Keynote by Dr. Linda Rising
- Surprisingly, people are moved to action by stories NOT facts (or evidence). In fact when someone is shown evidence as to why they are wrong they only stand firmer in their belief (as a defense mechanism).
- A placebo can be just as useful as the "real thing" because what we BELIEVE can make us fail or succeed. The placebo allows us to believe in something.
- Tools: NCrunch, CruiseControl.Net, R#, NANT
- Policy: Develop to one trunk (no long standing branches). Because of this, GIT may not be the best choice.
- Goal: Want SMALL commits frequently. For example, about once an hour and ideally 2 files.
- Break refactoring out in a separate commit.
- Policy: Can't commit when build is broken
- Policy: Run all tests before commit (on local machine)
- Policy: Don't go home until a broken build is fixed. This doesn't mean late hours necessarily. It could just mean backing out the offending commit, and addressing it the next day, then recommit.
- Goal: a pipeline should be about 4 minutes for quick feedback.
- Goal: it is ideal for it to be faster to redeploy a change using the pipeline than manually backing out a release.
- Goal: 75% code coverage. Most will be between 50% and 80%
- Use Feature Toggles when required, but avoid if can.
- Warm up an app after deploy
- Measure commit to live time.
- Broken Windows Effect - one broken window (bug, issue, technical debt, not tested unit, etc) begets more broken windows.
- As developers we spend 70% of our time reading code (ours or someone else's) and the rest of the time copy and pasting. Consider poorly written code to be a broken window and copy and pasting that implementation pattern the creation of more broken windows.
- Anti-patterns: Fat controllers, large models, functionality grouped into services or managers (not sure I understand the last one...).
- Enforce standards on each commit and fail the build. Could be formatting rules, naming conventions, etc. This will make code diffs be much easier because we only have to read meaningful changes, not changes to code formats.
- Code that is easy to change (opposite of code smell) has: High Cohesion, Loosely coupled, little duplication, low cyclomatic complexity.
- Shorten Feedback loop: Idea -> Test -> Measure -> Learn -> (loop back)
- Gall's Law: Solving complex problems (or systems) from scratch in one go does NOT work, but starting with simple case that works and iterating works (summarized from quote from John Gall).
- Testing Pyramid (GUI testing, Acceptance testing, unit testing)
- Interestingly, only 20%-25% of the audience in the Testing in CD talk at AOTB used TDD. Maybe it isn't so surprising because people that already know it and use it may not attend a talk on it when there are new topics to be heard.
- Interestingly, only 10%-15% of same group used BDD.
- Hypothesis Driven Development - Can be written as statements in the following format: We believe <this capability>, Will result in <this outcome>, We will have confidence to proceed when <we see measurable signal>.
Pen Testing (Penetration Testing)
- Expect 20-30 minutes scan time depending on application size
- Run on UI and API.
- Use BDD to describe security tests (see BDD Security) to have human readable tests for security.
- Tools can find 70-80% of vulnerabilities, but the rest needs to be manually done.
Pen Testing Tools
- Static code review using tools like Veracode.
- BDD_Security - Define security tests using BDD style scenarios.
- Mittn - define a hardening target using human-readable language
- Arachni-Scanner - free with source and runs on Windows, Mac, and Linux
- Gauntlt - may be useful as well to coordinate security tools.
- ZAP - free security tools / scanner.
- SSLyze - checks for mis-configurations affecting SSL Servers.
- Nessus - a paid PCI vulnerability scanner.
- Process: Test Hypothesis -> Quick delivery and release -> measurement -> repeat
- Big Bang never works or at least very scary.
- Use The Strangler Pattern to avoid big bang.
- Postel's Law - Architect for testability, develop for evolve-ability.
- Last Response Moment - wait as long as you can (so you have more information), but no longer.
- Beware of the silver bullet
- Continuous Delivery - automate as much as you can. Note, you can still have approvals in your process, but the action once approved is still automatic.
- Conway's Law - organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations
- Keep systems poised for change.
- Don't think yes, no to ideas, but instead think what are the risks and benefits. Then the other person get's to decide if it is worth it.
- Do the simplest possible thing that might work because the complexity may never be needed.
Understanding the problem