23 items | 17 visits
christopher bischoff's List: Agile
-
-
Somehow, over the decade or so since the original agile manifesto, agile has come to mean ‘management agile’. It’s been captured by management consultants and distilled as a small set of non-technical rituals that emerged from the much larger, richer, but often deeply technical set of agile practices.
-
Agile has indeed become a cargo cult. Stripped of actual software engineering practices and conducted by ‘agile practitioners’ with no understanding of software engineering, it merely becomes a set of meaningless rituals that are mostly impediments and distractions to creating successful software.
-
-
-
encouraging organizations to align around products instead of projects.
-
On average 29% of an IT budget is spent on new system development while 71% is spent on maintaining existing systems and adding capacity to those systems. This is because organizations do not retire applications. A lot of money is being spent on maintaining mission critical applications. Some of these applications are even running on software no longer supported by the vendor. More money is being spent on applications that have part or all of their source code missing. This is mainly because once a product is delivered to production, the project team that built it is disbanded and team members move onto different projects. Organizations have no way to rationally decide what to retire. Everything is rolled up into one budget and there is no clear way of deciding what systems are generating value and which are not.
-
-
-
he short rationale is that in Agile and really any lean, successful company, you want "everyone to touch the product". Security guys need to code, those that don't (the majority) are not required.
-
Paul Graham says "a programmer working as programmers are meant to, is always making new things". I would argue this should be true for everyone working on agile projects including security people. The only people that add value are coding, designing the UI, testing etc; "touching the product". Unfortunately most security people are not doing this; they create documentation, provide advice and consulting, "manage risks" or manage other security people and thus at best add zero value. Arguably you would be far better having only security engineers that coded the security components and where they performed code reviews and security testing actually fixed the problem
-
-
-
“We introduced Scrum and it works really well” and “we’re too slow to bring new features to our customers”.
-
that sounds like a typical case of sub-optimization. You optimize only one part of a value stream but not others. While that one part (e.g. development) is getting faster and faster other parts of the system are not able to keep up the new pace. The development team will either run low on User Stories or it will swamp QA or Operations with features to be released. In the worst case, you end up slowing down the whole feature creation process instead of speeding it up.
-
-
-
the Agile Manifesto revealed the weaknesses and immaturity of the founding principles. The two most disturbing: “Working software is the primary measure of progress” and “Business people and developers must work together daily throughout the project.”
-
Using “working software as the measure of progress” is narcissistic. Rush to write code is oft the translation of this misguided principle. Software developers want to be measured on what they know — code — instead of what they don’t know: the domain, business requirements, and the user. The idea is that you’ve got nothing if you don’t have working software. The cop-out is thinking that code is the measure of everything. Software is always part of a bigger picture. It works in conjunction directly or indirectly with other software, technologies, the environment, business processes, and people to create customer experience and/or improve operational efficiency. Like most of the Agile principles, this one is developer-centric rather than user-centric.
-
-
-
Agile is a philosophy - defined by 4 comparative value statements and 12 principles. So the top-dog rightly focuses the company on one well defined Agile process - Scrum.
-
-
-
manifesto for agile software development (http://agilemanifesto.org) consists of 4 basic values:
1. Individuals and interactions over processes and tools?
2. Working software over comprehensive documentation?
3. Customer collaboration over contract negotiation?
4. Responding to change over following a plan
-
-
-
- Per sprint:
- Get to the daily scrums and fortnightly sprint planning sessions so I can put forward my valuable chicken advice and requirements. This will probably only work if I am in the same room, which could be a challenge since I am in a different continent but I will work on my boss on that.
- Threat model. Try to get the developers and product guys to think of mis-use cases and attack trees per sprint. This could be challenging, as they will probably say NO (although Lulzsec, Sony and RSA are helping my cause here and I know a few physiological tricks now to exploit). Nevertheless, a sprint may also be too small a unit for threat modelling. This may work best per release.
- Security unit test cases. Writing security unit tests along with the developers’ functional unit test. These should be from the threat model and will also be automated and added to the regression suite where possible
- Static analysis. We have an automated code-scanning tool, which the developers should be running every time they check-in code. Tickets are then raised for defects. Let's see how quickly these get fixed and what priority they receive. I will also be pushing for manual peer review by both developers and me. One of the biggest problems I can for see is although there is a lot of new code being written, there is many existing assets to be re-used. The web stuff from the start-up is being manually pen tested but doubt anyone has reviewed the code and we will not have time to do that.
- Dynamic analysis. We also have the Q/A group that use an automated application vulnerability scanner. I will be looking at that, working with them to tune and raising tickets for defects.
-
- Per release:
- Manual penetration test. Sorry I promised at B-sides to call this a security controls review, as we are too soft and squishy for outcome based testing. Even if we were not the CEO is probably not going to like the spear phishing email nor our partners when we try to hack through them. Still we have an internal team for this testing and it will do what it always does give us some comfort we are running faster than the guy running from the bear.
-
-
-
- Low overhead methods that emphasize values and principles rather than processes
- Project priorities are re-evaluated on a continuing basis in cycles of a week, a month, or sometimes longer depending on the project
- Especially beneficial for small teams with rapidly changing requirements
- Allows for testing of the product in components
Some of Agile’s characteristics:
-
- Low overhead methods that emphasize values and principles rather than processes
- Project priorities are re-evaluated on a continuing basis in cycles of a week, a month, or sometimes longer depending on the project
- Especially beneficial for small teams with rapidly changing requirements
- Allows for testing of the product in components
Some of Agile’s characteristics:
-
-
-
1. Revenue
The iterative nature of agile development means features are delivered incrementally, enabling some benefits to be realised early as the product continues to develop.
2. Speed-to-market
Research suggests about 80% of all market leaders were first to market. As well as the higher revenue from incremental delivery, agile development philosophy also supports the notion of early and regular releases, and ‘perpetual beta’.
3. Quality
A key principle of agile development is that testing is integrated throughout the lifecycle, enabling regular inspection of the working product as it develops. This allows the product owner to make adjustments if necessary and gives the product team early sight of any quality issues.
4. Visibility
Agile development principles encourage active ‘user’ involvement throughout the product’s development and a very cooperative collaborative approach. This provides excellent visibility for key stakeholders, both of the project’s progress and of the product itself, which in turn helps to ensure that expectations are effectively managed.
5. Risk Management
Small incremental releases made visible to the product owner and product team through its development help to identify any issues early and make it easier to respond to change. The clear visibility in agile development helps to ensure that any necessary decisions can be taken at the earliest possible opportunity, while there’s still time to make a material difference to the outcome.
6. Flexibility / Agility
In traditional development projects, we write a big spec up-front and then tell business owners how expensive it is to change anything, particularly as the project goes on. In fear of scope creep and a never-ending project, we resist changes and put people through a change control committee to keep them to the essential minimum. Agile development principles are different. In agile development, change is accepted. In fact, it’s expected. Because the one thing that’s certain in life is change. Instead the timescale is fixed and requirements emerge and evolve as the product is developed. Of course for this to work, it’s imperative to have an actively involved stakeholder who understands this concept and makes the necessary trade-off decisions, trading existing scope for new.
7. Cost Control
The above approach of fixed timescales and evolving requirements enables a fixed budget. The scope of the product and its features are variable, rather than the cost.
8. Business Engagement/Customer Satisfaction
The active involvement of a user representative and/or product owner, the high visibility of the product and progress, and the flexibility to change when change is needed, create much better business engagement and customer satisfaction. This is an important benefit that can create much more positive and enduring working relationships.
9. Right Product
Above all other points, the ability for agile development requirements to emerge and evolve, and the ability to embrace change (with the appropriate trade-offs), the team build the right product. It’s all too common in more traditional projects to deliver a “successful” project in IT terms and find that the product is not what was expected, needed or hoped for. In agile development, the emphasis is absolutely on building the right product.
10. More Enjoyable!
The active involvement, cooperation and collaboration make agile development teams a much more enjoyable place for most people. Instead of big specs, we discuss requirements in workshops. Instead of lengthy status reports, we collaborate around a task-board discussing progress. Instead of long project plans and change management committees, we discuss what’s right for the product and project and the team is empowered to make decisions. In my experience this makes it a much more rewarding approach for everyone. In turn this helps to create highly motivated, high performance teams that are highly cooperative.
-
-
-
scrum is not the same thing as Agile. Scrum is just a technique used to foster face-to-face communication. I like scrum and have had good success with it because, a) it promotes a subtle form of peer pressure in the group, and b) developers often come up with ingenious solutions when discussing problems in an open forum. Sure, it embodies Agile’s quest for simplicity and efficiency, but that’s just facility – not the benefit.
Scrum is just a technique, and some Agile techniques work in particular circumstances, while others don’t. For example, I have never got pair programming to work. That could be due to the way I paired people up, or the difficulty of those projects might have made pairs impractical, or perhaps the developers were just lazy (which definitely does happen).
-
The second point is that people break process. Mr. Markham does not accept that, but sorry, there are just not that many variables in play here. We use process to foster and encourage good behavior, to minimize poor behaviors, and to focus people on the task at hand. That does not mean process always wins. People are brilliant at avoiding responsibility and disrupting events. I couch Agile pitfalls in terms of SDL – because I am more interested in promoting secure code development – but the issues I raise cause general project failures as well. Zealots. Morons. Egoists. Unwitting newbies. People paranoid about losing their jobs. All these personality types figure into the success (or lack thereof) of Agile teams. Sometimes Agile looses to that passive-aggressive bastard at the back of the room. Maybe you need process adjustments, or perhaps better process management, or just maybe you need better people.
-
-
Nov 12, 10
-
My proposal for a new measurement framework is the Agile Triangle: Value, Quality, and Constraints. The measures are value, to the customer in terms of a current releasable product; quality (to deliver continuous value to the customer, in terms of a reliable, adaptable product); and constraints (the traditional scope, schedule, and cost). Constraints are still important project parameters, but they are not the project’s goal. Value and Quality are the goals and constraints may need to be adjusted as the project moves forward to increase customer value. Schedule might still be a fixed constraint, but then scope could be adjusted to deliver the highest value within the schedule constraint.
-
-
-
- Can you describe the runtime environment of your web application?
- Do you know the release process for your app?
- What are the most critical issues operations is dealing with currently?
- When is your work done?
DevOps State of Mind
Ask your developers the following questions:
The answers to these questions tell you whether your developers are thinking out of their “code creation” box and consider deployment of their app as part of their work. Only if they show at least some basic interest in the operations realm are they ready for DevOps. If your developers think they can just “throw their work over the fence to QA” (or the build server), or, even worse, that they’re done once they commit their code to version control, you’ve got a long way to go.
-
- Which new features are upcoming?
- Do you look forward to the next release?
- When was the last time you talked to the developers?
- Is your work creating business value?
Ask your sys admins the following questions:
The answers to these questions show you how the sys admins think about their work and their areas of responsibility. Only if they are involved in development to a certain degree and welcome frequent change (i.e. creating business value) are they ready for DevOps. If they only think about avoiding change and don’t care at all about what’s upcoming or what’s creating business value, you’ve got a ways to go with your sys admins as well.
-
-
-
Within that business process there are all kinds of activity that needs to happen, some technology-driven and some human-driven. This is where all of the different functions of IT come into play. Developers, QA, Architecture, Release Engineering, Security, Operations, etc each do their part to fulfill that process.
But if you take away the context of the business process, what have you got? You've got a bunch of people and groups doing their own thing. You lose any real incentive to fight inefficiency, duplication of effort, conflicts, and disconnects between those groups. It's every person for themselves, literally.
-
The whole point of DevOps is to enable your business to react to market forces as quickly, efficiently, and reliably as possible. Without the business, there is no other reason for us to be talking about DevOps problems, much less spending any time solving them.
-
-
-
- Advantages of this iterative approach to software development include:
- Reduced risk: clear visibility of what's completed to date throughout a project
- Increased value: delivering some benefits early; being able to release the product whenever it's deemed good enough, rather than having to wait for all intended features to be ready
- More flexibility/agility: can choose to change direction or adapt the next iterations based on actually seeing and using the software
- Better cost management: if, like all-too-many software development projects, you run over budget, some value can still be realised; you don't have to scrap the whole thing if you run short of funds
For this approach to be practical, each feature must be fully developed, to the extent that it's ready to be shipped, before moving on.
Another practicality is to make sure features are developed in *priority* order, not necessarily in a logical order by function
- Reduced risk: clear visibility of what's completed to date throughout a project
-
-
-
Pareto's law is more commonly known as the 80/20 rule. The theory is about the law of distribution and how many things have a similar distribution curve. This means that *typically* 80% of your results may actually come from only 20% of your efforts!
-
-
-
- Predictive vs Adaptive - Engineering Methodologies are Predictive in nature and they focus too much on pre-planning of the processes in great detail. This obviously makes them comparatively less flexible for future changes. Agile Methodologies in contrast are Adaptive in nature and they welcome changes even to the point of changing themselves.
- Process-oriented vs People-oriented - Engineering Methodologies are Process-oriented. As mentioned in the above point they focus on pre-planning of processes in great detail and subsequently come up with a defined overall process to be used by whosoever uses it. Agile Methodologies on the other hand are People-oriented as they believe process definition is not an independent thing and the development of a software relies heavily on the skills of the development team rather than on defined processes. Agile Methodologies use processes only to support the development team in doing their work more effectively and efficiently. Process never takes a lead in agile methodologies.
Differences between Engineering Methodologies and Agile Methodologies
-
- Predictive vs Adaptive - Engineering Methodologies are Predictive in nature and they focus too much on pre-planning of the processes in great detail. This obviously makes them comparatively less flexible for future changes. Agile Methodologies in contrast are Adaptive in nature and they welcome changes even to the point of changing themselves.
- Process-oriented vs People-oriented - Engineering Methodologies are Process-oriented. As mentioned in the above point they focus on pre-planning of processes in great detail and subsequently come up with a defined overall process to be used by whosoever uses it. Agile Methodologies on the other hand are People-oriented as they believe process definition is not an independent thing and the development of a software relies heavily on the skills of the development team rather than on defined processes. Agile Methodologies use processes only to support the development team in doing their work more effectively and efficiently. Process never takes a lead in agile methodologies.
Differences between Engineering Methodologies and Agile Methodologies
-
-
-
Waterfall Model Vs Agile Model: Conceptual Difference
After the short interlude of history, let us start the actual waterfall model vs agile model comparison, by starting with the major conceptual differences in the two approaches. Then we will compare the difference in software development life cycle, involved in both approaches. Let us discuss the waterfall model advantages and disadvantages after delving into the main concept. Waterfall model of software development, as the name itself signifies, is a sequential process of software development. Like in a waterfall, the water progressively falls from one altitude to the lower, in a similar way, the production cycle progresses sequentially, from one stage to the other (illustrated by a waterfall model diagram in textbooks). The waterfall model phases of software development are as follows: requirement specification, conception, analysis, design, coding, testing & debugging, installation and finally maintenance. In this sequentially structured approach, the development team goes ahead to the next stage of development only after the first is fully accomplished. Software development companies adopting this model spend considerable amount of time in each stage of development, till all doubts are cleared and all requirements are met. The belief that drives this kind of software development model is that considerable time spent in initial design effort corrects bugs in advance. Once the design stage is over, it is implemented exactly in the coding stage, with no changes later. Often the analysis, design and coding teams are separated and work on small parts in the whole developmental process. Emphasis is placed on documentation of every stage of software development. -
Waterfall Model Vs Agile Model: Efficiency
In the ongoing comparison of waterfall model vs agile model, let us see how these two ideologies compare with respect to development efficiency. Efficiency is decided by the quality of ultimate software product, the number of bugs and the development time consumed. Through my own research into the working of both these models, I found the agile models to be more efficient than the waterfall model, due to its adaptability to the real world. The 'One Phase' and 'Rigid' development cycle makes it difficult to make last minute changes in requirements or design. While the agile methods, due to their iterative and adaptable nature, can incorporate changes and release a product in lesser time. Of course, agile models are not perfect either, but they are certainly more widely applicable than the waterfall model.
-
-
-
in an Agile development world are most security guys useless? The short rationale is that in Agile and really any lean, successful company, you want "everyone to touch the product". Security guys need to code, those that don't (the majority) are not required.
-
- 12 principles [2] behind Agile development are (emphasis mine):
- Customer satisfaction by rapid delivery of useful software
- Welcome changing requirements, even late in development
- Working software is delivered frequently (weeks rather than months)
- Working software is the principal measure of progress
- Sustainable development, able to maintain a constant pace
- Close, daily co-operation between business people and developers
- Face-to-face conversation is the best form of communication (co-location)
- Projects are built around motivated individuals, who should be trusted
- Continuous attention to technical excellence and good design
- Simplicity
- Self-organizing teams
- Regular adaptation to changing circumstances
-
-
-
DevOps and its approach of blending development and operations staff together to create better products, I’ve started to see similar trends develop in the security space
-
In successful and agile orgs, the predominant mindset is that if you’re not touching the product, you are semi-useless overhead. And there’s some truth to that. When people are segregated into other “service” orgs – like operations or security – the us vs. them mindset predominates and strangles innovation in its crib.
-
List Comments
(0)
List Info