Page 1

Software & Systems Development Governance : An approach to improving Software Assurance

Sridhar Iyengar, IBM Distinguished Engineer, [email protected]

OMG Software Assurance Day : February 15, 2006 : Tampa, Florida

IBM Software Group, © 2004 IBM Corporation


Page 2

Topics Covered

♣ Introduction to Governance – Why do we care

♣ What does Software Assurance have to do with Governance

♣ Model driven tools integration across the life cycle – Enabling traceability and management of artifacts

♣ Model Driven Security – An example

Page 3

If only we could link Business, Development & Operations

Page 4

[Figure: "Actual Application Architecture", prepared by Michelle Mills – a diagram of a large number of interconnected legacy applications and interfaces (mainframe, PC/NT and Unix apps, 3rd-party interfaces, EDI, data warehouse; interfaces to and from the data warehouse are not displayed)]

Complexity is Forcing Change

Page 5

Initiatives Underway at IBM

♣ Outside In Design (OID) – Scenario Driven

♣ Componentization – exploit open source or binary components as needed; drive componentization and SOA standards

♣ End-end life cycle integration

♣ Move to SOA across and within products

♣ Model Driven Development, Deployment, Security, Management…

♣ Standards (UML, SysML, UML Testing Profile, MOF, XMI, RAS, SAML, XACML, WS_Security…)

♣ Patterns, Transformations and Recipes
  – Modeling Tools : Abstract modeling level
  – Development Tools : Code & Artifact level

Page 6

The world of many of our customers

Project Manager (Bangalore), Provisioning (Boulder), Testing (Toronto), Developer (Warsaw), Executive (Somers), Customer (Topeka)

Governing a geographically distributed, service-oriented, open computing environment while ensuring regulatory compliance

Page 7

TRADITIONAL → CURRENT REALITY

Co-located teams → Geographically distributed
Technology first → Compliance
Vendor lock-in → Open computing
Application silos → Modular systems (SOA)
Project driven → Value driven

Right-sourcing · Standards · Solution delivery

Transforming software and systems development

Business Driven Development – Enabling organizations to govern the business process of software and systems development

Page 8

Governance is the exercise of authority, responsibility and the communication of information

Governance defined

♣ Establishing chain of authority, accountability and responsibility

♣ Measurements and controls to enable people to carry out their authority and responsibility

Page 9

Governance consists of

Establishing chains of responsibility, authority and communication to empower people

Executing measurement and control mechanisms to enable people to carry out their roles and responsibilities

Manage value
• Align business and software
• At organizational and project levels
  - Balance risk and return
  - Provide clarity and accountability

Develop flexibly
• Leverage resources anywhere
• Enable agile sourcing choices
• Use iterative processes to reduce risk

Control risk and change
• Continuously measure to reduce risk
• Enable lifecycle change management
• Meet internal and external compliance needs

Governance : Governing Development, Deployment & Management

Page 10

Innovation Insurance Team

Business Analyst – Models business processes
Deployment Manager – Deploys the solutions
IT Operations – Maintains the Data Center
CSR – Handles customer incident reports
Insurance Adjuster – Handles claims that can be settled by phone or email
Field Adjuster – Handles requests that require on-site inspection
VP of Claims – Reduces cost for claims processing
VP of Development – Reviews forecast vs actual and competitive products. Formulates actions to address
CEO – Establishes strategic goals and ensures company profitability
Integration Developer – Assembles and implements solutions
CIO – Responsible for Technology Infrastructure
Risk Analyst – Analyze, define, and manage policies
CFO – Responsible for accounting and financial
Project Manager – Manages new development projects
Portfolio Manager – Ensures development projects are aligned with business strategy

Page 11

Governance across life cycle : Project Flow

[Figure: project flow diagram with the following labels.
IMPLEMENTATION FLOW (START to END): Analyze policy change; Identify requirements; Identify remediation plan (w/LOB); Prioritize projects; Estimate project costs; Initiate Project Request; Decompose projects into tasks; Generate Audit Package.
PROJECT APPROVAL FLOW (each stage gated by a sign-off): Validate plan & requirements; Approve Project; Develop, Test Service; Deploy, Manage Service; Manage Services (Operations).
Governance lanes: Data, Security, Strategic, Business Governance; Development Governance; SOA (Service) Governance; IT Governance (Securing Services); Feedback.]

Page 12

Governance and processes are the keys to a successful transition to SOA

Governance
♣ Financial transparency
♣ Business/IT alignment
♣ Process control
♣ SOA Governance

Processes
♣ Gather requirements
♣ Model & simulate
♣ Design
♣ Discover
♣ Construct & test
♣ Compose
♣ Integrate people
♣ Integrate processes
♣ Manage and integrate information
♣ Protect information
♣ Manage applications & services
♣ Manage identity & compliance
♣ Monitor business metrics
♣ Secure Apps & Services

Page 13

Transforming to an SOA environment : How do we integrate Custom & COTS software

Service Justification – 1.0 Identify Services
  Decompose business process and identify services required

Service Ownership & Funding – 2.0 Identify Service Owners; 3.0 Fund Services
  Establish funding, project plans and resources

Service Modeling – 4.0 Specify Services; 5.0 Realize Services
  Codify business process and enforce standards

Service Lifecycle Management – 6.0 Develop & Test Services; 7.0 Deploy Services; 8.0 Manage Services; 9.0 Maintain Services
  Develop iteratively, test to improve predictability, manage change to ensure traceability and auditability

Service Operations Management – 10.0 Manage Services Performance; 11.0 Manage Service Level
  Monitor composite application performance and adjust

Continuous Process Measurement and Management – Measure progress, manage change and adjust

Page 14

Model Driven Development & Deployment

[Figure: Design/Build → Run/Manage pipeline. Business Modeling (BPD, UML) → IT Modeling (UML, SQL, XSD) → J2EE/Web Services Development, Wrapping, Orchestration (J2EE) → Deployment (J2EE App Svr, Web Services) → Management (Component Mgmt, App Mgmt). Technologies and transformations shown: WSDL, SCA, XML, SPEM, BPEL, SQL, J2EE, EMF, UML2BPEL, Java, CIM, UML2BPM, BizRules, C++, UML2J2EE, DCM, SAM. Traceability links and transformations (profiles, metamodels, Code Gen Templates), specific metadata models; serve up models, components, processes on demand.]

Page 15

Application Life Cycle Integration Platform : A call to action to the Eclipse Community

[Figure: layered platform, top to bottom]
End to End Application Lifecycle Tooling (Eclipse.org member value add tools)
Language Tooling (J2EE, Web Services, Deployment) · Data Tools (RDBMS, XML…) · Domain Specific Tools/Apps… · MDD Tools (Object, Data Modeling, Code generators…)
Code/Artifact Repositories, Management Tools (Eclipse.org member value add tools)
Eclipse Tools Integration platform (Models, APIs, XML formats…)
Eclipse Core : GEF, JDT/CDT, Testing (TPTP), EMF, RCP, etc., MDD/MDA (UML2, U2TP…), J2EE (EJB, JSP…), Web Tools (WTP…), SAM*

Page 16

Model Driven Security – Life Cycle

Page 17

Security Roles in an Organization

Business Strategy and decision making : Chief Security Officer, Security Policy Officer, Security Architect, Security Auditor

Development : Business analyst, Application programmer, Identity/Security developer

Operations and Administration : Security Administrator, System/Application Administrator, Operator

Page 18

Security Definitions at the Business Process Level

Page 19

Security Constraints captured in UML

Figure 5 Applying constraints to UML sequence diagram

Page 20

Sample XACML generated from Annotated Model

Page 21

Software Assurance : Some Relevant OMG Standards

♣ UML 2.0 : Architecture, Design & Requirements Capture

♣ UML Testing Profile : Test automation

♣ KDM : Metadata about existing systems

♣ MOF & XMI : Metadata Infrastructure

♣ SysML : System design, Requirements

Page 22

Governance consists of

Establishing chains of responsibility, authority and communication to empower people

Executing measurement and control mechanisms to enable people to carry out their roles and responsibilities

Manage value
• Align business and software
• At organizational and project levels
  - Balance risk and return
  - Provide clarity and accountability

Develop flexibly
• Leverage resources anywhere
• Enable agile sourcing choices
• Use iterative processes to reduce risk

Control risk and change
• Continuously measure to reduce risk
• Enable lifecycle change management
• Meet internal and external compliance needs

Governance : Governing Development, Deployment & Management