Sunday, 5 July 2009

Full Risk Based SDLC

In the testing sphere there is a lot written about Risk Based Testing and how to go about it. I have had a quick look on Google (it may be that I am just blind), but there doesn't seem to be much in the way of a similar thing for development.

The development side does have practices like pair programming, code reviews, code coverage measurement, etc. which are expensive to apply all the time, but development could use the same data coming out of the Risk Based Testing data gathering sessions to decide where to apply them. Developers may also give a higher weighting/bias to the areas with a higher development risk, for instance due to complexity. An example could be:
  • Low Risk
    • Unit Tests with 95% branch and statement coverage
    • Static analysis using something like Sonar for complexity, copy-and-paste detection and coding standards
  • Medium Risk
    • Everything in Low Risk plus
    • A code review by a peer
  • High Risk
    • Everything in Low Risk plus
    • Pair Programming
    • A code review by the tech lead

That way, with Risk Based Development (RBD) and Risk Based Testing (RBT), the whole SDLC can be risk based. With Development and Test both using the risk data gathered, the time spent gathering it would be easier to justify, as it is used twice, and it should produce a better end product, since the riskier areas of the product are both better developed and better tested.