Ensuring Quality Through the Definition of Done

This is an article I wrote a long time ago; it was published on the Scrum Alliance community blog. Unfortunately, after a recent revamp, old blogs were removed from the site. Given that this article was viewed and discussed by many, I am putting a copy here. Hope you will like it.

OZ

Quality is one of the most commonly used terms and at the same time the most misunderstood one. It serves as a ‘get out of jail’ card and as marketing jargon. Putting the shenanigans aside, there is a real need to understand the term. So let’s try to explain quality and how we can ensure the quality of a product.

Quality is an abstract concept and any description will be a mere approximation. For example, quality can be defined as a general satisfaction level of a person or compliance with a certain set of standards. Therefore, it is very important for a development team to come up with their own definition of quality or quality goals for their product. Quality goals are complementary to the functional requirements and will play an important role in the success of the product.

It is important to understand that quality can have subjective or objective aspects. Each subjective aspect needs to be approximated by an objective one. For example, client satisfaction is a subjective aspect that can be approximated by client feedback and surveys. Similarly, client preferences can be mapped to business intelligence reports or business analytics. Once all the aspects are defined, the next step is to document and share that information with the whole team. This is where Scrum can play a vital role. Scrum not only defines a way of doing things but also specifies the nature and requirements of the work to be done. One of the key work-related concepts is the ‘Definition of Done’ (DoD). DoD refers to the team’s shared understanding of what completed work means. With the help of the Scrum Master (SM), we can incorporate quality aspects into the DoD. There are three main advantages of doing this:

1. The whole team will have a common understanding of the quality requirements and will take ownership of them.

2. Quality will be ingrained within the product, as no task will be completed without fulfilling the quality requirements.

3. Quality is assured early in the development process. This can save huge effort and money on costly quality control processes.

This approach can be applied to both new and ongoing development.

Tips to make Definition of Done (DoD) work for you
– Put the DoD on the Scrum team’s board or wall, where it is visible to the team all the time. Let your creativity fly; come up with a unique or eye-catching way of describing doneness. The more verbose or monotonous the definition, the less likely people are to notice it (remember, we are living in a world of ever-shrinking attention spans).

– If you are a Scrum Master, try to emphasize the importance of DoD once in a while. Lead by example all the time.

– Have a well-defined review or change management process.

That’s about it. This is a very simple, cost-effective, and agile approach to ensure a quality product.

Leaky cauldron: A case of a vulnerable container

Containerised application development is a common engineering practice. However, putting your code in a container doesn’t make it secure out of the box.
Want to know more?
Let me tell you about 5 simple ways to make your container application secure. See my blog for details… ttyl

Is your container truly secure?

Containerised application development is a common engineering practice. However, putting your code in a container doesn’t make it secure out of the box. Yup! You heard it right. And believe me, you are not the only one! Count me on this list as well.

The moment of realisation dawned upon me when I had a conversation with our AppSec engineer (Aaron) about it. That’s how the conversation went (at least as far as I can recall).

Me: Hey Aaron, how are you doing mate!

Aaron: Good OZ, how about you?

Me: Same old same old. Hey, I would like to run a few things with you regarding the new service I am working on.

Aaron: Sure! Shoot

Me: Well! it will be quick as I have it all covered (me showing off). It is a containerised application so security wouldn't be an issue...

Aaron: Hold it right there. What makes you say that?

Me: (caught a bit surprised) aa... as I said, it is CONTAINERISED.

Aaron: News flash OZ, putting your code in a container doesn't make it secure out of the box. At worst, it gives you an illusion of security which can catch you off-guard.

Me: I have to be honest with you, I wasn't aware of it.

This conversation was a bit embarrassing, but I have been a developer long enough to know what I don’t know and I am never shy to admit it. This conversation made me think about the security aspects of a container-based application. It started a journey to explore the notion of security in the context of container-based applications.

In this blog, I will share a quick summary of the useful stuff that helped me create a better, more secure application.

Without further ado!

Drum rolls please!!


5 simple ways to improve your container security

1: Smaller container = Smaller attack surface

The container should only contain enough support structure (OS features, tools, libraries, running processes, etc) to run the desired application as expected. Everything else should not be part of your container ecosystem.

Given the hereditary nature of container frameworks like Docker, you are not only inheriting the functionality of the base image but also its security vulnerabilities. It is important to evaluate the base image carefully.

One possible solution is to use DockerSlim, which minifies the image and creates security profiles (more on that later). Check out this short video for details.

Don’t take my word for it… see it in action!

This principle will guide you towards a microservice-based architecture. A smaller image is easier to sync with remote repositories and improves deployment time.

2: Contain the container

Control what the container can see and do!

The operating system (OS) provides a large number of system calls to perform various OS/kernel-related operations, like modifying I/O privileges or profiling.

It is important to control the system calls a container can make. By default, Docker applies a “Seccomp” profile which whitelists a small subset of system calls and blocks the rest. However, you can take it a step further and create a tighter list for your application.

Ensure that the container runs with the least privilege possible. Aside from Seccomp, you can isolate containers (limit what the container can see or do) by running them in the context of an unprivileged user. DON’T USE THE ROOT USER unless there is a clear case for it. Remember: the root user in a container is the root user outside.
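As an added example (my own, not code from the original post or from Docker), here is a small Python script that takes a deny-by-default seccomp profile in Docker’s profile format, removes syscalls the app never needs, and builds the docker run flags that apply the tightened profile together with an unprivileged user. The sample profile is constructed and tiny; Docker’s real default profile is far larger, and the dropped syscalls are a hypothetical choice.

```python
"""Tighten a Docker seccomp profile and run the container as non-root.
Added example; not from the original post or from Docker. The sample
profile is constructed in Docker's profile format (defaultAction,
architectures, syscalls[].names/action); the dropped set is hypothetical."""
import json

# Constructed sample; deny-by-default with three allow rules.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["socket", "connect", "bind", "listen", "accept4"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace", "personality", "setns"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})

def allowed_syscalls(profile: dict) -> set:
    """Every syscall the profile explicitly allows."""
    return {name for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" for name in rule["names"]}

def tighten(profile_json: str, drop: set) -> dict:
    """Remove `drop` from every allow rule so the deny-by-default action
    covers them; rules left with no names are deleted. A profile whose
    default action is not ERRNO is rejected: removing names from an
    allow list changes nothing when everything else is allowed anyway."""
    profile = json.loads(profile_json)
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        raise ValueError("profile is not deny-by-default")
    kept = []
    for rule in profile["syscalls"]:
        names = [n for n in rule["names"] if n not in drop]
        if names:
            kept.append({**rule, "names": names})
    profile["syscalls"] = kept
    return profile

def docker_run_args(profile_path: str, uid: int = 1000) -> list:
    """docker run flags for the section's two controls: the custom seccomp
    profile and an unprivileged user, plus no-new-privileges so the
    process cannot regain privileges through setuid binaries."""
    return ["docker", "run", "--rm", "--user", f"{uid}:{uid}",
            "--security-opt", f"seccomp={profile_path}",
            "--security-opt", "no-new-privileges"]

if __name__ == "__main__":
    tight = tighten(SAMPLE_PROFILE, {"ptrace", "personality", "setns"})
    print(json.dumps(tight, indent=2))
    print(" ".join(docker_run_args("tight.json")))
```

Save the printed JSON as the profile file and append your image name to the printed command; the container then fails any dropped syscall with an errno instead of executing it.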

3: Run vulnerability scans

Containers are created hierarchically. Your container uses a base image, which may itself inherit from another, and so on. This establishes a system largely built on vendor or third-party components. With this model, you inherit the good, the bad and the ugly.

If your base image has a security vulnerability, guess what!! It has become your application’s security vulnerability. This serious problem has led to the rise of vulnerability scanning tools like Twistlock, Anchore, Clair, etc. There are a lot of options out there, open source and proprietary. In fact, Docker Enterprise also provides scan features when you push your Docker image to the registry. Personally, I am using Twistlock and it works like a charm.

To put it simply, the main purpose of a vulnerability scanning tool is to perform a static analysis of the image’s dependency tree and identify potential security issues by comparing it against a database of known vulnerabilities.

The scan results may look like this:

Recently, I used these tools extensively on the service I am working on. I will share my insights from a comparative analysis of the JRuby image on OpenJDK, AWS Corretto, AdoptOpenJDK and Azul Zulu. Let’s keep that topic for another blog 🙂

Pro tip: Integrate Security Vulnerability scan in your CI/CD pipeline and make it a blocker for your deployment.
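To show what “make it a blocker” looks like in practice, here is an added example (mine, not the post’s and not any scanner’s real output format): a small Python gate that reads a list of findings and returns a non-zero exit status when anything at or above a chosen severity is present. The scanners named above each have their own output format, so the input here is a constructed, simplified JSON list and the CVE ids are placeholders.

```python
"""CI gate for container vulnerability scan results. Added example, not
the post's code and not any scanner's real output format: the input is a
constructed, simplified JSON list of findings with placeholder CVE ids."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan output (placeholder ids, not real CVEs).
SAMPLE_SCAN = json.dumps([
    {"package": "openssl", "cve": "CVE-XXXX-0001", "severity": "critical",
     "fixed_in": "1.1.1k"},
    {"package": "libxml2", "cve": "CVE-XXXX-0002", "severity": "medium",
     "fixed_in": None},
    {"package": "zlib", "cve": "CVE-XXXX-0003", "severity": "high",
     "fixed_in": "1.2.12"},
])

def _rank(finding: dict) -> int:
    # Unknown or missing severity fails closed: treat it as the worst case.
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 99)

def blocking_findings(scan_json: str, threshold: str = "high",
                      ignore_unfixed: bool = False) -> list:
    """Findings at or above `threshold`, worst first. ignore_unfixed=True
    skips findings with no fixed version; that is a risk acceptance, so
    record it somewhere if you use it."""
    limit = SEVERITY_RANK[threshold.lower()]
    out = [f for f in json.loads(scan_json)
           if _rank(f) >= limit
           and not (ignore_unfixed and f.get("fixed_in") is None)]
    return sorted(out, key=_rank, reverse=True)

def gate(scan_json: str, threshold: str = "high") -> int:
    """Exit status for the pipeline step: 0 passes, 1 blocks deployment."""
    bad = blocking_findings(scan_json, threshold)
    for f in bad:
        print(f"BLOCK {str(f.get('severity')).upper():9} {f['package']} "
              f"{f['cve']} (fix: {f.get('fixed_in') or 'none yet'})")
    return 1 if bad else 0

if __name__ == "__main__":
    # Usage: python gate.py [results.json] [threshold]; no file = sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "high"))
```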

4: Apply security best practices

I got to have this one on my list. It is always handy to have a tool for course correction, especially for a lazy lousy developer like me.

Lads! please welcome “Docker Bench Security“. Shout out to Thomas & Diogo for this Swiss army knife of a tool for docker developers.

When you run this tool against your container or image, it executes a script that checks common best practices (like the stuff we discussed in point #2) and gives you a quick summary and report. Running this tool while developing apps will ensure that all bases are covered.

# clone the repo and run it like this (docker-bench-security lives at github.com/docker/docker-bench-security).
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sh docker-bench-security.sh -i <Container or Image Name>

One area of improvement for this script: I would love to have something like it as part of my continuous development process, or as a plugin for my IDE. I would like to know your thoughts. If I get 10 or more yeas, I will work on it.
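In the spirit of that wish, here is an added example of a check that can run in the dev loop before any container exists (mine, not Docker Bench, which inspects a running host and its containers and images, and not the post’s code). It reads a Dockerfile and flags the things discussed above: the final stage running as root (point #2), an unpinned base image (points #1 and #3) and a missing HEALTHCHECK. The sample Dockerfile is constructed.

```python
"""Dockerfile pre-commit check. Added example; not Docker Bench and not
the post's own code. Flags a final stage running as root, an unpinned
base image and a missing HEALTHCHECK. The sample Dockerfile is constructed."""
import re

SAMPLE_DOCKERFILE = """\
FROM node:latest AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM nginx:1.25-alpine
COPY --from=build /app/dist /usr/share/nginx/html
USER root
EXPOSE 8080
"""

def parse_instructions(text: str) -> list:
    """(INSTRUCTION, argument) pairs; joins backslash continuations and
    skips comments and blank lines."""
    out = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            head, _, rest = line.partition(" ")
            out.append((head.upper(), rest.strip()))
    return out

def check_dockerfile(text: str) -> list:
    """Human-readable findings; an empty list means clean."""
    findings, stages = [], []           # one instruction list per FROM
    for ins, arg in parse_instructions(text):
        if ins == "FROM":
            stages.append([])
            # drop flags such as --platform and the "AS name" suffix
            image = [p for p in arg.split() if not p.startswith("--")][0]
            pinned = "@" in image or image == "scratch" or (
                ":" in image and not image.endswith(":latest"))
            if not pinned:
                findings.append(f"base image not pinned: {image}")
        if stages:
            stages[-1].append((ins, arg))
    if not stages:
        return ["no FROM instruction"]
    final = stages[-1]                  # USER resets at each FROM
    users = [arg for ins, arg in final if ins == "USER"]
    user = users[-1].split(":")[0] if users else "root"
    if user in ("root", "0"):
        findings.append("final stage runs as root: add a USER instruction")
    if not any(ins == "HEALTHCHECK" for ins, _ in final):
        findings.append("no HEALTHCHECK instruction")
    return findings
```

Wire `check_dockerfile(open("Dockerfile").read())` into a pre-commit hook or CI step and fail the step when the list is non-empty.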

5: Use signed images

This may sound obvious and common knowledge but more often than not, it slips through the cracks. You can blame the triviality of the task but it can be consequential.

As a general rule of thumb, you should know the owner of the docker image you are using (as a base or an element of a composite). This is where “signed images” come into the picture. It revolves around the idea of using Digital Signature to ensure integrity.

The author should sign the images and the consumer should use only signed ones. Let’s break this down a bit.

Author Checklist

One of my signed images #self marketing

– Generate “root key” using docker trust. See the link below for more details

– Use the root key to create a repository/tag pair using the docker trust signer. The public key is shared through the Docker Notary service.

– Use the private key to sign the tag.

– There is no need to sign all the tags. However, you should sign the ones your consumers will use, for example the latest or LTS tag.

– Make this part of your build process to avoid manual work.

– Think about whether it makes sense for you to make it an official Docker image. It is not straightforward; you need to comply with a list of requirements that may affect your timelines.

More details here.

Consumer Checklist

– Use official or user-signed images.

– Enforce this check on the docker daemon to avoid non-compliance.

Application security is a vast and evolving field. I am not an expert in it by any means. The main purpose of this blog is to share my experience and things I learned by reviewing articles, documentation and going through many iterations of trial and error.

I hope it helps in your journey! Let me know your feedback.

Stay Safe! Stay Hopeful!

My Experience @ VoxxedDays 2019

VoxxedDays only started organising conferences and tech community events in Singapore recently. However, they are establishing themselves as one of the legit places for developers, entrepreneurs and techies.

My relationship with VoxxedDays goes back to 2017, when they did their first conference in Singapore and I was lucky to participate in it.

This year’s conf lived up to its reputation.

Fan moment #1 “With Compiler Wizard Chris Thalinger”
Fan moment #2 “Jenkins Creator Kohsuke Kawaguchi”

Key takeaways were the sessions related to Graal (which includes mine as well), Kafka and Kubernetes. Since it’s my blog, I will share my session link 🙂

I also like to give a special mention to the day 1 closing note from Tim Berglund.

Checkpoint 2019

It’s that time of the year when we look at the passage of day and night with more excitement.

It’s not just another day end…

it’s not just another month end…

IT’S the end of the whole freak’in YEAR

and I don’t see any reason not to celebrate it… we made it through.

Just like with everything these days, new year’s eve attracts its share of negativity from people who argue about the rationale of celebrating the new year.

I hear your point! I do!

Now, tell me: if the new year’s celebration is not worth celebrating, then what else is?

Human celebrations (almost all of them) are associated with the start OR end of something … Independence Day, the coming of spring, the harvest, birthdays and so on!

So, on this special occasion try not to be a drag and have some fun!

Happy Holidays, Merry Christmas and Happy New Year to everyone!

What’s up with all the silence, OZ

Wasn’t blogging for a while and let me tell you why!

Let me be the first to admit that I had been awfully quiet on my blog for a few months. All the silence of the blog is not telling the whole story of my past months. Looking back, they had been hectic. Let’s break it down a bit!

Hello Fatherhood

Became the father of a baby gal (wooohoooo)… I was shit scared, but holding your child is the best feeling in the whole world… words can’t explain it and words are not enough.


I wanna be a youtube star 😀

Started youtube series about serverless computing model. Episode 1 already up!!

OZvsServerless EP1

FOSSASIA 2018

Attended + Presented at FOSSASIA 2018. It was fun reconnecting with old friends and visitors from all over the world.


See the full video here: The myths and realities of serverless architecture – Owais Zahid – FOSSASIA 2018

Hello Toronto

Took a 23-hour flight to Toronto and attended Scrum Gathering. It was an amazing experience visiting this lovely city and meeting the most polite ppl on the planet :D. More on this later.


Few Other things!!

Apart from the big apples! Participated in Google Code Jam and a hackathon, learned how to change diapers :D, and had an argument with a Lufthansa flight (see Twitter for the whole story :p).

There you have it! A quick summary of what happened. Now the dust is settled, I will add more blogs and videos (so stay tuned!)

Connecting people in Style … CSS

Why Tech communities are important? Is your organization socially connected?

Quick Question, “Do you know why Open Source / Inner Source projects are more successful and evolve at a higher rate?”

Well! there are many reasons for it, but none more important or crucial as “Community”.

The community is the set of people which have common understanding, aspirations, and concerns. From social work to social awareness, communities have been integral to the development, improvement, and sustenance of human societies.

Using the same definition, we can infer, by virtue of “what’s true in the real world is true in the virtual world”, that communities, or to be specific tech communities, are integral to the development, improvement, and sustenance of projects. The main reason we use a particular tool or technology has a lot to do with the number of people backing it. We frequently come across statements which mention the “number of stars” or “forks” on GitHub, the amount of documentation, the tutorials available, etc. All these factors are crucial to the success of a project.

Long story short, “Tech communities are important”

More so, there is a social aspect to communities. When people are part of a group, they start to build relationships and bonds. This process not only strengthens the fabric of the unit but also accelerates learning and the exchange of ideas. Bringing the people of a community together always results in innovation, creativity … spark.

Continuing the tradition of social connectivity, on 29th Nov Autodesk Singapore hosted the Singapore CSS meetup group. The idea is to bring web experts and enthusiasts onto a single platform and let the two-way communication kick in. From financial institutes to design studios, from college students to tech companies, we got a crowd of over 40 people from all walks of life.

We also got an opportunity to showcase some of the awesome stuff we are doing at Autodesk. We propagate the message that Autodesk is one of the great places to work for and we value innovation and creativity. All in all, I had a great time meeting new and old friends and learning new things.

To know more about the event, see the official page. Following are some of the pictures from the event 🙂

Everyday Randomness: Guinea pig wheel

Are you going places when you move?

Chapter 2: “Guinea Pig Wheel”

Where are we going?
Nowhere it seems!
We are running in circles
Coming back to where we started
Over and over again

Are you walking when you walk? Are you running when you run?

The answer is: It depends.

It depends on your perspective. If we relate walking or any form of movement with “going places” then definitely NOT! … So… what are we doing on the treadmill?

How many of us are guinea pigging ourselves every day! This question comes to my mind when I went to my friend’s place and looked at his pet guinea pig (Sammy) Ferris wheeling the hell out of himself. Looking from outside, this whole process looks darn stupid and depressing. It brings me back to my original point of repetition in life (see my earlier blog for details).

Anyways, back to Sammy. The poor guy doesn’t have much choice, does he? But what about us? Why are we doing the same thing over and over again without going places? That visit made me think. A few days later, when I started running on my treadmill, it just wasn’t the same. I didn’t feel like doing it. So I stopped the treadmill and gave the outdoors a try.

I saw people, young and old. Trees dancing to the tune of the breeze. Birds having their last rendezvous before nightfall. I had a really good time. I was moving and at the same time going places. It is neither a rebellious deed nor a novel idea, but it did give me a glimpse of the possibilities that await us. All it takes is a little thought and effort to do things differently.

Wrap up

There you have it. This was the story of one of the many Ferris wheels of my life. Do you have any Ferris wheels of your own? How are you coping with them? And most importantly, what are you doing to break them?

~Owais Zahid