TEAM Zarate Tarrani Notes From the Field

Product links in this blog use an Amazon affiliate tag. Clicking them costs you nothing, but does generate a small amount of revenue.

I have moved to Process Notes, which is a forum. I may be adding content here from time to time, but the forum is a more interactive vehicle.

Magic? Mystery? Why have five weeks worth of entries suddenly appeared? Answer:we've been adding the content, but didn't release it until a few minutes ago. Among the reasons for this are work, my trips to Florida and Texas, and Linda's busy schedule which includes frantic preparations for her OCP examination and a plethora of other issues.

Appreciation. One gentle voice who encouraged us to release the backlog of entries is Nikhil Joshi of Pune, India. Thank you for your support and encouragement Nikhil, and rest assured that we will try to not get so far behind again.

But ... The content for Postcards from the Revolution is going to take an additional day before we're ready to release it. Please be patient.

Quality and Testing. Rarely do I stray far from these topics, and the reason I am back in this entry is to share an excellent book titled Software Quality and Software Testing in Internet Times.

This book is a collection of papers that address the full spectrum of testing issues and challenges in rapid development/rapid deployment environments. Although the title implies that this book is about quality and testing of web applications, many of the papers go well beyond that narrow scope.

The papers are divided into five categories:

1. Managing for Optimal Time to Market. This categories contains an obligatory paper on high-speed web testing, which does address the key challenges. However, two of the papers are exceptional: Using QA for Risk Management in Web Projects drives home the relationship between QA and project risk, and Establishing Quality Procedures for Incremental Software Development is essential reading for anyone who needs to integrate testing into methodologies such as the Rational Unified Process or any other incremental/rapid development approach.
2. Processes. This section of the book has papers covering topics ranging from how to use Extreme Programming to manage project risks to adapting test processes to web applications. In many respects the papers in this section capture the essence of the book's theme.
3. Testing from the User's Perspective. This is my favorite section, especially the papers on business oriented testing for e-commerce and the paper titled "Strategic Testing: Focus on the Business". All of the material here reinforces my own experience and observations, and clearly shows the relationships among meeting business requirements, quality and project success.
4. Technical Testing. Test professionals will get the most from this section because it provides techniques. My favorite is "Securing E-Business" because this important aspect of testing is usually given superficial treatment (if it's covered at all) in most testing books. Another paper I liked in this section is "The Back-End Side of Web Testing: Integration of Legacy Systems", which is applicable to enterprise application integration and e-business system testing. In addition to papers on testing techniques, other aspects of quality are covered in this section, such as performance monitoring (more aligned to capacity planning and performance management than testing, but certainly applicable to quality and service level management).
5. Test Automation Techniques and Tools contains a single paper titled "Automated Testing of mySAP Business Processes". If you're involved in web-enabled ERP or portal quality this paper is a treasure.

Although this book is an anthology, the topics and editing make it coherent and focused. It is not a book that covers quality or testing as a unified methodology. If you're seeking such a book read Quality Web Systems: Performance, Security, and Usability by Elfriede Dustin, Jeff Rashka and Douglas McDiarmid does go into details and is one of the best books on end-to-end web systems quality.

Capability Maturity. Most books on the CMM assume that you're headed for Level 5 and then proceed to write a confusing and overwhelming guide for getting there from ground zero. Implementing the Capability Maturity Model is different.

The author of this excellent book give a realistic roadmap to achieving CMM levels 2 and 3, which are major hurdles in capability maturity, especially level 2 from a culture-shock point of view.

What makes this book realistic is the way you're lead through the important steps, with a complete focus on what it takes instead of theory. The book starts off with an obligatory overview of the CMM, but quickly segues into the steps needed to attain level 2 (repeatable), which are creating the structures, processes, training program and policies. While each of these are important, I especially like the inclusion of policies because they are necessary to codify goals and are frequently overlooked. This section also includes subcontractor management, which is important for aligning those with whom you are using on projects with your own organizational capabilities. This makes sense because if your organization is repeatable and your subcontractor(s) aren't, then you either need to go shopping for more compatible subcontractors, or get dragged back into ad hoc approaches.

The same approach to graduating to level 3 is used, with slight changes. In the section that covers level 3 the first topic is about focusing on organizational process improvement, followed by an in-depth chapter on defining organization processes. These reflect the key changes between level 2's repeatable goals and level 3's focus on defined processes. After these are clearly and completely explained the same formula - structures, processes, training program and policies - is addressed for level 3.

Following the steps to get to levels 2 and 3, the next section is centered on implementation and assessment. This section prepares you for the assessment process itself, and offers excellent advice on how to get through it. Additional information of value is provided in appendices B (Annotated Level 2 Preassessment Questionnaire) and C (Samples of Level 2 Policies), both of which are provided in PDF format from the book's associated web site.

One key question that needs to be answered: Which is better, this book or CMM Implementation Guide: Choreographing Software Process Improvement by Kim Caputo? My opinion is that both books are equally important and both should be read because they cover two different aspects of attaining CMM levels 2 and above. This book concerns itself with the nuts and bolts of processes, where Caputo's book is more focused on organizational change. I recommend both books, and think that they nicely complement each other.

Production Matters. The most critical phase in a systems life cycle is the transition to production. Done wrong and all of the work performed in the requirements, design and development phases count for very little, no matter how well the work was managed and how mature the processes. A book that specifically addresses this make-or-break event is The Unified Process Transition and Production Phases. In the Unified Process (or any systems life cycle) the milestones/phases up to transition are well documented, but these represent the tip of the iceberg with respect to determining project success and total cost of ownership. This unique book examines the transition and production support requirements, addressing some of the deficiencies in the Unified Process (production support is all but ignored), and can be applied to other development life cycle models, nearly all of which have the same blind spots.

Many of the ideas and the approach for this book were born in the author's earlier book, More Process Patterns, which examined the very transition and support requirements in a more generic manner. In fact this book, like the earlier one, is a collection of best practice patterns that cover the transition and production milestones. After an introduction that explains the rationale and approach, the book covers the workflows and patterns in the sequence in which they will occur: testing, deployment and environment, operations and support, project management and infrastructure management.

What makes this book important is that it extends the Unified Process to include the key milestones that account for cost and quality, and goes into great detail about what is required and how to avoid failure. If you work in operations and support you will find the material in this book invaluable - you should also buy copies for key members of the project team that is delivering your system so they have an understanding of and appreciation for the task of supporting their creation. While this book will obviously benefit shops that employ the Unified Process, the information and workflows are equally useful in any development approach.

Data Warehousing. Two books that will interest architects, developers and DBAs are:

1. Data Warehousing Fundamentals. This is one of the best introductory books on data warehousing I've read. The authors make few assumptions of reader knowledge beyond the fact that they are IT professionals who have a technical background that doesn't necessarily include database and data warehouse knowledge. They do assume a basic knowledge of IT operations, project management skills and systems analysis and design - skills that IT professionals are expected to have.
   The book is divided into five parts: Overview and Concepts, Planning and Requirements, Architecture and Infrastructure, Data Design and Data Preparation, and Implementation and Maintenance. These follow a development life cycle, making the structure of the book easy to follow.
   What I like about this book is it doesn't just cover the theory and concepts (which it does do well), but sets data warehousing in the context of a larger architecture designed to meet specific business requirements. I also like the way the authors address real world issues such as planning and managing a data warehouse project, and the issues and factors surrounding adding a data warehouse into an existing technical architecture. This information is what IT professionals are seeking when they are faced with a technology with which they may not have strong knowledge, and it makes this book useful to the intended audience.
   Among the chapters that I most liked are: Principles of Dimensional Modeling, Data Extraction, Transformation, and Loading, and Data Quality: A Key to Success. These capture the essence of data warehousing in my opinion and are topics that IT professionals without a data background need to understand. I also thought that each of the appendices were useful. They provided a finishing touch by covering project life cycle steps and checklists, critical success factors and guidelines for evaluating vendor solutions - each of which provide practical information.
2. Data Warehousing and Web Engineering. This is a collection of papers that cover salient issues in data warehousing with an emphasis on business intelligence, data mining and knowledge management applications. While many of the papers in this book are more useful to technical professionals, there is a lot of material that will also be useful to marketing and competitive intelligence specialists in the business domain.
   Some of the papers are more basic and introductory, such as "Justification of Data Warehousing Projects", "An Introduction to Information Technology and Business Intelligence" and "Some Issues in Design of Data Warehousing Systems". Some, however, address advanced topics such as "Data Mining Methods Databases and Statistics Point of Views" and "Incremental Data Allocation and Reallocation in Distributed Database Systems".
   My personal favorite papers were "Specification of Components Based on the WebComposition Component Model" (reflecting professional interests in component-based development), "Complementing the Data Warehouse with Information Filtered from the Web", and "Using Business Rules Within a Design Process of Active Databases" (another area of professional interest).
   In addition, the papers cover topics in data mining, data quality and knowledge management, which means that there is at least a few papers that will intersect with a reader's professional interests. The best audience for this book includes academics (the papers are citable), consultants who specialize in business intelligence and data mining, and organizations that have a solid base of experience with advanced uses of data warehousing.

Note: This book is also available as an eBook in PDF format.

Softer Side of Risk. I find much comfort in quantitative methods because numbers are unambiguous. However, numbers alone only tell part of the story. Experience is a good teacher and it is from experience that we grow as professionals. Coping With IS/IT Risk Management This is probably one of the most unique books on IT project risk management in that it doesn't go into the process and techniques of risk management, but in the common risks and how to deal with them.

Don't expect qualitative or quantitative risk assessment methods, or even a risk management process that is almost an obligatory part of most project management books. Do expect the collective wisdom of real people who were interviewed, and their recommendations for dealing with the real risks.

These risks range from misaligned or unwarranted expectations to slippery requirements. If you've managed an IT project many of the risks will be familiar. How the PMs who were interviewed handled them will be illuminating.

Aside from the fact that this is a highly readable book that is packed with wisdom and advice, the appendices also add a considerable value. Appendix 1 cross references the risks (constructs) by theme making it easy to quickly find the solution to a particular issue. Appendix 2 gives 5 hypothetical project profiles that reinforce the information in the body of the book, and Appendix 3 is a collection of strategies from the body of the book.

Regardless of whether you are preparing to manage your first project or are seasoned and battle-scared, this book provides knowledge and advice that you can use.

Tools of the Trade. Since I've dragged a business-oriented discussion into this weblog, I'll continue until Linda jumps in and changes the direction. One of the most valuable skills an analyst can develop and build upon is decision making. Not making snap decisions based on gut feeling, but doing it the right way. The foundation for decision making is in Decision Analysis for the Professional.This book is an excellent intermediate-level text on decision analysis that deals with both uncertainty and risk. It uses realistic examples that working professionals will appreciate and to which they can relate.

It's written as a tutorial that uses two tools, Sensitivity, which is used with the chapters dealing with decisions under uncertainty, and Supertree for developing decision trees related to risk analysis. Instructions on obtaining the student versions of these programs are included in the book. Note that the student version of Supertree accommodates trees with up to 250 endpoints, and the student version of Sensitivity performs sensitivity for up to 12 variables.

My most used text on decision analysis is Making Hard Decisions by Robert T. Clemen. Where that book is more comprehensive, it's also less suitable for the working professional who needs a refresher and a desk reference. Therein lies the main value of this book - it's more aligned to real world problems that you'll find in the workplace and is written to be both a tutorial and a reference.

Consultant, Manage Thyself - Part II. In my last entry I discussed Building Professional Services. This book, in my opinion, is the best starting point for anyone who is involved in establishing and managing technical services or starting a consulting company. PSA: Professional Services Automation by Rudolf Melik, et al is the second book you should read because of the way both books complement one another. Actually, one should follow the other because PSA: Professional Services Automation is about automating the professional services organization after it has been established.

In the past I gleaned information and techniques from books about managing professional services from the perspective of law firms and other industries - good information to be sure, but fell short of the realities of technical services.

What I like about this book is the complete look at professional service management, with an emphasis on both personnel and cost management. I especially like the way the authors show how to go beyond mere cost management to optimize revenue and profit. The information and strategies they provide reflect extensive experience and a strong focus on the business aspects of professional services. I also like the ties to customer relationship management and various types of services, and the PSA components. This first decomposes the components of professional services management (manual or automated) into the critical success factors, then reconnects them into a coherent whole.

Although this book is about automating professional services management, most of the information, especially part 2, can be used effectively without automation. Therein lies the main value of this book and the reason why I think it's simply the singlemost important book a professional services manager can have. In order to get the information collected between the covers of this book you'd have to purchase a pile of related books from other industries, and spend a significant amount of time reading articles and surfing the net. If you are a professional services manager you already know that you don't have time for that. If you're being placed in a professional services management position you need this book.

Something New. If you are a consulting, and particularly if you manage a services group, you'll find that Building Professional Services fills a sorely needed gap in the computer consulting industry, and is especially valuable for start-up consulting companies, established companies that want to achieve higher profitability, and for internal IT organizations that are seeking a way to move from a cost center to a profit center.

Regardless of your goals or motivations, the first two chapters helps you to clarify your objectives, decide on the appropriate business model and mission statement, and introduces key concepts that will be used throughout the book. One of the most effective techniques in this section of the book is the way the authors lead you through framing your mission and goals and employing a service alignment risk factor to test the clarity of your mission and how it aligns to other business processes. This is especially important if technical services is not your core business.

Chapters 3 and 4 are, in my opinion, the heart of the book because they address revenue and profitability, and organizational structure - two areas with which many companies struggle. The information in these chapters will show you what you need to do to become and remain profitable, as well as how to best organize your resources to deliver in accordance with your chosen business model. For start-ups Chapter 3 provides an excellent framework for business plan pro formas. Chapter 5, Selling, thoroughly covers the critical success factors and metrics for selling services.

In chapters 6 through 8 services delivery, productizing and promotion are given the same thorough and insightful treatment. Of particular value is the customer engagement workflow that is provided in Chapter 11, and the four phases of professional services given in chapter 12. The phases provide a path by establishing basic implementation services as a service offering, then building upon these to provide integration services, consulting services and productized services - each phase represents an increase in what you offer customers (external or internal). For each of the phases the authors address the following factors: value proposition, profitability triangle focus, critical skills, required operational infrastructure, target mix, revenue growth rate, target gross margin and target operating profit.

I like the way that these (and all of the chapters) end with sample budgets and issues to watch, and the key financial models provided in Appendix D.

You can get more information about this book, including associated articles and PowerPoint presentations, from the author's webpage.

Building a Bridge. Building systems in a vacuum results in technical achievements that fail to meet business requirements. In other words, a disaster. One book, Totally Integrated Enterprises, bridges the business and IT domains. It educates business process owners on the capabilities and technologies that provide tools to support operations, and gives IT insights into how to best develop and deploy systems that meet business requirements.

Integration is assumed to be within the context of ERP systems, which are enterprise-wide in scope. The level of detail is kept reasonably high so that both audiences can easily grasp the key issues and understand the challenges and needs of the other. What I like about the book is the fact that it never loses sight of business requirements, and the manner in which it stays focused on quality and real world issues. I also like the way case studies are used to reinforce some of the more abstract aspects of enterprise integration.

Highlights of this book that will interest both business and IT include:

• Totally Integrated Enterprise Goals and Agile Enterprise, which give a business framework for the technology solutions that are discussed later in the book.
• Methodology for Understanding Enterprises, which places integration and technology into the context of meeting business requirements.
• Business Development and Product Management, which provide insights to IT about the challenges that their business constituents face and their support requirements.

Because this book is a high level view of enterprise integration many details that support the decision to employ integrated systems and how to implement them are missing. However, the true value of this book is the way it brings together business and technical information and the way the authors have managed to address both groups that are normally widely separated.

If you are seeking a book about deciding whether of not to implement an enterprise-wide system I recommend Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk by Daniel Edmund O'Leary. If you are more interested in an implementation methodology I recommend E-Business and ERP: Rapid Implementation and Project Planningby Murrell G. Shields.

Then There's That Stuff in the Middle. One of the biggest challenges in designing, building and implementing an enterprise-wide system is the middleware component. Enter The Complete Book of Middleware, which is a collection of papers divided among eight major topic areas, each on a specific middleware category. The main value of this book is the wide range of technologies and vendor solutions, and the fact that it's up to date.

I like the complete coverage of both transaction and queuing approaches, and the vendor-specific information that includes Microsoft's .NET and Sun's Java, as well as everything in between. The sections database middleware and middleware performance are especially valuable because they are more generic and applicable to a wider audience than the MS- and Java-centric sections.

While individual papers have a slight vendor bias, the book as a whole is vendor neutral. This is not a book for learning about middleware as much as a good description of what's currently available and their strengths and weaknesses. If you are looking for a more general book I recommend Chris Britton's IT Architectures and Middleware: Strategies for Building Large, Integrated Systems for the fundamentals, and David Linthicum's B2B Application Integration for a detailed text on how to employ middleware in practice. However, this book will give vendor-specific details and a more up-to-date view of middleware that are missing from Britton's and Linthicum's books. If you're a system architect or consultant this book is an excellent desk reference.

It's About the Data. The foundation of any system, standalone, single-user, or enterprise-wide, is the data. Manufacturing Data Structures is an essential reference for ERP analysts, developers and DBAs. It is unique in that it addresses data requirements for materials management within the context of manufacturing processes, with an emphasis on bills of materials.

The chapter on engineering change control stands out because this aspect of both data structures and process change management are not covered (or only lightly touched upon) in other ERP references. This chapter and its companion on implementing change add significant value to the book and reflect mature and best practices. I also liked the chapter on new product introduction and custom manufacturing because these aspects of the manufacturing process come with a different set of challenges and requirements from steady production processes.

Regardless of whether you're using SAP, Baan or another ERP package (or are developing custom applications to automate manufacturing materials management) this book will expose the relevant details of the data structures, which are the foundation of any application.

Integrating the Enterprise. My next few entries are going to deal with some of the better books about enterprise systems. One such book is Enterprise Systems Integration.The audience for this book consists of architecture and integration group members, making this book an ideal addition to group libraries. The focus is on ERP architecture, although the range of topics overlap into non-ERP domains, and is best used as a desk reference because it's a collection of short papers written by 70+ authors instead of a book that focuses on a specific approach or methodology. The papers comprising this desk reference are organized in logical groupings that are akin to layers in an enterprise architecture.

Each section is devoted to carefully chosen papers, some of which reflect individual authors' experience. The strength of this approach is that you benefit from a rich diversity of viewpoints and deep subject matter knowledge. The weakness is that some of the material is inconsistent with what precedes or follows in the book.

Since this is a technology-focused book the highlights are that the information is current and reflects issues, methods and technologies that are valid as of the date this review was written. The editors ensured that information that is not commonly used in ERP integration, such as web services, are not addressed. This doesn't imply that web services will not play a future key role (such as in PeopleSoft 8), but that most ERP implementations are integrated using middleware, XML and other methods. The more typical integration methods are covered in great detail, and the sections on database servers and data warehousing are especially informative.

I also like the section on Internet commerce, which covers topics ranging from web-based testing and capacity planning to XML-based B2B commerce - topics that are not commonly found in other ERP texts. The section on project and systems management also contained excellent information, such as the paper titled "Service Level Management Links IT to the Business", which touches upon a critical aspect of integration. Each of the four papers in the Component-Based Development section also included information that should be carefully considered by large enterprises, especially those that are using off-shore development of off-site contractors to develop modules. This section goes into each of the major critical issues, including economic considerations, domain engineering, server-side Java development and object library management.

Some of the information in this book is time sensitive in that it will be rendered obsolete as web services play a larger role in ERP systems (which is already happening in a sense), and XML and/or ebXML emerge as a core component of all of the major packages, such as SAP, PeopleSoft, Baan, etc. If you have a defined architecture or integration group this book will make a good investment because of the wide array of topics covered. If, however, you are seeking a book that provides a methodology or focused technology description this book may not be for you.

Project management is a core skill that all IT professionals need to master in order to achieve increasing levels of responsibility and professional growth. There is another facet to project management in software, which is how to align project management processes and procedures to an enterprise operational model. One unique book that deals with this is Software Project Dynamics. This is not a book about project management per se, but a book about how to integrate project management processes into a large software development organization using analysis based on system dynamics.

If you are not familiar with system dynamics, it's a methodology for studying and managing complex feedback systems using time graphs and causal loops, and more formal analytical methods such as simulation and exploring alternatives in a structured manner.

This book uses those techniques to align project management processes to software development. The best way to determine if this book is right for you is to answer the following questions:

• Is your core business software development?
• Is your organization at approximately the same level as that described by SEI's CMM for level 3 or above?
• Is there a commitment to implement an integrated process that is driven by the executive or board level and does this commitment have a strong sponsor?

If the answer to at least two of the above questions is yes, then this book will be valuable. Also note that some knowledge of system dynamics is assumed. If you need to become familiar with this discipline I recommend Business Dynamics: Systems Thinking and Modeling for a Complex World by John D. Sterman. This book addresses system dynamics from public policy and strategy points of view, but will provide a thorough understanding of the subject.

Those who will benefit most from this book are organizations that have found existing PM methodologies to not fully meet objectives. For example, the U.S. standard based on the Project Management Institute's Project Management Body of Knowledge (PMBOK) is too generic for software development, and the U.K. standard called PRINCE2 is not as well suited for product-line and software vendor approaches to development. While the PMBOK and PRINCE2 contain processes and procedures that can be used, the system dynamics approach defined in this book gives a method for selecting, evaluating and integrating the processes and procedures borrowed from these two standards. Moreover, since the CMM and related models identify key process areas for project management, they do not prescribe how they are to be implemented. This book will provide the tools and techniques for tailoring the techniques to PM process areas.

If your objective is to find a book that describes a complete project management maturity model you will be better served by Strategic Planning for Project Management Using a Project Management Maturity Model by Harold Kerzner; if you are looking for an off-the-shelf methodology to use with iterative processes such as the Rational Unified Process I recommend Software Project Management: A Unified Framework by Walker Royce. However, if you are seeking to develop and implement a best-in-class, tailored project management methodology that is seamlessly integrated into your software development processes this book will show you how to achieve that goal.

More About Components. It appears that Linda and I are locked into some spiral, because my chosen topic before she posted was also about components. Foundations of Component-Based Systems is an excellent secondary companion to Component Based Software Engineering: Putting the Pieces Together by Heineman and Councill. It is a secondary text for practitioners and academics that will provide insights into a narrow slice of component-based software engineering issues. Organization is a collection of papers that are grouped in four sections:

1. Frameworks and Architectures. Consists of four papers of which I particularly liked Key Concepts in Architecture Definition Languages and Acme: Architectural Description of Component-Based Systems because of professional interests in ADLs.
2. Object-Based Specification and Verification. The three papers in this section were focused on narrow topics; however, I gained much from Modular Specification and Verification Techniques for Object-Oriented Software Components. This paper alone made the book worthwhile to me, but this is a subjective remark with which you may not agree.
3. Formal Methods and Semantics. Each of the three papers in this section were, in my opinion, valuable. My favorite, Toward a Normative Theory for Component-Based System Design and Analysis, contained a viable framework and approach to component design, which is a topic that receives little coverage in other component-based books.
4. Reactive and Distributed Systems. The two papers in this section are interesting in that their topics intersect nicely with the discipline of semantic web engineering. If your interests or work also includes that knowledge area then the papers (Composition of Reactive System Components and Using I/O Automata for Developing Distributed Systems)will 'connect the dots' in a manner of speaking.

Much of the material in this book is academic and/or theoretical, but is backed up with results from projects and supporting project data. What I like most is that the material uses tools and technologies that are hot topics, such as UML, EJB and COM.

The second book is Component-Based Product Line Engineering with UML. Where most books on the subject cover the component-based development life cycle at a high level with an emphasis on the development, deployment and QA aspects, this one is about requirements and design. That is what sets it apart and an important work. It becomes even more important if you are using or trying to adapt the Unified Process to a component-based environment. Obviously if your environment also includes product line development the value of this book increases even more.

The book contains five parts which build upon each other. Part 1 is a thorough, 60-page introduction that compares and contrasts development life cycles, summarizes the approach the book proposes, and the concepts, artifacts and process associated with "KobrA" (a German abbreviation for "Component-based application development".

Part 2 is devoted to component modeling based on the KobrA component model, and covers all aspects in 153 pages. This part ends with an excellent introduction to patterns and UML, which lays the groundwork for the next part. The information in this part drills down into requirements and specifications, which is one of the reasons I cited above that sets this book apart.

In Part 3 (Embodiment) refinement and translation, component reuse and incremental development are covered in detail. Part 4 introduces and covers product line, framework and application engineering. It is here that the KobrA foundation laid in the previous parts begins to become coherent and the viability of the approach becomes apparent.

Part 5 is my favorite because, like Part 2, it gives a view of component-based development that most books gloss over. In particular, the chapters on maintenance and QA are filled with information that reflects the realities of component-based development, and the chapter on quality modeling is among the best treatments of the topic in any book or paper I've recently read. The 60 pages of appendices are also valuable sources of information and knowledge about metamodels, maintenance and process. I found this book to be an invaluable reference and recommend it to anyone who is heavily involved in component-based software engineering in conjunction with product line development.

Back to Me? Linda is absolutely correct - the foundation of any process improvement or quality initiative is measurement. There are two excellent books on the subject that are specifically for software professionals:

1. Applied Statistics for Software Managers. If you're working in SQA or managing software development projects this book is an excellent introductory text to statistical analysis.
   What I like about this book is that it's a tutorial on the statistical skills and knowledge that you'll need, and it combines this learning goal with the basics of software metrics and how they can be employed to measure productivity, estimate projects, and manage costs and organizational quality. The core approach is data analysis, and the main tools that the book employs are multi-variate techniques, regression analysis and correlation and sensitivity tests. The author has a talent for clearly explaining a dry subject, and while it will take a good deal of effort to master the material because of its nature, the excellent writing and illustrations will make it easy to quickly grasp statistical fundamentals and put them to use.
   The lessons are taught within the framework of four case studies that are realistic and apply to the real world. The case study topics are: productivity analysis, analysis of time to market factors, development cost analysis, and maintenance cost drivers. These cover the full range of both internal development and product-line software engineering. I especially like the inclusion of maintenance costs as a topic of study because this area contributes significantly to total costs of ownership, but is often overlooked.
2. Measuring the Software Process. This book contains the keys to meeting core CMM level 5 requirements, which defines key processes for optimizing and continuous improvement, and for achieving 6-sigma processes. However, you need not be striving for either (or both) of these goals to use the techniques and approach in this book to full advantage.
   Implementing and employing statistical process controls are the basis of this book. The authors lead you through the steps and techniques necessary to implement and use SPC, starting with background information on processes and a process measurement framework, and moving through topics such as planning your measurement strategy, data collection and analysis, and developing and interpreting process behavior charts using common SPC chart types. The most common controls are x-bar (mean) and r (range) charts. Be aware that any SPC approach requires two conditions to be met:
   • defined processes
   • the processes are in statistical control (meaning that the data points being measured have settled into a normal distribution that are randomly clustered around a mean and have defined upper and lower control limits)
   New processes, or processes that are not managed well enough to have these characteristics are not candidates for SPC.
   This book requires knowledge and skills in basic statistical analysis. If you require a refresher I recommend reading Visual Statistics before tackling this book.

Deciding which of the two books is better is a matter of assessing your needs. The key strengths of Measuring the Software Process are the tutorial nature and the wide range of case studies that are used to reinforce the learning. The key strengths of Applied Statistics for Software Managers are that it goes much deeper into analysis and also includes statistical process controls and other techniques that are present in highly mature development organizations. Regardless of which book you choose (or if you choose both), the information and knowledge to be gained is the foundation of SQA and best practices in project management.

On Software Process Improvement. Before we become mired down in Oracle topics I am going to take an abrupt turn back towards quality and process improvement. One excellent book on the subject that covers both process assessment and improvement, is Software Process Improvement. With exceptions that I've noted below this is an in-depth examination of standards, initiatives and methods for software process improvement (SPI) and software process assessment (SPA).

The book is divided into twelve chapters, each of which contains two or more papers written by top experts in the field, including Mark Paulk (of CMM fame), Watts S. Humphrey (creator of PSP and TSP, and prolific author of software engineering process papers), Robert B. Grady (author of three standard references on metrics), and others who key players, but are not as widely known outside of the SPI and SPA community.

Chapter 1 covers software process assessment with an article by Paulk that surveys the more common models for SPI and SPA, and a reprint of Sarah Sheard's excellent article from CrossTalk Magazine titled "The Frameworks Quagmire". Chapter 2 contains three articles on the SW-CMM, which seems to be the centerpiece of this book. Chapter 3, "Other Approaches to Software Process Assessment" contains four articles that add balance by covering non-CMM approaches that are in common use, especially in Europe (Bootstrap). I especially liked the article by David N. Card titled "Sorting out Six Sigma and the CMM", which combines two hot topics. One of the exceptions that I cited at the beginning of this review is the article on Trillium, which in my opinion has been superseded by TL 9000 in the telecommunications industry.

The three articles in Chapter 4 (Software Process Improvement: How To Do It) address common concerns and barriers to any SPI initiative, and each add well thought out ideas, especially Sandra McGill's "Overcoming Resistance to Standard Processes, or, Herding Cats", and William Florac's "Statistically Managing the Software Process".

Watts Humphrey's Personal and Team Software Processes, and CMMI are the key topics in Chapter 5, which covers developments inspired by the SW-CMM. All of Chapter 6's Software Product Evaluation articles were my favorites from among the collection in this book, and I particularly liked Jørgen Bøegh's "Quality Evaluation of Software Products" and Geoff Dromey's "A Model for Software Product Quality" because they go to the heart of key issues in both product line engineering challenges and user acceptance testing.

Chapter 7, ISO 9000 Series and TickIT, is the second exception that I previously noted. Much has changed in ISO 9000 with the 2000 standard, which renders this entire chapter moot in my opinion. I also thought the five articles in Chapter 8, The SPICE Project, would have been a better fit in Chapter 3. The same goes for Chapter 9, Experiences of Software Process Assessment, which is nearly an extension of Chapter 8, and is closely related to Chapter 3.

Two other favorite chapters are 10 (Software Process Improvement for Small Organizations) and 11 (Benefits of Software Process Improvement). Chapter 10's three articles dispell any notion that SPI is only feasible for large organizations, and the three articles in Chapter 11 focus on the benefits of SPI, especially Herb Krasner's article titled "Accumulating the Body of Evidence for the Payoff of Software Process Improvement". I also liked the final chapter, which covers software processes in general, including an excellent article on modeling. I felt that this chapter should have been at the beginning of the book instead of the end.

Overall, this is a book for those of us who are nearly religious about SPI; but is not a good introductory text. It's main value will be to IT consultants who specialize in either SPI or SPA (or both), and who need to be familiar with the mainstream standards and approaches.

A Challenge. In my last entry I didn't really take Linda's spot - XLM and Oracle (or any database) have a natural affinity. XML is the magic. You can stuff the results of a SQL query into a DTD, which is the stuff of application and database integration. However, there are also security challenges. The topic of this entry is XML and database security, and is based on two excellent books I recently finished reading.

The first book is Translucent Databases. This book contains an innovative and viable approach to securing databases, and one that I've not encountered anywhere else. In a nutshell the author provides techniques, based on standard SQL and Java, for securing sensitive data without restricting general access of less sensitive data to authorized users. The core of this approach is based on encryption and one-way functions, including PKI and secure hashing, and accepted authentication techniques such as digital signatures.

What makes this book unique is that while it's based on solid theoretical ground, the material is practical. As the techniques are discussed they are illustrated by 15 different scenarios, all of which contain problems faced by e-commerce, HIPAA and other high security environments, and code examples that show how to solve the problems. I like the way the author shows how to implement his solutions in common database environments (PostgreSQL, MySQL and Oracle - the approach should also work in the MS SQL Server environment). As I read this book I saw interesting possibilities for implementing role-based access controls and securing against SQL-based statistical attacks using the author's approach.

This book is essential reading for DBAs, system architects and IT security professionals, especially those in healthcare who are struggling with meeting HIPAA requirements, and in e-commerce who are challenged by protecting credit card and account information. This book shows the DBA how to secure his or her database, and the system architects and security professionals what is possible using SQL and Java. The book also has an associated web site which is supposed to have soft copies of all of the source code contained in the book. As of this entry the link to the source code is on the site, but the code itself is not yet available. When it is the value of this book will increase even more because of the time it will save by not having to manually create the code from scratch.

If you are new to the cryptographic techniques introduced in this book I recommend Cryptography Decrypted by H. X. Mel and Doris M. Baker, which is one of the best introductions to this complex subject. I also recommend reading Secrets and Lies: Digital Security in a Networked World by Bruce Schneier, which covers the technical, organizational and social aspects of security and gives a clear description of the technical underpinnings discussed in this book.

The second book is XML Security. Given the fact that XML is a key component of web services, and extensively used in e-commerce and enterprise applications integration, this book addresses a genuinely important topic. For one reason, XML is text-based and can expose proprietary information, which is a vulnerability for competitive intelligence specialists and corporate spying.

Before going into what the book contains it's important to know that much of the material is based on RSA's view of the security. This isn't a criticism, but an up-front statement of fact because if you're looking for a book that is 100% vendor neutral you are going to have to wait until one is written - this is the only book I know of that is solely about XML security.

The book starts with primers on security and XML to set the context. It then covers, in succession, digital signatures (chapters 4, 5 and 6), and XML encryption. These chapters are consistent with work and specifications produced by XML Signature WG (joint the Working Group IETF and W3C for digital signatures) and the W3C working group for XML Encryption.

Chapter 8 is specific to RSA products. It shows how to implement XML encryption using RSA BSAFE© Cert-J, which can be downloaded in a trial version from RSA's website. Chapter 9 covers XML key management specification, which are consistent with the W3C working group's specifications, and how XML security relates to web services.

Despite the slight bias towards RSA this book is an invaluable reference. It provides an in-depth discussion of major security issues, as well as how they are being addressed by the W3C. It goes without saying that anyone who is responsible for system architecture, design and/or security should carefully read this book.

Taking Linda's Spot. The boxed set of Oracle books that Linda discussed in her last entry are a bargain for someone who is immersed in a training program. However, who really has the time to wade through thousands of pages and a stack of CD ROMs? (Unless you're facing a certification exam). What if you merely want to gain basic Oracle skills and are overwhelmed by the six inch thick books out there? A refreshingly slender book is So You Want to Be an Oracle DBA?. First, you need to know that this book is based on version 9i and is focused on the UNIX environment. If you're using Oracle 8i and have no immediate plans to upgrade you will find that the previous edition to be more suitable.

The ideal audience for this book is the new Oracle DBA or UNIX system administrators who have either inherited DBA responsibilities or who want to gain cross-functional skills. Experienced DBAs will find much of this book too basic, and may complain that it doesn't cover the full range of database administration topics.

In my opinion the relatively narrow scope of this book is one of its strengths. Instead of overwhelming the new DBA with hundreds of pages it sticks to the essentials. Another point in its favor is that the author doesn't attempt to go into gory details about how things work (information that you can get from other books as your comfort level and self-confidence improve), but remains focused on what you need to do in order to effectively manage and support an Oracle 9i instance.

While I liked the Getting Started and Some DBA tasks (Sections I and II) that start this book, I especially liked Section III, which covers tuning. This is the essence of what a DBA does, and the basics are well covered. This section also gives some excellent scripts that the new DBA will find invaluable. Section IV, is somewhat useful, but Section V is another favorite because it shows how to begin building your own set of tools, which is the hallmark of an experienced DBA. The scripts that are provided in this section are the foundation of database administration, and will spark ideas for additional and more specific scripts. The value is that you can learn much from what is provided.

Each topic in this book is given a brief 2-3 pages, which makes it somewhat terse. In many cases you'll have to go to other books for deeper explanations, but at least you'll be quickly functional.

If I had to choose a single book with which to get started this would be it. Of course you'll outgrow this as your skills and experience evolve, but it will get you started and does so using good practices and workable techniques.

Trapped in a Time Warp? Are you currently stuck in the mainframe or mid-range world and are seeking an escape? Or perhaps you realize that your skills are growing obsolete and you want to remake yourself. Programming the World Wide Web may be your ticket out. If you're trying to break into development and are seeking a basic book that will prepare you for a career as a web developer, this isn't what you're looking for. It's neither a programming tutorial nor a book on specific environments, such as .NET. However, if you're doing maintenance programming in, say, RPG/400 or writing JCL and are wondering how you can refactor your skills and get out of the mid-range and mainframe environment this book is ideal.

Solid programming skills are assumed (preferably in C or C++, but that isn't essential). You should have a basic understanding of databases and data structures. If you have these skills this book will systematically familiarize you with the web programming environment and common tools and programming languages that you'll need to master in order to transition out of the data center. I like the way the book touches all of the key knowledge areas, starting with HTML and going through javascript, perl and the usual cast of mark-up, scripting and programming languages. More importantly, this book doesn't skim the surface - it does into databases, XML and server-side development. If you've read the table of contents and are tempted to question why CGI was included in such a relatively new book, bear in mind that most of the information in this book is ideal for maintenance programmers, and there are literally thousands of systems that still employ CGI scripts. This also reinforces my opinion about who will benefit most from this book - maintenance programmers from mid-range and mainframe environments.

In a nutshell, you bring your knowledge of algorithms, data structures and development methodologies, and the book will show you how to apply them to web programming.

Still More XML Resources. I mentioned Definitive XML Application Development in my last entry. If you're a developer this is an excellent resource. Be aware that the book requires a solid working knowledge of XML and associated protocols (XLST, XPath, XML Schema), Python and Java), and is written for practicing developers who are involved with web services, e-commerce and extended supply chain applications. You should also be reasonably familiar with DOM, data structures and relational databases to get the most from this book.

After a quick introduction to the XML processing the author wastes no time getting to the meat by going into processing types in Sections II (Event-Based Processing), III (Tree-Based Processing) and IV (Declarative Processing). Each of these sections are comprised of chapters and topics that cover the strengths and weaknesses of each approach, common tools and example applications, and tips and techniques.

Section V is focused on Java development, including SAX in Java, DOM in Java and XSLT In Java Applications. This section covers APIs, tools and specific considerations for each topic.

The final section addresses XML processing in detail, and deals with alternative processing approaches (including hybrids of event-, tree- and declarative-based models), schemas, and RSS.

In addition the appendices are informative and add to the value of this book. In particular, Appendix A, A Lightning Introduction to Python, will get seasoned developers up-to-speed (augmented by Appendix C which covers Python XML Packages). Appendix B is a glossary that goes into considerable detail, making it a handy reference.

More XML Resources. It's one thing to have a book of spcifications, such as the one cited in my last entry, but such books are more useful as references than as learning tools for mastering the underlying technology. One of the best collections of XML resources is The Definitive XML Professional Toolkit. This boxed set contains three books that have been published in December 2001 and represent the essentials for anyone who is working with XML and web services. The books are:

1. Charles F. Goldfarb's XML Handbook (4th Edition) by Charles F. Goldfarb and Paul Prescod. Goldfarb invented SGML, upon which XML is based and which had a significant influence on the design of HTML. At 1200 pages this book is probably one of the most complete references that one can have. It covers every conceivable topic, ranging from a good description of XML and how it evolved from SGML, to semantic web and web services (each of which are disciplines onto themselves).

   Expected topics are given in-depth treatment (XML, schemas, DTDs, datatypes, XSLT, XSL-FO, XLink, XPath, XPointer, XSDL, namespaces, topic maps, RDF, SOAP, UDDI, WSDL and VoiceXML), with a focus on the following:

   • integration of XML and the older EDI approaches to e-commerce and extended supply chain systems
   • a sound approach to content management - how XML fits into the web services framework
   • chapters on important topics such as portals, databases, content acquisition, conversion and publishing
   • a series of chapters devoted to tutorials on XML basics, schemas, and transformation and navigation protocols
   In addition this book comes with two CD ROMs that are packed with applications such as IBM's AlphaWorks suite and NeoCore XMS Native XML Database (Personal Edition). A trial version of TurboXML IDE & Schema Editor is also included among the 175 programs on the CD ROM set.

   This is an overwhelming book for beginners, but is a valuable resource for anyone who is deeply involved in web services, XML and related technologies. If you fit the latter category this is probably the only XML reference you'll need.

2. Definitive XML Schema by Priscilla Walmsley. In a nutshell this book gives a detailed description of the XML schema and associated topics. The author is a member of the W3C working group that created XML Schema, and the material in this book is consistent with W3C recommendations. See the editorial description and reviews on this book's product page for specifics.
3. Definitive XSLT and XPath by G. Ken Holman. Covers everything you need to know about transforming information structured vocabularies and output formats. The author is the chair of OASIS's XSLT/XPath Conformance Technical Subcommittee. See the editorial description and reviews on this book's product page for specifics.

What's not included in this set, but worth getting is Definitive XML Application Development by Lars Marius Garshol. However, the books that do come this this boxed set will provide you with a solid foundation of the basics as well as software tools that you can evaluate as candidates for your own development environment.

XML Resources. Because XML is so versatile, especially for enterprise applications integration, and as a core component of web services and e-commerce systems, I want to share some of the better XML books that are available.

Although you can download XML specifications from the W3C working groups, a single book that summarizes these specifications is worth the investment. XML Family of Specifications: A Practical Guide is such a book. It's a comprehensive and up-to-date (as of this review) reference on XML as defined by the W3C. Part I is more of a desk reference (with a lot of example code), which covers XML syntax, modeling and parsing, DTDs and schemas. Part II, also with many examples, is a complete treatment of parsing with APIs, with separate chapters on SAX, DOM, JDOM and JAXP. Transformation and display protocols are covered in Part III, including CSS2, XSLT and XPath. XSLFO for formatting is also covered in this part. Xlink and Xpointer to facilitate referencing operations are the subjects of Part IV, and the book wraps up the formal descriptions of the family of specifications in Part V, which covers XHTML and RDF. I have a personal interest in RDF, and found the chapter devoted to it complete, but terse. This characterizes all of the chapters in this book. What makes this book valuable is the way the information is displayed. Each chapter starts with either an overview or concepts, and each clearly explains each specification and gives clear examples to demonstrate how they work in practice.

Appendices at the back of the book are especially valuable because they summarize much of the information in the body of the book. For example, Appendix A depicts the family of specifications in a format that clearly shows the relationships among them. In addition, the web site that supports the book provides a lot of supplementary material, including over 900 links to related resources and an image map of the family of specifications that is one of the most visually appealing and informative resources one can have at their disposal. Note that the web site is not up-to-date - some information that was cited as coming in April and May were still not online as of late June.

This is not a book for learning XML as much as it's a reference. The main value over W3C material that is available over the web is the clear writing and many examples. It reads much better than dry specs and is complete in its coverage.

Now For Something Strange. As long as I'm dredging up old books that I think are still useful, here is one that is worth tracking down: Testing to Verify Design and Manufacturing Readiness This book, despite the editorial description on this page, is entirely about hardware/software integration as it pertains to managing acquisition risk for the buyer and the processes and procedures that need to be employed by the developer.

If you work within the framework of the FDA's General Principles of Software Validation or the FAA's DO-178B for safety-critical avionics the material is consistent with these governing documents, but is too outdated to be useful.

However, if you are working on integrated projects that are unregulated with respect to government controls you may find this book useful. It contains a wealth of useful guidelines for establishing and managing processes to support development of products that are based on embedded software or hardware/software integration, The core of this book is a collection of templates that were developed and proven in the DoD industry, and are designed to manage integrated testing, failure management and field feedback. Each element is applicable to commercial environments, especially for companies that are manufacturing intelligent network devices, data storage systems and specialty products such as digital control systems, sensors and other integrated hardware/software products.

The templates are introduced in Chapter 1, and each of the seven functional areas covered by the templates are discussed in separate chapters. These functional areas are: integrated testing, failure reporting, design limits, product life, test/analyze/fix process, uniform test reporting and field feedback. A chapter on applying these follows, but the material is slanted towards DoD issues. If you apply thought and imagination while reading this chapter you should get ideas on how to refactor the cases into your own environment.

Section 2 devotes three chapters to software design and test, which are based on the older waterfall development life cycle. However, this particular life cycle lends itself well to developing embedded systems, making this material valid and applicable to commercial environments.

Overall, this is a useful book for the intended audience I cited above if you can track down a copy. In particular, the checklists and overall framework are valuable, and much can be learned from the risk-based approach taken in the book.

Shifting Gears. Although I'll inevitably return to quality and reliability, I am going to shift to another topic in my next entry: XML. Also, most of the topics for the next few weeks will be in the form of book reviews instead of the tutorials and news items that we've been writing about. That will change as soon as things stabilize. We're all busy and haven't the time to do the research we normally do, nor the freedom to craft original essays on topics that are dear to us. That will change in due time, but until then please bear with us.

Oldies, But Goodies. One of my personal favorite books, and one that has had a profound influence on me, is Quality Assurance for Information Systems. This book represents a pivot point in Perry's prolific published works that date from 1981. What makes it pivotal is the fact that this book synthesizes his approach to IS quality assurance from a production support viewpoint and his future work which focuses on software testing.

Although over 11 years old the QA approach contained in this book is still valid. To get at the gems, though, you have to overlook a few things. For example, terminology common in the mainframe data center of past decades sounds quaint even to those of us who came from that environment. Also, the code examples used to illustrate quality problems are sure to confuse the younger generation of C++ and Java developers and test professionals who probably never heard of PL/I and only vaguely know about FORTRAN.

What I like about this book and the reason why I think it's still an important reference is the fact that application quality from an enterprise perspective is addressed. This goes beyond testing and release processes, as well as beyond project issues surrounding applications delivery and SQA. The focus is on production and maintenance, although testing, SQA and project metrics are addressed.

In addition to the focus, the book contains checklists, questionnaires and sample forms that can be updated to reflect modern computing environments - and you may be surprised to find that much of this 'ancient' material requires very little modification. Another aspect of this book that I like is the material on software maintenance, which seems to be a lost art, although it's as important now as it ever was.

Don't let the age of this book deter you if you're interested in quality assurance from a production support point of view. The best recommendation I can give is that this book has served me well in over a decade of consulting, and it probably will for years to come. However, it shouldn't be your only reference either.

More on Quality and Testing. In previous entries I covered most of the newer books on quality, reliability and testing. However, there are some older books that are still valid or contain enough information of value that they merit a mention.

• Testing Very Big Systems. After you've peeled back the layers of testing techniques that are better documented and more refined in more recent books, and archaic language that characterized the mainframe lingo that was dying out when this book was first written a decade ago you'll find gold.
  First, the way test case management is presented stands the test of time. The author is obviously well versed in managing complex system testing and it shows in his detailed approach to developing a test strategy and managing a large array of test cases. As good as this material is, it isn't a sufficient reason to track down a copy of this book because Rick Craig and Stefan Jaskiel have a more modern book, Systematic Software Testing that accomplishes the same goal.
  The real gold is in the way that this book integrates testing, issue management and metrics. Although there is a large body of knowledge on these topics, this book manages to sort out the complexities in the clearest terms I've encountered. I also think that the approach change management is excellent, and especially the way this is linked to issue management. On the subject of issue management, the taxonomy of issue types has served me as a model during numerous consulting engagements for service delivery and software engineering process development, and have been proven in the field.
  Additional gold is in the chapters on test documentation (especially the treatment of status reporting) and managing management. I also like the way that the author takes economic considerations into account, which was not much in vogue when this book was written in 1992.
  If you're an SQA or applications delivery practitioner I strongly recommend tracking down a copy of this book. Look past the archaic parts and you will find one nugget after the other of useful information. I wish this book would be rewritten to reflect today's environment and the lessons that the author learned in the decade since this book was first published because there is much in this book that you will not find elsewhere.
• Ensuring Software Reliability. Despite this book's age and the subsequent software reliability books that have since been published, it adds a perspective and information that is either not in more recent books, or is not given the same comprehensive treatment.
  If you are familiar with software reliability as a discipline and with any of the major books, such as John Musa's Software Reliability Engineered Testing, you'll probably not find anything new in Part I, although chapters 3 (software failures and failure processes), and 6 (reliability terms and definitions) add clear, succinct descriptions and definitions to these topics.
  Part II, however, is where this book shines and why I use this book as one of my principal references. Specifically, chapter 7, which covers software reliability data collection, is thorough and comprehensive. I especially like the way data collection is integrated into a reporting process, and the near exhaustive list of error, product and process metrics and their associated descriptions. Chapter 8 is another gem. It describes 12 major reliability models, ranging from Musa's models to predictive models. One of the most interesting models in this catalog is the 'Leone Test Coverage Model', which is based upon percentage of completion and coverage of specific development and testing tasks. For each model the author gives a summary description, provides assumptions and parameters of the model, and the associated math. Each model's summary contains strengths and weaknesses, and when in the life cycle the model is best employed.
  Overall, this book contains some invaluable information and information that has been superseded by newer books (especially the last chapters in Part II). If you're seeking information that I've highlighted above, this book is a worthwhile investment. If you're looking for a book that is more up-to-date I recommend Software Reliability Engineered Testing by John Musa. This book will remain an often referenced part of my library for some time to come.

In my next entry I'll provide additional books that I like in spite of their age.

Short Break. I am going to briefly break from the testing, SQA and reliability thread because I don't have time right now to devote to properly wrapping it up. I will offer an interesting article titled Use of Metrics in High Maturity Organizations to keep the pace alive until I return to the topic.

Wireless and M-Commerce Development. I just posted my take on a book titled Mobile Business Strategies: Understanding the Technologies and Opportunities in our sister weblog, Postcards from the Revolution.

That weblog focuses on service delivery and business/IT alignment issues, while this one is slanted towards software engineering and more technical topics. The book fit within our theme for Postcards from the Revolution, but there is a related book that is more suitable for this audience. The title is The Complete Wireless Internet & Mobile Business Programming Training Course (with CDROM), and the friend who called it to my attention was enthusiastic. It appears to be a complete training course in all aspects of wireless and mobile commerce development. Judging from the content of the thirty-four associated PowerPoint presentations that are available for free download this is, indeed, a complete training course. If you need to get yourself or your staff quickly up-to-speed and you have a constrained training budget this may be a cost-effective alternative.

Back to Quality. Before ending this entry I want to revisit quality. If you are pursuing the ASQ CSQE certification you may want to get a copy of Fundamental Concepts for the Software Quality Engineer. This book is published by the sponsor of the certification (ASQ), and the book editor is Taz Daughtrey, who is editor-in-chief of ASQ's peer-reviewed quarterly journal, Software Quality Professional.

More on SQA + Reliability. In my haste to provide SQA resources yesterday I left out two important ones that should be bookmarked and frequently visited by anyone who is interested in software quality assurance:

1. David F. Rico's home page.
2. Tantra Management Services.

These are my personal favorites, and I have been using them for years as primary resources.

Software Reliability - Short Version. I am still pressed for time, so this entry is going to be as terse as my last. In the same manner that I use a single book as my primary reference for SQA, I use Software Reliability Engineered Testing by John Musa as my primary reliability reference. My 11 May 2001 review on Amazon will show why I hold it in such high regard. That doesn't mean that it's the only book I use - I have a large collection of SQA and reliability books - it means that it's the first one to which I turn for authoritative information on the topic. On the web the first place I go is the Data and Analysis Center Software Reliability page, which points me to the resources I need for particular aspects of reliability.

Past Information. Reliability has been addressed in this weblog in many previous entries, so I am not going to repeat much of that material here. However, during the next few days (when I get a break in my routine) I am going to wrap up this thread with a few longer entries that describe my own views about SQA and reliability.

SQA. We've now come to SQA, and while most of my testing resources are books, there is only one book that I use as a primary reference for SQA: The Handbook of Software Quality Assurance by Gordon Schulmeyer and James McManus. My reasons for using this book as a primary reference are cited in my 18 April 2001 Amazon review. However, my most frequently used resources for SQA, and the ones which have shaped my thinking, are:

• CrossTalk Magazine.
• Software Technology and Support Center, which has a rich cache of technical documents, great material about software quality engineering and testing, as well as related topics.
• Data and Analysis Center for Software SQA page.

One interesting page I want to share that crosses SQA and software engineering practices is Nine Steps to Defect-Free Software, which should be made into a poster and placed in every cubicle in development.

I am pressed for time, so am going to abruptly end this without further commentary. I'll pick up where I left off tomorrow.

Closing In. This thread started with a brief set of reasons why I was enamored with Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel, and has grown into a series about testing, quality, SQA and reliability. I opened the last entry with a quote attributed to Hesiod, who remains an influential Greek poet and philosopher. The theme of this entry is metrics, so I am going to open with a quote by Albert Einstein:

Not everything that can be counted counts, and not everything that counts can be counted.

How true. Einstein's legacy of genius will live on for ages because he has influenced generations of mathematicians and physicists.

While perhaps not at the same level as Einstein, Robert B. Grady will remain in my memory because of the deep influence his work has had on my thinking. I first discovered Grady in 1992 when I read Practical Software Metrics for Project Management and Process Improvement (see Linda's 22 April 2001 Amazon review). This is Grady's first book and it sets the tone for his later two books discussed below. What makes this book so important is that it is one of the first to integrate software metrics with project management metrics.

What I particularly like about this book includes:

• Complete view of metrics that matter, and the chronicle of how these metrics evolved in a large company (Hewlett-Packard).
• Recognition that any software metrics initiative extends beyond the project that delivers the software - Grady examines post-production metrics and ties them back to not only the development life cycle, but the product life cycle as well. Ten years after this book was published there are still large organizations that are struggling with doing this, yet Grady's book provides a clear roadmap to achieving this elusive goal.
• Continuous improvement is the central theme in this book. Grady does not stop with collecting and analyzing metrics, but how to effectively employ them to spot improvement opportunities and develop a strategy to effect those improvements.

The book is written as both a story of how a successful metrics program evolved, complete with anecdotes that will prove helpful, and as a collection of data that illustrates what is and is not important to a comprehensive metrics program.

Among all of Grady's books I like this one the best; however, I recommend that his other two also be carefully read if software process improvement is your goal. He has much to say and backs it up with data and a chronicle of his experiences from real projects.

Five years later Grady wrote Successful Software Process Improvement, which followed-up on the foundation he laid in the first book by showing how his metrics-based approach can be leveraged into a viable process improvement program. This book uses the TQM Plan-Do-Check-Act framework as the basis for process improvement. However, he goes deep into the issues and factors to give a complete approach to developing and managing a continuous improvement posture.

Highlights of this book include:

• The same story telling approach he successfully used in his first book. The conversational writing style and the logical sequence of the book makes it easy to read. Moreover, the real life examples add credibility and make the content practical instead of merely blue sky theory.
• A complete survey of assessment methods, such as the CMM, Software Productivity Research's Software Quality and Productivity Assessment, and Hewlett-Packard's internal QUality Maturity System. The latter two are especially interesting because they are, in essence, balanced scorecards.
• Business-oriented - the approach taken never strays from cost/benefit and ROI.

The parts I especially liked included the chapter on software failure analysis (a personal interest), key lessons from adopting best practices, and moving past reasons not to succeed. In fact, if you get nothing else from this book the last part will make this book a worthwhile investment because he shows how to deal with the six most common excuses for not pursuing process improvement (or any other initiative for that matter).

In also like the wealth of metrics, data and examples. While this book is longer than his first one, it's still a manageable 314 pages and is highly readable. If you are involved with software process improvement initiatives this book should be on your short list.

His last book, Software Metrics: Establishing a Company-wide Program, is about how to establish a viable metrics program. See my 28 November 2000 review on Amazon for details.

There is one other book that has deeply influenced me, Software Excellence: A Total Quality Management Guide. This book is a collection of papers that were made into a text under the editorial control of Shigeichi Moriguchi. Mr. Moriguchi did a superb job of ensuring both readability and structuring the content in such a manner that it can actually be viewed as three books:

1. A textbook on software quality control.
2. Catalog of techniques used in testing and SQA.
3. Training guide for testers and SQA professionals.

More details can be read in my 20 February 2002 on Amazon.

Moving Along. Life is a journey, not a destination. This thread is going to imitate life because in the next entry I'll continue the journey, which will pass into the realm of SQA - a strange place inhabited by many cultures, and whose inhabitants are still trying to figure out who they are.

Picking Up. My last entry opened the door to test process improvement, which is summed up in a 2800 year old quote by Hesiod:

It is best to do things systematically, since we are only human, and disorder is our worst enemy.

Isn't it amazing how something uttered so long ago by a Greek poet is relevant to software testing?

It's beyond question that the Greeks made many lasting contributions to culture and civilization. In the world of test process improvement the lasting contributions may well be coming out of the Netherlands. As an aside, our Dutch brothers and sisters are also making significant contributions to service level management (see my 5 April 2002 entry in our sister weblog, Postcards from the Revolution). The reason I believe that the Dutch are leading the way in test process improvement is because the Test Process Improvement (TPI) and Test Management Approach (TMAP). Each of these approaches are documented in the following books:

Test Process Improvement: A Practical Step-by-Step Guide to Structured Testing. This book provides a coherent process improvement approach for software testing. It provides a model that supports the assessment of strengths and weaknesses of an existing software testing process and an approach for developing and implementing remedial action to rectify the weaknesses. As such this book is not useful to organizations that have not achieved a mature and stable testing process because the model will not apply. If you are seeking a book that will get your processes stable you will find Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel a better place to start.

However, if your processes are stable this book is among the best because it stays focused on improving the testing process and does so in the same manner that SEI's CMM does for software development. In fact, the TPI approach in this book is cross-referenced to the CMM, which gives you an approach that can be viewed as a testing maturity model that aligns nicely with the CMM (including the newer CMMI). This is one of the strong points of the book and TPI.

Another thing to know about this book is that it's written more like a specification than a narrative. Some readers may find this difficult, but if you are involved in mapping the TPI key process areas to the CMM (or SPICE, Bootstrap or PSM), you'll appreciate the format. Also, the book views TPI as a subset of software process improvement, and software process improvement as a subset of TQM. While the authors focus on the software testing process, they do not isolate it from the bigger picture. This allows you to view then entire quality process as a coherent whole when you're assessing the software testing process and developing improvement strategies.

I personally think this book adds considerably to the software testing body of knowledge, and that the approach the authors give is both practical and sensible. If you work in an organization that has a stable testing process or is at CMM level 2 or above this book is essential reading.

Software Testing: A Guide to the TMAP Approach My first introduction to TMAP was in the above book, which the author co-authored. It piqued my interest, but unfortunately all of the literature on TMAP was written in Dutch. This book makes this powerful test management approach available to English speaking readers, making it invaluable.

First, a little about TMAP to explain why I think the approach is important and useful: It views testing as a process instead of a collection of procedures. The advantage is that once a process is in place it can be stabilized and improved upon. The key to testing is repeatability, and without a process there can be no repeatability. TMAP consists of four elements that combine to form a cohesive test management model:

1. Testing life cycle that is aligned to the development life cycle. This life cycle is encapsulated within a planning and control framework that easily fits into the project management activities of the development life cycle.
2. Testing techniques - not the techniques used in the execution of test cases, but the techniques employed for defining a test strategy, developing test specifications, and the associated artifacts. This book does cover some basic test execution techniques, but they are not the focus of the book and are not covered in great detail.
3. Infrastructure and tools - addresses what are the minimums for an effective test process in the form of environments and tools. If you're establishing a test organization this aspect will be invaluable.
4. Organization - how the test organization is structured and how it relates to external functions, such as development, configuration and release management, project management and other major stakeholders.

Each of the above elements and their parts are covered in great detail, resulting in a sound framework for test management. That alone makes this book invaluable, but there are some additional gems that I especially liked:

• Test point analysis and estimation, which is an estimating method for test effort that is based on function point analysis. This is incredibly valuable because accurate estimation is one of the shortfalls in testing. This alone is reason to buy the book. For more information about Test Point Analysis you can download Test point analysis: a method for test estimation or look through the presentation slides from Conquest 2000, which also includes presentations on TPI and other items of interest. Although off topic, Test Effort Estimation Using Use Case Points is a related approach that fits nicely within the unified process.
• The wealth of checklists - I especially liked the comprehensive list of quality characteristics.
• Testing in maintenance situations - probably the most common situation for software testing and this book covers it well.

This book and the first one I discussed above combine to give a complete picture of test management and test process improvement.

There are a few other books about test process improvement that are worth reading:

• Software Testing in the Real World (see Linda's 21 March 2001 Amazon review for details).
• Lessons Learned in Software Testing
• Surviving the Top Ten Challenges of Software Testing: A People-Oriented Approach

While the last two are more slanted towards advice and examples, they do promote process improvement by showing what does and does not work.

Testing, Quality and Process. In our 13, 14 and 16 May entries Linda and I have taken turns discussing quality- and testing-related books.

The software testing profession came into its own in 1979 when Glenford Myers published The Art Software Testing. Although this book is still in print (a remarkable feat in itself), it's quaint when compared to what we now have in published works and the body of knowledge. What this book did for the profession is legitimize it as a valid career path and to portray software testing as a profession instead of an activity to which mediocre programmers were exiled. Myers deserves the credit bestowed, but there is an unsung hero in the software testing and quality movement whose prolific writing has had considerable influence: William E. Perry.

Perry was writing about maintenance, testing and quality before Myers' book arrived on the scene, and his 1991 book, Quality Assurance for Information Systems: Methods Tools, and Techniques, is an interesting blend of holistic IT quality and software testing. I still refer to my copy for ideas when I am researching metrics. This book is about mid-point in Perry's publishing career. While his subsequent books focused more on software testing, this one is among the first to cover both software quality assurance and software testing in a coherent manner.

William Lewis' Software Testing and Continuous Quality Improvement that both Linda and I have recently discussed here (and reviewed on Amazon) extends Perry's work with respect to a holistic view of software quality.

Testing vs. SQA. I make the distinction between testing and SQA as follows:

Testing is an activity to find or prevent defects in software using older inspection techniques or more modern preventive techniques. Note that I am not including value judgments in my definition, else I would have ignored the inspection approach. What I want to do is highlight differences between testing and SQA.

SQA is an oversight function that collects and analyzes quality data to be used in pursuit of process improvement.

Based on my definitions testing belongs in the application delivery domain and serves as the boundary between application delivery and service delivery (i.e., production). This is shown in the organizational diagram that Linda and I developed. SQA, in my opinion, should be a function of a program management office (an ideal spot for oversight), or an entirely separate function that reports directly to the CIO.

However, software testing is evolving to the point where testing and SQA are becoming blurred. In fact, to put it crudely, finding the boundary between testing and SQA is akin to picking fly shit of pepper. I apologize for that analogy, but it best describes the situation. The two books I've recently discussed, Systematic Software Testing and Introducing Software Testing each integrate testing and SQA, and it looks like the direction that software testing is going to take. There are some strengths and weaknesses to this:

• Strengths: end-to-end quality infrastructure, with a viewpoint that encompasses the entire systems life cycle (not just the development life cycle).
• Weaknesses: misses the big picture because testing is a narrow viewpoint of software quality. Other stakeholders in the service level management and project management domains have different viewpoints. See our Life Cycle Quality Gates document for an overview of metrics we deem important and you'll see why many will not be on the RADAR of a test organization.

I fall on the side of centralized SQA as an oversight function. I believe that Edward Deming was correct when he stated, [I]f the measurements you’re using are unfair, inconsistent and not within the control of the person being evaluated then you will demoralize and de-motivate your employees. Testers should be concerned with testing, not the politics of metrics. In fact, Craig and Jaskiel raise this as an issue (in different words) in Systematic Software Testing.

Clouds in My Coffee. The way I see it the maturity of the software testing profession, as evidenced by the two books I discussed yesterday, and the affinity of testing and SQA, are on a course that needs to be carefully considered. For small organizations this isn't such an important issue, but for large enterprises the strengths and weaknesses need to be more carefully examined and weighed than I've done in this entry. The good news is we have reached a point where quality is considered to be important and proactive approaches to achieving it are becoming more prevalent. Better yet, thses approaches are wrappd in process.

Where the issues become even more cloudy is in the growing (and excellent) body of knowledge and practices supporting test process improvement. My next entry will focus on that aspect of testing and quality before moving on to software reliability in a future entry.

Have a wonderful weekend!