Correlation between code maintainability and development velocity - maintainability

Has anyone seen clear correlation data between code maintainability and a team's development velocity? Can anyone share their own experience, a research paper or any other information sources?
I have often experienced that long-standing architectural problems, such as application modularity or migrating between databases, are difficult to refactor due to urgent demands from the business side. It is also difficult to argue from a developer's viewpoint how much such refactoring would quantitatively enhance development speed and bring longer-term benefits.
This question might not be suited for StackOverflow. I am happy to post this question somewhere else if someone could give me a suggestion just where.


Books About Development Fundamentals (Mainly Web)

I'm a 24yo Web Developer trying to improve my knowledge in this field.
I've been working on the web since I was 12 and feel like I lack some fundamentals.
Many times I'm rejected in interviews not because of a lack of talent, programming knowledge or a small portfolio (in fact, my portfolio is pretty big for a 24-year-old dev), but because I can't answer many fundamental questions, such as the difference between/terminology about CRUD, REST, SOAP, OOP-related questions and such.
Going to university right now is impossible for many reasons, so I was trying to get my hands on some books about dev fundamentals (mainly oriented to web dev). What are the best ones, and why? Which resources (they don't necessarily have to be books) should I look deeply into? And in the end, what suggestions could you give to become a better developer?
I can only share from my own experience. During technical interviews, I had a cheat sheet printed and ready. That helped a lot on the telephone interview but also as a study guide. I can recommend the "PHP Zend Certification Study Guide" and php-fig.org to freshen up on design patterns and other things.
When the interviewer thinks you are qualified, you need to write code anyway. During the code writing you will probably write in OOP PHP with no framework. Prepare a simple MVC with some simple CRUD functionality, sessions and user login.

Agile and UX design [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 6 years ago.
Firstly, I'm aware there is a UX stackexchange, but I'm a UX designer trying to get more of a dev's perspective! How can the UX design activity work well with a team of developers and testers trying to work in an Agile way? There seems to be reluctance to do any (UX) design up front, and to only engage users after something has been built, rather than prototyping and testing with users before making production-quality code.
The basic theory behind agile is that there should be close collaboration between the development team and the customer throughout the development cycle, and that the team has all of the skills needed to succeed.
In your case, the UX designer skillset should be represented on the team, and conversations with the customer about UX concerns should take place alongside conversations about functionality.
So, the explicit answer to "How can the UX design activity work well with a team of developers and testers trying to work in an Agile way?" is "In an agile way, of course!" You need to work on the same stories as the developers. Don't try to create a UX design all at once. Let it emerge over time as the stories are developed, just like the functionality. As the developers are working with the customer to understand the functionality of each story, you need to be present and discussing UX concepts. Functionality and UX should evolve together, so the developers always know both what the software should do and how it should look and feel to the user.
The developers have learned that big design up front is a bad thing; the same goes for UX.
A key aspect of Agile is responding to change over following a plan.
Creating a detailed UX design up front works brilliantly as long as the requirements are unchanging and there are no technical problems encountered that require changes to be made. Agile is all about handling these kinds of changes.
The best way for a UX designer to work in an Agile way is to think of it as a 'just in time' process. What is the best way for you to produce good designs but to do the work at the latest possible time that is practical?
In this way if a change does occur (for example there is change in priorities and you have to quickly focus on other work) then you are best positioned to quickly adapt.
As you can probably tell, this isn't a one-size-fits-all solution. Each team needs to explore how they fit design and development together. Some teams might have the designer pairing with the developer and work on the design and development at the same time. Other teams might do their designs a few weeks ahead and run them by the users so that they are approved and ready by the time development starts. There are no hard and fast rules here; it is about doing what the team finds to be most effective.
It is all about discovering the best compromise between doing detailed up front preparation and being able to respond to late changes.
You should try faster methods, such as paper wireframing or Balsamiq mockups, which give you a very good idea of what the system will look like, so you can test with real users and make an 'on time' delivery between sprints.
It is very important to discover what the user needs, or, to be more accurate, to see if they get the idea of your development before it's built.

Seeking pointers to approaches and methodologies for system analysis and design

I have found quite a lot of material (books and other stuff online) on how to make UML diagrams. So now I understand UML and the diagramming (with a tool).
However, where I am stuck is the approach / methodology. My hunt for approach / methodology always leads to how to use UML and which diagram fits where. Frankly my intent is to know how to start the journey from putting down the domain understanding (and how) to drafting the blueprint of the system that is ready for the use of developers.
I really don't care if it is UML (good if it is so) or not. I should be able to communicate the target application's domain understanding, its analysis and eventually its intended design in as clear terms as possible.
I think there is no cast-in-stone way of doing this; however, I am looking for potential approaches / methodologies. Please share pointers to any books / training material that is available for the purpose.
Here are a few resources that may help:
Domain Driven Design Quickly (Free summary of Domain Driven Design)
Domain Driven Design
These resources deal with gathering the knowledge of the Domain from domain experts, coming up with terms that are ubiquitous for all parties involved, and then designing the programming model to suit.
Additionally, since you mention UML, and if you haven't come across the following book yet, I highly recommend it:
UML Distilled 3rd Edition
Lastly, in more general terms, I would look further into Agile Development Methodologies.

How do we "test" our security policy?

DISCLAIMER: At my place of work we are aware that, as none of us are security experts, we can't avoid hiring security consultants to get a true picture of our security status and remedial actions for vulnerabilities. This question is asked in the spirit of trying to be a little less dumb and a bit more aware of the issues.
In my place of work, a small business with a sum total of 7 employees, we need to do some work on reviewing our application for security flaws and vulnerabilities. We have identified two main requirements in a security tester:
They are competent, thorough and know their stuff.
They are able to leave us with a clear idea of the work we need to do to make our security better.
This process will be iterative so we will have a scan, do the remedial work and repeat. This will be a regular occurrence going forward.
The problem we have is: How do we know 1? And, even if we're reasonably sure of 1, how on earth do we proceed to 2?
Our first idea was to do some light security scanning on our code ourselves and see if we could identify any definite issues. Then, if the security consultants we choose identify those issues and a few more we're well on the way to 1 and 2. The only problem is that I've been trawling the interweb for days now looking at OWASP, Metasploit, w3af, burp, wikto, sectools (and Stack Overflow, natch)...
As far as I can tell security software seems to come in two flavours, complex open source security stuff for security experts and expensive complex proprietary security stuff for security experts.
I am not a security expert, I am an intermediate level business systems programmer looking for guidance. Is there no approachable scanner type software or similar which will give me an overview of the state of my codebase? Am I just going to have to take a part time degree in order to understand this stuff at a brass tacks level? Or am I missing something?
I read that you're first interested in hiring someone and knowing they're good. Well, you've got a few options, but the easiest is to talk to someone in the know. I've worked with a few companies, and can tell you that Neohapsis and Matasano are very good (though it'll cost you).
The second option you have is to research the company. Who have they worked with? Can they give you references? What do the references have to say? What vulns has the company published to the world? What was the community response (were they shouted down, was the vuln considered minor, or was it game changing, like the SSL MitM vuln)? Have any of the company's employees talked at a conference? Was it a respected conference? Was the talk considered good by the attendees?
Second, you're interested in understanding the vulnerabilities that are reported to you. A good testing company will (a) give you a document describing what they did and did not do, what vulnerabilities they found, how to reproduce the vulnerabilities, and how they know the vulnerability is valid, and (b) will meet with you (possibly teleconference) to review the vulnerabilities and explain how the vulns work, and (c) will have written into the contract that they will retest once after you fix the vulns to validate that they are truly fixed.
You can also get training for your developers (or hire someone who has a good reputation in the field) so they can understand what's what. SafeLight is a good company. SANS offers good training, too. You can use training tools like OWASP's webgoat, which walks you through common web app vulns. Or you can do some reading - NIST SP 800 is a freely downloadable fantastic intro to computer security concepts, and the Hacking Exposed series do a good job teaching how to do the very basic stuff. After that Microsoft Press offers a great set of books about security and security development lifecycle activities. SafeCode offers some good, short recommendations.
Hope this helps!
If you can afford to hire expert security consultants, then that may be your best bet given that your in-house security skills are low.
If not, there is no escaping the fact that you are going to need to understand more about security, how to identify threats, and how to write tests for common security exploits like XSS, SQL injection, CSRF, and so on.
Automated security vulnerability software (static code analysis and runtime vulnerability scanning) is useful, but it is only ever going to be one piece in your overall security approach. Automated tools do not identify all exploits, and they can leave you with a false sense of security, or a huge list of false positives. Without the ability to interpret the output of these tools, you might as well not have them.
One tool I would recommend for external vulnerability scanning is QualysGuard. They have a huge and up to date database of common exploits that they can scan for in public facing web applications, web servers, DNS servers, firewalls, VPN servers etc., and the output of the reports usually leaves you with a very clear idea of what is wrong, and what to do about it. But again, this would only be one part in your overall security approach.
If you want to take a holistic approach to security that covers not only the components in your network, applications, databases, and so on, but also the processes (e.g. change management, data retention policy, patching), you may find the PCI-DSS specification to be a useful guide, even if you are not storing credit card numbers.
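As an added example that is not part of the original thread: the answer above says a team without a consultant has to learn to "write tests" for XSS and SQL injection. Below is what such a test looks like in Python against a toy login lookup and a toy HTML renderer, each in a vulnerable and a hardened form. Everything here is constructed for illustration (the in-memory SQLite table, the users, the payloads); none of it is the poster's code.

```python
"""Added example: automated probes for SQL injection and reflected XSS, run
against a vulnerable and a hardened variant of the same two functions.
The SQLite table and its two users are constructed sample data."""
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, user, password):
    """Parameterised query: the driver keeps data and code apart."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def greet_vulnerable(name):
    """Reflects the name into HTML unescaped: reflected XSS."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name):
    """Escapes &, <, >, ' and " before interpolation."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Payloads of the kind a tester or a scanner would send.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def probe_sql_injection(login):
    """True if a wrong password built from the payload still returns rows.
    A syntax error on quote input is not a bypass, but a tester would note it."""
    conn = make_db()
    try:
        rows = login(conn, "alice", SQLI_PAYLOAD)
    except sqlite3.Error:
        return False
    return len(rows) > 0


def probe_xss(greet):
    """True if the payload reaches the output unescaped."""
    return XSS_PAYLOAD in greet(XSS_PAYLOAD)


def audit():
    """Run both probes against both variants; True means vulnerable."""
    return {
        "sqli_vulnerable": probe_sql_injection(login_vulnerable),
        "sqli_hardened": probe_sql_injection(login_hardened),
        "xss_vulnerable": probe_xss(greet_vulnerable),
        "xss_hardened": probe_xss(greet_hardened),
    }


if __name__ == "__main__":
    for check, vulnerable in audit().items():
        print(f"{check}: {'FAIL' if vulnerable else 'ok'}")
```

The point of wiring probes like these into the normal test suite is that the fix stays fixed: the consultant's retest (point (c) in the earlier answer) then happens on every build, not once a year. The tautology payload works against the concatenated query because AND binds tighter than OR, so the WHERE clause becomes true for every row.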
Wow. I wasn't really expecting this little activity.
I may have to alter this answer depending on my experiences but in continuing to wade through the acres of verbiage on my quest for something approachable I happened on a project which has been brought into the OWASP fold:
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
It boasts, and I quote from the project documentation's introduction:
"[ZAP] is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a (sic) new to penetration testing."
EDIT: After having a swift play with ZAP this morning, although I couldn't directly switch on the attack mode on our site right away, I can see that the proxy works in a manner very similar to OWASP's WebScarab (would link, but lack of rep and anti-spam rules prevent this). WebScarab is more technically oriented, it seems; looking over the feature list, WebScarab does more stuff, but it doesn't have a pen test vulnerability scanner. I'll update more once I've worked out how to have a go with the vulnerability scanner.
Anyone else who would like to pitch in and have a go would be welcome to do so and comment or answer as well below.

Application Security Audit of a .NET Web Application?

Anyone have suggestions for security auditing of a .NET Web Application?
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
EDIT:
To clarify, the system has been designed with security in mind. The environment has been setup with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.
The point of an audit would be to independently verify the security that was implemented by the team.
BTW - there are several automated hack/probe tools to probe applications/web servers, but I'm a bit concerned about whether they are worms or not...
Best thing to do: hire a security guy for source code analysis.
Second best thing to do: hire a security guy / pentesting company for black-box analysis.
The following tools will help:
Static analysis tools: Fortify / Ounce Labs (code review)
Consider solutions such as HP WebInspect's secure object (VS.NET add-on)
Buy a black-box application scanner such as Netsparker, AppScan, WebInspect, Hailstorm, Acunetix, or the free version of Netsparker
Hiring a security specialist is a much better idea (it will cost more, though) because they won't only find the injection and technical issues that an automated tool might find; they will also find the logical issues as well.
Anyone in your situation has the following options available:
Code Review,
Static Analysis of the code base using a tool,
Dynamic Analysis of the application at run time.
Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).
However, no tool is perfect, and you can end up with false positives (fragments of your code base that are not vulnerable will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive; not everyone in your organization would be capable of reviewing code with the eyes of a security expert.
To begin with, one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.
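An added example, not part of the thread, to make the false positive / false negative point in the answer above concrete: a one-rule pattern scanner of the kind static analysis tools are built on, run over a handful of constructed C# lines. The sample lines, and the judgement of which of them is truly vulnerable, are assumptions made for this illustration (line 2 is treated as safe because its operand is a compile-time constant, which the rule cannot know); real products track data flow rather than matching one regex, but the failure modes are the same in kind.

```python
"""Added example: a single regex rule for SQL built by concatenation, scored
against constructed C# lines so that the true positive, the false positive
and the false negatives are visible."""
import re

# Rule: a string literal containing a SQL verb, immediately followed by '+'.
SQL_CONCAT = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE)

# Constructed sample: (C# source line, truly vulnerable?)
SAMPLE = [
    # 0: classic concatenation of request input into the query text
    ('var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + name + "\'", conn);', True),
    # 1: parameterised query
    ('var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);', False),
    # 2: concatenation, but of a compile-time constant (assumed safe for this example)
    ('const string Sql = "SELECT Id FROM " + Schema + ".Users";', False),
    # 3: the same injection via string.Format: no '+' for the rule to see
    ('var cmd = new SqlCommand(string.Format("SELECT * FROM Users WHERE Name = \'{0}\'", name), conn);', True),
    # 4: the same injection via C# string interpolation
    ('var cmd = new SqlCommand($"SELECT * FROM Users WHERE Id = {id}", conn);', True),
]


def scan(lines):
    """Indexes of the lines the rule flags."""
    return [i for i, (line, _vuln) in enumerate(lines) if SQL_CONCAT.search(line)]


def classify(lines):
    """Split the rule's output into true positives, false positives, false negatives."""
    flagged = set(scan(lines))
    tp = sorted(i for i in flagged if lines[i][1])
    fp = sorted(i for i in flagged if not lines[i][1])
    fn = sorted(i for i, (_line, vuln) in enumerate(lines) if vuln and i not in flagged)
    return tp, fp, fn


if __name__ == "__main__":
    tp, fp, fn = classify(SAMPLE)
    print("true positives :", tp)
    print("false positives:", fp)   # a reviewer has to dismiss these
    print("false negatives:", fn)   # a reviewer has to find these
```

Tightening the rule to also match `string.Format(` and `$"` strings removes these two false negatives and introduces new false positives of its own; the budget for a human reviewer does not go away, which is the answer's point.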
One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.
Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application.
Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.
The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.
Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).
If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.
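An added example, not part of the thread, showing the 'deny by default, allow only the good stuff' argument from the answer above as code: two validators for a username field. The denylist tries to enumerate bad input and is bypassed by variants it did not foresee; the allowlist states the only acceptable shape and rejects everything else. The probe strings are constructed for this illustration and the username rule (lower-case letter, then 2 to 31 of letters, digits or underscore) is an assumed policy, not one from the thread.

```python
"""Added example: denylist versus allowlist validation of a username field,
scored over a constructed set of legitimate and hostile inputs."""
import re

# Denylist: fragments we know are bad.  Incomplete by construction.
DENIED_FRAGMENTS = ("<script", "javascript:", "' or ", "--", "drop table")


def denylist_ok(value):
    """Accept unless a known-bad fragment appears (case-insensitive)."""
    lowered = value.lower()
    return not any(frag in lowered for frag in DENIED_FRAGMENTS)


# Allowlist: what a username IS.  \A and \Z anchor to the whole string; a plain
# '$' would also match before a trailing newline and let "alice\n" through.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def allowlist_ok(value):
    """Accept only if the entire value matches the expected shape."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed probes: (input, is_legitimate)
PROBES = [
    ("alice", True),
    ("bob_42", True),
    ("<script>alert(1)</script>", False),       # the one case the denylist foresaw
    ("<img src=x onerror=alert(1)>", False),    # XSS without the word 'script'
    ("<svg/onload=alert(1)>", False),
    ("'/**/OR/**/1=1#", False),                 # tautology with comments instead of spaces
    ("Robert'); DROP\tTABLE users;/*", False),  # a tab defeats the 'drop table' substring
    ("admin\x00", False),                       # NUL byte: no denylisted fragment at all
    ("alice\n", False),                         # trailing newline smuggled into a 'name'
]


def evaluate(validator):
    """Return (attacks_let_through, legitimate_inputs_blocked) over PROBES."""
    let_through = [v for v, legit in PROBES if not legit and validator(v)]
    blocked = [v for v, legit in PROBES if legit and not validator(v)]
    return let_through, blocked


if __name__ == "__main__":
    for name, fn in (("denylist", denylist_ok), ("allowlist", allowlist_ok)):
        through, blocked = evaluate(fn)
        print(f"{name}: let through {len(through)} attack(s), "
              f"blocked {len(blocked)} legitimate input(s)")
```

The allowlist never has to know what an attack looks like; a new injection trick changes nothing about what a username is. That is the sense in which the answer says you can evidence the presence of a good control but not the absence of bad input.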
We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.
May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...
