Agile2019 presentation
David Norton, Executive Director, CISQ
The human aspect that has been at the heart of agile success since its inception may well be its Achilles heel when it comes to scaling, and dealing with complex mission-critical environments; indeed, this sentiment has been used by many agile detractors. However, this does not have to be the case and could be the catalyst for an enhanced form of agile that combines the best of agile values and behaviour with modern systems engineering practices.
Next-generation agile will have to leverage unprecedented levels of automation from inception to implementation, and beyond. Techniques such as Model-Based Systems Engineering (MBSE), and Continuous Quality will enable digital twins augmented with AI and IoT sensor feedback, allowing developers to work with increasing levels of complexity in a safe and secure way - without sacrificing agile principles.
This interactive session will focus on a number of interrelated topics to help delegates formulate a strategy for next-generation agile engineering practices, including the following:
Tackling the problem of quality at speed, agile at scale with the correct application of relevant guidelines and standards to form a solid foundation to build on.
Re-evaluating MBSE in the context of agile and digital twins to support complex business ecosystems from strategy to implementation.
Dealing with human factors in the engineering process as we increase automation - when do we augment and when do we remove the human actor.
Learning Outcomes:
How to maximise automation within agile and the DevOps toolchain with a strategy that takes advantage of emerging standards and best practices.
How to combine human-centric approaches such as design thinking and hypothesis-driven development with AI and IoT to improve the customer experience and innovation.
How to increase velocity and reduce lead time without sacrificing quality or generating high levels of technical debt.
How engineering methods such as Model-Based Systems Engineering and Systems of Systems Engineering combined with agile can tackle complex business ecosystems.
3. We Need Continuous Delivery Of Features To Stay Ahead
http://giphy.com/gifs/KW3nydTAyPaU0
4. Learning to Play on a VUCA Pitch
Volatility
Uncertainty
Complexity
Ambiguity
5. Understand How The Modes Relate and Interact
Stacey Model
The Theory Bit - Models Of Complexity
The Cynefin framework
6. Adjust Your Decision-Making Process To Fit The Situation
“Decisions without actions are pointless. Actions
without decisions are reckless.”
― John Boyd
26. System of Systems – Net Centric Warfare – Where it
all started
27. System of Systems – TeleHealthcare & TeleFitness
Out Patient
Mobile Device
Telecommunication
Network
Healthcare Provider
Cardiovascular Monitor
Application
Local Doctor
Patient
System
Emergency Services
28. System of Systems – A Very Practical Example – Haiti
Disaster Response
OpenStreetMap
Satellite
Images
2000
Users
GPS
Aid Workers
Event
12 H
24 H
"Over just a few days, it saved me and my
driver from getting lost twice, and the alternative
would have been long delays. We are running
fast trying to help people and your work makes
it easier." Kjeld Jensen - Red Cross
31. The Manifesto for Agile Software Development
1.Customer satisfaction by early and continuous delivery of valuable software.
2.Welcome changing requirements, even in late development.
3.Deliver working software frequently (weeks rather than months)
4.Close, daily cooperation between business people and developers
5.Projects are built around motivated individuals, who should be trusted
6.Face-to-face conversation is the best form of communication (co-location)
7.Working software is the primary measure of progress
8.Sustainable development, able to maintain a constant pace
9.Continuous attention to technical excellence and good design
10.Simplicity—the art of maximizing the amount of work not done—is essential
11.Best architectures, requirements, and designs emerge from self-organizing teams
12.Regularly, the team reflects on how to become more effective, and adjusts
accordingly
32. When dealing with complex mission-critical systems
in a system of systems environment (smart cities,
open banking, healthcare) it is not always possible to
have daily cooperation and face-to-face
conversation with the key stakeholders.
Not good, but the reality of life
35. MBSE
TOOLS
PEOPLE
TRAINING
EFFORT
Modeling is a
nice to have
We don’t
have the time
It's vendor
hype
It's too complex
Always ends
up in analysis
paralysis
It's too formal and
we need to be agile
We don’t
have the
cash
Requires
Process/Org
Change
60. 2. Treat Digital Twins and Agile MBSE as System of Systems
(SoS) Governance Challenge.
• Directed — The SoS is created and managed to fulfill specific purposes and the other
systems are subordinated to the SoS. The component systems maintain an ability to operate
independently; however, their design and operationalization are subordinated to the central
SoS goal.
• Acknowledged — The SoS has recognized and agreed objectives, joint governance
mechanism and resources for the SoS implementation; however, the supporting systems
retain their independent ownership, objectives, funding, and development and sustainment
approaches.
• Collaborative — The component systems interact more or less voluntarily to achieve agreed
upon central purposes. The central players collectively decide how to provide value and
desired outcomes.
• Virtual — The SoS has no central governance authority or a centrally agreed upon purpose
for the SoS. Large-scale behavior emerges — and may or may not be desirable.
61. Acknowledged, Collaborative & Virtual - BUT NOT Directed
Factors
beyond your
influence
Factors you
can
influence
Factors you
control
Digital business models exist in a
complex environment.
• Pace of new technically
• More cyber-physical devices
• Ambiguity on regulation
• Uncertainty of API strategies
• Less time to respond
• Less control over the value stream.
• Lower barriers to entry allow new
entrants and fast followers.
63. 4. Adopt Architecture Runway For Major Models — Just in Time, Not
Just Too Late
Core Models
Architecture
Stories Backlog
(Components,
Frameworks,
Libraries,
Adaptors)
Features
Architecture
Model
Epics and
Stories
Local Sub System
Models
Product
Backlog
64. 4. Adopt Architecture Runway For Major Models — Just in Time, Not
Just Too Late
SAFe has the
concept of MBSE.
You can use MBSE
without an enterprise
agile framework, but
it is harder.
73. Complex Toolchains
•Production metrics, objects and feedback
•Requirements
•Business metrics
•Update release metrics
•Release plan, timing and business case
•Security policy and requirement
•Design of the software and
configuration
•Coding including code quality
and performance
•Software build and build
performance
•Release candidate
•Acceptance testing
•Regression testing
•Security and vulnerability analysis
•Performance
•Configuration testing
•Approval/preapprovals
•Package configuration
•Triggered releases
•Release staging and holding
•Infrastructure storage,
database and network
provisioning and
configuring
•Application provision
and configuration.
•Performance of IT infrastructure
•End-user response and experience
•Production metrics and statistics
•Application monitoring
75. Greater Reliance on Suppliers
Hope is not a
strategy
Quality
Productivity
Security
Cost
76. The Nine-Digit Glitch
Board of Directors
CEO, COO, CFO
Business VPs
Corporate
Auditors
CIO
Now affect Accountable for
Governance
Risk management
Business Continuity
Brand protection
Customer
experience
Nine Digit Defects
Cyber incidents see a 1087% increase
year on year (RSM research).
77. Let's Learn From The Past
As industries mature they automate, from robots
to fly-by-wire
80. We built this city, we built this city on rock an' roll
We Need Standards We Can Implement
81. We Need Standards We Can Implement
We built this city, we built this city on rock an' roll
82. ISO 25010 Software Quality Model
• Functionality - "A set of attributes that bear on the existence of a set of functions and their
specified properties. The functions are those that satisfy stated or implied needs."
• Reliability - "A set of attributes that bear on the capability of software to maintain its level of
performance under stated conditions for a stated period of time."
• Usability - "A set of attributes that bear on the effort needed for use, and on the individual
assessment of such use, by a stated or implied set of users."
• Efficiency - "A set of attributes that bear on the relationship between the level of performance of
the software and the amount of resources used, under stated conditions."
• Maintainability - "A set of attributes that bear on the effort needed to make specified
modifications."
• Portability - "A set of attributes that bear on the ability of software to be transferred from one
environment to another."
83. ISO 25010 In Structural Code Analysis
• OWASP Top 10 Vulnerabilities—most critical web application security risks – CWEs &
CVEs
• OWASP Application Security Verification Std v4.0 – 14 categories guide automated unit
& integration tests – almost all verification checks have corresponding CWEs
• SANS/CWE Top 25 — most commonly encountered cyber weakness enumerators
(CWEs)
• CISQ Object Management Group (OMG) Automated Source Code Measures for
technical debt & structural quality (Security, Reliability, Performance Efficiency &
Maintainability) – all based on CWEs
84. CISQ Structural Quality Measures
Example architectural and
coding weaknesses included in
the CISQ measures
• SQL injection
• Cross-site scripting
• Buffer overflow
• Empty exception block
• Unreleased resources
• Circular dependency
• Expensive loop operation
• Un-indexed data access
• Unreleased memory
• Excessive coupling
• Dead code
• Hard-coded literals
CISQ Structural Quality Measures
Security
22
weaknesses
(Top 25 CWEs)
Reliability
29
weaknesses
Performance
Efficiency
15
weaknesses
Maintainability
20
weaknesses
An international team of experts
selected the weaknesses to include
in CISQ measures based on the
severity of their impact on
operational problems or cost of
ownership.
Only weaknesses considered severe
enough that they must be
remediated were included in the
CISQ measures.
CISQ Structural Quality measures
are currently being extended to
embedded systems software.
86. Sample RFP
CISQ has been referenced by the U.S. General Services
Administration (GSA), formally citing CISQ requirements in an
Information Technology (IT) statement of work from the
Office of the CIO for the Office of Public Buildings. GSA is an
independent agency of the U.S. government that supports
general services of Federal agencies.
See page 21, section 5.9 in GSA’s document, Schedule 70
Blank Purchase Agreement for IT and Development
Services…
“PB-ITS (Project Based IT Services) is seeking to establish
code quality standards for its existing code base, as well as
new development tasks. As an emerging standard, PB-ITS
references the Consortium for IT Software Quality (CISQ) for
guidance on how to measure, evaluate and improve
software.”
Working With Suppliers
87. Standards Are Only Effective If Implemented
We have to deal with the risk link - people.
88. Focus on Culture and Behavior
• Don’t expect everyone to like
automation, some people just
like doing it the hard way
• Incentivize the behavior you
want for the individual and
team.
• Have agreed metrics and KPI
linked to automation.
• Show results
89. Develop The Correct Skills
Process
Design
Scripting
Toolchain
Integration
Standards
Definition
90. Obtain Commitment From The Team
Product
Backlog
Risk
Backlog
[Requirements, Policies, Definition of Done]
Compliance
Officer
Team
Product
Owner
Product
Manager
GRC
Stores/Themes
Compliance Strategy [Working
software, documentation]
Risk Log / Board
Escalations
GRC Questions
Information “Radiator”
Standards, Good Practice, Regulations
91. Certify The Environment, Don’t Assume
Product
Backlog
Risk
Backlog
[Requirements, Policies, Definition of Done]
Compliance
Officer
Team
Product
Owner
Product
Manager
GRC
Stores/Themes
Compliance Strategy [Working
software, documentation]
Risk Log / Board
Escalations
GRC Questions
Information “Radiator”
Standards, Good Practice, Regulations
Automated
Environment
Certified
Tool
Team
Align
92. Have a virtual quality and security assistant
Chatbot integrated
into the toolchain
93. Gamify - Link Automation to Autonomy
Autonomy
Time of
Deployments
Intra-day
allowed
After hours and
on weekends
Frequency of
Deployments
No limits on
changes per
day
Few
changes
per week
Change
Advisory
Board
CAB for
information
purposes only
CAB for all
changes
Freeze
Periods
Only exceptional
change freeze
periods apply
All freeze
periods apply
Continuous
Integration
Environments
Quality
Assurance
Incident
Management
Release
Management
Coding
Practices
Team
A
Level of Automation
Team
B
94. Stay in Control of Quality With Agile Governance
• Communities of
Practice
• Toolchain
Consistency
• Tools Register
• Automation Best
Practice
95. Link Automation to KPI, and Set Targets
• Feature throughput
• Lead-time/Cycle-time
• IT Downtime
• Business Downtime
• Percentage of tasks
automated
• Refactoring rate and
cost