Organizations are more concerned about application security than ever and have a growing awareness of security concerns. SearchSoftwareQuality.com’s newest expert, Dan Cornell, principal of software consulting company Denim Group, discusses mobile security, what organizations can do to build security requirements into software and security challenges in cloud ALM.
He views the most serious concerns with mobile software security as falling into two major areas: 1) how organizations expose their users to risk, and 2) how applications expose the companies themselves to risk.
In regards to user risk, he explains, “Mobile apps have impact on security of your customers and their data and most folks would agree that a forward-thinking enterprise is going to take into account the security situation of their users and they’re not going to want to expose their users to risk because of these applications they’re developing. It’s bad business.”
As far as company risk, he explains that potentially sensitive algorithms are put in mobile applications that are then run on mobile devices, where attackers can disassemble them, and “more importantly, organizations are exposing Web services to support these mobile applications.” Those Web services, which run in a company’s data centers, are themselves exposed to risk, in online customer support scenarios, for example.
He recommends that organizations examine whether their Web services can remain resilient against malicious attacks, and offers suggestions for including security in the requirements management process. He says, “If the developers know going in that they need to implement these different controls, then they know to build them.”
Cornell continues, “We often use a technique called threat modeling to lay out, in a structured way, the different assets and parts of the system and where data flows, and use that to identify potential weaknesses during the design stage, so you can identify those up front and plan to mitigate those risks, rather than rolling them out and trying to retrofit the security controls later.”
When it comes to cloud application security, Cornell explains:
Software as a Service applications and their APIs are being incorporated into mobile apps to implement some functionality of the system. It’s important for developers to understand if you’re getting data feeds from Twitter or from Facebook or from Salesforce, especially systems where content is being generated by third parties, you have to be very careful when you bring that data into your system to make sure that it conforms to whatever rules you expect it to conform to. You shouldn’t trust things that are coming from these cloud applications necessarily.
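One way to apply the rule Cornell describes, as an added example that is not code from the article or from Denim Group: it assumes a constructed feed format with the fields id, author, text, link and created_at, checks every item pulled from a third-party service against an explicit allowlist of fields, types, lengths and URL schemes, and rejects anything that does not conform instead of trusting it.

```python
"""Validate third-party feed items before they enter your own system.

Added example; the feed format below is constructed for illustration and
the field names (id, author, text, link, created_at) are assumptions.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

MAX_TEXT_LEN = 280
ALLOWED_FIELDS = {"id", "author", "text", "link", "created_at"}
REQUIRED_FIELDS = {"id", "author", "text"}
IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")          # what we expect ids and handles to look like
ALLOWED_SCHEMES = {"https"}                        # only follow links we are willing to serve
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_item(item):
    """Return the list of rule violations for one item; an empty list means it conforms."""
    if not isinstance(item, dict):
        return ["item is not a JSON object"]
    problems = []
    extra = set(item) - ALLOWED_FIELDS
    if extra:   # reject fields we never asked for rather than silently carrying them along
        problems.append("unexpected fields: " + ", ".join(sorted(extra)))
    missing = REQUIRED_FIELDS - set(item)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    for name in ("id", "author", "text", "link"):
        if name in item and not isinstance(item[name], str):
            problems.append(f"{name} is not a string")
    for name in ("id", "author"):
        value = item.get(name)
        if isinstance(value, str) and not IDENT.fullmatch(value):
            problems.append(f"{name} has unexpected characters or length")
    text = item.get("text")
    if isinstance(text, str):
        if len(text) > MAX_TEXT_LEN:
            problems.append(f"text longer than {MAX_TEXT_LEN} characters")
        if CONTROL_CHARS.search(text):
            problems.append("text contains control characters")
    link = item.get("link")
    if isinstance(link, str):
        parsed = urlparse(link)
        if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
            problems.append("link is not an https URL")
    created = item.get("created_at")
    if created is not None:
        try:
            datetime.fromisoformat(created)
        except (TypeError, ValueError):
            problems.append("created_at is not an ISO 8601 timestamp")
    return problems


def partition_feed(feed):
    """Split a feed into items safe to ingest and (index, problems) pairs to log and drop."""
    accepted, rejected = [], []
    for index, item in enumerate(feed):
        problems = validate_item(item)
        (rejected.append((index, problems)) if problems else accepted.append(item))
    return accepted, rejected


# Constructed sample feed: one conforming item followed by five that break a rule each.
SAMPLE_FEED = [
    {"id": "1001", "author": "acme_support", "text": "Your ticket has been updated.",
     "link": "https://example.com/tickets/1001", "created_at": "2012-06-13T10:00:00"},
    {"id": "1002", "author": "frank", "text": "x" * 300},                       # oversized text
    {"id": "1003 x", "author": "bob", "text": "ok", "link": "http://example.com/"},  # bad id, plain http
    {"id": "1004", "author": "dave", "text": "fine", "role": "admin"},         # field we never asked for
    {"author": "carol", "text": "hi"},                                         # required id missing
    "garbage",                                                                 # not an object at all
]

if __name__ == "__main__":
    ok, bad = partition_feed(SAMPLE_FEED)
    print(f"accepted {len(ok)} item(s), rejected {len(bad)}")
    for index, problems in bad:
        print(f"  item {index}: {'; '.join(problems)}")
```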
On the other hand, the availability of SaaS and PaaS platforms is appealing to developers. It can be very convenient and beneficial for many companies to rely on cloud services, but from a security standpoint, there are potential risks as well.
Cornell emphasizes that “you need to be judicious in where you elect to give up control,” and this tradeoff is different for every organization.
In a recent conversation, Shlomo Swidler, prominent consultant and founder of Orchestratus, discussed the merits of strong project leaders and team builders in the DevOps environment.
Swidler offered a historical perspective on DevOps and said that it is another step in the continuing evolution of the IT service delivery model. In the past, teams were divided: operations was typically involved only in hardware, and developers were typically involved only in software.
“As the two roles started to converge, because software began to take on more and more responsibility for high availability, those roles also merged. That’s really what DevOps is. The closer alignment of development and operations, or the functions within the organization that know how to build the software and the functions that know how to deliver the software,” he explained. This alignment is more and more common in companies today, and there is more awareness of this convergence.
“In and of itself, DevOps does not help organizations build software that is more in tune with what the users want…What DevOps can do is help, once you understand what the users’ needs are, to develop applications more quickly, and in such a way that once they are deployed, they will be more reliable,” he said.
In any environment, the role of the project manager is to make sure the team has all the skills it needs to develop an application that is correct and serviceable in the field to meet desired reliability, according to Swidler. He explained that in DevOps, the project manager must ensure that both the development and operations sides understand what the other side needs, and make sure that interactions and “cross-functional germination” take place.
There is a cultural gap between developers and operations, he explained: developers push through change readily, while operations people tend to want to minimize risk. Their performance is measured by two very different criteria. However, good team builders and project managers create a “team-wide incentive alignment” so that the two sides can work together effectively.
“Culture is created by leaders. Whatever the leader’s behavior expresses, that is what the organization is going to rally around,” Swidler explained.
He went on to say, “It’s the leader’s responsibility to make sure that the team is managed or structured or governed in such a way that everybody’s success or failure is mutually dependent.” Ultimately, this is how to go about aligning IT teams with business objectives.
As more IT organizations opt for management and collaboration through hybrid development processes, companies such as CollabNet respond with offerings that integrate updated tools and functionality. CollabNet recently announced the summer release of their TeamForge 6.2 ALM platform, which is unique in providing a combined platform for Git and Subversion management.
Senior Director of Product Marketing Lothar Schubert discussed some of the new features and explained that this release “delivers on integration, visibility and reporting, especially for Agile application lifecycle management and enterprise cloud development.”
He continued, “The whole notion of integration—integration across tools, integration across clouds—is something that we take very seriously and deliver on in 6.2.” He then explained the new features of TeamForge 6.2:
- Orchestration across tools and clouds, including Git, Gerrit, ReviewBoard and Black Duck Code Sight.
- Planning, measurement and reporting, using a datamart “built specifically to manage site activity, to measure software commits and any kind of tracker artifacts,” providing visibility into quality, according to Schubert.
- Code quality, re-use and governance that builds on CollabNet’s strong heritage in source code and source code management.
- Enterprise grade Git and Subversion management that encompasses security and hybrid SCM.
Employees are bringing more and more mobile devices to the enterprise, requiring companies to determine how they can best satisfy employees’ business needs while supporting a variety of operating systems.
Marcio Cyrillo, head of mobile strategy at Ci&T, explains that companies view the influx of mobile devices in the workplace as an opportunity to increase productivity and also to communicate to employees that the company is on the cutting edge of technology, encouraging employees to work remotely as well as on site. They want to embrace mobile because they know it is here to stay.
While we will still need a desktop for certain tasks, mobile increasingly provides businesses with useful tools and enhances productivity. “This is where we are headed: integration with legacy systems and corporate systems providing me the right information wherever I am, in the right context. This is how mobility can really transform the industry, making companies more competitive and very targeted. Our teams are more efficient because they have the right information in the right context,” says Cyrillo.
Clients started approaching Ci&T saying they no longer wanted to develop for iOS only; they wanted something that could be deployed to both iOS and Android. Developing on non-native platforms was sometimes challenging at first (they used PhoneGap and Titanium, which they were already familiar with), but they overcame those challenges and carried out successful hybrid development.
Hybrid development is a useful approach for companies wanting to streamline their mobile development practices, though it doesn’t allow for applications to perform exactly the same way as when they are developed on native platforms. “But for companies, it’s a fantastic thing because now you have one source code and then two tweaks, or two implementations, just a small part of it, to make the source code deployable on different platforms. For companies, it’s the best approach right now because you don’t need two teams working on the same application.”
Now HTML5 is the standard for hybrid development, according to Cyrillo. It does have some limitations, but some of those will change with iOS 6. Still, Cyrillo sees HTML5 as being more important for mobile Web applications in the future: “millions of people will be coding with it and not even realize what is behind it.”
Pre-deployment testing has always been important, but now we are much more aware of it, as many high-profile failures are related to performance, according to Theresa Lanowitz, founder of voke, inc. She discussed the importance of performance testing, the distinction between “apps” and “applications” and mobile testing trends.
Careful testing of software is critical because “the software that runs your company is now inextricably linked to your brand. So your brand is reflected through the software you are putting out there; your brand is reflected through the software that your customers are using,” said Lanowitz.
Testing tools and approaches must meet numerous performance testing standards in both pre-deployment testing and infrastructure testing. In a recent voke press release announcing the voke Market Mover Array™ Report: Testing Platforms, Lanowitz stated, “Organizations can no longer dictate where, when, or how software is used. Workers are mobile, customers are global and every individual has a preference as to how they want to consume software. As a result, the testing market of the future will not have one dominant vendor; rather the market will be defined by software from testing vendors that is open and integrated with a wide variety of tooling options.” In response to this need, voke offers analysis of a number of vendor tools.
Companies must thoroughly test both apps and applications, as both are critical to business functions and company branding. Lanowitz explained the differences between these two categories: “The term app has evolved into our daily lexicon to mean something that is really small, consumable, easy to use, lives on our smartphone—and you’re certainly not going to run your entire company from a mobile app, whereas you’re going to have everything you need on these applications that are inside your organization.” Yet, businesses are using apps to become more competitive and appeal to their customers in new and varied ways.
Testing across various devices, operating systems and networks presents complex challenges for testers. And the market is responding. “We’re seeing this proliferation of mobile test vendors come about, and it’s great to see that. These mobile testing vendors are doing a really great job of building out that incredibly complex matrix and helping people figure out: when you’re doing your development, which devices do you test on? Which operating systems are you going to test on? What do you build for? Once you start to expand your testing, you go a little bit further. And then once you put it into production, here are the devices and operating systems we’re going to support. And that’s something enterprises really need to have a strategy for.”
“Performance is really central to the success of every app and application—performance and security,” Lanowitz concluded. “A lot of these newer types of technologies, these newer platforms that we have to be concerned about that are adding another layer of complexity, bring about the need for performance and security in a bigger way.”
The old adage, “An ounce of prevention is worth a pound of cure” applies to application development, particularly now, when applications are going mobile and social at unprecedented rates, according to Shunra Chairman and CEO Gary Jackson. He and Senior Director of Product Management, Dave Berg, spoke about Shunra’s latest pre-deployment application performance testing services and recent partnerships with application testing providers HP, SOASTA, Jamo and Keynote DeviceAnywhere.
Pre-deployment testing is perhaps more critical now than in the past due to “mobile and the speed at which enterprises are now releasing mobile applications. Whereas a few years ago you might have a month, six months or even a year between release cycles, now you sometimes have to get a new product or upgrade out in a matter of weeks or days. Agile has also contributed to this increased speed in lifecycle development,” Jackson explained.
There is increased pressure to rapidly and accurately distribute applications across various devices, networks and operating systems. Even so, “You don’t want your end users to be your testers,” says Dave Berg. Now more than ever it is important that end users receive the best possible product, as failures are costly and go public quickly.
One of the challenges with mobile app performance testing has been reproducibility: one user can conduct performance testing on their phone, using a particular carrier, in a particular geographical location, and other users can test on their respective devices and networks, but it was difficult to re-create the same testing conditions again and again. Shunra now makes it possible to test and retest under the exact same conditions to fix performance issues, according to Berg. Shunra maintains a database of conditions from multiple sources, which can be incorporated into load testing and functional testing as well.
Just as preventive healthcare reduces the costs associated with treatment of illnesses, addressing performance issues prior to deployment can produce tremendous cost savings. Several studies have pointed to the fact that “60% of the total cost in an application’s lifecycle comes from remediating performance related issues after the app has been deployed,” according to Jackson. He continued, “If you cut that number down just a few points, you will see astronomical savings and ROI on the pre-deployment testing you performed. It is often close to 100 to one in cost savings.”
Mik Kersten, CEO of Tasktop Technologies, is presenting a session titled, “ALM in the Cloud: Bringing Code to the Cloud and Back Again” on June 13 at the Better Software West conference in Las Vegas. He discussed some of the topics he will cover in a pre-conference interview.
What happens to the lifecycle of an application when it is in the cloud? According to Kersten, “That application is not only consuming libraries, but now it’s consuming cloud-based services. And those cloud-based services have their own lifecycle as well. They have defects in them. They have parts that evolve, they have additional features. And the applications are deployed to the cloud, make use of them, and as such, their lifecycles get intertwined and we get this much more complex ecosystem that evolves in the cloud. Our ALM tools and the way we look at ALM need to evolve to support that.”
He discussed how PaaS is just now emerging as a popular service, and it creates new issues that organizations need to address. Many of the ALM tools created to manage these issues are not yet mature.
Kersten explained, “In the world of PaaS, you’re consuming services that are outside of the application, and the defects for that service and the new features being added for that service are completely outside of your software supply chain.” Because of this complexity, our view of the application lifecycle needs to evolve to address the new needs, according to Kersten.
One of the challenges of this complex environment is that there are siloes to contend with between the stakeholders and the planning tools. “So we have to create this flow of lifecycle artifacts between those siloes. I think that is a key part of scaling the way we manage application lifecycles from this very homogeneous thing that we’re used to where everything’s in one tool, to this very heterogeneous thing where the lifecycle spans the organizational boundaries and spans those siloes within the organization.”
Participants can expect some Q&A and discussion around this topic.
Companies face growing pressure to deliver applications quickly and continuously. “We’re living in a time where everything is a service, and as a result, the speed and innovation is accelerating. In fact, we see it as an exponential curve,” said Matthew Morgan, vice president of Project Marketing, Applications, Software, HP. He discussed HP’s new product offerings, explaining how they support DevOps and cloud innovation in a recent interview.
HP announced enhanced versions of HP Application Lifecycle Management (ALM) and HP Performance Center (PC) that facilitate continuous delivery of applications. As more and more organizations adopt DevOps, products that enable visibility, collaboration and quality are essential.
“Application innovation is hindered by the silos that exist between development, testing and operations teams, leading to delays, missed opportunities and potential application defects,” said Subbu Iyer, vice president, Product and Strategy, Applications, Software, HP. “By integrating information and processes from IT operations into application lifecycle management, HP provides a critical foundation for DevOps, enabling organizations to drive business results through the continuous delivery of innovative applications.”
In addition to updated ALM tools, they also announced new testing capabilities with HP LoadRunner 11.5, which simplifies the scripting process, and HP Sprinter, which offers new scanning capabilities and automates recurring test scripts to ease the manual testing process.
“We take a heterogeneous approach from a technology and infrastructure perspective, meaning that our technology works and adds value if you’re using traditional deployments, private cloud, hybrid cloud – we are not tied to one or the other,” explained Morgan. He continued, “Our capabilities are incredibly diverse, not just from an infrastructure perspective, but from a technology perspective. We don’t care if you’re building a mobile app, Web app, HTML5 game app or a client-server packaged application…We can monitor them all, we can test them all, we can validate for performance every last one.”
CollabNet recently announced the release of a video scribe that highlights five principles for adopting and scaling cloud development practices. I spoke with Jim Ensell, Chief Marketing and Strategy Officer, and Guy Marion, VP and GM of the Cloud Division at CollabNet, about this announcement and how their CloudForge offering evolved.
Ensell highlighted the three major trends that they are seeing in the IT industry right now, first identifying Agile adoption in the enterprise, and then noting, “Another big megatrend we see is the convergence of the development and operations world into what today is called DevOps. And then thirdly is really the cloud, which has become a big accelerator toward this movement toward DevOps.” In response to these trends, CollabNet has been moving to Enterprise Cloud Development services.
CollabNet is responding to the need for hybrid cloud services by offering their private cloud service TeamForge, and their public cloud service CloudForge. Customers can take advantage of aspects of both of these platforms.
Customers can create an account in minutes and start to use the service. It’s open to what platform you work in, what framework you’re developing in. Our number two most common use case is actually developing for mobile platforms like iOS or Android. We also, number one, support development for Web development, Web properties, Internet applications, whether it’s a website or Facebook app or whatever. There’s also a lot of enterprise development to be done in primarily Java and increasingly in languages like PHP. So we provide a set of open services, allow people to plug in with their own development environments and hook into the code repository that we host for them.
CollabNet is refocusing around enterprise cloud with CloudForge, a development platform as a service (dPaaS) that supports cloud development teams.
According to the video scribe, “Enterprise Cloud Development is a powerful new trend that enables development teams to leverage the power of Agile processes and integrate development and operations teams, all while harnessing the benefits of hybrid cloud computing to provide the enterprise with a centralized view of productivity, cost management and compliance. Think of it as the orchestration of application lifecycle management and DevOps across any platform, framework or cloud.”
CollabNet’s video scribe is titled “Five Steps to Software Development and DevOps in the Hybrid Cloud.”
At Scrum Gathering Atlanta, Julia Dillon, application services manager at Capital Group Companies, delivered an informative session titled, “Do Agile Teams Need Managers? A Series of Fortunate Events,” in which she first described what happened when the coach left her team and then opened the discussion for suggestions on how to handle management of an Agile team.
Dillon explained the various points of view involved; managers consider themselves necessary and great “doers,” yet they are confused about their role and can be disorganized. Team members view management as confused about Agile and sometimes out of touch. When the Agile coach is gone, the team may find itself lacking the personality, experience, confidence or some combination of these traits that the coach brought to the team.
In response, the team Dillon worked on created an action plan that entailed collaboration and attendance of some members at an Agile leadership workshop to get some clarity about roles, strategies and accountability.
Among other topics, her team learned about the differences between organizational design and command and control, learned some tools and practices and learned how to bridge the gap between disparate visions on the team. They discovered that the role of management encompasses engaging actively with the business side, being “people” people, handling portfolio management and creating the right environment.
In the new world view, management team roles break down into a senior manager in charge of budgeting, strategy and investment planning; a manager serving as an “Uber” Product Owner, who is the portfolio manager, aligning investment strategy and business value; and a manager serving as an “Uber” Scrum Master, who delivers large-scale program planning and execution as well as removes organizational impediments, according to Dillon. Furthermore, the performance objectives are different for each level of management.
She highlighted the most pressing needs of an Agile organization from its management team, including setting the bar high for goals, developing the talents of individual team members, delegating someone whose task it is to “keep it fresh” and creating an environment in which team members can take risks and ask questions.
Participants in the session offered additional suggestions, explaining that since Scrum teams are self-organizing, managers play a key role in developing personnel, training, quality initiatives and communities of practice. Others mentioned that excessive management is not needed as Scrum Masters act in a leadership role.