a key output.

Risk Based Assurance

Each programme requires a different mix of these activities. The appropriate mix depends upon the nature and intended use of the system. The assurance programme is inherently risk based, ensuring the most effective use of available resources. Risk shapes the programme at three points:

  • In the planning phase. The identification of specific operational risks and the activities to address them, together with the choice of strategic test packages, shapes the programme around project risks.
  • In the use of the output from any hazard / threat / failure analysis activities as a primary input to the assessment planning process. This helps to ensure that testing covers areas where there is a possibility of critical failures.
  • In the use of an analysis-led approach to the assessment of the implemented system. With this approach only strategic packages are explicitly identified during the early planning phases. Additional packages are defined after analysis of the system, with packages chosen to address the highest priority test requirements identified by the analysis. This ensures effective use of resources: effort goes into testing high-risk areas rather than into performing generic classes of testing envisaged at the start of a project.


SQC Capabilities


We can define, manage and implement all aspects of an assurance programme. We can deliver the programme using our own resources or working with a client's personnel. Our technical capabilities include all of the analysis, review, assessment and testing activities required for an effective programme.

Our engineers focus on identifying potential problems, and assessing their impact & probability. They assist developers attempting to engineer out / down the risk that they have identified. They establish checks / tests to ensure that any occurrence of the problem is detected and then eliminated.

We can provide quality assurance support across the complete lifecycle of a project. Alternatively we can provide assurance to address particular types of risk or undertake specific assurance activities within a larger programme. Involving SQC in a testing programme provides managerial and technical independence. This independence is one of the key requirements for a successful programme. SQC's involvement also ensures that appropriate resources are applied to the programme and that resources are not reassigned to mainstream development activities.

Software testing requires skills and approaches that are different to those required for development tasks. Effective testing also requires that the testers understand software, how it operates and how it fails. The best testers have both development experience and the testing skill set. The best test managers need to have managed software development.

SQC can provide this mix of skills - specialisation in software assurance combined with development and management experience. Our personnel focus on testing, have a testing mindset and have highly systematic approaches. We also have experience of the development side of software: specifying, designing and implementing it. We understand how software works and how it goes wrong. Experience of managing development enables us to achieve an appropriate balance of the competing demands of resources, schedule and quality.

Assignments are directed by Neil Hudson MBCS CEng, a British Computer Society Registered Consultant. Neil has over 15 years' real-world experience of software assurance and software testing. He has also designed / implemented software and managed software development. He has evolved an effective, pragmatic approach to software assurance based upon his experiences in this field (see Neil Hudson's Profile).

The SQC track record is that we regularly find large numbers of faults in systems we test. This prevents end users encountering these faults and so it is a record we are proud of.