ARIS BPM tool - usage and advantages - modeling

How is your organization benefiting from the usage of ARIS bpm designer tool (licensed version features)?
I see a few posts on this site related to modeling being done using ARIS Express free edition. But I am curious to know the added benefit apart from creating a solid repository and methodology for modelling information.
What are the tool's pros and cons?

0xA3 might be right that this question is slightly off-topic here. Still, let's try to give a short answer:
Using a tool such as ARIS is not about just documenting your processes. This is just the first step. Take those models and analyse them. Try to reveal information, which you were not aware of before. There are many different techniques how to work with models, e.g. simulation and process cost calculation. Also, you can use ARIS' internal scripting engine to create your own custom analysis.
The point is not in just documenting, but on working with those models to solve problems.
May we invite you to post your question to ARIS Community and discuss it with other ARIS users?

Related

Agile issue and feature tracker software [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
I'm looking for the "best" agile-friendly feature and defect tracking software. Currently, we are using fogbugz, but this is not terribly useful for teams following an agile methodology as far as I can tell. There are better tools for this, such as Greenhopper for JIRA. I've used JIRA before, but I'm wondering if there are any other tools that are better.
I'll relate my experience, hoping it will be helpful.
We started piloting Scrum using cards on a wall. We figured we would switch to a tool once we started doing it for real. We set up our defect tracker (Redmine) with User Story and Tasks, and have a way to create a burndown in each project. What we found, however, is that you don't really get the transparency of a physical information radiator. People walk by the card wall and can see the team progress. Very few will check the web site as often as they inspect the card wall. So currently, we do the card wall for the current Sprint and track the Sprint in Redmine, which gives us historical information.
As we scaled up to more teams than we have wall space for, we realized we're going to need a tool that can work like a card wall and be a 'real' agile tracker. So we looked at several tools, and our short list included Version One, Rally, and Mingle. Either of these products might be best for you, but ultimately we chose Mingle for various reasons.
The one thing I worry about is the loss of the card walls. It's hard to explain the transformative value that these public information radiators have had. The teams get lots of visibility from the Product Owners as well as management and other stakeholders. I worry that the visibility will be lost if we switch to using solely the tool. I may have to build dashboards that go up on wall-mounted monitors, acting as a high-tech version of the card walls. One thing we did do was procure some touchscreen whiteboards that will allow teams in standups to move virtual cards in a familiar way, using the tool's drag-and-drop card wall interface. I'm hoping this will allow us to retain the team communication and interaction benefits we've seen when gathered around a card wall.
Anyway, good luck with your quest!
We are using PivotalTracker (http://pivotaltracker.com) in our projects. It is a lightweight and easy to use tool. It works in the cloud, so creating an account and setting up a project is a matter of minutes. User story and bug entering is quite easy. The tool supports a standard workflow of tasks consisting of Not Started, Started, Finished, Delivered, Accepted and Rejected states.
I haven't tried fogbugz yet but I used JIRA, Greenhopper and VersionOne before PivotalTracker. The downside of all these tools against PivotalTracker is that using them brings you too much overhead. You have to set up and maintain them. You have to configure them. And because they are harder to use, they require more time for daily usage. I have seen that developers hesitate to use these tools because they create too much friction. IMO PivotalTracker is the best tool in this respect.
The downside of PivotalTracker is that it gives only a few configuration options. It doesn't allow you to customize workflows. It doesn't have many user authorization options. But in our case it suits our needs very well.
This might be a non-answer to some extent, but I hope it will still be informative and add value.
I've been on multiple teams using various tools including physical boards and Greenhopper. Other agile teams in my department have used and evaluated various other options. If you are talking about finding the most efficient way to manage the team within a sprint (as opposed to release planning, backlog grooming, etc) I've come to the following conclusion:
Nothing is going to be a great fit unless you wrote the tool yourself or use a spreadsheet. Yes, a spreadsheet. It's the most flexible option I've come across. We use a fancy one with burndown charts and such, but it works great.
Any tool you find now which may be a perfect fit will eventually end up not doing something you want. Here is an example from my own recent experience:
We were working to bring down the length of time it takes to report status during our daily scrum meeting. The challenge was that developers have a tendency to go into a detailed explanation of issues they've encountered while working on a task. We try to postpone those discussions until after the scrum meeting. It was hard to do until we started simply highlighting any items in the spreadsheet we need to discuss further. This let us move on with the meeting but not lose track of issues that need to be discussed. It was effortless to introduce this into our process precisely because we were using a flexible tool like a spreadsheet. The tool didn't stand in the way of improving our process.
As for defect tracking, most of the teams in my department use JIRA.

Tools to test softwares against any attacks for programmers? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
These days, I'm interested in software security. As I'm reading papers I see that there are many attacks and researchers are trying to invent new methods for software to get more secure systems.
This question can be a general one including all types of attacks. There are many experienced programmers on SO; I just want to learn what you are using to check your code against these attacks. Are there any tools you use, or do you not care?
For example I heard about static/dynamic code analysis and fuzz testing.
SQL injection attacks
Cross Site Scripting
Buffer overflow attacks
Logic errors
Any kind of malware
Covert Channels
... ...
Thanks
I'm going to focus on web application security here...
Really you want to get used to manually trawling through a website/application and playing with various parameters etc. so proxy tools are of great help (they allow you to capture and interact with forms, before they reach the server):
LiveHTTPHeaders - FireFox plugin.
Burp Proxy - Java based.
Obviously there becomes a point where manually crawling a whole website becomes rather time consuming/tedious and this is where automated scanning tools can be of help.
Black box:
WebSecurify - not used it but it's been created by a well known web app security guy.
Skipfish - Google released this recently so it's probably worth a look.
And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can't remember.
White box:
A lot of the academic research I've seen is related to static code analysis tools; I've not used any because they all focused on PHP only and had some limitations.
Other resources:
ha.ckers.org - great blog, with an active forum related to web app sec.
OWASP - as previously mentioned, there are lots of insightful articles/guides/tutorials here.
If you want to learn more about manually attacking sites yourself the Damn Vulnerable Web App is a nice learning project. By that I mean, it's a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.
I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of:
crawler
parser
attacker
Something that you haven't mentioned but I think is important: code reviews.
When you're just trying to implement something as fast as you can it is easy to overlook a security issue. A second pair of eyes can pick up many problems or potential problems, especially if the reviewer is experienced at spotting typical security holes.
I believe that it is possible in many cases to do manual code reviews without special tools. Just sit together at the same computer or even print out the code and do the review on the paper copy. But since you specifically asked for tools, a tool to help with manual code review is Rietveld. I haven't used it myself, but it is based on the same ideas used internally at Google (and written by the same guy, who also happens to be the author of Python).
Security is definitely a concern and developers should at least be aware of common vulnerabilities (and how to avoid them). Here are some resources that I find interesting:
OWASP Top 10 for 2010
OWASP Guide for Secure Web Applications
OWASP Testing Guide v3
There are 2 types of software defects that can cause security problems: implementation bugs and design flaws.
Implementation bugs usually appear in a specific area in the code, they are relatively easy to detect and (usually) not too complicated to fix. You can detect (most) of these with automated tools that do static code analysis (tools like Fortify or Ounce) although these tools are expensive. With that said, you still have to remember that there are no "silver bullets" and you cannot blindly rely only on the tool output without some sort of manual code review to confirm/understand the real risk behind the issues the tool reports.
The other problem is design flaws, that's another story. They are usually complex issues that are not the consequence of a mistake in the code but of a poor choice in the design or architecture of the application. Those cannot be identified by an automated tool and really can only be detected manually, by a code/design/architecture review. They are usually very hard and expensive to fix past the design phase.
So I recommend, reviewing your code for implementation bugs that can have impact on security (code review using automated tools like Fortify/Ounce + manual review of tool results) and reviewing your design for security flaws (no tools for this, has to be done by someone who knows about security).
For a good read on software security and the complexity behind designing secure software, check Software Security: Building Security In, by Gary McGraw (amazon link)
I use tools to aid in the hunt for vulnerabilities, but you can't just fire off some test and assume everything is okay. When I am auditing a project I look at the code and I try to get a feel for the programmer's style and skill level. If the code looks messy then chances are they are a novice and they will probably make novice mistakes.
It is important to identify security related functions in a project and manually audit them. Tamperdata is very helpful for manual auditing and exploit development because you can build custom http requests. A good example for manual auditing for PHP is: Are they using mysql_real_escape_string($var) or are they using htmlspecialchars($var,ENT_QUOTES) to stop sql injection? (ENT_QUOTES doesn't stop backslashes which is just as dangerous as quote marks for mysql, mssql is a different story.) Security functions are also places for "Logic errors" to crop up, and no tool is going to be able to detect this, this requires manual auditing.
If you are doing web application testing then Acunetix is the best testing tool you can use. Wapiti is a very good open source alternative. Although any tool can be used improperly. Before you do a web application test make sure error reporting is turned on, and also make sure you aren't suppressing sql errors, such as with a try/catch.
If you are doing Automated Static Code Analysis for vulnerabilities such as Buffer Overflows then Coverity is the best tool you can use (Fortify is nearly identical to Coverity). Coverity costs tens of thousands of dollars, but big names like the Department Of Homeland Security use it. RATS is an open source alternative, although Coverity is a far more complex tool. Both of these tools will produce a lot of false positives and false negatives. RATS looks for nasty function calls, but doesn't see if it's still safe. So RATS will report every call to strcpy(), strcat(), sprintf(), but these can be safe if for instance you are just copying static text. This means you will have to dig through a lot of crap, but if you are doing a peer review then RATS helps a lot by narrowing the manual search. If you are trying to find a single exploitable vulnerability in a large code base, like Linux, then RATS isn't going to help much.
I have used Coverity and their sales team will claim it will "detect ****ALL**** vulnerabilities in your code base." But I can tell you from first-hand experience that I found vanilla stack based buffer overflows with Peach that Coverity didn't detect. (RATS did however pick up these issues, along with 1,000+ other function calls that were safe...) If you want a secure application or you want to find an exploitable buffer overflow then Peach is the platform tool you can use to build the tools you need.
If you are looking for more exotic memory corruption issues such as Dangling Pointers then Valgrind will help.
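The lexical approach described for RATS in the answer above, as an added example that is not part of the original answer and is not RATS's own code: a small scanner that flags every strcpy/strcat/sprintf call in a constructed C sample, then sorts the findings by whether the copied data is a string literal. The sample source, function names and verdict labels are assumptions made for this illustration.

```python
import re

# Constructed C sample (not from the page): static-text and variable copies.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

void banner(char *out) {
    strcpy(out, "ready");
}

void greet(char *out, const char *name) {
    char buf[16];
    strcpy(buf, name);
    strcat(buf, "!");
    sprintf(out, "hello %s", buf);
}
'''

RISKY = ("strcpy", "strcat", "sprintf")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY))
LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def split_args(src, pos):
    """Split the top-level arguments of a call; pos is just past its '('.
    Handles nested parentheses and string literals, not char literals."""
    args, cur, depth, in_str = [], [], 0, False
    i = pos
    while i < len(src):
        ch = src[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):
                i += 1
                cur.append(src[i])      # keep the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ")" and depth == 0:
            args.append("".join(cur).strip())
            return args
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
        i += 1
    return args                          # unterminated call


def is_literal(arg):
    return LITERAL_RE.fullmatch(arg) is not None


def scan(source):
    """Return (line, function, verdict) for every risky call found."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        args = split_args(source, m.end())
        second = args[1] if len(args) > 1 else ""
        if func == "sprintf":
            # A literal format without %s writes a fixed number of bytes.
            static = is_literal(second) and "%s" not in second
        else:
            static = is_literal(second)
        # "literal-source" bounds the bytes written; it does not prove
        # the destination is large enough, so it still needs a look.
        verdict = "literal-source" if static else "variable-source"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, func, verdict))
    return findings


def review_queue(findings):
    """Order findings so variable-source calls are reviewed first."""
    return sorted(findings, key=lambda f: (f[2] != "variable-source", f[0]))


if __name__ == "__main__":
    for line, func, verdict in review_queue(scan(SAMPLE_C)):
        print(f"line {line}: {func}() {verdict}")
```

All four calls are reported, as a lexical scanner would; the verdict only orders the manual review and does not replace it.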
There's a bunch of web application security scanners on the market
Take a look at this list:
WASC - Web application security scanner list and Netsparker Community Edition : which is the free version of Netsparker.
A tool doesn't know if your code is insecure.
Only you do (and the attackers).
At best the tool will spot a few vulnerabilities of one type in your code and make you realize you never protected against that type of vulnerability, but you will still have to go clean up all the instances the tool missed.

What tools do you use to share knowledge amongst developers in your company?

I'm looking for some good tools that help to share tips, best practices, company standards, etc. amongst developers in my company. Two tools I'm currently considering are a wiki (screwturn wiki) or Sharepoint 2010. I'm wondering if there is something better suited to the task, or any input anyone has on this subject. I'd prefer something that's windows based (i.e. runs on IIS, can authenticate users against Active Directory etc) but I am open to anything.
Well, you're right, the most suitable computer tool is a Wiki. There are many engines available. We use Atlassian Confluence. It is good for writing down things that contain many formal details, like a client-server protocol description, or game-design / UI-design documents.
However for sharing tips, best-practices, interesting investigations etc no tool will overcome live talk! I've come to this conclusion many times. Daily standups and pair programming lead to much much better information circulation than any computer-based tool I've ever seen.
At my company we use a private MediaWiki installation. It works very well for our needs.
Publicly we share programming knowledge at DocForge.

Agile development; on-line free tools! [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
We have been looking to implement Agile methodology within our geographically distributed development team, so I need suggestions on any free on-line application that you have used and find useful.
Right now we are using paper cards and wall to manage this :), but we want to shift to an on-line version preferably free.
I have used TargetProcess at my previous job!
My Core requirements are:
Business Analyst can add user stories
We can assign, prioritize different user stories to developers.
QA team can add test cases around different user stories.
Project Manager can track the time of all the resources and can pull reports for upper management
I've been using Pivotal Tracker which is a free agile project management tool and covers the following agile concepts:
Velocity tracking and emergent iterations
Story-based iterative planning
Real-time collaboration
Would certainly recommend you try this before paying for an alternative.
Also, as mentioned, Basecamp is a great tool for maintaining documentation, to-do lists and the rest. There is a barely promoted free option for single project use that you will find on the signup page below the Max and Premium options.
Possibly not an agile tool as such (depends on your definition) but the free Team City continuous integration and build server is the kind of software that you don't believe you could live without once you've used it. Basically a commit to SVN by any developer triggers a build to your staging server about 30 seconds later meaning the latest build is very agile!
Timetracking: slimtimer.com.
This is one of the best time trackers I've seen (and I've seen many)
Mercurial code hosting: list available here.
I've only used the service provided by sourceforge.net and was satisfied with it.
Web conferencing, desktop and whiteboard sharing: Dimdim.
I haven't had much luck with it, but I believe it might perform much better on a Windows machine.
All sorts of version control, wiki, RSS feeds: sourceforge.net.
It's only for FOSS projects, though, but it really offers a lot of services.
Other than that, basecamp should fit right in an agile process (although I haven't used it much) with a reasonable price ($50/month...)
Try using http://www.icescrum.org/en/. This is an open source tool and free platform for Agile development. You can read about its features on the Features tab of the website.
Also, visit http://www.openlogic.com/wazi/bid/188152/Comparing-Open-Source-Agile-Project-Management-Tools. This article compares the most compelling open source options.
At work we use a product called Skinnyboard. It has a ton of great features, like:
Support for Sprints and Product Backlogs
Sprint tracking via stories/tasks
Individual task history
Sprint/Product Backlog burndown, to see projected finish dates, etc.
It's free to try, which gives you (I believe) one board. After that you have to pay though, but it's a great product and definitely worth it.
It's simple, visually appealing, and only has what you need. In my opinion, it's like the Basecamp of SCRUM tools.
They say it better than I ever could,
AgileFant is an open source tool for managing agile software development activities, such as: projects, products, releases, iterations and backlogs. It brings together the perspectives of long-term product and release planning and project portfolio management.
Another one that's recently sparked some interest and seems potentially useful (I'm in beta, easy to get in afaik) is Flowdock which is basically a mish-mash of email alerts, RSS feeds, ticketing systems and plain ol' realtime chat with status messages et al. Think of it as Google Wave that doesn't suck and check out the intro video from the front page.
Try out Flying Donut. It is a new online product inspired by scrum. You may host public or private projects.
Disclaimer: I have been using it for many months, since I helped build it, and I love it.

Domain repository for requirements management - build or buy?

In my organisation, we have some very inefficient processes around managing requirements, tracking what was actually delivered on what versions, etc, do subsequent releases break previous functionality, etc - it's currently all managed manually. The requirements are spread over several documents and issue trackers, and the implementation details are in code in subversion, Jira, TestLink. I'm trying to put together a system that consolidates the requirements info, so that it is sourced from a single, authoritative source, is accessible via standard interfaces - web services, browsers, etc, and can be automatically validated against. The actual domain knowledge is not that complicated but is highly proprietary and non-standard (i.e., not just customers with addresses, emails, etc), and is relational: customers have certain functionalities, features switched on/off, specific datasources hooked up - all on specific versions. So modelling this should be straightforward.
Can anyone advise the best approach for this - I am certain that I can develop a system from scratch that matches exactly the requirements, in say ruby on rails, grails, or some RAD framework. But I'm having difficulty getting management buy-in, they would feel safer with an off the shelf solution.
Can anyone recommend such a system? Or am I better off building it from scratch, as I feel I am? I'm afraid a bought system would take just as long to deploy, and would not meet our requirements.
Thanks for any advice.
I believe that you are describing two different problems. The first is getting everyone to standardize and the second is selecting a good tool for requirements management. I wouldn't worry so much about the tool as I would the process and the people. Having the best tool in the world won't help if your various project managers don't want to share.
So, my suggestion is to start simple. Grab Redmine or Trac and take on the challenge of getting everyone to standardize. Once you have everyone in the right mindset then you can improve the tools you use for storage.
{disclaimer - mentioning my employer's product}
The brief experiments I made with a commercial tool RequisitePro seemed pretty good to me. It allowed one to annotate existing Word docs and create a real-time linked database of the identified requisites, then perform lots of analysis and tracking of them.
Sometimes when I see a commercial product I think "Oh, well nice glossy bits but the fundamentals I could knock up in Perl in a weekend." That's not the case with this stuff. I would certainly look at commercial products in this space and experiment with a couple (ReqPro has a free trial, I guess the competition will too) before spending time on my own development.
Thanks a mill for the reply. I will take a look at RequisitePro, at least I'll be following the "Nobody ever got fired for buying IBM" strategy ;) You're right, and I kinda knew it, in these situations, buy is better. It is tempting when I can visualise throwing it together quickly, but there's other tradeoffs and risks with that approach.
Thanks,
Justin
While Requisite Pro enforces a standard and that can certainly help you in your task, I'd certainly second Mark on trying to standardize the input by agreement with personnel and using a more flexible tool like Trac, Redmine (which both have incredibly fast deploy and setup times, especially if you host them from a VM) or even a custom one if you can get the management to endorse your project.
