Application Security - The Agile Way
Traditionally application security has involved upfront design and a big bang penetration test after development. This leads to the phenomenon of “bolt-on” security that translates into increased cost and complexity.
Drawing on our experience on real-world projects, we show how security can be baked-in on an agile project. Using case studies we demonstrate how security concerns are captured during project inceptions, how developers write secure code, security testing is automated and how configuration management can help achieve secure deployments. This talk introduces several new concepts like secure by design, secure design patterns and lightweight code reviews.
Outline/structure of the Session
We will cover following topics in the talk:
- Current state of Security on Agile projects
- Why security in agile is different from other projects
- Integrating security in agile projects
- Continuous security testing
- Learning resources
- Project managers would learn what kind of people they need on the project to deliver a secure application to the client.
- Developers would learn what they need to keep in mind to write secure code, what practices to follow, etc.
- Quality Analysts would learn why security testing is different from any other testing and why and how to automate this testing.
Project Managers, Developers and Quality Analysts
eXtreme Programming for ETL and Data Analytics
Over the last decade, eXtreme Programming practices like User Stories, Evolutionary Design, Test-Driven Development (TDD), Behavior Driven Development (BDD), Refactoring, Continuous Integration and Automation have fundamentally changed software development processes and inherently how engineers work.
Having experienced various benefits from XP practices on our J2EE stack, our team started to apply these practices to the extract, transform, and load (ETL) and Data Analytics side of our product. Unfortunately, there is very little guidance available in this context, esp. for the SAS Platform. Right from finding the unit testing framework to structuring the code to designing our modules and setting up Continuous Integration builds, our team had to figure out everything, the hard way.
Join us to understand the challenges we faced during this process and how we resolved these challenges.
The Tao of Transformation
"To know, is good. To live, is better. To be, that is perfect." - The Mother
During Agile adoption, it's a common complaint that many teams in many organizations get caught up in the ceremonies or mechanics of Agile and fail to understand/appreciate the true value and spirit of Agile. And because of this, the original intent of the Agile movement itself is lost. This is a serious issue!
This workshop will highlight a well-proven approach to transformation (not adoption) and show the distinct steps in this journey that an individual or a collective goes through when learning anything new. Activities in the workshop, serving as examples, will focus on showing the journey - that is, how to begin with rituals, then gradually move to practices, arriving at principles and eventually internalizing the values. Witnessing this gradual process of transformation will help participants discover for themselves their current progression. We hope this will serve as a guiding light during their Agile journey.
Finally, we will leave the participants to ponder upon and discover for themselves their ideals in life and work as this is not only applicable to software development, but also to any discipline where humans are involved, including life itself.
The Art of SQL Database Refactoring
"We've tested this feature thoroughly and it worked really well. But for some weird reason, it's really slow in production today...must be a network issue...or maybe the server is having a bad day..."
Do you often hear these kinds of comments in your development team? Let us guess, your application is very data-centric and churns big blocks of data on every user request. And under the hood, your application is most probably heavily dependent on long/complex queries with joins, temp-tables, case-statements, nested queries, etc.
These SQL queries probably started out very simple. But as your requirements evolved, iteration after iteration, the queries also grew in complexity. And most often, even if you test-drove your newer stories, the performance of these complex queries is not evident until you run them in production.
Given that our requirements will evolve and so will our database, how do you deal with the above problems?
There are TWO essential parts to evolutionary database design:
- The art of refactoring your SQL queries.
- Figuring out the right balance of what processing is done in SQL on the DB side and what is done on your service side in your App/Web Server.
Join us as we take a tour of how we refactored our complex, non-performant queries and overall DB without hurting our time-to-market.
Organizational Patterns
Unmesh Joshi
The Organizational Patterns study by Jim Coplien done throughout the 90s forms the foundation of Agile. It's important to understand these patterns and go beyond 'popular practices' like stand ups, user stories and TDD. Individuals are important and there are certain characteristics of these individuals which make a team Agile or not. This presentation covers some of the very important patterns which form the basis of Agile; without these, any Agile project is bound to fail.
Jeff Sutherland, creator of Scrum, now actively uses Organizational Patterns to explain Scrum and also started an effort at www.scrumplop.com to collect patterns which make Scrum work.
Relevance of the '12 principles' through project lifecycle - A Practitioner's View
Sridharan Vembu
This talk is about taking a closer look at how one or more of the 12 principles behind Agile Manifesto are closely connected to the different stages of the project lifecycle and how they impact the right choice of practices and tools at each stage.
Few sample scenarios:
1. Major change in the way iteration planning was done - common backlog for the platform (comprising different application teams), think of each 'iteration' as a 'release' - deployment of business features to production at the end of each iteration - resulted in greater collaboration, no separate integration/stabilization phase towards major commercial launch
Relevant Principle: Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale
2. Reflecting on team organization - one large team (or) multiple smaller teams and / or feature teams, concepts like Mountaineers-Divers, Navigators-Drivers -> effective and easy context sharing, no stepping-into-each-others-shoes, efficient balance between big picture view and attention to details and such.
Relevant Principle: At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly
3. Feature kick-offs, analysis volleyballs, need-basis Dev/QA/BA huddles, video calls with distributed teams, subject-specific Google Hangouts -> Effective communication and fewer email conversations
Relevant Principle: The most efficient and effective method of conveying information to and within a development team is face-to-face conversation
Experience clearly suggests that following the right principle at the right time for a specific situation ensures successful outcome, while ignoring one or many of these principles often results in failure.
4. Adverse effects of measuring the delivery team's efficiency of the team one-dimensionally based on the Story Points delivered
Relevant Principle: Working software is the primary measure of progress.
In this talk, through specific practical examples, I would be explaining
- identifying the right principles for each life cycle stage of the project/program
- deriving the right practices based on the principles and following them effectively to deliver value to customer
- business and delivery constraints that prevented us from adhering to some of these principles, resulting in not-so-desired outcomes
In summary, I would like to emphasize the importance and relevance of the 12 Agile Software Principles behind the Agile Manifesto in the everyday life of an Agile Practitioner.
Agile Business Analysis Anti-Patterns
Unnat Gupta
In this talk we will pick up various (5-7) business analysis anti-patterns, especially for Agile projects, that either we ourselves have practiced at some point of our BA career or have seen other BAs doing. We will talk about the symptoms which act as a sign of the presence of these anti-patterns, what the problems associated with them are and what the ways to get rid of them are.
These anti-patterns may range from behavior with customers to behavior with the own team.
Some of the anti-patterns we are planning to discuss:
1) BA aka The Order takers
2) Task (UI/backend) based stories
3) Engrossed in too much detail and missing the view of the bigger picture - story versus feature
4) As a “user”...., where the user is either "system" or "product owner"
5) Leave the NFRs / CFRs to the Developers/Tech lead
6) Detail the hell out of stories
7) Focus on Happy Paths only
8) Focus on building a software over solving the real problem
9) Resist change in requirements
Continuous Delivery Workshop - Setting up Deployment Pipeline
It does not matter how good our design or architecture is, at the end of the day what matters is whether our code is ready for production. But the question is, how do we make sure that our code is always production ready? As described by Jez Humble [Co-author of the Continuous Delivery book], Continuous Delivery [CD] is fast, automated feedback on the production readiness of our code whenever any change happens to the code, database, configurations or the infrastructure.
During this workshop, we will give you an overview of Continuous Integration[CI] and Continuous Delivery[CD] and also talk about the key practices of CD such as:
- Mainline Development
- Feature Toggles
- Build Automation
- Deployment Automation
As this will be a “hands-on” session, we will be using Jenkins as an example tool. We will walk you through setting up CD using Jenkins and its Build Pipeline Plugin. We will also briefly touch upon open source tools that help with deployment automation such as Chef/Puppet, Capistrano etc.
To Deploy or Not-to-Deploy - decide using TTA's Trend & Failure Analysis
The key objective of organizations is to provide / derive value from the products / services they offer. To achieve this, they need to be able to deliver their offerings in the quickest time possible, and of good quality!
In order for these organizations to understand the quality / health of their products at a quick glance, typically a team of people scramble to collect and collate, by hand, the information needed to get a sense of quality about the products they support. All this is done manually.
So in the fast moving environment, where CI (Continuous Integration) and CD (Continuous Delivery) are now a necessity and not a luxury, how can teams take decisions if the product is ready to be deployed to the next environment or not?
Test Automation across all layers of the Test Pyramid is one of the first building blocks to ensure the team gets quick feedback into the health of the product-under-test.
The next set of questions are:
• How can you collate this information in a meaningful fashion to determine - yes, my code is ready to be promoted from one environment to the next?
• How can you know if the product is ready to go 'live'?
• What is the health of your product portfolio at any point in time?
• Can you identify patterns and do quick analysis of the test results to help in root-cause-analysis for issues that have happened over a period of time in making better decisions to better the quality of your product(s)?
The current set of tools are limited and fail to give the holistic picture of quality and health, across the life-cycle of the products.
The solution - TTA - Test Trend Analyzer
TTA is an open source product that becomes the source of information to give you real-time and visual insights into the health of the product portfolio using the Test Automation results, in form of Trends, Comparative Analysis, Failure Analysis and Functional Performance Benchmarking. This allows teams to take decisions on the product deployment to the next level using actual data points, instead of 'gut-feel' based decisions.
There are 2 sets of audience who will benefit from TTA:
1. Management - who want to know in real time what the latest state of test execution trends is across their product portfolios / projects. Also, they can use the data represented in the trend analysis views to make more informed decisions on which products / projects they need to focus on more or less. Views like Test Pyramid View and Comparative Analysis help in looking at results over a period of time, and using that as a data point to identify trends.
2. Team Members (developers / testers) - who want to do quick test failure analysis to get to the root cause analysis as quickly as possible. Some of the views - like Compare Runs, Failure Analysis, Test Execution Trend help the team on a day-to-day basis.
NOTE: TTA does not claim to give answers to the potential problems. It gives a visual representation of test execution results in different formats which allows team members / management to have more focused conversations based on data points.
The Agile “Chalta-Hai (It’s OK)” Manifesto
The Agile Manifesto was formulated by 17 people in 2001. We know the principles of the Agile Manifesto … but do we really understand it?
Depending on the organisation culture, the team culture and various other factors, they reach varying levels of Agile adoption. Martin Fowler talks about the levels of adoption and the path to get better via his post on “Your Path through Agile Fluency”.
Not surprisingly, not all Agile project implementations are successful.
This session is going to take you through a journey to talk about some of the Myths of Agile and also behaviors that inhibit organisations and teams to reach great(er) heights in Agile Fluency to achieve Agile’s benefits. As a result, the Agile Manifesto has remained on paper, but teams have come up with their own ‘workarounds’ - which are not truly solutions to solve a complex problem well.
We accept it because of our “chalta-hai (it’s ok)" attitude. At the end, what are we then left with? The Agile “Chalta-Hai (It's OK)” Manifesto.
Enabling Continuous Delivery (CD) in Enterprises with Testing
The key objective of Organizations is to provide / derive value from the products / services they offer. To achieve this, they need to be able to deliver their offerings in the quickest time possible, and of good quality!
In such a fast moving environment, CI (Continuous Integration) and CD (Continuous Delivery) are now a necessity and not a luxury!
There are various practices that Organizations and Enterprises need to implement to enable CD. Testing (automation) is one of the important practices that needs to be setup correctly for CD to be successful.
Testing in Organizations on the CD journey is tricky and requires a lot of discipline, rigor and hard work. In Enterprises, the Testing complexity and challenges increase exponentially.
In this session, I am sharing my vision of the Test Strategy required to make the journey of an Enterprise on the path of implementing CD successful.
Inverting Test Pyramid - A First Hand Experience Report
Test automation is extremely crucial in the adoption of agile delivery. However, it can take one for a ride if the approach is not correct. In this sensational, heart-throbbing experience report, we'll share our story of how we turned around an inefficient, expensive automation style into a lean, efficient style. In addition to sharing a real-world example, we'll also share some of the key challenges we faced and how we solved them. If you are convinced about the Testing Pyramid, but are struggling to invert it, then this session is for you.
Earlier Defect Detection - Higher test coverage at Unit/Intermediate layers leads to earlier defect detection. Reduced number of issues found on higher test environments/Production. Reduced cost of defect fixing.
Reduced maintenance cost - UI tests are fragile and costlier to maintain vs. backend tests. The number of changes in the services layer is comparatively less.
Reduced test execution time - Backend tests are much faster. Almost 7-10 times faster than UI Tests - improved build certification time.
Test feedbacks are naturally distributed across layers of application. Test feedbacks are more pin pointed/ granular.
Calculating RoI on Agile Enablement
"We want to be Agile!!...
Because it's cool, and it's becoming a norm, it will help us to cope with changing requirements, help us deliver faster etc etc."
Isn't this a common sentiment in organizations struggling with the ever changing user/customer taste?
With Agile going mainstream and most organizations looking to have at least a few business critical projects run in an Agile way, the question of ROI comes up. Shifting from a traditional way of building software to an Agile way requires change and, as any good business leader would know, change is not free. Business leaders would like to understand and justify the return on investment to make this shift. In our talk, we will be talking about how to look at the Agile process holistically, how this process affects budgeting and how early value realization can help offset the cost of change. We will also discuss stories of other in-house IT shops and product houses who have made this shift and the journey they have undertaken.
From our experience of working with such organizations, we have found that for these process-focused Agile adopters, much of their measurements include:
- how long is our stand-up?
- how long is our build?
- how many stories do we have?
- how many points can we fit into a sprint? etc.
From their perspective, they already have plenty of metrics. Often it's also the case that they're getting benefit, just because common sense does kick in behind the scenes, and because they're delivering more frequently as a result of the reduction in documentation, so they don't always run out of money either. That leads to bad habits, possibly rewarding wrong practices. In this talk we want to discuss metrics we have used on projects and have found useful. Metrics like: Cycle Time, Time to market (also called Lead Time), Collaboration, Quality (in terms of code complexity, code coverage, test pyramid) and bus factor. One thing to note is that none of these metrics alone would provide a holistic way of measuring benefit, and hence a combination of them is required.
Prioritization Techniques: Lets move beyond MoSCoW!!
- Have you been in a situation where everything gets prioritized as MUST HAVE?
- Have you been in a situation where you find it difficult to get different stakeholders to agree on the relative priority of different features?
- Most of the time is spent in discussing low value features?
- Whoever screams the loudest gets their pet features prioritized high?
- Do you want to learn some more prioritization games/techniques that can be used to start prioritizing at Feature level and subsequently refine it to story level?
- You feel the current technique(s) you use for prioritization are time consuming and ineffective?
If the answer to any of the above questions is yes, this is the workshop for you to attend.
Customers are never thrilled to find out they can’t get all the features they want in release 1.0 of a new software product. In reality, customer expectations are high, timelines are short, and resources are limited. Any project with resource limitations has to establish the relative priorities of the requested features, use cases, or functional requirements. Prioritization helps the project manager resolve conflicts, plan for staged deliveries, and make the necessary trade-off decisions. Thus, requirement prioritization is used in Software development for determining which requirements of the software product/application should be included in a certain release. Requirements are also prioritized to minimize risk during development so that the most important or high risk requirements are implemented first.
Several methods for assessing a prioritization of software requirements exist. In this workshop we are going to show some of the techniques/games we have used for feature prioritization.
Techniques to Speed Up your Build Pipeline for Faster Feedback.
I would like to share my experience and journey on how we brought down our Jenkins build pipeline time down from over 90 minutes to under 12 minutes. In the process, I would share specific techniques which helped and also some, which logically made sense, but actually did not help. If your team is trying to optimize their build times, then this session might give you some ideas on how to approach the problem.
Development Impact - For one of our build jobs, the graph below shows how the number of builds in a day has increased over a period of time as the build time has reduced. Frequency of code check-in has increased; wait time has reduced; failed test cases are faster to isolate and fix.
Business Impact - More builds leading to quicker feedback and faster story acceptance and less story spill over.
Getting A Partner To Adopt Agile
Sunil Mundra
Due to the business benefits which accrue from Agile, clients are demanding their IT Departments/Partners to adopt Agile. It is quite common to find a situation where the client has adopted Agile, but its Partner/Vendor has not.
This talk is based on my consulting engagement with a client who had adopted Agile and their partner had not, and the client wanted the partner to Adopt Agile.
The talk will cover the critical challenges encountered in getting the partner to adopt Agile, especially given the wide difference in cultures of both organizations and also the organizations being located in different continents. The talk will also cover the key learnings from this journey.
Line Managers - an Endangered Species in Agile
Pankaj Kanchankar
The matrix organization of yore relied on maximizing returns on each skillset. This led to having line managers and practice horizontals.
Engineering managers looking after developers and practice managers looking after the respective practices of BA, QA and PMO. This led to having multiple lines of reporting for team members whilst on the project.
In Agile teams, the focus is on self-organising teams of empowered employees working towards common success criteria (project success is team success). Not everyone can be a PO or a Scrum Master. So has the role of so-called line managers or practice managers become redundant?
What's their role in the agile teams?
How does their role need to transform?
In this talk I will be addressing these questions. I will bring out how some of their responsibilities are now taken up by the team or Product Owner or Scrum Master. I will also be suggesting how line managers can take this as an opportunity to morph into more meaningful roles that help the organization and teams.
Turning around a twice-failed distributed enterprise program into success
Sridharan Vembu
The common myth about agile methodology is that it is suited for smaller, co-located teams, would not scale up for big enterprises and is best suited for smaller, less complex programs.
In this talk, I intend to share how we went about setting up, executing and successfully delivering probably one of the most complex and strategic programs for one of our customers. This program was the first ever successful adoption of the fully distributed agile implementations for the customer.
Context: The client is the leading Telecom Operator in the UK, having their captive and other strategic partners based out of India. The program was highly strategic for the client and the predicted ROI was high.
- The implementation was tried twice by different vendors for more than a year, but failed to deliver; root causes were not analyzed
- The Program Sponsor had one last chance to try and deliver the platform successfully, against a very tight schedule
- Continued Operational risk with the legacy system in place
Outcome of our engagement:
- Core functional application ready in pre-production by the end of first release cycle (4 months from engagement start); fully ready to functionally scale easily and quickly
- Adoption of the technical and execution approach to other related programs within the portfolio
- Outcome of initial assessment of the existing codebase was to go with re-write from scratch; was a really hard sell, but was the RIGHT thing to do
- Re-define the release cycle: extend development period by embedding integration testing as part of development cycle and cut down on the low level design phase
- Need-basis colocation of functional SMEs with development team
- Direct access to Product Owners: weekly video calls, must-attend iteration show-cases, etc
- Remove unnecessary operational overheads, in terms of people as well as organizational processes
- Well-defined, pragmatic strategy for Integration testing (major constraints - lead time for test data preparation, limitation in re-usability of test data, lack of e2e functional understanding within team)
- Smart seeding of other vendor team members (with good functional/domain understanding) into the core team
- Zero compromise on basic hygienic practices: IPMs, Showcases, communicate negative-news-first with alternate solutions/workarounds, strict removal of wastes, inclusive decision making, highest degree of code coverage, sanity test suite, e2e basic automation suite
- Building trust between distributed teams: cross-pairing, align on core work hours across time zones, joint showcases and retrospectives (shared responsibility)
- Big push to release the core functional platform into production in 3 months (immediate next release)
- Working out of other vendor premises: seen as threat to their business, lack of cooperation and collaboration
- Product Owners based out of UK, no easy / frequent access
- Functional SMEs/designers based out of different location
- Release cycle that was in place: 8 weeks of design, 4 weeks of development and 8 weeks of testing!
- Distributed and isolated testing teams
- Highly manual and time-consuming E2E testing processes
- Multiple interfacing systems, both upstream and downstream
- Client development team based out of UK, different execution approach, lack of trust between the teams
In summary, I would like to share the unique aspects of the execution approach that made this program a real success for the customer, though some of the approaches might be tried out in different environments and project situations.
Scaling Agile For Enterprises with Distributed Engagement Models
Khaarthigha S
I would like to share my experience in consulting and managing a distributed team - Identification of strategies for a transformation of "a lifeless program to a Successful Program " and journey from "Collective Inception to Collective delivery"
This becomes challenging especially with a complicated -distributed engagement model for our client which is a reputed and huge enterprise with presence in every corner of the world.
In a completely globalized world, the major bottleneck for a huge enterprise is the effective functioning of globally distributed teams despite using Agile and Lean.
In my presentation, I am going to share the approaches that we tried to address the pain points including the following:
- Not even able to plan the Iteration planning meeting - Iteration planning not producing the outcome despite hours of planning meeting
- Manage dependencies between teams for a collective delivery
- Communication channel between teams (Change how you communicate/coordinate)
- To bring the organic coherence between teams despite the cultural difference
- To also worry about the unknown interfaces & disastrous scenarios
- Different team communities with different process and practices impacting the other team’s delivery
- To sustain the work ecosystem for all the teams
- Inoffensive collective Retrospective for a constructive learning
- Major natural pain point – "it's not the distance, it's the time zones"
- Above all, Conflict Resolution
E.g.: one part of the approach which we tried was the "Mountaineer-Diver Model".
Impacts of above are listed below:
- Dynamic dependency resolution between teams (instead of long hours of calls for each dependency)
- Collective, objective planning for all the teams by matching the dependencies so that the delivery is not affected and also "All teams walking at the same speed"
- More common understanding and project focus in all teams (frustration among the team members reduced)
- All members from different teams directly interact and work even though they are distributed (as they spend some time physically working together as "integration teams")
- As a result of above -> 2 key metrics improved :
- Velocity of all teams improved
- Development and Testing complete even before the deadline -> Delivery before the scheduled date
- Much less time spent in meetings for conflict & dependency resolution, planning, etc.
"Project execution was the key success".
This will help in approaching the issues pragmatically and dynamically and also help understand how it's better to make a hybrid out of multiple tools rather than using only one single process tool.
Ownership Transfer
Vinod Sankaranarayanan
Getting a different team to take over an application brings in challenges from multiple perspectives. There will be differences around processes, engineering as well as culture. Larger transfers would also involve changes to infrastructure. For long, the industry has done a disservice to this field by calling it Knowledge Transfer. Knowledge Transfer is but a subset of the scope of activities involved in this exercise. We propose to rename this as Ownership Transfer.
Specifically, we put this process into practice with one of our customers. After more than 5 years of supporting the platform, ThoughtWorks worked with the customer teams to transfer knowledge and context back to the customer. A few highlights on the application:
• More than 80% of all online ticket sales are done through this application
• More than 400,000 visits a day
• Close to 5 billion USD of ticket sales
• More than 70 VMs supporting the production application
• Upwards of 300 VMs supporting other development and testing environments
A few highlights on the program:
• More than 150 IT members involved in the program
• A ramp-down was part of the process to get the final numbers to about 60
• The transfer had to occur from Bangalore back to London
• Infrastructure had to be re-optimised from Bangalore over to London
• Two organisations were involved viz. ThoughtWorks and the customer
Since both Bangalore and London were following agile practices, the teams decided to utilise core agile concepts to effect the transfer. This became all the more important as business required critical features to be delivered on a continuous basis.
Before we started off on this exercise, we created a methodology to effect the transfer. This methodology is fairly context agnostic and should support a healthy, sustainable and mature way to transfer ownership. The transition itself was about a year long and involved multiple aspects around agile such as remote pairing, program MVP and above all, continuous delivery and non-disruption to business through the process.
The session will introduce a framework that can be applied to most Ownership Transfer situations. In particular, this will be of interest to groups who are looking to transfer ownership from one team to another. These could be from a development team to a support team, or from one vendor to another as well. This will also provide insights on transferring ownership across distributed teams.