This is a very important concept with a lot of ramifications. I want to mention three things that one particular stakeholder, the custom software owner (e.g., the client of a custom software consultant), can do to efficiently and rationally acquire the knowledge that will provide him/her with the necessary level of confidence.
- Before the start of the project, and periodically thereafter, review the corrective action processes within the development organization. How are bugs in the software discovered and eliminated? How are defects in the software development processes identified and corrected? (This will give the owner confidence that the development organization's processes must improve over time. It's the idea behind such things as CMMI.)
- Review the development organization's software life-cycle methodologies. What types of development processes do the developers follow? How do the developers justify the tools and technologies used to produce custom software? (This will give the owner confidence that processes known to produce quality software are being used.)
- Trace the progress of the code being developed. How is progress measured? What evidence of progress is being produced and documented? (This will give the owner objective evidence that the desired development processes are actually being followed.)
Note that besides independent verification of SQA processes being used by the development organization, the software owner's input is critical for SQA tailoring. The appropriate scope, rigor, and intensity of SQA processes depend on the nature and intended usage of the software. This validation activity is the owner's domain and responsibility. (This is an explanation for why, whenever it is possible for the owners and developers to be the same people, "eating your own dog food" is such a common technique for producing quality software.)