Agile Software Teams: How they Engage with Systems Engineering on Department of Defense Acquisition Programs

No Comments »

By Eileen Wrubel
Senior Member of the Technical Staff
Acquisition Support Program

Eileen WrubelTension and disconnects between software and systems engineering functions are not new. Grady Campbell wrote in 2004 that “systems engineering and software engineering need to overcome a conceptual incompatibility (physical versus informational views of a system)” and that systems engineering decisions can create or contribute to software risk if they “prematurely over-constrain software engineering choices” or “inadequately communicate information, including unknowns and uncertainties, needed for effective software engineering.” This tension holds true for Department of Defense (DoD) programs as well, which historically decompose systems from the system level down to subsystem behavior and breakdown work for the program based on this decomposition. Hardware-focused views are typically deemed not appropriate for software, and some systems engineers (and most systems engineering standards) have not yet adopted an integrated view of the two disciplines. An integrated view is necessary, however, because in complex software-reliant systems, software components often interact with multiple hardware components at different levels of the system architecture. In this blog post, I describe recently published research conducted by me and other members of the SEI’s Client Technical Solutions Division highlighting interactions on DoD programs between Agile software-development teams and their systems engineering counterparts in the development of software-reliant systems. 

Read more...

What is DevOps?

DevOps , Weekly DevOps No Comments »

By Todd Waits
Project Lead
CERT Cyber Security Solutions Directorate

This post is the latest in a series to help organizations implement DevOps.

Todd Waits In a previous post, we defined DevOps as ensuring collaboration and integration of operations and development teams through the shared goal of delivering business value. Typically, when we envision DevOps implemented in an organization, we imagine a well-oiled machine that automates 

  • infrastructure provisioning
  • code testing 
  • application deployment 

Ultimately, these practices are a result of applying DevOps methods and tools. DevOps works for all sizes, from a team of one to an enterprise organization.

DevOps can be seen as an extension of an Agile methodology. It requires all the knowledge and skills necessary to take a project from inception through sustainment to be contained within a dedicated project team. Organizational silos must be broken down. Only then can project risk be effectively mitigated.

While DevOps is not, strictly speaking, continuous integration, delivery, or deployment, DevOps practices do enable a team to achieve the level of coordination and understanding necessary to automate infrastructure, testing, and deployment. In particular, DevOps provides organizations a way to ensure

  • collaboration between project team roles
  • infrastructure as code
  • automation of tasks, processes, and workflows
  • monitoring of applications and infrastructure

Business value drives DevOps development. Without a DevOps mindset, organizations often find their operations, development, and testing teams working toward short-sighted incentives of creating their infrastructure, test suites, or product increment. Once an organization breaks down the silos and integrates these areas of expertise, it can focus on working together toward the common, fundamental goal of delivering business value.

Well-organized teams will find (or create) tools and techniques to enable DevOps practices in their organizations. Every organization is different and has different needs that must be met. The crux of DevOps, though, is not a killer tool or script, but a culture of collaboration and an ultimate commitment to deliver value.

Every Thursday, the SEI will publish a new blog post that offers guidelines and practical advice to organizations seeking to adopt DevOps in practice. We welcome your feedback on this series, as well as suggestions for future content. Please leave feedback in the comments section below.

Read more...

Information Resilience in Today’s High Risk Information Economy

Information Resilience , Resilience Management Model (RMM) No Comments »

By Nader Mehravari
Senior Member of the Technical Staff
CERT Cyber Risk Management Team

This blog post was co-authored by Julia Allen and Pamela Curtis

Nader MehravariEarlier this month, the U.S. Postal Service reported that hackers broke into their computer system and stole data records associated with 2.9 million customers and 750,000 employees and retirees, according to reports on the breach. In the JP Morgan Chase cyber breach earlier this year, it was reported that hackers stole the personal data of 76 million households as well as information from approximately 8 million small businesses. This breach and other recent thefts of data from Adobe (152 million records), EBay (145 million records), and The Home Depot (56 million records) highlight a fundamental shift in the economic and operational environment, with data at the heart of today’s information economy. In this new economy, it is vital for organizations to evolve the manner in which they manage and secure information. Ninety percent of the data that is processed, stored, disseminated, and consumed in the world today was created in the past two years. Organizations are increasingly creating, collecting, and analyzing data on everything (as exemplified in the growth of big data analytics). While this trend produces great benefits to businesses, it introduces new security, safety, and privacy challenges in protecting the data and controlling its appropriate use. In this blog post, I will discuss the challenges that organizations face in this new economy, define the concept of information resilience, and explore the body of knowledge associated with the CERT Resilience Management Model (CERT-RMM) as a means for helping organizations protect and sustain vital information.

Read more...

DevOps and Agile

DevOps , Weekly DevOps 2 Comments »

By C. Aaron Cois
Software Engineering Team Lead 
CERT Cyber Security Solutions Directorate

This post is the latest in a weekly series to help organizations implementDevOps. 

Aaron CoisMelvin Conway, an eminent computer scientist and programmer, createdConway’s Law, which states: Organizations that design systems are constrained to produce designs which are copies of the communication structures of these organizations. Thus, a company with frontend, backend, and database teams might lean heavily towards three-tier architectures. The structure of the application developed will be determined, in large part, by the communication structure of the organization developing it. In short, form is a product of communication. 

Now, let’s look at the fundamental concept of Conway’s Law applied to the organization itself. The traditional-but-insufficient waterfall development process has defined a specific communication structure for our application: Developers hand off to the quality assurance (QA) team for testing, QA hands off to the operations (Ops) team for deployment. The communication defined by this non-Agile process reinforces our flawed organizational structures, uncovering another example of Conway’s Law:Organizational structure is a product of process.

DevOps and Agile

As the figure shown above illustrates, siloed organizational structures align with sequential processes, e.g., waterfall methodologies. The DevOps method of breaking down these silos to encourage free communication and constant collaboration is actually reinforcing Agile thinking. Seen in this light, DevOps is a natural evolution of Agile thinking, bringing operations and sustainment activities and staff into the Agile fold. 

Agile

Every Thursday, the SEI Blog will publish a new blog post that will offer guidelines and practical advice to organizations seeking to adopt DevOps in practice. We welcome your feedback on this series, as well as suggestions for future content. Please leave feedback in the comments section below.


Read more...

Tactical Cloudlets: Moving Cloud Computing to the Edge

Cloud Computing No Comments »

By Grace Lewis
Principal Investigator, Edge-Enabled Tactical Systems
Software Solutions Division – Advanced Mobile Systems (AMS) Initiative

Grace LewisSoldiers in battle or emergency workers responding to a disaster often find themselves in environments with limited computing resources, rapidly-changing mission requirements, high levels of stress, and limited connectivity, which are often referred to as “tactical edge environments.” These types of scenarios make it hard to use mobile software applications that would be of value to a soldier or emergency personnel, including speech and image recognition, natural language processing, and situational awareness, since these computation-intensive tasks take a heavy toll on a mobile device’s battery power and computing resources. As part of the Advanced Mobile Systems Initiative at the Carnegie Mellon University Software Engineering Institute (SEI), my research has focused on cyber foraging, which uses discoverable, forward-deployed servers to extend the capabilities of mobile devices by offloading expensive (battery draining) computations to more powerful resources that can be accessed in the cloud, or for staging data particular to a mission. This blog post is the latest installment in a series on how my research uses tactical cloudlets as a strategy for providing infrastructure to support computation offload and data staging at the tactical edge.

Read more...

DevOps Enhances Software Quality

DevOps , Weekly DevOps 2 Comments »

By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

This post is the latest in a series for organizations implementing DevOps.

Constaine CoisA DevOps approach must be specifically tailored to an organization, team, and project to reflect the business needs of the organization and the goals of the project.

Software developers focus on topics such as programming, architecture, and implementation of product features. The operations team, conversely, focuses on hosting, deployment, and system sustainment. All professionals naturally consider their area of expertise first and foremost when discussing a topic. For example, when discussing a new feature a developer may first think "How can I implement that in the existing code base?" whereas an operations engineer may initially consider "How could that affect the load on our servers?"

When an organization places operations engineers on a project team alongside developers, it ensures that both perspectives will equally influence the final product. This is a cultural declaration that in addition to dev-centric attributes (such as features, performance, and reusability), ops-centric quality attributes (such as deployability and maintainability) will be high-priority.

Likewise, if an organization wants security to be a first-class quality attribute, a team member with primary expertise in information security should be devoted to the project team.

Every Thursday, the SEI Blog will publish a new blog post that will offer guidelines and practical advice to organizations seeking to adopt DevOps.

We welcome your feedback on this series as well as suggestions for future content. Please leave feedback in the comments section below.

Read more...

A New Weekly Blog Series to Help Organizations Adopt & Implement DevOps

DevOps , Weekly DevOps No Comments »

By C. Aaron Cois
Software Engineering Team Lead
CERT Cyber Security Solutions Directorate

Constantine CoisDevOps is a software development approach that brings development and operations staff (IT) together. The approach unites previously siloed organizations that tend to cooperate only when their interests converge, resulting in an inefficient and expensive struggle to release a product. DevOps is exactly what the founders of the Agile Manifesto envisioned: a nimble, streamlined process for developing and deploying software while continuously integrating feedback and new requirements. Since 2011, the number of organizations adopting DevOps has increased by 26 percent. According to recent research, those organizations adopting DevOps ship code 30 times faster. Despite its obvious benefits, I still encounter many organizations that hesitate to embrace DevOps. In this blog post, I am introducing a new series that will offer weekly guidelines and practical advice to organizations seeking to adopt the DevOps approach.

Read more...

Open Architectures in the Defense Intelligence Community

Common Operating Platform Environments (COPEs) , Open Systems Architectures No Comments »

By Derrick H. Karimi
Member of the Technical Staff
Emerging Technology Center

This blog post is co-authored by Eric Werner.

Derrick KarimiIn an era of sequestration and austerity, the federal government is seeking software reuse strategies that will allow them to move away from stove-piped development toward open, reusable architectures. The government is also motivated to explore reusable architectures for purposes beyond fiscal constraints: to leverage existing technology, curtail wasted effort, and increase capabilities rather than reinventing them. An open architecture in a software system adopts open standards that support a modular, loosely coupled, and highly cohesive system structure that includes the publication of key interfaces within the system and full design disclosure. One area where the Department of Defense (DoD) is concentrating on the development of service-oriented architectures and common technical frameworks is in the intelligence community, specifically the Defense Intelligence Information Enterprise (DI2E). As this blog post details, a team of researchers at the SEI Emerging Technology Center (ETC) and the Secure Coding Initiative in the SEI’s CERT Division, are working to help the government navigate these challenges in building the DI2E framework, which promotes reuse in building defense intelligence systems.

Read more...