Transcript of: The Safe & Secure Software Factory, by Niroshan Rajadurai (posted 03-Jun-2020)


www.moat.blog © Memoirs of a Technocrat 2018

The Safe & Secure Software Factory

Niroshan Rajadurai

@moatblog

www.moat.blog


“The trouble with programmers is that you can never tell what a programmer is doing until it’s too late.”

Seymour Cray


The Costs of Bug Containment: the growing cost of defects

[Figure: number of code defects found, plotted against software development life cycle phase]


The Costs of Bug Containment: build-up of technical debt

The Costs of Bug Containment: emotional cycle of manual delivery

source: https://www.atlassian.com/continuous-delivery/business-value


The Costs of Bug Containment: root causes of defects

[Figure: defect classes with examples, from FOSS and architecture issues down to syntactic errors]

FOSS: license conflicts, code matches, vulnerabilities

Architecture: ‘src’ calls ‘lib’, but ‘lib’ shouldn’t use ‘src’; class interfaces, function call chains, recursion

Security: data leakage, SQL injections, remote code execution

Threads / Deadlocks: deadlocks, priority inversion, schedulability

Intraprocedural / Crash Causing: pointer dereference ptr->q; where ptr = NULL

Data Flow / Control Flow: uninitialised variables, unsanitised data usage

Semantic: if (a = b) { if (a != b) {} } is syntactically OK, but the meaning is not correct (the condition assigns b to a, so the inner block can never execute)

Syntactic: detected by compilers, simple analysis, code walkthroughs, etc.


Toyota Production System (TPS): quality control principles

Quality control process following four principles:

1. Detect the abnormality

2. Stop

3. Fix or correct the immediate condition

4. Investigate the root cause and install a countermeasure


Toyota Production System (TPS): andon (the signal that stops the line when an abnormality is detected)


“A computer lets you make more mistakes faster than any invention in human history, with the possible exception of tequila.”

author unknown


Software Factory Approach: deliver incrementally

“Walking on water and developing software from a specification are easy if both are frozen.”

Edward V. Berard

[Figure: two risk-over-time charts; a single long release cycle versus short release cycles with an MVP and continuous feedback]


TPS Applied to Software: autonomation

Autonomation (jidoka: the process stops itself when it detects an abnormality) through automated software quality gates at each stage T(x):

Isolate: target each developer commit – T(0) – ‘Time Zero’

Verify: quality metrics, common root cause issues, deliverables

Merge

Stages: T(0): dev desk; T(1): feature branches; T(2): dev branch; T(3): release branch

Automated Andon


Software Quality Gates: automated andon

Flow for each developer: Implement Feature -> Commit Changes to Repository -> Software Quality Gate -> Merge

At every stage the gate sits between a T(x) branch and the T(x+1) branch it merges into; other developers’ T(x) branches merge into T(x+1) (the mainline) through the same gate.
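As an added example (not code from the presentation or from any tool it names), the Python module below sketches a T(0) gate that runs a set of checks over the files of one developer commit and stops the line when a blocking finding appears. The checks are small pattern matchers standing in for the real tools (a compiler with warnings as errors, a MISRA/CERT checker, a licence scanner) and mirror defect classes from the root-causes slide: assignment inside an if condition, a query built by string concatenation, bounds-unchecked C string functions, and a missing SPDX licence tag. The stage thresholds, rule names and the sample commit are assumptions made for the example.

```python
"""T(0) quality gate: an 'automated andon' over one developer commit.

Added example, not code from the presentation or from any product it names.
The checks are small pattern matchers that stand in for real tools
(compiler with -Wall -Werror, a MISRA/CERT checker, a licence scanner);
stage thresholds, rule names and the sample commit are assumptions.
"""
import re
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3}
# Assumed policy: the later the stage, the stricter the gate, because a defect
# that escapes T(0) costs more to contain at T(1)..T(3).
STAGE_THRESHOLD = {0: "high", 1: "medium", 2: "medium", 3: "low"}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    message: str


@dataclass
class GateResult:
    stage: int
    findings: list = field(default_factory=list)

    @property
    def blocking(self):
        limit = SEVERITY[STAGE_THRESHOLD[self.stage]]
        return [f for f in self.findings if SEVERITY[f.severity] >= limit]

    @property
    def passed(self):
        return not self.blocking  # andon: any blocking finding stops the line


_IF_COND = re.compile(r"\bif\s*\(([^()]*)\)")
_LONE_ASSIGN = re.compile(r"(?<![=!<>])=(?!=)")  # '=' that is not ==, !=, <=, >=
_STRING_LIT = re.compile(r"\"[^\"\n]*\"|'[^'\n]*'")
_DB_CALL = re.compile(r"\b(?:execute|query)\s*\((.*)\)")
_BANNED = re.compile(r"\b(gets|strcpy|strcat|sprintf)\s*\(")


def check_assignment_in_condition(path, lines):
    # Semantic defect from the slide: 'if (a = b)' compiles but compares nothing.
    # A double-parenthesised '((p = f()) != NULL)' is skipped, as with -Wparentheses.
    for n, line in enumerate(lines, 1):
        m = _IF_COND.search(line)
        if m and _LONE_ASSIGN.search(m.group(1)):
            yield Finding(path, n, "semantic/assign-in-if", "high",
                          "assignment inside if condition; '==' intended?")


def check_sql_concat(path, lines):
    # Security defect from the slide: unsanitised data spliced into a query.
    for n, line in enumerate(lines, 1):
        m = _DB_CALL.search(line)
        if not m:
            continue
        arg = _STRING_LIT.sub('""', m.group(1))  # blank out literal contents first
        if ("+" in arg or ".format(" in arg
                or re.search(r'\bf""', arg) or re.search(r'""\s*%', arg)):
            yield Finding(path, n, "security/sql-injection", "high",
                          "query built by concatenation/formatting; use bound parameters")


def check_banned_c_functions(path, lines):
    # CERT STR31-C / CWE-120: copies with no destination bound.
    for n, line in enumerate(lines, 1):
        m = _BANNED.search(line)
        if m:
            yield Finding(path, n, "security/banned-function", "medium",
                          f"{m.group(1)}() performs no bounds check (CWE-120)")


def check_license_header(path, lines):
    # FOSS defect class: every file must declare its licence (SPDX tag near the top).
    if "SPDX-License-Identifier:" not in "\n".join(lines[:5]):
        yield Finding(path, 1, "foss/missing-spdx", "medium",
                      "no SPDX-License-Identifier header")


CHECKS = [check_assignment_in_condition, check_sql_concat,
          check_banned_c_functions, check_license_header]


def run_gate(files, stage=0):
    """files: {path: source text} for one commit. Returns a GateResult."""
    result = GateResult(stage)
    for path, text in files.items():
        lines = text.splitlines()
        for check in CHECKS:
            result.findings.extend(check(path, lines))
    result.findings.sort(key=lambda f: (f.path, f.line))
    return result


# Constructed sample commit: one C file with the slide's semantic bug, one
# Python file with a concatenated query (and a parameterised one that passes).
SAMPLE_COMMIT = {
    "auth.c": "// SPDX-License-Identifier: MIT\n"
              "int is_admin(int a, int b) {\n"
              "    if (a = b) {        /* assignment, not comparison */\n"
              "        if (a != b) {}  /* now unreachable */\n"
              "        return 1;\n"
              "    }\n"
              "    return 0;\n"
              "}\n",
    "db.py": "def lookup(conn, name):\n"
             "    return conn.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
             "def lookup_safe(conn, name):\n"
             "    return conn.execute(\"SELECT * FROM users WHERE name = ?\", (name,))\n",
}

if __name__ == "__main__":
    res = run_gate(SAMPLE_COMMIT, stage=0)
    for f in res.findings:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.message}")
    print("gate passed" if res.passed else "ANDON: stop the line and fix before merging")
```

Run as a pre-commit hook, a non-passing result is the andon: the commit is refused at the developer’s desk, where the slide’s cost curve is lowest, while medium findings are reported but only become blocking once the change moves towards the release branch. Real gates should swap the pattern matchers for the compiler and analysers the presentation lists (MISRA, CERT, CWE checkers), keeping the same stop-the-line semantics.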


Software Factory Approach: continuously manage quality

“Software and cathedrals are much the same – first we build them, then we pray.”

Sam Redwine

ISO/IEC 9126 quality characteristics: Functionality, Reliability, Usability, Efficiency, Maintainability, Portability

[Figure: each characteristic mapped to the practices that measure it: Static Code Analysis, Test Automation, SW Architecture]

(ISO/IEC 9126 has since been superseded by ISO/IEC 25010:2011, which keeps these characteristics and adds security and compatibility as characteristics in their own right.)


Software Factory Approach: what about infrastructure and stacks?


Infrastructure as Code: containerise environments

[Figure: the stack, top to bottom]

Application

Application infrastructure (standardised)

Operating system services (standardised)

OS config (standardised)

Operating System

Virtualised hardware, virtualised storage, virtualised network

The hardware

Everything from the application down to the virtualised layers is software and can be managed as such; don’t worry about the hardware below.


Software Factory Approach: full automation through the SDLC

Building. Using “infrastructure as code”, builds are optimised and parallelised through container instances.

Testing. Achieve test automation at unit, integration and system level. Create regression suites to verify software changes.

Static Analysis. Ensure compliance to MISRA, AUTOSAR C++ and quality metrics.

Security. Bake in advanced security checkers, e.g. CERT, CWE, OWASP, at Time Zero (T0).

Architecture. Manage software dependencies to reduce complexity, avoid erosion and optimise the build.

Compliance. Ensure traceability and adherence through all artefacts.


Benefits of Software Factory: case study, medical device manufacturer

Building. Reduction in build times by 65%; broken builds reduced by 75% in the dev branch.

Quality. Detection of architecture defects early reduces technical debt and saves over $100K; 45 crash-causing defects found at T(0), before code was committed to the repository.

Security. Vulnerabilities at T(3) decreased by 40%.


The Software Factory Effect

Niroshan Rajadurai

@moatblog

www.moat.blog

ncr@moat.blog