Ready, fire, aim

Agile is not Ready, Fire, Aim

(Disclaimer: this article is not about what Agile is, the term is used only for blatant marketing purposes. Some principles were violated in the writing of this post)

A colleague of mine recently said something to the effect of “the goal of agile is faster delivery”.  This is a common misconception fostered by the improved velocity that agile teams can achieve in the context of enhancing software with new or improved features. The goal of agile is higher quality software, where quality is defined as meeting the intended functionality in a reliable manner. (lots of paraphrasing there, so please don’t flame me about accuracy). Another root of this misconception is that people who do not participate in agile projects (sometimes referred to as chickens) want agile to be about time-to-market (I’m working on a longer rant on that topic alone). Just like some people want agile to eliminate the need for planning and documentation, not be because these things are not critical (apologies for the double negative), but because they are tedious. They are certainly not mindful, because one focuses on the past and the other on the future, and we all want our features right now. Agile without planning and documentation leads to technical debt (something I grumbled about recently, with more to come).

Technical debt is the driver behind this particular rant, as I recently observed the creation of an equivalent jumbo mortgage with an early balloon payment due. In the same recent article linked earlier I mentioned how sometimes a platform migration is driven by a desire to get out of unacknowledged tech debt. In this instance, I witnessed the debt being incurred as a result of the migration. Specifically, the approach was taken to manually migrate data that was in immediate use while configuring the application without documentation in order to get into production as quickly as possible (the root cause of most tech debt). The idea was to migrate the rest of the data later. This migration, like many these days, was from one SaaS to another. The secret to a maintainable and extensible SaaS application is including flex fields in the data model. These are fields that have no pre-defined purpose so that customers can use them for customization and the vendor can avoid the hairball that results from customizing for each customer. The downside to this data model is that if the customer changes default labels and makes heavy use of the flex fields without documenting all of these changes, the data migration effort increases several-fold.

So, here is a real-world example of the impact of technical debt in a compressed timeline that is easy to follow: Short cuts were taken to quickly “realize value” from a new platform, and then to fully taken advantage of the platform subsequent efforts are increased, resulting in a much higher total cost and longer timeline to completion to get that short term win. None of this is the result of bad people or malicious intent, in fact, quite the opposite. It is the result of a “modern” business culture that has evolved to focus on quarterly earnings. It also explains why businesses that really want to innovate either do so before their IPO or go private to get back on track. It’s not because software can’t be done right in a standard corporate structure, but that “Continuous attention to technical excellence and good design enhances agility”.

© Scott S. Nelson

Early Morning Security Ramblings

Posting it here for those that don’t belong to LinkedIn or subscribe to Answers there:

Q:  Which Tastes Better for Security, Java or .NET?

Both this two languages are safe by security point of view with their own levels, but which one tastes better w.r.t your working experience?

A:  As others have noted, the security of the individual applications written in these languages depends on the development approach used. The next level from their is the application servers, which really depends on the app server vendor for Java and again back to the developer and the server admin. And, of course, the servers sit inside an operating system, which adds another layer of vulnerability. This is point where the earlier poster who noted that Microsoft is more often the target comes in to play. Microsoft is more often targeted, which increases the likelihood of someone trying to break in. However, the biggest threat is admins and/or policies that prevent keeping up to date on patches. Then there is the architecture as a whole, where there are points in the network, structure of the firewalls and accessibility of data. There are still plenty of admin servers that have the default log in credentials set.

Then again, the vast majority of real digital break ins come from the hacker knowing passwords in advance, which is an issue that is platform independent 🙂

© Scott S. Nelson