10 Recommended Practices for Achieving Agile at Scale

Agile

By Kevin Fall
Deputy Director, Research, and CTO
SEI

This post is the first in a two-part series highlighting 10 recommended practices for achieving agile at scale.

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget.

In an effort to offer our assessment of recommended techniques in these areas, SEI built upon an existing collaborative online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment), hosted on the Cyber Security & Information Systems Information Analysis Center (CSIAC) website. From June 2013 to June 2014, the SEI assembled guidance on a variety of topics based on relevance, maturity of the practices described, and the timeliness with respect to current events.  For example, shortly after the Target security breach of late 2013, we selected Managing Operational Resilience as a topic.

Ultimately, SEI curated recommended practices on five software topics: Agile at Scale, Safety-Critical Systems, Monitoring Software-Intensive System Acquisition Programs, Managing Intellectual Property in the Acquisition of Software-Intensive Systems, and Managing Operational Resilience. In addition to a recently published paper on SEI efforts and individual posts on the SPRUCE site, these recommended practices will be published in a series of posts on the SEI blog. This post, the first in a two-part series by Ipek Ozkaya and Robert Nord, presents challenges to achieving Agile at Scale as well as the first five of the 10 technical best practices detailed in the SPRUCE post. The second post in this series will present the remaining five best practices, as well as three recommendations for making the best use of the practices to achieve Agile at Scale.


A Field Study of Technical Debt

Architecture, Technical Debt

By Neil Ernst
Member of the Technical Staff
Software Solutions Division

In their haste to deliver software capabilities, developers sometimes engage in less-than-optimal coding practices. If not addressed, these shortcuts can ultimately yield unexpected rework costs that offset the benefits of rapid delivery. Technical debt conceptualizes the tradeoff between the short-term benefits of rapid delivery and long-term value. Taking shortcuts to expedite the delivery of features in the short term incurs technical debt, analogous to financial debt, that must be paid off later to optimize long-term success. Managing technical debt is an increasingly critical aspect of producing cost-effective, timely, and high-quality software products, especially in projects that apply agile methods. A delicate balance is needed between the desire to release new software features rapidly to satisfy users and the desire to practice sound software engineering that reduces rework. Too often, however, technical debt focuses on coding issues when a broader perspective—one that incorporates software architectural concerns—is needed. This blog post, the first in a series, highlights the findings of a recent field study to assess the state of the practice and current thinking regarding technical debt and guide the development of a technical debt timeline.


DevOps Q&A: Frequently Asked Questions

DevOps, DevOps Tips

By Joe Yankel
Member of the Technical Staff
CERT Cyber Security Solutions Directorate

This post is the latest installment in a series aimed at helping organizations adopt DevOps.

Since beginning our DevOps blog in November, and participating in webinars and conferences, we have received many questions that span the various facets of DevOps, including change management, security, and methodologies. This post will address some of the most frequently asked questions.


Context-Aware Computing in the DoD

Emerging Technologies, Handheld Devices, Tactical Systems

By Jeff Boleng
Principal Researcher
Advanced Mobile Systems Initiative

In their current state, wearable computing devices, such as glasses, watches, or sensors embedded into your clothing, are obtrusive. Jason Hong, associate professor of computer science at Carnegie Mellon University, wrote in a 2014 co-authored article in Pervasive Computing that while wearables gather input from sensors placed optimally on our bodies, they can also be “harder to accommodate due to our social context and requirements to keep them small and lightweight.” For soldiers in battle or emergency workers responding to contingencies, seamless interaction with wearable devices is critical. No matter how much hardware soldiers wear or carry, it will be of no benefit if they have to stop what they are doing to interact while responding to enemy fire or another emergency situation. This blog post describes our joint research with CMU’s Human Computer Interaction Institute (HCII) to understand the mission, role, and task of individual dismounted soldiers using context derived from sensors on their mobile devices and bodies to ensure they have the needed information and support.


Testing, Agile Metrics, Fuzzy Hashing, Android, and Big Data: The SEI Blog Mid-Year Review (Top 10 Posts)

Agile, High-Performance Computing, Malware, Testing

By Douglas C. Schmidt
Principal Researcher

The SEI Blog continues to attract an ever-increasing number of readers interested in learning more about our work in agile metrics, high-performance computing, malware analysis, testing, and other topics. As we reach the mid-year point, this blog posting highlights our 10 most popular posts and links to additional related resources you might find of interest. (Many of our posts cover related research areas, so we grouped them together for ease of reference.)


Fabric, Ansible, Docker, and Chaos Monkey: The DevOps Mid-Year Review

DevOps, DevOps Tips

By Hasan Yasar
Technical Manager
Cyber Engineering Solutions Group

In late 2014, the SEI blog introduced a biweekly series of blog posts offering guidelines, practical advice, and tutorials for organizations seeking to adopt DevOps. These posts are aimed at the ever-increasing number of organizations adopting DevOps (up 26 percent since 2011). According to recent research, those organizations ship code 30 times faster. Despite the obvious benefits of DevOps, many organizations hesitate to embrace DevOps, which requires a shifting mindset and cultural and technical requirements that prove challenging in siloed organizations. Given these barriers, posts by CERT researchers have focused on case studies of successful DevOps implementations at Amazon and Netflix, as well as tutorials on popular DevOps technologies such as Fabric, Ansible, and Docker. This post presents the 10 most popular DevOps posts (based on number of visits) over the last six months.


The SPRUCE Series: 8 Recommended Practices in the Software-Development of Safety-Critical Systems

Architecture, SEI/SPRUCE Series

By Kevin Fall
Deputy Director, Research, and CTO
SEI

This is the second installment of two blog posts highlighting recommended practices for developing safety-critical systems that were originally published on the Cyber Security & Information Systems Information Analysis Center (CSIAC) website. The first post in the series by Peter Feiler, Julien Delange, and Charles Weinstock explored challenges to developing safety-critical systems and presented the first three practices:

  • Use quality attribute scenarios and mission-thread analyses to identify safety-critical requirements.
  • Specify safety-critical requirements, and prioritize them.
  • Conduct hazard and static analyses to guide architectural and design decisions.

This post presents the remaining five technical best practices.


The SPRUCE Series: Recommended Practices in the Software Development of Safety-Critical Systems

Architecture, Mission Thread Workshop, SEI/SPRUCE Series

By Kevin Fall 
Deputy Director, Research, and CTO
SEI

Software and acquisition professionals often have questions about recommended practices related to modern software development methods, techniques, and tools, such as how to apply agile methods in government acquisition frameworks, systematic verification and validation of safety-critical systems, and operational risk management. In the Department of Defense (DoD), these techniques are just a few of the options available to face the myriad challenges in producing large, secure software-reliant systems on schedule and within budget.

In an effort to offer our assessment of recommended techniques in these areas, SEI built upon an existing collaborative online environment known as SPRUCE (Systems and Software Producibility Collaboration Environment), hosted on the Cyber Security & Information Systems Information Analysis Center (CSIAC) website. From June 2013 to June 2014, the SEI assembled guidance on a variety of topics based on relevance, maturity of the practices described, and the timeliness with respect to current events. For example, shortly after the Target security breach of late 2013, we selected Managing Operational Resilience as a topic.

Ultimately, SEI curated recommended practices on five software topics: Agile at Scale, Safety-Critical Systems, Monitoring Software-Intensive System Acquisition Programs, Managing Intellectual Property in the Acquisition of Software-Intensive Systems, and Managing Operational Resilience. In addition to a recently published paper on SEI efforts and individual posts on the SPRUCE site, these recommended practices will be published in a series of posts on the SEI blog. This post, the first in a series by Peter Feiler, Julien Delange, and Charles Weinstock, presents the challenges in developing safety-critical systems and then introduces the first three technical best practices for the software development of safety-critical systems. The second post in the series will present the remaining five practices.
