Auditing in an Agile Environment
Auditing in an Agile Environment
Andres Camacho, August 2012
Agenda
• Intro to Agile Software Development
• Highlight practices
• Things to look for in an audit
• Questions
Manilla
Secure, one-stop “Digital Life Management Dashboard” that gives consumers simple, instant, direct
access to all of their expenses and online accounts
Waterfall
What happens when things change?
Agile Software Development
• Iterative
• Working software over comprehensive documentation
• Collaboration over contract negotiation
• Responding to change
• Early visibility
How does Agile reconcile with IT audits and secure software development?
Agile Software Development
• User stories
• Velocity
• Whole team
• Test driven development
• Estimation session
• Sustainable pace
• Backlog
• Daily standups
• Early visibility
• Automated tests
• Simple designs
• Fast iterations
• Planning game
• Continuous integration
• Refactoring
• Pair programming
• Collaboration over contract negotiation
User Story
• Unit of work
• Small, stands on its own two feet
• Estimable
• Placeholder for a conversation
As a … I can … so that …
Story Workflow
Backlog
• User stories that are ready to be implemented
• Developers work next story in queue
• No P’s
• We use Pivotal Tracker
Pivotal Tracker
Git
• Standard source code control software for Ruby community
• Github, social coding
• Rigorous commit workflow
Is GitHub secure?
Commit Workflow
feature branch
• All work done using feature branches
• Format:
feature-3274744-Add_custom_reminders
Iteration
• Stories and bugs that are released to production
• Stories labeled (tagged) by release date
[Iteration diagram: two-week timeline (W TH F M T W TH F); staging branch merged at end of iteration; release branch cut, bug fixes applied, then tag and release to production; branches shown: feature branch, Master, Staging, Production]
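For an auditor, the value of the branch format above is traceability: every feature branch carries the Pivotal Tracker story id, so a change merged to master can be tied back to a story and its conversation. The following POSIX shell helper is an added example, not part of the talk or of Manilla's tooling; it checks branch names against the format "feature-<story id>-<description>" and counts merged branches that lack a traceable id. The branch list is constructed sample data.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the talk): verify that feature
# branch names follow "feature-<story id>-<Description>" so each change
# traces back to a tracker story.

# Returns 0 when the branch name matches the format, 1 otherwise.
check_branch_name() {
  printf '%s\n' "$1" | grep -Eq '^feature-[0-9]+-[A-Za-z0-9_]+$'
}

# Prints the story id embedded in a well-formed branch name (empty if none).
story_id() {
  printf '%s\n' "$1" | sed -nE 's/^feature-([0-9]+)-.*$/\1/p'
}

# Constructed sample in the shape of "git branch --merged master" output;
# the ids other than 3274744 are made up for illustration.
SAMPLE_BRANCHES='feature-3274744-Add_custom_reminders
feature-3274801-Fix_login_redirect
hotfix-typo
feature-abc-Missing_id'

# Counts branches in the given newline-separated list that cannot be traced
# to a story id; a non-zero result is an audit finding to follow up on.
count_untraceable() {
  n=0
  for b in $1; do
    if check_branch_name "$b"; then
      echo "ok    $b (story $(story_id "$b"))"
    else
      echo "FLAG  $b (no story id)"
      n=$((n + 1))
    fi
  done >&2
  echo "$n"
}

# Stand-alone run: report on the sample list.
count_untraceable "$SAMPLE_BRANCHES" >/dev/null
```

In a real review the list would come from `git branch -r --merged master` in the repository under audit; the point is that the naming convention turns an informal practice into something an auditor can test mechanically.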
Whole Team
• Hire generalists
• Everyone gets to work on everything
• Automatic cross training
• Small teams
• Product/QA are part of the team
Pair Programming
• 2 developers 1 story
• Built in code review
• Built in cross training
• Collaboration
Collaboration
Pull Request
• Request by a contributor to pull code changes into a codebase
• Used extensively by open source projects
• Adopted as a code review tool
Automated Tests
• “pay me now or pay me more later”
• Critical, especially with dynamic languages (Ruby, Python)
• Unit tests, acceptance tests
• Test Driven Development
• At Manilla 3 lines of test code for every 1 line of code
Continuous Integration
• Check in early and often
• Automated builds and deployments
• Keep the build fast
• Everyone can see the results
Early Visibility
Documentation
Where is the documentation?
Resources
• Manilla – http://www.manilla.com
• Pivotal Tracker – http://www.pivotaltracker.com
• Github – http://www.github.com
• Relish - https://www.relishapp.com/
My Background
• Degree in Finance, many courses in Accounting
• Auditor for Price Waterhouse in San Jose, CA
• Computer Science courses at San Francisco State
• Positions at Price Waterhouse, NextCard, QRS, Yaga, Vinfolio, and Manilla