Monday, March 12, 2012

On the nature of Agile Development

The history of software development within the last twenty (20) years is littered with notable software development and implementation failures; The Denver International Airport’s Luggage Handling System; Ford’s attempts at implementing an ERP / CRM based purchasing system; Avis Europe ERP platform; Hudson Bay’s Inventory Management system and many others; (Ewushi-Mensah, 2003)[i] (Galin, 2004)[ii] Both Galin and Ewusi-Mensa outline that the underlying issues at the root of the cause of software development failures and how they fail are related to the following characteristics of development: in addition to this there is the ever present Chaos report that cites the many reasons for project failure. (Standish Group, 1995)[iii] (Matus, 2009)[iv]; basically the Standish report on metrics about software projects indicate that only 32% are successful, 44% are challenged and 24% of all projects surveyed fail; of the 24% the reasons for failure are cited as further to this the PMI agrees that around only 30% of software development project succeed; this is often due to the following reasons:

1. Stakeholder Involvement
2. Requirements Analysis and Gathering
3. Project Planning and Execution
4. Project Metrics and Analisys
5. Project Risk
6. Software Quality Assurance Planning and Testing

Within the Information technology project management module we reviewed and analysed as well as developed a formal project plan using “Earned Value Management” in conjunction with Microsoft’s Project Management software to develop and analyse Gantt charts according to estimates made with the use of Bohem’s Cocomo II models of software development using the Project Management Institutes (PMI) PMBook as a frame of reference. This in conjunction with the Software Quality Assurance module underscored the importance of two key pieces of planning information when engaging in any project. Basically the PMBook acts as method we may use to determine “How to get to point b from here, point a”; Point B, being the end of the project and the requirements define what the end of said project looks like; by applying Occam’s razor to the project and compartmentalizing the development effort of said software into small manageable segments we may then create a project plan based on real world development time using previous software projects as a means to estimate the Time, Cost and overall requirements to meet the desired development of whatever software project is required. This is done by creating the following documents and plans and including them in a formal agreement with the client.

1. The Formal Software Requirements
2. The Software Development Project Plan
3. The Software Quality Assurance Plan
4. The Software Test Plan (as completed during testing).

Generally these expectations are included in the service level agreement and development contract; often we may employ the use of “Carrots” as bonuses for early completion and limit risk by identifying formal drop dead dates and sticks (punitive damages); associated with missing or failure to deliver on said predefined mile stones.

Why is User Acceptance testing crucial? Why is having their feedback so important to the development cycle? The “Agile” manifesto defines the principles of the “Agile” methodology; the methodology was defined by Beck et al. In 2001. (Beck et al. , 2001)[v] as a means to improve upon the existing software development methods such as Rapid Application Development using RUP and the Waterfall Model’s which have plagued the software development industry for nearly 25 years.

The issues are often that what the client desires is difficult to capture, depending on business, the nature of software abstraction and the use of people as your input agents: Even with formal requirements analysis, risk registers and wireframe design; scope creep is a formidable foe to any software or IT Project and these in conjunction with the inherent risk of working in complete mathematical abstractions only compounds and aggravates the problem of software development risk. The importance of using User Acceptance Testing and Business Acceptance Testing is oft cited by Galin (Galin, 2004)[vi] and Naik et al. (Naik et al., 2011, P. )[vii] That it is critical to defining software development project success factors; in that the End user (The person whom will use your software) defines what your project success is.

These components of stakeholder involvement, constant communications, simple requirements as defined by the client and development team and the rapid application software development life cycle in the Agile development methodology are part of the iterative process thus the definition of success factors for each iterative versions as developed; combined with the rapid software life cycle are designed to foster or incubate success factors within the life cycle of the development project; or at least help change the projects course should it go awry; for whatever reasons.

The ISACA and the (ISC)2 both state that senior management sponsorship is critical to any information technology project, this is also true for any software development project; thus the key to any good development effort is to maintain a body of project knowledge in conjunction with the legal agreements to develop said software and use acceptance testing for both business and users as a means to quantify the project as developed and delivered. Further to this should the project be critical to the businesses income the real risk of failure can be the client or end user bankruptcy and the loss of income for those at the client organization. The proof of the work as requested lies in the UAT along with the “Lessons Learned” briefs as created by the quality assurance plan and software test team; regardless of the nature of development without documented knowledge of what was done or how it was accomplished would lend itself to direct fraud.

This risk is very real when your deliverables are measured in lines of code, or binary executables that are coded by geographically disperse teams of geniuses around the planet and only executed by one parent organization in the internals of some business oriented system for a large multinational organization.

We may underscore the importance of client acceptance testing as being the ability for the client organization to either maintain or adopt the proposed solution with a minimal amount of platform development transfer risk; or undertake the full development of said project with limited and known financial risk according to estimations as generated. Where possible we may even measure against the estimates as a means to deduce project risk for a given iteration.

Software development is defined as both the most profitable industry and the one with the greatest level of risk; it stands to reason that the greatest amount of riches lie in the riskiest ventures. When the success or failure of your company lies in your users ability to use your software; their signature on the hand off documentation or at least of a number of requirements which also include being able to use said platform without aggravation or frustration or complete systems failure; as we see with modern organizations such as Microsoft; Google, Facebook, LinkedIn, Amazon, Yahoo, Apple and other major incorporations whose sole core revenue generators are software; their value is defined as the ability for the average every day person to use their platforms; less the cost of creating said platforms. There we may define the importance of the client sign off, UAT and BAT: as the life blood of the organization for without it lawsuits and bankruptcies may befall such follies.

References
[i] Ewusi-Mensa, Kweku (MIT Press, August 1st 2003) Software Development Failures ISBN: 0-262-05072-2

[ii] Galin, Daniel (Pearson/Addison Welsly, 2004) Software Quality Assurance ISBN: 978-0-201-70945-2)

[iii] N.a. (The Standish Group, 1995 – 2009) The Chaos Report [Online] PDF Document, Available from: http://www.projectsmart.co.uk/docs/chaos-report.pdf (Accessed on March 10th 2012)

[iv] Mateus, Aleh (Model Us, May 4th 2009) Standish Group Chaos Report 2009 [Online] World Wide Web, Available from: http://modelus.com/Blog/post/2009/05/04/Standish-CHAOS-report-for-2009.aspx (Accessed on March 10th 2012)

[v] Beck, Kent; Mike Beedle; Arie van Bennekum; Alistair Cockburn; Ward Cunningham; Martin Fowler; James Grenning; Jim Highsmith; Andrew Hunt; Ron Jeffries; Jon Kern; Brian Marick; Robert C. Martin; Steve Mellor ;Ken Schwaber; Jeff Sutherland; Dave Thomas (Agileinfo Organization, 2001) The manifesto for Agile Development [Online] World Wide Web, Available from: http://agilemanifesto.org/ (Accessed on March 11th 2012)

[vi] Galin, Daniel (Pearson/Addison Welsly, 2004) Software Quality Assurance ISBN: 978-0-201-70945-2)

[vii] Sagar Naik, Piyu Tripathy (John Wiley and Sons, September 23rd 2011) Software Testing and Quality Assurance: Theory and PracticeSoftware Testing and Quality Assurance: Theory and Practice ISBN: 978-1-1182-1163-2

Friday, March 2, 2012

The importance of Ethics


I have been working in Information Technology for over a decade, throught my career as an “it security guy” I have recieved many questionable requests; the gamut usually includes everything from indviduals to government bodies asking one of the following questions:


1. Can you hack into so and so’s e-mail and screw with them for me?
2. Can you get me free software / movies / music both from friends and employers?
3. Can you find out so and so’s password to this or that resource? 
4. Can you engage in this project that is potentially liable and possibly illegal but must be done by our group?


What are morals? what is ethical? certianly there have been many great men and women before myself that have spent lifetimes of study in philosphy arguing the benefice of the populace over that of the individual or nominitive and utilitarian views and many doctors of philosophy have argued the virtues and diffrences between Kant, Descartes, Camus, Wittgenstien and Popper(Edmunds et al.)1 Confucius, Plato and Tzun Tzu even pontificated on what might be ethical two thousand years before we crawled out of the dark ages. There are countless diatribes on the subject of the application of ethics and morality to any given problem. Generally morality may be best summerized as the “right thing to do for all parties concerned given a specific situation.” In the cases of War and Medical resarch the water get’s very muddy and murky very quickly. Is it ethical to test cosmitics on any mammal when almost perfect computer models exist? Is it ethical to test potentially fatal cancer treatments on humans that are not sick? The whole goal of Total War is to eliminate the threat posed by an opponent which less than 75 years ago meant another industrialized nation; as we have seen modern warfare views civilian casualties as a "collateral damage"; instead of "innocent bystanders".


With respect to security resarch; when if at al is it alright to publish security vulnerabilities in sofware is a matter of great debate; the CERT is designed to allow the vendor to fix or patch their issue before it causes grevious harm to their clients. Cisco has actually had consultants and employees alike sued and arrested for publishing vulnerabilities related to thier management and routing and switching hardware and software.(Scheiner)2 . 


There are many considerations that I make when I recieve the above requests; one is if I am asked to conduct a formal forensic investigation; I am not a forensics expert but usually law enforcement and private investigators will violate a persons right to privacy as part of a justified investigation where immideate grevious harm may be present. These are conducted where warrants have been granted to process digital assets; This includes people engaging in fraud, or whom have threatened acts of terrorism or violence against others or are at risk of doing causing harm to others. With respect to these situations and only these situations would I even consider recovering someone else password and divulging it to the appropriate parties.  


My paticular expierence where I had chosen not to engage a client and avoid legal and political liability; We had recieved a request from a potential client to help revise a medical records database in clear violation of the law. The client had asked me to update a platform they were using as an interim measure while they were waiting on a software release that complied with privacy and adminstrative legislation. Suffice it to say that recently this information has become poltically sensitive and at the time I had mentioned to our client during the initial meetings that thier actions to circumnavigate the process and procedures may land them in jail due to the sensitive nature of the records management involved and the contravention of the privacy act; Not to mention the associated disclosure risk was at a political level. 


I delicined the contract offer and I told the consultancy I was working for that if they engaged that client in that project that it would quite literaly result in leagal action in the future if it were uncovered by an inquirty or by any other means as the project it self violated the rights to privacy and both federal and provincial security policies regarding personal medical records and data handeling pratices. In the U.S. Medical companies must comply with HIPPA when dealing in the digital storage of records, Banks must comply with BASEL and FISMA and businesses must comply with Sarbanes Oxley (SOX); Failure to comply with these regulations usually results in punitive damages being exercised by the Federal government; however Sarbanes Oxley has yet to be tested by the courts against any business. 


As for the personal “Can you hack so and so for me” requests, I always offer the following guiding pieces of ethical training offered to me during my CISSP training. (Tipton)3 These are based upon the findins of Firtz H. Gupe, Timothy Garcia-Jay and Willion Kuheler.


Golden Rule - Treat others as you wish to be treated.
Kant’s Catagorical Imperative - If an action is not right for everyone it’s not right for anyone.
Descartes Rule of Change - If an action is not repeatable at all times; it’s not right for anyone.
Utilitarian Principal - Take the action that achieves the most good.
Risk Aversion Principal - Incur the least harm or cost.
Avoid Harm - Avoid Malfesance or “Do no Harm”. 
There is no free lunch - Everything belongs to somone.
Legalism - Is the action legal?
Professionalism - Is the action contrary to the code of ethics? Does it contravine one of the above rules; or will it require that someone I ask violate the above code?


As Groucho Marx once stated; “These are my principles and if you don’t like them I have others!”, in cases where ethical questions come to light I often find myself returning to this simple page to consider weather or not what I am doing is right. If it violates any of these rules, I tell my client politely that I cannot work with them on ethical grounds. 


1 Edmunds, David; Eidinow, John; Wittgenstien, Popper (Harper Collins, October 2002) Wittgenstein's Poker: The Story of a Ten-Minute Argument Between Two Great Philosophers ISBN: 978-0-060-9366-48


2 Scheiner, Bruce (Scheiner on Security, 2005) More on the Lynn / Cisco contraversy [Online] World Wide Web available from:http://www.schneier.com/blog/archives/2005/08/more_lynncisco.html (Accesssed on March 1st 2012) 


3 Tipton, Harold F (Auerbach, Taylor and Francis, 2010) The offical guide to the (ISC)2 CISSP CBK 2nd edition P 495 ISBN: 978-1-4398-0959-4