
Cradle to Grave: Working with a Security Plan • Chapter 12 509
applications. We would hope that if your organization is not doing code
reviews, it is at least running development work by a QA team prior
to release to production—one or the other is better than neither. Of
course, bringing in the QA team after too much production work has
already been completed will require correspondingly more time and
money to fix errors.
As you should with code reviews, expect the QA team to find errors
in your work. If you talk to anyone who has been in QA for a significant
period of time, they will tell you that they are fully aware that
whatever ...