I’ve read an interesting article about how agile leaves security features off the hook.
Security features are usually counted as a non-functional requirements. Non-functional requirements have been a thorn in the side of developers for years. But as with everything, it’s goes a bit deeper.
Non-Functional requirements are hard to define. You can define uptime, but how do you make sure your design supports it? Or you want a secure product, but what does that really mean?
A couple of things happen here: The product manager usually does not know enough about non-functional features (they usually are business matter-experts, and these non-functional things are not core to the product). Sometimes, they don’t even know how define what they want, it just needs to be there.
In many of those cases, the one who does take the decision is the developer. This is usually a bad thing. In agile teams, the team makes the decision. This makes the product owner very happy, since the interpretation of what is secure or stable is now a team decision, rather than his own. People don’t like to make decisions, especially on stuff they don’t fully understand, and here the team stepped forward instead.
As a team, it feels better if everyone agrees that we should concentrate on building what we know, rather than on what we don’t. We can specify that later. That’s how the security features get dropped in priority.
Unfortunately feeling better doesn’t create a stable or a secure product.
Let me state this clearly:
If the product owner wants a secure product, he needs to understand security. If he wants uptime, he needs to have the tools to understand if the solution the team suggests is good enough. If he doesn’t, someone else will make it the decision for him. And by this, he exposes the product to all sorts of risks, from actual security breaches to legal risks.
Product owners set the priorities to what the team works on. If the team reduces the priority against their will, the product owners are not doing their job.
“I can’t be expert on everything!” You say.
But you need to be on everything in your product.
That’s what responsible product owners do.