Last night, I saw RIchard Monson-Haefel talk on 9 things every software architect should know. The funniest line was on EJB "I feel like I had a kid and he grew up and went on a crime spree", Richard's list of 9 things:
1. People are the plarform (ui is often the weakest link)
2. "All solutions are legacy" (My old partner used to say nothing more permanent than a temporary solution)
3. Data is forever (everything changes - new technology, new processes, but data is evergeen)
4. Flexibility breeds complexity (My security corollary is you empower developers you empower attackers
5. Nothing works as expected (Finally a security principle - design for failure)
6. Know the business
7. Maintain the vision. Should be cto but how can they do it? They are in too many meetings
8. Software architects should also be coders
9. There is no substitute for experience
I think its a good list, I think #5 is under emphasized of course. Securing software often comes down to developers and security people, but this is not enough. Software people don't know enough about security and security people don't know enough about software. So we need another layer to resolve this. Software architects are supposed to own the non-functional requirements like scalability and security, but too often security is just network firewalls and SSL. Software architects are in a good position to see the failure modes and drive projects to fix vulnerabilities and establish countermeasures.
Comments