Software Craftmanship Clean Code

Software Craftmanship Clean Code

4

Development of IT Spend Over Time By Activity

Development of IT Spend Over Time By Activity

5

6

Andrew Hunt, David Thomas The Pragmatic Programmer: From Journeyman to Master

Clean Code

Clean Code Collection The Robert C. Martin Clean Code Collection consists of  two bestselling eBooks: • Clean Code: A Handbook of Agile Software  Craftmanship • The Clean Coder: A Code of Conduct for Professional  Programmers

Clean Code Collection • How to unit test and practice test‐driven development • What it means to behave as a true software craftsman • How to deal with conflict, tight schedules, and unreasonable  managers • How to get into the flow of coding and get past writer’s block • How to handle unrelenting pressure and avoid burnout • How to combine enduring attitudes with new development  paradigms • How to manage your time and avoid blind alleys, marshes,  bogs, and swamps • How to foster environments where programmers and teams  can thrive • When to say “No”‐‐and how to say it • When to say “Yes”‐‐and what yes really means

Clean Code Collection • Readers of this collection will come away  understanding • How to tell the difference between good and bad code • How to write good code and how to transform bad  code into good code • How to create good names, good functions, good  objects, and good classes • How to format code for maximum readability • How to implement complete error handling without  obscuring code logic

Architecture Craftmanship

Agile Arcitecture

Clean Code Summary

Clean Code Summary Secure Application Development – Short Introduction

The American Boy Scout Rule Leave the campground cleaner than you found it.

What’s Wrong With This Picture?

What level of security is provided here? You couldn’t get through the gate because it  was completely locked. It was properly installed and configured. I could not get  through it. But.... 

What’s Wrong With This Picture?

What level of security is provided here? You couldn’t get through the gate because it  was completely locked. It was properly installed and configured. I could not get  through it. But.... 

UNCLASSIFIED

Secure Enough?

Appearances of security can be deceiving, have hidden effects

DDoS for Hire

UNCLASSIFIED

Defense‐in‐Depth 

But at what level ‐ which methods, capabilities  MUST we have?

Future Threats Involve FUTURE  Flash

1999 (Epidemics) Infected systems

1995 (Globalization)

1994 (Virus=local problem)

Seconds

The Globalization of Cyber Warfare

Minutes

Days

Weeks

Months

Information Security vs. Cyber Security

• Private and state interests sometimes  indistinguishable • Citizens of country X might fight for country Y • Anyone, anywhere, can volunteer at any time • Corporations are active participants both as targets  and possibly as combatants

Peacetime Medical Assistance vs.  Wartime Medical Assistance

FUTURE  Flash

SURVIVAL 1999 (Epidemics) Infected systems

1995 (Globalization)

1994 (Virus=local problem)

Seconds

Biological Defence as a Model

• Artificial Immune  Systems (Forrest et al) • Biological defence  examples – External (teeth, claws  etc) – Internal (lymphatic  network & immune  system) – Social networks in  animal groups  (Soldier Ants, herding,  swarms..)

Minutes

Days

Weeks

Months

Security as an Attribute “Security just another of software like  usability, performance, reliability,  scalability. The idea of incorporating security into the SDLC begins with evaluating the relative  importance of this attribute and then  going on to incorporating controls in line  with that.”

Process: Application Development Life Cycle Business Arch & Planning

Requirements

Application  Categorization

Security  Requirements

Analysis, Design & Implementation

Access  Control

Input  Validation

Security  Architecture  Review

Design &  Code Review

Unit &  Integration  Test

Test

Process: Application Development Life Cycle

Elevation

Build Controls

Requirements

Application  Categorization

Security  Requirements

System Test

Categorize Define Requirements

Business Arch & Planning

Analysis, Design & Implementation

Access  Control

Input  Validation

Security  Architecture  Review

Design &  Code Review

Test

Unit &  Integration  Test

Elevation

System Test

Categorize

Vulnerability  Test

Governance  Review

Define Requirements Build Controls

Verify Controls

Vulnerability  Test

Governance  Review

Verify Controls

Governance  Review

Risk Management

Pre‐Elev Risk  Review

Governance  Review

Risk Management

Track Security Metrics

Track Security Metrics

Track and Manage Defects and Risks

Track and Manage Defects and Risks

Pre‐Elev Risk  Review

61

62

The Agile Practitioner’s Dilemma  Agile Forces:  More responsive to business concerns

Secure Forces:  More aggressive regulatory environment

 Increasing the frequency of stable releases

 Increasing focus on need for security

 Decreasing the time it takes to deploy new features

 Traditional approaches are top-down, document centric 64

The Agile Practitioner’s Dilemma  Agile Forces:  More responsive to business concerns

Problems with Scrum

Secure Forces:  More aggressive regulatory environment

 Increasing the frequency of stable releases

 Increasing focus on need for security

 Decreasing the time it takes to deploy new features

 Traditional approaches are top-down, document centric 65

Summary

Outrunning the Bear It’s a fact that Grizzlies run a lot faster than  humans So you won’t be able to outrun it  But, you will always be safe As long as you can outrun somebody else!

Security Assurance – The Message In security matters Past is no guarantee Present is imperfect and Future is uncertain

Enterprise Software Engineering: from Crafting Software to Software Craftmanship

Summary of Summaries

You need the New CLASSICS, the CLASSICS of AGILE CRAFTMANSHIP ERA

Why not a TTU Coding Dojo? Secure Coding Dojo?