Monday, September 24, 2018

DevOps Needs to Become DevOpsSec!

DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. The purpose and intent of DevSecOps is to build on the mindset that “everyone is responsible for security”, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context, without sacrificing the safety required.
Think of DevOpsSec (sometimes called “Rugged DevOps” or “security at speed”) as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches.

With customer focus comes the benefit of aligning business and security strategies to ensure just right, just enough security that everyone in an organization can support and implement. With advances in technology, many types of compliance have become a necessity for businesses and their clients. Clients want to know that their sensitive data is being protected. To ensure the information security and data integrity of customers, the DevSecOps mindset plays an important role here!
Security professionals should not think of themselves as gatekeepers; rather, they are innovators who need to be agile and scale up very fast to solve customer problems quickly.
Handling huge volumes of security data and scrutinizing them is another pain area. Providing security information for fast decisions is actually becoming an art form!
Objective criteria can help business professionals know how, when, and in what order to improve the security profile of their business resources.
On the other hand, organisations need to turn the tables and become the hunters instead of the hunted.
Proactive hunting needs to be done to achieve this, and organisations need to become less reliant on technology to defend them. They also need to make better use of their best security assets, their people, who work collaboratively, be it in development, operations or security! Also, effective access control is not just about putting up barriers to entry. It should also enable more visibility into what specific employees are doing within specific systems. With all of these other principles in mind, it is necessary to ensure that continuous detection and response is put in place in order to complete information discovery and real-time attack detection. DevSecOps requires continuous detection, comparison, correlation and response to mitigate the lack of attack analysis derived from gating processes and paper-based controls.
http://www.anarsolutions.com/devops-needs-to-become-devopssec/?utm_source=Blogger.com

Thursday, September 20, 2018

Continuous Integration

Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Traditional software development methods don’t dictate how frequently or regularly you integrate all of the source on a project. Programmers can work separately for hours, days, or even weeks on the same source without realizing how many conflicts (and perhaps bugs) they are generating. Agile teams, because they are producing robust code each iteration, typically find that they are slowed down by the long diff-resolution and debugging sessions that often occur at the end of long integration cycles. The more programmers share the code, the more problematic this is. For these reasons, agile teams often choose to use Continuous Integration.
Continuous Integration (CI) involves producing a clean build of the system several times per day, usually with a tool like CruiseControl, which uses Ant and various source-control systems. Agile teams typically configure CI to include automated compilation, unit test execution, and source control integration.

For improving software quality and reducing risk, best practices of CI include:

Manage Source Code, Using a Version Control Product :-
The best way to manage source code is to use a version control product, which will provide a complete audit trail and history of the code.  It’s also the place where the build server can monitor the code to determine any changes.
Version All Test Scripts and Configuration Files :-
Test groups and configuration files are similar to source code in that they change frequently and need to be audited and traced.  They should be kept in the version control system. That way, teams can revert back anytime to previous versions of the code for comparison.
Enable Triggering of Builds from the Command Line :-
Teams should streamline the build process so that it uses common, standard tools. For example, in the Java world, standards to use would be Maven, ANT, NANT. To enable triggering of builds from the command line, teams should also standardize on a build script/tool and incorporate unit testing into the build process.
Commit frequently (at least once a day) as a Developer :-
Developers should commit frequently: at least once per day, and several times a day is recommended. By doing so, developers will know the real-time state and health of the software.
Integrate frequently; Build the Mainline on the Integration Server :-
Developers should integrate code changes frequently, so that integration doesn’t become such a hard process. Once teams begin doing this, they should have the continuous integration server building that main line.
Enable Fast Builds (Typically <10 minutes) :-
Builds should be fast. Anything beyond 10 minutes becomes a dysfunction in the process, because people won’t commit as frequently. Large builds can be broken into multiple jobs and executed in parallel.
Test Using a Replica of Production :-
Testing should be done in a production-like environment.  The build server should be built to the same standards as production.  Not necessarily in terms of being locked down and tightly regulated, but it needs to have the same version of operating system, patches, libraries, and so forth.  That way, when the binary goes into production, there won’t be dependency issues.
Use a Central Binary Repository :-
A central artifact binary repository helps to manage and govern the binary artifacts and associated metadata.  It also helps to enable end to end traceability by making it easier to associate binaries, builds and versions of source code.
Make it Easy to Obtain Build and Test Results :-
Build and test results should be easy to obtain since they are key to ensuring good quality.  Developers should be able to easily see these results – especially when the build breaks. Developers should be notified as soon as possible as to why it broke, so that they can fix it as quickly as possible.
Automate Deployment :-
Automating deployment helps to reduce waste. Many continuous integration servers already have plugins for automating deployment to various web application servers like Tomcat, JBoss, and WebSphere.
Using these best practices definitely helps with continuous deployment. The overall benefits include:
  • Eradication of manual FTP deployment
  • Prevention and reduction of production and staging errors
  • Generation of analysis and reporting on the health of the code base
As the overall process matures, CI helps the business as well: Continuous Integration reduces risk and reduces overheads across the development and deployment process, thus enhancing the reputation of the company by providing quality assurance!
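The traceability that the version-control and central binary repository practices above aim for can be sketched as follows. This is an added example, not code from the original post: the manifest file, the function names, the artifact name `app-1.0.jar`, the commit `0123abc` and the build id `build-42` are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_build(manifest: Path, artifact: Path, commit: str, build_id: str) -> dict:
    """Append one traceability record: binary digest -> build -> source version."""
    entry = {
        "artifact": artifact.name,
        "sha256": sha256_file(artifact),
        "commit": commit,        # source version the build server checked out
        "build_id": build_id,    # CI job that produced the binary
    }
    records = json.loads(manifest.read_text()) if manifest.exists() else []
    records.append(entry)
    manifest.write_text(json.dumps(records, indent=2))
    return entry


def trace_artifact(manifest: Path, artifact: Path):
    """Return the record matching the artifact's current digest, or None.

    Lookup is by digest, not by file name, so a binary that was modified or
    swapped after the build does not inherit the original's provenance.
    """
    if not manifest.exists():
        return None
    actual = sha256_file(artifact)
    for entry in json.loads(manifest.read_text()):
        if entry["sha256"] == actual:
            return entry
    return None


def demo() -> dict:
    """Constructed scenario: publish a build, then alter the binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = root / "manifest.json"
        artifact = root / "app-1.0.jar"  # constructed sample artifact
        artifact.write_bytes(b"constructed build output v1")
        record_build(manifest, artifact, commit="0123abc", build_id="build-42")
        clean = trace_artifact(manifest, artifact)

        # Same file name, different bytes: must no longer trace to the build.
        artifact.write_bytes(b"constructed build output v1 + tampering")
        tampered = trace_artifact(manifest, artifact)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean artifact traces to:", result["clean"])
    print("altered artifact traces to:", result["tampered"])
```

A deployment step can refuse any binary for which `trace_artifact` returns `None`, which turns the audit trail into an enforced check rather than a record consulted after the fact.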
http://www.anarsolutions.com/continuous-integration/?utm_source=Blogger.com

Monday, September 17, 2018

“5 Ps” of Software Development

Just like there are 5Ps of marketing, there are also “5 Ps” of Software Development in an organisation.

1. People :

People include project teams, subject experts, end users, leadership, clients and stakeholders. Good people are required to make a project successful. People issues include having visible executive sponsorship, building an environment of trust, empowering staff, focusing on leadership as well as management, recognizing that the primary gating factor when improving processes is people’s ability to absorb change, and promoting a cross-discipline strategy at both the team and individual levels. A good leader must monitor work and results on a regular basis. He should be willing to listen to all the advice and take the right decisions when needed. End users need to be involved at all stages of the project. Without their involvement, the project can be a complete waste of time. Leadership support helps a project get what it needs: financial support, acceptance, and support from others. All of these people are stakeholders and have important roles in the project vis-à-vis the organisation.

2. Principles/Philosophies :

Principles and Philosophies of the organisation help to guide people’s decisions when their processes and practices don’t directly address the situation in which they find themselves. At AnAr, our values are very important to us and represent a large part of the service that we offer to our clients. We seek to facilitate good planning and development outcomes by delivering honest advice and to work diligently to achieve our clients’ goals. We work with passion to ensure our clients receive a quality and professional experience throughout the duration of a project. Our Core Values teach us to work in a cohesive environment where there is win-win-win and continuous learning.

3. Practices/Patterns :

A practice is a self-contained, deployable component of a process. Each patterns & practices offering contains a combination of written documentation and re-usable modes of practice. They are basically used as a reference handbook in any organisation. Generally, practices are developed over years of experience, and many patterns & practices offerings illustrate how to best fit the situation and get the best outcome, considering all possibilities for overall solution benefit. By using patterns & practices offerings, you can accelerate organizational growth and personal benefit, reduce risk, and position yourself to take on future challenges.

4. Products you build (services you sell) :

This includes the technologies (such as databases, application servers, networks, and client platforms) and tools such as integrated development environments, testing tools, and project planning tools used to create solutions for stakeholders. At the end of the day it is the outcome and feedback that matter most of the time. The products that people build with the help of the philosophies laid down, the principles and the practices of the organisation should have an expected ROI, and then the delight factor comes into the picture. The product that you build is the motive, and that’s how the 5 P’s are interrelated.

5. Processes :

The previous 4Ps do not exist in a vacuum; there needs to be a set of processes acting as some sort of glue to help piece all of this together. Minimally this glue is a lifecycle, although more often than not it is a full process or method. At AnAr, we follow the Process Review System laid down by the philosophies of Dr. Deming. These processes help us understand the way we work, collaborate all the facts and thus play a very important role.
I believe that for successful improvement in the overall process across your entire organisation, you must address these 5Ps. How you address each issue, and to what extent, will vary based on your situation. We can discuss each one in detail in the blogs coming up.
http://www.anarsolutions.com/5-ps-of-software-development/?utm_source=Blogger.com

Tuesday, September 11, 2018

How to choose a CMS – Umbraco Vs WordPress

Always remember to research a CMS before investing time in it. Choosing a content management system (CMS) for your website can be a very difficult process that has you constantly changing your mind between the many different solutions available. This can be down to the features provided, the pros and cons of each system and the cost of hosting the solution. Never forget that the main purpose of a CMS is to make creating and editing content simple and easy. Never sacrifice the user experience for functionality. Remember these things and it will drastically improve your experience with Content Management Systems. However, the first question you should be asking yourself before you consider any CMS is “What am I trying to achieve? What is my purpose?”
The CMS you use shouldn’t dictate your design and development process; it should be able to adapt to your vision and/or your business needs.
In this article we are going to look at two of the most popular CMSs in use and see which would be more suitable for your needs. We will compare two CMSs that AnAr has experience developing in: Umbraco and WordPress. Umbraco is an open source content management system written in C# and based on the Microsoft .Net platform. It offers extensive customizable options for developers to use in any type of website or complex application.
WordPress is an open source content management system based on the PHP platform and is predominantly used for creating blogging sites as well as small websites. A huge number of plugins and templates are available in the market, which makes it a favorite choice for developing small and medium sized websites.
Both Umbraco and WordPress are content management systems which offer a wide range of features and flexibility. Each CMS has its own merits and demerits; however, as mentioned earlier, it’s what you’re trying to achieve that should be the major influence in your decision. Let’s compare both solutions.

When to choose WordPress?

WordPress is a simple, easy to understand CMS which uses PHP and MySQL technologies and so is less expensive to deploy. As a free, open-source platform, it offers thousands of options for expansion and customization, whether through themes and plug-ins or custom code.
The interface is easy to understand; you won’t need a book for it, although buying a “WordPress for Dummies” book will save you some time if you have no experience with blog management at all. Adapting the look requires some knowledge of CSS, the style sheet language.
A WordPress website gives you the most control of any free blogging platform we have seen. For websites with simple functions that need to be deployed with a shorter turnaround time, WordPress is the best choice. It is supported by a large community of designers and developers who create templates and plugins for websites. It is best suited for websites that have frequent updates and hence is widely accepted for blogging sites. By integrating the readily available templates and plugins, a WordPress site can be easily created; however, the design customization is largely limited to the design template as well as the plugins. As the plugins and templates are developed by third party developers, the chances of developing a security issue or a threat cannot be ignored.

WordPress is the best choice for the following scenarios

  • When the hosting server is Unix/MySQL

  • The requirement is for a simple website with frequent/regular updates

  • For websites where security is not a major priority and most of the content is public

  • The content management team is of small size

When to choose Umbraco?

Umbraco is a fully-featured open source content management system with the flexibility to run anything from small campaign or brochure sites right through to complex applications for Fortune 500’s and some of the largest media sites in the world, and it’s free. It is based on .Net technology and hence web deployment costs more than for WordPress. Umbraco is developed on the ASP.NET platform, which is popular among professional programmers and is one of the most frequently used on the Internet along with JSP and PHP. Such notions as themes and skins, which to a large extent limit web developers’ possibilities, are not basic here. Everything a developer can do with ASP.NET master-pages tools, HTML and CSS is available in Umbraco development. It offers high flexibility in terms of design and functionality and is much preferred by developers for creating complex websites and applications. The community of developers that supports Umbraco keeps updating the technology, and so the growth of Umbraco CMS has been consistent. The content editing tools available with Umbraco give full control of the website to the user.

Umbraco is the best choice for the following scenarios

  • When the hosting server is Windows/MSSQL

  • Requirement is for large sites with complex features and functionality

  • For website and applications where security is a major priority

  • Content is managed by a large team

From an SEO point of view, plugins are available for WordPress to optimize the content, and for Umbraco the SEO friendly content can be easily managed within the CMS. The ultimate decision on which technology to use is based on the purpose of the website or the requirement. Both Umbraco and WordPress have the power to accommodate different features and functions; however, each has its own specialties, which makes developers want to use a particular CMS for a particular requirement. In the end, we have to remember: what is our purpose?
http://www.anarsolutions.com/umbraco-vs-wordpress/?utm-source=Blogger.com

Thursday, September 6, 2018

Types of Software Maintenance

No matter what business it is that you run, buying a web solution and sitting back simply does not suffice anymore. Keeping your web application up with the developments that happen in the ever hulking world of the Internet is as important as its inception itself. Let’s discuss the whys and whats of Software Maintenance…
Software Maintenance is that last step in the Software Development Life Cycle that does not get its fair share of attention. And we understand that. When people spend thousands of bucks on software, they expect it to conform to their needs, both present and future. Unfortunately though, that’s not possible. There are a number of reasons why modifications are required; some of them are briefly mentioned below:
  • Market Conditions

    – Policies which change over time, such as taxation, and newly introduced constraints, such as how to maintain bookkeeping, may trigger the need for modification.
  • Client Requirements

    – Over time, the customer may ask for new features or functions in the software.
  • Host Modifications

    – If any of the hardware and/or platform (such as the operating system) of the target host changes, software changes are needed to keep adaptability.
  • Organization Changes

    – If there is any business level change at the client end, such as reduction of organization strength, acquiring another company, or the organization venturing into new business, the need to modify the original software may arise.
These basically can be categorized into four types of maintenance, namely corrective, adaptive, perfective, and preventive.

Corrective maintenance

Corrective maintenance is concerned with fixing errors that are observed when the software is in use. It deals with the repair of faults or defects found in day-to-day system functions. A defect can result from errors in software design, logic and coding. Design errors occur when changes made to the software are incorrect, incomplete, wrongly communicated, or the change request is misunderstood. Logical errors result from invalid tests and conclusions, incorrect implementation of design specifications, faulty logic flow, or incomplete testing of data. All these errors, referred to as residual errors, prevent the software from conforming to its agreed specifications. Note that the need for corrective maintenance is usually initiated by bug reports drawn up by the users.
In the event of a system failure due to an error, actions are taken to restore the operation of the software system. The approach in corrective maintenance is to locate the original specifications in order to determine what the system was originally designed to do. However, due to pressure from management, the maintenance team sometimes resorts to emergency fixes known as patching.

Corrective maintenance accounts for 20% of all the maintenance activities.

Adaptive maintenance

Adaptive maintenance is concerned with changes made to the software to make it adaptable to a new environment, such as running the software on a new operating system. It consists of adapting software to changes in the environment such as the hardware or the operating system. The term environment in this context refers to the conditions and the influences which act (from outside) on the system. For example, business rules, work patterns, and government policies have a significant impact on the software system.
For instance, a bank decides to offer a new mortgage product. This will have to be included in the system so that mortgage interest and payments can be calculated. Or the Government recently changed the VAT rate from x% to y%. This change meant that many organizations had to make alterations to their systems.

Adaptive maintenance accounts for 25% of all the maintenance activities.

Perfective maintenance

Perfective maintenance is concerned with implementing new or changed user requirements. It involves making functional enhancements to the system, in addition to activities that increase the system’s performance, even when the changes have not been suggested by faults. This includes enhancing both the function and efficiency of the code and changing the functionalities of the system as per the users’ changing needs.
Examples of perfective maintenance include re-organizing data sets within a database so they can be searched faster or use less storage, or providing shortcut commands that experts can use instead of the slower standard menu system.

Perfective maintenance accounts for 50%, that is, the largest share of all the maintenance activities.

Preventive maintenance

Preventive maintenance involves performing activities to prevent the occurrence of errors. It tends to reduce the software complexity, thereby improving program understandability and increasing software maintainability. It comprises documentation updating, code optimization, and code restructuring. Documentation updating involves modifying the documents affected by the changes in order to correspond to the present state of the system. Code optimization involves modifying the programs for faster execution or efficient use of storage space. Code restructuring involves transforming the program structure to reduce the complexity of the source code and make it easier to understand.
Preventive maintenance is limited to the maintenance organization only, and no external requests are acquired for this type of maintenance.

Preventive maintenance accounts for only 5% of all the maintenance activities.

Author: Abasaheb Sangle.
http://www.anarsolutions.com/types-of-software-maintenance/?utm-source=blogger.com

Monday, September 3, 2018

Continuous Everything – DevOps

DevOps is all about automation and continuity. The word “continuous” seems to be the root of many agile concepts in today’s world. As agile adapts and takes on more and more evolving practices, the glossary for this lean-structured methodology gets thicker and thicker.
Earlier we discussed “continuous” as a DevOps buzzword, and the continuous continuousness of DevOps, because it seems like everything is continuous. There’s continuous delivery, continuous integration, continuous testing, continuous deployment, etc.
Continuous Delivery is the practice of ensuring that code can be rapidly and safely moved (aka “delivered”) between development, testing and staging environments. Every application/code change is delivered to a “production-like” environment through rigorous automated testing. This system for testing code incrementally and frequently to ensure quality is referred to as Continuous Integration. The value lies in the practice of continually integrating changes, so the system can catch errors and failures while they’re still small and manageable. Your automated, continuous integration system provides a level of confidence that the application can be deployed to production (in theory with a push of a button) when the business is ready.
Continuous Deployment is the next step in this model. Continuous deployment can be thought of as an extension of continuous integration, aiming at minimizing lead time, the time elapsed between development writing one new line of code and this new code being used by live users in production. To achieve continuous deployment, the team relies on infrastructure that automates and instruments the various steps leading up to deployment, so that after each integration that successfully meets these release criteria, the live application is updated with new code.
Today’s DevOps teams have a lot of capabilities at their fingertips and are advancing these disciplines to realize the most common benefits:
  • Speed & Agility. Short time to market delights your customers with the latest features and functions. Business stakeholders seek the agility to meet market demands and compete for the customer’s attention.
  • Scope & Scale. Automation testing mitigates risks by testing every new iteration of your code, instead of testing once a day, or once a week. That limits the damage that can be done if something breaks. Testing incrementally also makes it easier to identify and remediate errors.
  • Governance & Quality. Fast changes, and lots of them, require organizational alignment. Automation, when designed correctly, facilitates communication and workflow across diverse teams. Automation eliminates — or at least vastly reduces — the opportunity for people to cause errors.
Continuous Feedback: for every step of this build-measure-learn cycle, you need feedback, both from your customers or users and from your team members, especially in an onsite-offshore model, where it’s hard to plan pairing sessions due to different time zones.
Don’t ever economize on feedback and user input. Remember: this is where ‘the corporations’ fail, building stuff that people don’t need. Rather: select, build, measure, improve, and keep the pace!
Apart from these, there is a wide variety of continuous automation solutions for DevOps: continuous delivery, continuous deployment, continuous improvement, continuous integration, continuous monitoring, continuous testing, and more. Providing continuous delivery, continuous operations, and continuous services, and having a client-centric approach, gets better and moves more towards “everything”.
http://www.anarsolutions.com/continuous-everything/?utm_source=Blogger.com