- \n
- \u00a0 \u00a0 \u00a0 Better match between deliverables and needs;<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Minimize the risk of slippage by splitting the project into \u00ab\u00a0sprints\u00a0\u00bb and these into \u00ab\u00a0tasks\u00a0\u00bb of short duration;<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Better communication between the various project stakeholders;<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Emphasis is placed on identifying and categorizing the functionalities that will have the most added value for the organization;<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 In the \u00ab\u00a0cost, time, functionality\u00a0\u00bb trilogy, the challenge is to develop as many of the most important features as possible in the time allocated, even if it means removing features, unlike the Waterfall mode, which emphasizes features, all features, even if it means exceeding them over time.<\/span><\/li>\n<\/ol>\n
<\/p>\n
![\"Plan](\"http:\/\/www.analystik.ca\/blogue\/wp-content\/uploads\/2017\/10\/stylegestion-en-1024x412.jpg\")
\n<\/p>\n
The purpose of this post is not to describe the Agile development method or even to try to convince you to use it because most IT projects are now in Agile mode.<\/span><\/p>\n
The interest of this post is to discuss the relevance of this development method when in your organization or at your customer’s premises, security and compliance take precedence.<\/span><\/p>\n
Our concern is rather: what happens to Enterprise Agility with the integration of security and compliance measures?\u00a0 \u00a0Can Security and Enterprise Agility coexist?\u00a0 \u00a0How are Agile practices and processes affected?<\/p>\n
First, let us describe the impacts that these new priorities are having:<\/span><\/p>\n
- \n
- \u00a0 \u00a0 \u00a0 More stakeholders and levels of stakeholders involved<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 More rigorous, more demanding tests<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Longer production start-up times<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Higher production start-up costs<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 More complex environment<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 A tenfold increase in documentation<\/span><\/li>\n<\/ol>\n
<\/p>\n
Let us clarify these new constraints in the context of Security and Enterprise Agility :<\/strong><\/em><\/h2>\n
1. \u00a0 \u00a0 \u00a0 More stakeholders and levels of stakeholders involved<\/span><\/h2>\n
– In a more controlled environment, the developer may still have the task of writing test scripts, but it is certain that he will not be responsible for the tests.\u00a0 This responsibility will be given to the Quality Control team and the tests will probably be performed in another environment to which developers do not have access<\/span><\/p>\n
– Similarly, deployments of the test and production versions will have been performed by another team or by other users<\/span><\/p>\n
– As for the content of the version, the deployment team or even another team will be responsible for ensuring that the version of the deployed application does not contain any subprograms or APIs that are not approved by the organization’s software environment team.\u00a0 The versions of these subprograms and APIs must be validated<\/span><\/p>\n
– We don’t want infiltration into our environment.\u00a0 One of the above teams is also responsible for ensuring that robot software has scanned the code to ensure that it is of high quality and hermetic against any hacking attempts such as \u00ab\u00a0SQL injection\u00a0\u00bb or \u00ab\u00a0HTML injection<\/span><\/p>\n
\u00a0<\/span><\/p>\n
2. \u00a0 \u00a0 \u00a0 More rigorous, more demanding tests<\/span><\/h2>\n
– In an organization where security and compliance are paramount, depending on the criticality level of the application, testing is the nexus of war.\u00a0 Would you be willing to bank with your financial institution’s application if you had only the shadow of a doubt that it is not honest?<\/span><\/p>\n
– There is a wide gap between a bank transaction application and an application used by only a few users of the organization and whose impact of a temporary shutdown would be relatively minimal.\u00a0 The quality and quantity of tests will be adapted to the criticality level of the application to be put into production.<\/span><\/p>\n
\u00a0<\/span><\/p>\n
3. \u00a0 \u00a0 \u00a0 Longer production schedules and 4. Higher production start-up costs<\/span><\/h2>\n
– It is certain that the two previous points have a major impact on production lead times and costs<\/span><\/p>\n
– In fact, the impact is so great that even with sprint periods of around 3 weeks, production start-ups will often take place every quarter<\/span><\/p>\n
– Obviously if we consider the number of stakeholders involved, the number of tests and the number of validations required for a production launch, we understand that the number of man-days required will be significant… and the costs too!<\/span><\/p>\n
5. \u00a0 \u00a0 \u00a0 More complex environment<\/span><\/h2>\n
– The previous points explain how a production deployment can be complex, how many stakeholders can be involved.\u00a0 It must be understood that a good number of tools will also be required to support all these operations. Please note that our objective is not to advertise some of the products mentioned below, the objective is only to name a product that is often a leader in the field.<\/span><\/p>\n
- \n
- First for the tests, several stakeholders and perhaps several teams will be involved.\u00a0 It therefore takes a communication tool between these stakeholders to list the bugs, describe them, track them, assign them a status, etc.\u00a0 In many organizations, Hewlett Packard’s product, ALM (Application Life Cycle Management), is used. Also, a local firm that specializes in software quality has also developed a great tool that integrates all test operations into a single platform: Askida CT.<\/span><\/li>\n
- Above, we have indicated that a robot must scan the code to ensure, among other things, that there is no code allowing \u00ab\u00a0SQL \/ HTML injections\u00a0\u00bb.\u00a0 Depending on the size of the organization, this work will be given externally or otherwise, a product such as Fortify will be used.<\/span><\/li>\n
- We also want to ensure that the application we want to deploy complies with the organization’s standards and rules.\u00a0 The number of these standards and rules can be staggering; again, it takes a tool to help us in this task, a tool like SD Elements.<\/span><\/li>\n<\/ul>\n
6. \u00a0 \u00a0 \u00a0 Much more documentation<\/span><\/h2>\n
– Compliance and documentation go hand in hand.\u00a0 We do not want a \u00ab\u00a0people centric\u00a0\u00bb organization where the organization’s business intelligence is in people’s heads. We want a \u00ab\u00a0process centric\u00a0\u00bb organization where the quality of processes allows to grow, to grow quickly and safely.<\/span><\/p>\n
– A good process is a documented process with up-to-date documentation<\/span><\/p>\n
<\/p>\n
Conclusion<\/span><\/h2>\n
In this post, we understand that in a technological context calling for Security and Enterprise Agility co-existence, the impact on IT developments mainly, for an organization where security and compliance prevail, can be significant.\u00a0 Is it always worth using an Agile development methodology when the organization’s processes are not?<\/p>\n
In my opinion yes… but by adapting to the constraints of the organization and understanding that there is a trade-off between Security and Enterprise Agility.<\/span><\/p>\n
- Above, we have indicated that a robot must scan the code to ensure, among other things, that there is no code allowing \u00ab\u00a0SQL \/ HTML injections\u00a0\u00bb.\u00a0 Depending on the size of the organization, this work will be given externally or otherwise, a product such as Fortify will be used.<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 More rigorous, more demanding tests<\/span><\/li>\n
- \u00a0 \u00a0 \u00a0 Minimize the risk of slippage by splitting the project into \u00ab\u00a0sprints\u00a0\u00bb and these into \u00ab\u00a0tasks\u00a0\u00bb of short duration;<\/span><\/li>\n