There are plenty of ways to build software that responds to changes in data or outside events. It can be less intuitive to come up with a solution that needs to respond to nothing happening.
DevOps is the idea, that the concerns and interests of developers and those of operations are better served when they aren’t addressed in isolation as individual silos, but in unison. As a result, the whole organization that depends on both ends up being more agile and more stable
A tool that helps with scanning for security vulnerabilities in dependencies can be a great addition to a CI/CD stack. Using it poorly can leave you with a false sense of security.
In every organization and in every team, I run into one or two customs that people tell me are part of "Scrum by the book", that aren’t actually in the book.
How do you know when having a tech lead may be taking your organisation in the wrong direction? Let’s take a look at some of the archetypical tech leads, their pitfalls and ways to go about and deal with them.
I’m a developer and I like Scrum. Not every developer does. A complaint I sometimes hear is the following:
We spend so much time in meetings that I don’t get around to writing code!
If you have - or are confronted with - such a complaint, I have some tips for you to take into consideration
The book The Fifth Discipline by Peter M. Senge landed on my doormat recently. I ordered it after hearing Andrew Harmel-Law of ThoughtWorks mention it at the JFokus 2020 conference (article in Dutch). His takeaway was as follows:
"Placed in the same system, people tend to produce the same results".
Once I received the book however, a line at the top of the cover caught my eye:
"In the long run, the only sustainable source of competitive edge is your organization’s ability to learn faster than its competitors"
This statement rings so many bells I’d like to dwell on just that without even going into the book itself. There are two obvious yet often missed clues here that I’d like to share.
The times I’ve worked on a project where the scope is "rebuild the existing implementation, but with new tool / techonology X", I’ve encountered various pitfalls that make these projects much harder than they need to be.
Let me offer some tips on how to deal with them.
Many companies that are undergoing a digital transformation are discovering that it is an endless endeavour. Technological innovation allows a company to become more responsive to change in their business domain, but also makes it subjective to progress in the underlying technical implementation. A lot can be said for the delivery pipeline optimizations that help deliver business value more efficiently, but how does your organisation keep up with technological innovation?
When you start work on a product, your velocity may be low and not reflect the investment you need to make to have proper continuous delivery. Here’s an idea to make it visible.
When you build a soda factory, producing your first can of soda effectively costs as much as the entire factory. Of course you plan to produce a whole lot more, and distribute the cost over your planned production.
This is an analogy that’s worth considering when starting on a new product with your Scrum team. During the first few sprints of work on a product, a team is often busy setting up the delivery pipeline, test framework, local development environment, etc. All this work undeniably has value, but usually isn’t expressed as "product features".
For example: You have 20 similar functional user stories that would be an equal effort to implement. The first 2 sprints your functional burndown is low. This is because during sprint planning, whichever user story gets picked up first has the questionable honour of having subtasks such as "Arrange access to Browserstack", "Set up Jenkins", "Set up AWS account", "Set up OpsGenie for alerting" and "Set up Blazemeter for load test", to name a few.
Consider what the Scrum Guide says about a deliverable increment:
Incremental deliveries of "Done" product ensure a potentially useful version of working product is always available.
a "Done", useable, and potentially releasable product Increment is created
The Increment is the sum of all the Product Backlog items completed during a Sprint and the value of the increments of all previous Sprints. At the end of a Sprint, the new Increment must be "Done," which means it must be in useable condition and meet the Scrum Team’s definition of "Done". An increment is a body of inspectable, done work that supports empiricism at the end of the Sprint. The increment is a step toward a vision or goal. The increment must be in useable condition regardless of whether the Product Owner decides to release it.
Development Teams deliver an Increment of product functionality every Sprint. This Increment is useable, so a Product Owner may choose to immediately release it.
This is problematic because it means your first few sprints tell you little about your ability to deliver value given the manpower and knowledge at your disposal. Also, it may mean your first few sprints fail to deliver any functional increment that could go live. Because what you’ve decided constitutes value is different than what you’re investing in, it may feel like you’re forced to do necessary work without seeing measurable results. You have little to demo during your sprint reviews. Product owners get nervous the longer this takes. You’re destined to be off to a poor start.
See the following sprint backlog and resulting velocity chart. When you hide all the automation and measurement boilerplate work as subtasks underneath whichever user stories you pick up forst, your burndown charts give the impression you achieved very little.
This doesn’t seem fair.
Some resort to starting out with a "Sprint 0" of undefined length and without a sprint goal, to just get all the ramping up out of the way, as though it’s a necessary evil. Don’t do this. Focus on delivering value from the start.
The Scrum guide by scrum.org doesn’t mention spikes, but it has something else: the Product Backlog Refinement. And this often gets mistaken for a Scrum Event that puts the entire Development Team in a room with the Product Owner for half a day a week. The entire team then looks at the top of the product backlog and tries to uncover all the details there. They do this until enough uncertainties are uncovered and the team feels confident it can estimate. It gets worse when there is a project manager on board who needs estimations to discuss budgets and delivery dates before deciding whether he wants a story at all. This way, you end up spending a lot of time on value you’re not delivering. At some point, somebody will say: This is taking too long; let’s make it a spike and move on. And that’s not what spikes are for.
A spike is a concept from Extreme Programming (XP) where the team does a technical examination of possible solutions before committing to one to solve a requirement. Like many concepts from XP (for example: Daily Standup vs Daily Scrum), it’s found its way into many Scrum projects. The Scrum Alliance adopts and expands the concept by saying it is a story-like backlog item that yields information rather than a working increment of software. This information can be both technical or functional and is deemed necessary before deciding on whether or not to implement a functional story. And if so, it ensures that enough information is available to know how. The Scrum Alliance warns that a spike should be used sparingly, if at all.
Most companies have security compliance requirements that you need to take into account when creating your software. Similarly to how you can express infrastructure and tests as code, you can shift left security compliance concerns into your development team. This blog shows how a team I worked in used Ansible in a (GitLab) delivery pipeline to create compliant Amazon Machine Images (AMI) containing our application.
There are institutions that have taken it upon themselves to come up with security benchmarks that companies can start from. For example:
The Center for Internet Security (CIS) offers benchmarks for oft-used applications and operations systems.
The Defense Information Systems Agency (DISA) offers “technical guidance to lock down information systems/software that might otherwise be vulnerable to a malicious computer attack“ through their Security Technical Implementation Guides (STIGs).
Both contain builds of compliant operating systems that you could use as the basis of your machine image. The company I worked for required CentOS 7, and I went and looked for a CIS benchmark for that. The CIS website has a list of hardened images, but I took a different route for several reasons.
We had to pick from a predefined list of (hardened) in-company images.
I wanted to understand the CIS benchmark and be able to deviate where desirable, for example, if required in order for a COTS application to run.
We had to make sure that once our development team was done making changes, the resulting image could be checked once more for CIS compliance. This was part of the compliance requirement for autonomy, meaning that if your team can prove it can manage compliance, it gets the seal of approval.
