I thought it might be helpful to share how I think about the problem of “policy verification through the life cycle.” I use “policy” as a stand-in for “rules”, “building codes” or requirements.
For simplicity, I think about requirements as user, system, or business requirements. I also break them down by business requirements, operational constraints, technological requirements, and organizational and industry compliance. From a life cycle perspective, I break the rules up into design, implementation, and deployment. This helps me very quickly parse and prioritize the space. It also helps me use the right tool for the job and right-size my efforts.
How does this help? It helps when you evaluate your approaches.
- What are the most effective ways to verify design rules? (for example, manual design inspections)
- What are the most effective ways to verify implementation rules? (for example, FxCop and Code Analysis for low-hanging fruit, combined with manual code inspections)
- What are the most effective ways to verify deployment rules? (for example, deployment inspections)