Recent Blog EntriesRSS feed
  • Deployment Automation: The End of Plug-n-Pray
    Speaking to a customer recently, I was told: "Honestly, our favorite thing about moving to AnthillPro is that we've moved beyond 'Plug-n-Pray' deployments. You know, many of our deployments were so scary we'd have a bunch of people in the office ...
  • AnthillPro is a Maven Repository!
    AnthillPro's integrated build artifact repository is one of our favorite things about the tool. After all, if you're going to support moving a build through it's lifecycle towards production with deployments and tests, it's helpful to manage the files ...
  • Build and Deployment Pipelines
    Michael Sayko, a software configuration management consultant based in Austin, Texas, wrote a great article for CM Crossroads on the advantages of a build pipeline approach to build and deployment automation. You should check it out. I'm a big fan of the ...
  • Q&A from Enterprise Build-Deploy-Test-Release Webinar
    Last week Jeffery and presented BDTR Automation in the Enterprise where we discussed the drivers for expanding automation from the team level to the enterprise level, as well as the requisite technical and social components to the design and rollout of ...
  • Questions an Enterprise CI System Should Answer
    In our webinar on Build-Deploy-Test-Re...
Recent ResponsesRSS feed for responses
  • Re: Q&A from Enterprise Build-Deploy-Test-Release Webinar
    Many thanks Eric. This is indeed good food for thought.
  • Re: DevOps: The Rise of QA?
    Oliver, While I tend to agree with you in principal, when I visit customers and ask them what test environments they have, they usually say something like, "Well, we have dev test, QA, UAT...." What happens in the QA environment? "Well, ...
  • Enterprise CI Cultural Maturity
    Great post and ideas! I’m going to share this with the rest of my team as we work more with enterprise-level clients. Thanks and Regards/- a href="http://en...
Navigate
January 2010
SunMonTueWedThuFriSat
       1   2 
  3   4   5   6   7   8   9 
 10  11  12  13  14  15  16 
 17  18  19  20  21  22  23 
 24  25  26  27  28  29  30 
 31       
Dec  |  Today  |  Feb

Categories | Tags | Advanced Search
Archives
2010
September (0)
August (4)
July (5)
June (5)
May (2)
April (5)
March (3)
February (7)
January (6)

2009
December (3)
November (3)
October (2)
September (7)
August (8)
July (3)
June (8)
May (3)
April (2)
March (3)
February (3)
January (3)

2008
December (2)
November (2)
October (3)
September (1)
August (1)
July (2)
June (1)
May (0)
April (1)
March (2)
February (1)
January (0)

2007
December (0)
November (0)
October (1)
September (0)
August (1)
July (0)
June (1)

Summary of blogsRSS feed
Urbancode Blogs RSS feed
AnthillPro Blog - News and Info about AnthillPro.RSS feed
The Devil in the Details - A blog about the practice of software development.RSS feed
Our Daily Read
The Build Doctor
CITCON Aggregator
Login
Username
Password
Remember me

Chaperoning Promiscuous Software

submit to reddit StumbleUpon Delicious Save to Delicious
Every developer has done it. We just needed a bit of XML parsing or a better utility for dealing with connections. So we downloaded a library, stuck it in our code base and used it. Minutes later we felt great as our software had new capabilities quickly. Weeks later when things started to break we wondered,  "Did one of those libraries also have bugs and does our team even know all the libraries it has let into its code?"

Reuse of open source or commercial libraries can be great. It lets a team focus on delivering unique functionality to the business without rewriting that XML parsing utility. However, a mature software development organization needs to understand some of the risks of reuse and take steps to chaperon their code.

A team should know

  • which components we have in our product portfolio
  • if we are staying compliant with licensing
  • if the libraries we are using are secure
  • if the various components we are using are compatible
  • where developers can find pre-screened libraries
To address these challenges, we need a coherent strategy for chaperoning our organization's reuse. There are four elements of a successful strategy for managing components:

1) Testing and Validation of 3rd party components
2) A Definitive Software Library to track approved versions
3) Preventing unapproved libraries slipping in
4) Rapid audit of what is used where for impact analysis

Component Test Labs

At Urbancode, we increasingly encounter IT departments adopting rigorous standards for approving third party libraries for reuse. Developers identify specific versions of the components they want and a special testing team approves those versions. The best test labs screen licensing models, run security scans and test model applications built from a stack of proposed components for performance characteristics and correctness.

A Definitive Software Library

Once the test team approves a version of a component, we need to store the approved binary and give developers access to it. ITIL refers to this kind of storage as a Definitive Software Library (DSL) or Definitive Media Library. I'm a fan of the older DSL terminology.

Java teams using Maven can utilize solutions like Artifactory or Nexus to provide a basic DSL. AnthillPro customers, be they developing Java, Microsoft technologies or other stacks, can use the built in CodeStation repository to manage their shared artifacts. In either scenario, the approved libraries are provisioned automatically at build time making it easier for developers to use the pre-approved versions than download something new from the internet.

Using Protection

When a new library is required, developers may skirt the validation process and simply download a library and commit it into source control. Any gains made by the creation of an approval process for third party libraries can be undone very quickly. So we need a way of preventing unapproved libraries from entering our projects.

At Urbancode, part of our strategy is running an extra step in our automated, authoritative build process that scans the files checked out from source control for any obvious library files (those with extensions like .jar or .dll) and immediately failing the build if any are present. If the code base is clean, we continue on and retrieve any libraries we use from the DSL (CodeStation); and perform the build.

Rapid Impact Analysis

From time to time, a security firm may issue a warning about a commonly used library. Or the team behind the library may warn that a serious bug is in some versions. If we are using a DSL and preventing other components from being used, we can quickly identify if we might be impacted. If we have not approved those library versions we are in the clear.

If the team has approved problematic components, we know some of our projects are likely impacted. But which ones? To facilitate this impact analysis the team must track which projects use which libraries. At Urbancode, we use AnthillPro's CodeStation integration to automatically record when builds reference outside libraries. Our team can quickly and easily determine which projects, releases and builds include suspect libraries, speeding our impact analysis.

Conclusion


Reuse components. But reuse them responsibly. These four elements: testing, a DSL, prevention, and usage tracking; provide the foundation for controlled, effective reuse of 3rd party libraries.
Tags :
Responses[3] RSS feed for responses to this blog entry
Posted by Eric Minick on January 25, 2010 9:58:00 AM EST#


Reply

Re: Chaperoning Promiscuous Software

Comment from Wolfram Arnold on February 5, 2010 8:42:17 PM EST#
That seems like a heavy-process and heavy-handed approach to me.  Also the reward structure is all backwards.  IT managers and tools that need to "prevent" developers from doing things which are easy and get their job done fastest probably will never be able to tap their developers' full potential.  The incentives are mis-aligned.  To change behaviors, the organization, culture and practices must be arranged such that the desired behavior is also the easiest thing to do for developers.

And the idea that some in-house test team is supposed to verify 3rd party libraries strikes me an inversion of responsibility as well.  This is like hiring a test driver to check that the car I just bought actually is safe to drive.  For open source components, why not insist that all libraries have test suites, verify test coverage with your Anthill tool and reject those that don't pass their own suite or don't have coverage.  For 3rd party proprietary libraries the same applies. The vendor should test it, ideally show this by demonstrating their own test suite.  Or else you better check the fine print in the support contract.

Perhaps this sounds too utopian for the Enterprise Java world, but it is standard practice in the Ruby-on-Rails community.
Reply

Re: Chaperoning Promiscuous Software

Comment from Eric Minick on February 8, 2010 10:07:48 AM EST#
Thanks for the well thought out response! I agree that implementing this whole system can be heavy handed. It's very extreme for a mission a simple CRUD application. Teams I know who are writing shrink-box applications take any change to their tool-change or dependency graphs very seriously and test any new version of a component they are upgrading to extensively.

I would also argue that part of the goal is to facilitate developer productivity not hamper it in favor of control. By creating a set of approved components in a well know, easily accessible (and ideally searchable) place, developers don't need to hunt down various components online, and perform whatever validation they would do on them (usually none). This helps at component finding time, it also helps in a large enterprise as developers switch projects. When they move from one project to another, they find the same XML parsing libraries in place. The same logging technologies in place, etc, etc. Enterprise IT, in reality has quite a lot of friction caused by people moving between projects. If some level of consistency between those projects is facilitated, that friction can be reduced a little bit.

That said, I can see where the testing and the seperate approval organizations can be too much rigor in some teams. At very least, have a central place to store the components and track what you're using. It's truly frightening how many teams have no idea what components their using.
Reply

Re: Chaperoning Promiscuous Software

Comment from Anonymous on February 9, 2010 4:18:25 PM EST#

Very timely article. We're well on our to making this real without really getting in the way of development too. Wolfram sounds like a developer to me ;-)
© 2006-2010 Urbancode, Inc.
Anthill, AnthillPro, and AnthillOS are trademarks of Urbancode, Inc.
All other trademarks are owned by their respective owners.
tel: (216) 858-9000 fax: i (216) 393-0006 email:info@urbancode.com