Example Report Excerpt
This is the management summary from a report prepared over a period of several weeks on a customer's application. The report was circulated to the directors of the company, and our consultant received a personal letter from the CEO praising the quality and clarity of the report. The CEO reported that this was 'the best management summary he had ever seen'.
Slight changes have been made to the report to ensure that the customer cannot be identified.
Management Summary
This report is a peer review provided for the CUSTOMER on the application developed by XXX for the REASON.
The review finds that the design of the application is consistent with industry practice for this type of system as are the software components utilised.
From a technical perspective, the code within the review scope is well developed and easy to read. Technical comments are well placed, allowing a developer to understand the program flow; however, functions are not individually commented and there are no comments explaining the purpose of each component. This type of commenting would be expected as the application matures. Without it, a developer who is new to this application will take longer to understand the code and will be more error-prone when writing code.
There is no 'source code control' system implemented, either procedural or systemic, and thus there is no release control procedure. This is another area of concern and risk. The consequence is that the exact application configuration and the state of development are unknown (except to the developer).
The operational requirements and dependencies are not formally documented. This is an area of concern: to rapidly rebuild a new environment, for whatever reason, the single live/development/testing environment would have to be available. Clearly this would not be the case in the event of a disaster.
Although steps have been taken to protect the application from the standard security attacks known in this type of environment, some changes have been recommended to protect the system from attacks that can circumvent the security controls and checking that have been put in place.
No documentation has been produced for the project. This is an area of concern. A highly skilled systems analyst/developer would be able to understand the application; however, the time required to attain that understanding will be extended, and development will be prone to mistakes based on mistaken assumptions or on lessons learned that are not documented.
No regression testing is performed, there are no formal sign-off tests, and there are no change control procedures. Clearly, there is an informal system in place. However, for effective risk management this report recommends considering implementing these types of procedures.
This review finds that the operational environment is not what one would expect for a product of this organisational importance. Development is undertaken in the 'live' commercial environment. This review recommends splitting the single environment into two or three environments, with a dedicated, controlled live environment.
A number of security concerns pertaining to the configuration of the live server have been identified and remedies have been suggested.
Clearly the application is functional and suitable for its purpose. The reviewer finds that the highlighted issues are not a result of ignorance or any lack of care, but have come about as a result of the commercial pressure to rapidly develop and deploy this application. All of the recommendations are attainable and, if implemented, will significantly improve the ability of the CUSTOMER to control the elements of risk that dependence on this application introduces. However, it should be noted that, initially, implementing these recommendations will slow the development of the application and increase its cost.
A 'Recommendations Index' is provided on page 25.