Application developers and security analysts can communicate and collaborate more easily using Denim Group’s new open source vulnerability management tool ThreadFix.
In a recent announcement, Denim Group explained that “ThreadFix imports the data from automated dynamic and static scanners as well as manual testing reports into a centralized platform.” This provides a single view into all application security vulnerabilities—information which is exported into a bug tracker tool that application developers are familiar with using.
Ultimately, ThreadFix decreases the time needed to repair software defects and uses a “virtual patch,” in the form of a Web application firewall, to protect corporate assets while defects are being fixed.
“Denim Group’s ThreadFix is taking an innovative approach to application vulnerability management,” said principal analyst Eric Ogren of The Ogren Group. “ThreadFix’s normalization of data from multiple scanning sources brings much needed de-duplication to vulnerability reports, while the virtual patching of discovered application vulnerabilities significantly helps security teams protect corporate data from external threats. Organizations should look to technologies such as ThreadFix to accelerate the closing of dangerous security holes in applications.”
Dan Cornell, chief technology officer at Denim Group, added that ThreadFix is a “useful component of DevOps toolchain,” and that it gives teams considerable versatility when their tools are able to communicate with each other.
In regards to cloud environments, he explained, “If an organization is using cloud-based testing providers, such as Veracode, WhiteHat or Qualys, they can use ThreadFix to pull data from those cloud providers’ APIs and merge it with results from other non-cloud-based security testing activities.”
Furthermore, Cornell said, “If an organization has both in-house-hosted applications as well as cloud-based providers where they need to do security testing for compliance purposes, they can use ThreadFix to store the results of the testing of cloud-based systems alongside the testing they perform for custom-developed applications.”
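The normalization and de-duplication that Ogren describes, and the merging of cloud-provider results with in-house testing that Cornell describes, come down to one step: mapping each scanner's own report schema onto a canonical finding and merging findings that describe the same weakness at the same location. The following is an added illustration of that step, not ThreadFix code and not Denim Group's; the two scanner schemas, the manual-report schema, the route map and every sample finding are constructed for the example.

```python
"""Normalize findings from several sources into one de-duplicated ticket queue.

Added illustration, not ThreadFix code. The report formats below (a dynamic
scanner, a static scanner and a manual test report) are constructed and do
not correspond to any real product's export format.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample reports: each source spells classes and fields differently.
DAST_REPORT = [  # hypothetical dynamic scanner, URL-based findings
    {"type": "SQL Injection", "url": "https://app.example/login?user=a", "param": "user", "sev": "High"},
    {"type": "Cross-Site Scripting", "url": "https://app.example/search?q=x", "param": "q", "sev": "Medium"},
]
SAST_REPORT = [  # hypothetical static scanner, file-based findings, numeric severity
    {"category": "SQLi", "file": "src/login.py", "line": 42, "severity": 5},
    {"category": "XSS", "file": "src/search.py", "line": 17, "severity": 3},
]
MANUAL_REPORT = [  # hypothetical pentest write-up
    {"title": "SQL injection in login form", "location": "/login", "parameter": "user", "risk": "high"},
]

# Canonical class names keyed by the aliases scanners use (constructed, not exhaustive).
VULN_CLASS = {"sql injection": "SQLi", "sqli": "SQLi", "cross-site scripting": "XSS", "xss": "XSS"}
SEVERITY = {"high": 4, "medium": 3, "low": 2, "info": 1}      # word -> 1..5 scale
PRIORITY = {5: "P1", 4: "P2", 3: "P3", 2: "P4", 1: "P4"}       # 1..5 scale -> tracker priority
# Hypothetical route map: which source file serves which URL path. Without it a
# static (file) finding and a dynamic (URL) finding can never be recognized as one.
ROUTE_MAP = {"src/login.py": "/login", "src/search.py": "/search"}


@dataclass
class Finding:
    vuln_class: str
    location: str                 # URL path, or file path when no route is known
    parameter: str                # request parameter, "" when the source does not know it
    severity: int                 # 1 (info) .. 5 (critical)
    sources: list = field(default_factory=list)


def classify(name):
    """Map a scanner's label onto a canonical class; unknown labels stay visible, not dropped."""
    key = name.strip().lower()
    if key in VULN_CLASS:
        return VULN_CLASS[key]
    for alias, canonical in VULN_CLASS.items():   # e.g. "SQL injection in login form"
        if alias in key:
            return canonical
    return "Unclassified:" + name


def from_dast(rec):
    return Finding(classify(rec["type"]), urlparse(rec["url"]).path, rec["param"],
                   SEVERITY[rec["sev"].lower()], ["dast"])


def from_sast(rec, route_map=ROUTE_MAP):
    location = route_map.get(rec["file"], rec["file"])   # fall back to the file path itself
    return Finding(classify(rec["category"]), location, "", min(max(rec["severity"], 1), 5), ["sast"])


def from_manual(rec):
    return Finding(classify(rec["title"]), rec["location"], rec["parameter"],
                   SEVERITY[rec["risk"].lower()], ["manual"])


def same_weakness(a, b):
    """Two findings are one weakness when class and location match and the
    parameters agree or one side simply does not report a parameter."""
    return (a.vuln_class == b.vuln_class and a.location == b.location
            and (a.parameter == b.parameter or not a.parameter or not b.parameter))


def merge(findings):
    """De-duplicate, keeping the highest severity and the union of reporting sources."""
    merged = []
    for f in findings:
        for m in merged:
            if same_weakness(m, f):
                m.parameter = m.parameter or f.parameter
                m.severity = max(m.severity, f.severity)
                m.sources = sorted(set(m.sources + f.sources))
                break
        else:
            merged.append(f)
    return merged


def to_ticket(f):
    """Shape a merged finding as a generic bug-tracker issue (field names constructed)."""
    return {"title": f"[{f.vuln_class}] {f.location} param={f.parameter or 'n/a'}",
            "priority": PRIORITY[f.severity],
            "description": "Reported by: " + ", ".join(f.sources)}


def triage(dast, sast, manual):
    findings = [from_dast(r) for r in dast] + [from_sast(r) for r in sast] + [from_manual(r) for r in manual]
    return [to_ticket(f) for f in merge(findings)]


if __name__ == "__main__":
    for ticket in triage(DAST_REPORT, SAST_REPORT, MANUAL_REPORT):
        print(ticket)
```

Run as written, the five raw findings collapse to two tickets: one SQLi on /login confirmed by all three sources at the static scanner's higher severity, and one XSS on /search seen by both scanners. The route map is the design choice worth noting: it is the only thing that lets a file-based static finding merge with a URL-based dynamic one, so a tool that normalizes across scanner types needs that mapping, or an equivalent, maintained per application.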
To read more about the recent release of ThreadFix, see ThreadFix: Open source defect management tool speeds security vulnerability fixes.
To learn more or to download ThreadFix, visit the Denim Group resource page.
voke, inc.’s recent survey of Agile use, discussed in two reports: “Market Snapshot Report: Agile Realities” and “Strategic Brief on the Cost of Rework for Agile and Non-Agile Projects,” caused a bit of controversy in the Agile world.
Ellen Gottesdiener, a seasoned Agilist and consultant at EBG Consulting, took issue with some of voke’s conclusions, though she affirmed that she did not have access to the specific survey questions or answers. She shared her thoughts in a recent interview.
One of the survey’s findings, referenced in TechTarget’s Executive Editor Jan Stafford’s first article in a two-part series, Software defects increase cost of Agile projects, is that “In effect, Agile embraces the fundamental realignment of business ownership of requirements to developer ownership of requirements through frequent changes in source code,” according to voke co-founder Lisa Dronzek.
Gottesdiener disagrees. “That is not what Agile is about. It’s in fact the opposite. It’s not true that you’re realigning business ownership of requirements. There’s a huge burden and responsibility of ownership of the requirements on the business.” She emphasized that the business responsibility when it comes to requirements is actually extremely valuable.
“I’ve found that there’s a tremendous amount of discipline in Agile and responsibility that the business has about what needs to be built and when it needs to be built.”
Another assertion, cited in Stafford’s article about documentation, is a misconception according to Gottesdiener: “Agile values documentation less while advocating self-organizing teams and a constant pace of development,” said Dronzek. “This creates a huge problem for ongoing maintenance when individuals or teams move on to a new project and are unavailable to help support a prior project that has little or no documentation.”
Gottesdiener explained that while there is a myth that Agilists don’t care about documentation, the truth is “just like all other practices, documentation has to be calibrated for the situation at hand.”
“If the team is going to develop and not maintain their own product—which, right there is a questionable practice because you learn a lot by maintaining your own product—then, there needs to be an understanding by the business that it is likely to be more costly in the long run to maintain a product without useful and usable documentation. Therefore, part of each delivery of the product should include maintenance-related documentation.”
In regards to evaluating QA practices, the article mentions: “Another key factor in cost of quality is how early QA is started in a development project. In the voke survey, most enterprises (71%) reported not starting QA testing at a project’s beginning, during requirements definition.”
“Then they’re not implementing Agile appropriately,” Gottesdiener responded. Thinking about how to validate that the team is building the right product and verifying that it is built correctly is everyone’s responsibility, she explained.
One point that Gottesdiener does agree with is this observation from co-founder Theresa Lanowitz: “The importance of laser focus on requirements is what comes out of this survey. Requirements are at the center of every successful or unsuccessful software project, regardless of the style of development.”
The focus on requirements is essential, though challenging, explained Gottesdiener. “I think that Agile practices, when you apply them correctly, help you do a much better job with requirements and business analysis.”
In the second article of the series, The Agile method remains confusing for software professionals, Lanowitz and Dronzek call into question the standards of Agile as described in the Agile Manifesto.
“Building software is complex. The best organizations will have some standard practices that they know are good practices,” said Gottesdiener. She explained that the assumption that there can be a standard set of practices which apply across all organizations implementing Agile is mistaken. The practices must be adapted to suit the specific needs within the context of what each organization is creating. “There is no such thing as best practices. There are good practices in context.”
Business and IT are becoming more closely linked and collaborative. Serena announced Monday that they have updated their Orchestrated IT tools, which facilitate IT agility and enable enterprises to better utilize mobile, social and cloud technologies.
In an interview with David Hurwitz, senior vice president of worldwide marketing at Serena, he discussed the nature of DevOps in today’s organizations: “We find that in mid-sized to larger enterprises that are not pure dot-coms, nobody really has DevOps on their business cards. It’s more of a mindset that needs to get supported through live artifacts and by automating the whole pre-release and release-to-production flow.”
He added that “release management is where the rubber meets the road in DevOps,” highlighting the new Serena Release Manager product, which adds development-driven release management to Serena’s existing operations-driven release management support tools.
Other updates include Serena Service Manager, designed to support social IT collaboration; Serena Mobile Request Center, which takes advantage of mobile device capabilities; and Serena Mobile Dashboard, which enables users to perform IT analytics on the iPad.
Hurwitz commented that the phrase “online Agile business” doesn’t just mean Agile as in “Agile development,” but agile in a more general sense. Collaboration between business and IT is more important than ever, as “IT has finally reached the promised land where they are intrinsic to what the business needs to do,” he said.
Major players such as IBM Rational and CA offer competitive products, but “Serena is the only one to approach IT management from an orchestrated point of view. Human workflow automation and integration with existing systems are what differentiate orchestrated IT from other systems,” Hurwitz explained.
In conjunction with the release of these updated solutions, Serena is holding the “IT Agility Deserves a Beer” Haiku Twitter Contest. The winner will receive beer for a year.
HP has embraced the concept of DevOps. “The idea of creating true agility” is to ensure that applications function exactly the way they were designed to, explained Matt Morgan, VP of hybrid IT and cloud, product marketing, HP software, in a recent interview.
Earlier this summer, HP announced the release of enhanced versions of HP Application Lifecycle Management (ALM) and HP Performance Center (PC). These offerings facilitate continuous delivery of applications, which enables visibility, collaboration and quality in a DevOps environment.
Morgan highlighted a continued emphasis on quality: “Quality has always been a core principle. It’s a core principle whether you’re building a mainframe app, a client server app, a Web app or you’re maintaining apps that are 20 years old. What we’re finding is that while the practice of building software has changed, and is changing, the need to ensure quality has become more important.”
The role of the project manager in DevOps is different from that in traditional models. PMs can digitize the key performance indicators, determining success early by looking at a digital dashboard. HP’s approach focuses on providing this type of visibility through an executive scorecard that enables the project manager to track information and disseminate it among team members.
“HP believes that performance is a key tenet to quality,” Morgan said. Virtually all consumers have high expectations for performance. He explained that HP seeks to facilitate the collaboration between the two sides—development and operations—by creating an application performance management solution that operates bi-directionally, enabling information to travel back and forth from pre-production to resolve defects.
As far as the relationship between agility and quality, Morgan asserted, “There is a lot of concern that QA professionals have that agility means less quality. And it is the absolute opposite. People are betting their business in a more key way on business software than ever before. And that software cannot fail.”
“The idea of quality being in at any point marginalized needs to be flipped on its head. Actually, there has been a spike in the importance of quality. I think this is a call to all quality assurance professionals to elevate their conversations, both internally and externally, about how key quality becomes when competition is just a click away,” Morgan concluded.
SearchSoftwareQuality.com has offered a wide variety of coverage on Agile in the enterprise this month, coinciding with the Agile2012 conference last week in Dallas, Texas. Here is a recap of conference coverage:
Mike Cottmeyer, enterprise Agile coach at LeadingAgile, LLC, gave a preview of what to expect from both his Wednesday talk, “Patterns for Agile Adoption and Transformation,” and his Thursday talk, “Understanding Agile Program and Portfolio Management.” Each offers strategies for managers to adopt Agile and change the structure of project management within the organization.
Structured conversations enable team members to communicate more effectively and meet delivery expectations, according to Ellen Gottesdiener, principal consultant, and Mary Gorman, VP of quality and delivery, at EBG Consulting, who co-presented “The Product Partnership: Using Structured Conversations to Deliver Value.”
In this article, Gottesdiener and Gorman explore these ideas in more depth, offering insight into strategies, including structured conversations, that aid team communication in Agile organizations.
How can Lean-Agile principles help guide teams in successfully adopting Agile in the enterprise? Alan Shalloway, founder and CEO of NetObjectives, presented “Scaling Agile with Multiple Teams: Using Lean to Drive Business Value.” His presentation highlighted effective principles as well as case studies that demonstrate successful implementations.
Agile practitioners who seek to improve their skills have a new training option available to them. At Agile2012, Emergn announced its launch of Value Flow Quality (VFQ) Education, a work-based learning program that enables project managers, developers, testers and other team members to complete self-driven training, immediately applying skills while working on their current projects.
Shunra recently announced a new mobile app performance testing tool, vCat for Mobile, which expands their existing vCat technology to mobile devices. Dave Berg, senior director of product management, and Shunra COO Bill Varga offered details on how this tool works and the benefits it provides.
In developing vCat for Mobile, Shunra added two improvements. The first is an enhanced API that allows the product to be controlled remotely through Web services. “You can control it through a phone, or another application, which makes the total cost of ownership go down and simplifies different use cases,” said Berg.
They also added the capability to virtualize more than one network on one piece of software, supporting up to 10 simultaneous networks.
Analysis has shown that vCat for Mobile improves mobile app performance by over 40%. Berg explained that Shunra tested the product by cloning very popular websites and implementing vCat recommendations to see how performance improved. The controlled environment of vCat technology enables companies to experiment with various changes before implementing them across their applications.
Varga explained the value of pre-deployment testing, warning that “just a 250 millisecond delay is enough to lose customers to a competitive offering and damage company brand. With vCat for Mobile, organizations now have a powerful tool to measure, evaluate and optimize their applications to ensure a positive customer experience.”
He discussed how Shunra uses discovery tools called NetworkCatcher that provide primary and secondary tool options for specific use conditions. NetworkCatcher was designed specifically for application performance engineering, Berg added.
For more on application performance engineering, see the white paper “Mobile Application Performance Engineering: A lifecycle approach to achieving confidence in application performance.”
Ultimately, vCat for Mobile offers companies a strong ROI and reduction in total cost of ownership. “Pre-production helps avoid significant remediation expenses for all of our customers,” concluded Varga.
Agile practitioners who seek to improve their skills have a new training option available to them. At Agile2012 this week, Emergn announced its launch of Value Flow Quality (VFQ) Education, a work-based learning program that enables project managers, developers, testers and other team members to complete self-driven training, immediately applying skills while working on their current projects.
Paul Dolman-Darrall, EVP for strategy at Emergn, explained that the business benefits this system offers are encompassed in the name: it delivers more value, improves flow and team cooperation and enhances quality and productivity. The VFQ course uses a modular system that enables students to study within a time frame that works for them, whether it’s a couple of months or up to a year.
He described the three levels of certification currently available, explaining that “the first level is about finding something that is suitable for your particular role or for a particular methodology that you are implementing, say Scrum or Kanban, for example.”
The highest level is known as the deployment level, which is a very comprehensive course. The choices allow participants to go as far as they would like to go, choosing from 60 topics. The setup is also flexible, so students can study at work, at home or from anywhere.
The course has been designed for all the major roles within IT, and it is now expanding to business analysts and other business roles. “IT is not a silo; it’s not by itself within a business. It has to become part of the business. So what we’ve discovered through our early pilots is that some people in the business are working quite heavily with IT and have also started to pick up the materials,” said Dolman-Darrall.
Companies can invest in the amount of content that they feel is appropriate for their organization, either by purchasing individual modules or by registering for a monthly subscription that provides access to all the learning content. In addition, Emergn offers a two-day corporate training course for organizations that are looking for a one-time training opportunity.
Customers who have tried VFQ have provided positive feedback so far, vouching that they are really learning and that the program explains both the “how” and the “why.” They have been able to immediately apply skills on the job and proactively prevent and resolve issues.
How can Lean-Agile principles help guide teams in successfully adopting Agile in the enterprise? Alan Shalloway, founder and CEO of NetObjectives, is presenting “Scaling Agile with Multiple Teams: Using Lean to Drive Business Value” at Agile2012 on Aug. 14. He offered a preview of his presentation, which highlights effective principles as well as case studies that demonstrate successful implementations.
He has found through his work that smaller teams using Agile report success, while teams using Agile at the enterprise level rarely report success. Shalloway and his colleagues have found that Lean management and coaching offer many benefits to enterprise agility efforts.
He explained, “We’ve created a framework called the Lean-Agile roadmap that doesn’t tell people what to do per se (nothing is ever prescriptive, or shouldn’t be) but it tells people what they need to accomplish.” It is based on Lean flow principles, and has proven to be a successful approach.
The presentation focuses on the goals teams need to accomplish in order to achieve enterprise agility, which center around optimizing the time spent from the conception of the idea to project completion. When there are multiple teams, the general approach has been that they will work on their respective projects and then communicate with each other through Scrum of Scrums.
Shalloway noted, however, that as teams tend to be “tribal” and focus on their own objectives, this approach is not always effective. He recommends creating a bigger context for all involved, which he says begins with identifying the business value of the project.
Implementing Lean flow ideas requires that teams in very large organizations introduce a new role, the business product owner, or project manager, who liaises between the stakeholders and the teams. This individual can help manage projects with the big picture in mind. They help the teams take a holistic view.
“Most practitioners have a holistic mindset,” he commented. “Most people who are trying to adopt Agile understand that the need for this holistic view is important, but it’s not a command and control thing; it’s just a way to create a bigger picture.”
Shalloway advocates that teams self-organize and experience the effectiveness of these principles themselves. He doesn’t believe in telling people how they should go about their projects. He explained that teams can take advantage of the experience and knowledge they already have: “They can validate it on their own past experience if it will work or not.”
He continued, “They don’t have to abandon their old roles. They can actually start where they are and make changes based on these new insights that have been provided to them.”
Structured conversations enable team members to communicate more effectively and meet delivery expectations, according to Ellen Gottesdiener, principal consultant, and Mary Gorman, VP of quality and delivery, at EBG Consulting. They are co-presenting “The Product Partnership: Using Structured Conversations to Deliver Value” at Agile2012 on Monday, August 13.
They cited experiences with clients, those who are currently using Agile and those who are transitioning to Agile, where stakeholder conversations had been less than optimal. One of the main issues Gorman noted is that planning meetings can be unproductive, lacking the focus, detail and attention to complexity that is really necessary. Often the right people are not involved in the project.
Gottesdiener added that team members often come to the meeting with requirements that are not ready for planning.
She explained that there is an “art and science of making requirements ready to pull into the team’s work for a particular delivery cycle, whether it’s a release, or whether it’s an iteration, or, using Scrum terminology, a sprint.” She emphasized, “‘Making ready’ is a really big issue.”
Other challenges with stakeholder conversations are the silos that form, in which Agile team members adhere to particular “roles” rather than working together towards the same goal—delivering value. Furthermore, the value is not well-defined; it is not transparent or explicit for team members.
In terms of explicit value, Gorman explained that it’s important to look at what the value is for each of the product partners—the customers, the business people and the technology stakeholders. “What’s their value, and what’s their perspective on the value of the product that they’re going to use? Be very explicit about that, really get inside their head, and sometimes their heart.”
She continued, “Being able to explore the value and then use that for our decisions as we move along has been really critical.”
Gottesdiener added that everyone needs to understand the definition of value. She said, “Value is fair return or equivalent in exchange for something—goods, services, money, time… Value is in the eyes of the beholder.”
During the tutorial the participants will learn how to apply the structured conversation pattern “Explore-Evaluate-Confirm” to identify high-value product options.
Gottesdiener and Gorman are also presenting the following at Agile2012:
That Settles It! Techniques for Transparent and Trusted Decision-Making on Your Agile Team, Wednesday morning, August 15, 2012 with Ellen Gottesdiener.
The Contracting Two-Step: Patterns for Successful Collaborations, Wednesday afternoon, August 15, 2012 with Mary Gorman.
At Agile2012 in Dallas next week, Mike Cottmeyer, Enterprise Agile Coach at LeadingAgile, LLC, will be giving two presentations. He gave a preview of what to expect from both. His Wednesday talk, “Patterns for Agile Adoption and Transformation,” and his Thursday talk, “Understanding Agile Program and Portfolio Management,” both offer strategies for managers to adopt Agile and change the structure of project management within the organization.
“How do you enact the cultural shift that inevitably has to happen? That falls into the category of non-trivial problems,” says Cottmeyer. Sometimes completing a total transformation takes months or even years, depending on the organization. Fortunately, Agile has evolved to the point now that there are several success stories out there, as well as failures that provide current practitioners with a basis of what not to do, so Agile adoption can prove highly beneficial despite the complex changes involved.
Senior leadership teams can make a total Agile project management transformation. “Where it really works best is when you’ve got an engaged senior leadership team that understands the problem and is able to make the changes organizationally, enterprise-wide, that are necessary to make Agile work.” It goes beyond just a development process, extending into the other team members’ functions as well.
Agile transformation, the focus of Wednesday’s talk, requires attention to organizational structure, practices and culture, Cottmeyer explains. Furthermore, he emphasizes the importance of the inter-relationship between those three factors. Organizations can achieve success with systematic, incremental steps that consider each of these dimensions.
Thursday’s presentation on program and portfolio management will focus mainly on practices, techniques and tools that teams can use to efficiently accomplish their goals.
Cottmeyer hopes participants will leave with a different view on what is possible with Agile. “As Agile moves into its second decade, there are a lot of us out there dealing with the real, corporate realities that these managers are facing, and there are strategies beginning to emerge that can help them be effective as long as they’re willing to look beyond the traditional boundaries of Agile that people have been talking about for the last ten years. And really focus on business-level agility. There’s some good ideas out there that people are having success with.”