SKILLS & TRICKS
We have all gone through this cycle of vulnerability detected and patches applied in our careers. Some of us still go through this vicious cycle of tense, challenging and nerve wrecking moments when you are racing against time and people in business are asking for updates while the customer support is assuring the customers with eyes on the screen waiting for the announcement "Patch Applied", "Service Restored" etc
Software Patch and Vulnerability Management continue to be a major challenge for many organizations. There is no single software product or vendor source of these vulnerabilities. Organizations must consider patching at all levels of software and only applying Microsoft Patch through Tuesday updates to protect systems and data from cyber-attack is not sufficient.
Organizations that were diligent with Microsoft patches avoided WannaCry related ransomware. However, flaws with Apache Struts and Intel Processors left organizations vulnerable to cyber-attack (e.g., Spectre and Meltdown).
A lot of software companies have elected to stop providing individual patches each release period. Instead, separate and distinct patches are bundled in a roll-up model. The reason for this change is to prevent patch fragmentation that led to problems like dependency errors, lengthy scans, and testing complexity. This practice has created an all or nothing condition for customers in which selecting individual patches are no longer available. Further, software companies are building these patch bundles in a monthly rollup manner. These patch bundles not only contain all the recently announced patches, but also the previously shipped patches. This cumulative update model is intended to improve security, quality, and reliability. Yes i am referring to the Microsoft and Adobe model, however with this model in practice comes the requirement for customers to perform extensive application program compatibility testing in a short period of time—especially when functionality and non-functionality (i.e., security) code changes are mixed in the update. The days of cherry-picking patches are over.
Orchestrating patching is complex and costly. Patching has many dependencies including asset management, notification tracking, risk assessment, patch preparation, QA, release management, communications, and auditing. As with the installation of any software update, many teams must collaborate to ensure success and avoid unintended interruption of service. If any of these teams are not resourced and prepared for this demand, then patches are not properly tested and announced prior to deployment creating availability and integrity risks. If patch deployment is delayed to perform necessary QA and communication, vulnerabilities linger longer for cyber- criminals to discover and exploit. Traditional operations and project management methods of patching are not nearly rapid enough.
Sadly most organizations claim to have adopted the Agile methodology which is an iterative approach to software development and delivery but fail to address when it comes to the needs of patch upgrades and its mostly neglected until an incident takes place. I'll try my best to summarize how Agile can be implemented for patch vulnerability assessment and the structure through which you will be able to maintain pace as well as deliver quality.
I don't claim that i am an expert on this subject and still there is a long curve of learning involved as my career grows in to new roles. What i am sharing here are some of my observations, notes references etc related to agile leadership and how well an organization should adopt them for survival. Let’s examine some favorite ideas and concepts around agile leadership.
In my experience, there are at least five criteria for successful agile transformations. Lasting organizational change happens:
The following focus on the main concepts related to agile leadership: from servant leadership to the agile mindset to creating a learning organization. The lists are not supposed to be comprehensive but provide the interested reader with a starting point for further research.
Scrum Artifacts – results/products of our management activities – are designed to increase transparency of information related to the delivery of the project, and provide opportunities for inspection and adaptation.
There are six artifacts in Scrum:
Items 5 and 6 might look more like activities, but they are considered artifacts in the Scrum Guide, and therefore we will explain them as so. You can imagine their output (tracking information, burn-down charts, etc.) as the real artifacts and these two items as ongoing activities (like Product Backlog grooming) or part of the Scrum events (part of Sprint Review and Daily Scrum).
1. Product Backlog
In Part 1 we extensively covered the basics about Scrum, Agile Manifesto , the Principles, facts and myths about Scrum and the roles within the team.
In this post we will concentrate on understanding and will do a deep dive analysis of:
- Scrum Events
- Scrum Activity - Backlog Grooming
- Scrum Activity - Slack
Scrum events are designed to enable critical transparency, inspection, regularity, and adaptation. You must prefer to use these predefined meetings with fixed objectives and maximum durations instead of ad-hoc meetings, which most likely waste our time.
There are just five events in a Scrum Project:
1. Sprint: Each Scrum project is a set of Sprints. A Sprint is a container for the four other events (as represented in the above diagram), development effort, and the maintenance of the Product Backlog.
2. Sprint Planning: Sprint Planning is the first event inside a Sprint. The Scrum Team plans the items they are going to deliver in the Sprint and the way they will deliver them.
3. Daily Scrum: The Development Team starts working on the objectives of the Sprint as soon as Sprint Planning is completed. During the Sprint, the Development Team holds a daily meeting (normally 15 minutes) to coordinate the work for the next 24 hours. This meeting is called the Daily Scrum.
4. Sprint Review: Before the end of the Sprint, the Development Team presents (demonstrates) the outcome of the Sprint to the customer and receives feedback. This meeting is called Sprint Review (also known as Sprint Demo).
5. Sprint Retrospective: After the Sprint Review and just before the Sprint is over, the Development Team holds an internal meeting to review the Sprint and use it to improve the process (lessons learned) in the next Sprint. This meeting is called Sprint Retrospective.
Time Box Concept
Time Box is an essential concept in Agile methods, a predefined fixed maximum duration of time in order to maximize productivity in which we freeze the target and work with full focus on certain tasks or objectives. Time-boxed events repeat many times, until the final goal of the project is achieved. All the changes are applied only when one time-box is finished and we are ready to start the next one.
The duration of a time-box should be agreed upon and fixed. We are free to change the duration based on lessons learned, but not frequently, and never based on single occasions. For example, we are not allowed to say that “we have a lot to do this time, so let’s increase the duration for this particular case”.
What we are allowed to say is “based on the previous ten time-boxes, we realized that the duration of our time-boxes is not suitable, and a 30% increase in duration might better fit our needs. So, let’s increase them from now on”.
After some thought i have decided to write and share some of the basics about Scrum. A lot of people have different views, theories and ways of doing things which they call Scrum. While i do not contest some of those practices but its essential to understand the concepts and strongly agree that every organization team will need to mold and churn some process to make things work.
So in this series of blogposts, the first one will be addressing the following:
- Scrum and Agile
- Agile Manifesto
- Agile Principles
- When to use Scrum VS other Methods
- Facts and Fibs about Scrum
- Scrum Timeline
- Scrum Roles and Team
At a later time, i'll share the more advanced stuff and also touch base with SAFE.
Scrum and Agile
It is not possible in some projects (especially in IT projects) to gather all the requirements upfront because of their extreme uncertainties. Therefore, we need a project management method flexible enough to deal with many change requests that appear during the project and keep the project team productive.
There are a number of systems designed to provide these two properties, and a group of them are called Agile Frameworks. Scrum is a project management method of the Agile group; it is the most famous and the most broadly used one.
Scrum is based on a certain process, which i'll explain in the next few blogposts as we progress. This Scrum process will not be effective, unless it is combined with certain roles and artifacts.
On a number of occasions i have come across the issue with Agile Story Points and how the final software output is measured. Though there is no best way to measure a software delivery but a lot of experimentation has been done in the recent years. In this post i will be sharing some of my personal experiences and will try to highlight the Agile Metrics and ISO Standard Measures. I personally feel, both of them can be mixed together to a certain level to measure the output.
Without a doubt Agile processes and procedures have brought advantages for speedier delivery of software that meets developing client needs. Be that as it may, the opportunity given to individual teams to manage their own processes has made it difficult to manage the activities across Agile teams – what we call managing ‘Agile-at-scale’.
To be specific, Agile metrics such as Story Points, may be used by individual teams to manage their own affairs but are very little help for the tasks of planning and monitoring progress across teams, for understanding performance and whether it is improving or not, and for estimating future investments.
Senior management is responsible for setting budgets and allocating resources optimally so as to deliver the greatest value to the organization, and for tracking progress against budgets across the organization. This cannot be done properly for a software group using only typical Agile processes where there are no common performance data across all the teams. These management tasks become even more difficult for an organization that has contracted out its software development to external suppliers that use Agile processes, but that do not use any standard performance measures. I have come across a number of organizations who lack in defining individual, team and product level KPIs to achieve a target - though they do achieve something but not precisely hitting the nail with the hammer.
In this post i'll try to explain the challenges that management faces when confronted with the limitations of Agile metrics. I'll try to show some of the stuff which has been experimented, how simple but effective and long-established ISO standard software measures can fit seamlessly into Agile processes to enable managers to estimate and control Agile delivery at scale. This can be achieved without needing to change any of the underlying Agile processes, and whilst continuing to obtain the benefits that Agile teams can bring in the speed and flexibility of delivering business value.