
Post on 03-Jun-2020


Page 1: The Safe & Secure Software Factory...The Safe & Secure Software Factory Author Niroshan Rajadurai - Automation Intelligence Keywords Vector Congress 2018 veco18 #veco18 Created Date

www.moat.blog© Memoirs of a Technocrat 2018

The Safe & Secure Software Factory

Niroshan Rajadurai

@moatblog

www.moat.blog

Page 2

“The trouble with programmers is that you can never tell what a programmer is doing until it’s too late.”

Seymour Cray

Page 3

The Costs of Bug Containment: the growing cost of defects

[Figure: number of code defects found (y-axis) by software development life cycle phase (x-axis)]

Page 4

The Costs of Bug Containment: build up of technical debt

Page 5

The Costs of Bug Containment: emotional cycle of manual delivery

source: https://www.atlassian.com/continuous-delivery/business-value

Page 6

The Costs of Bug Containment: root causes of defects

FOSS: license conflicts, code matches, vulnerabilities

Architecture: ‘src’ calls ‘lib’; ‘lib’ shouldn’t use ‘src’

Security: data leakage, SQL injections, remote code execution

Threads / Deadlocks: deadlocks, priority inversion, schedulability

Intraprocedural: class interfaces, function call chains, recursion

Crash Causing: pointer dereference ptr->q; where ptr = NULL

Data Flow: uninitialised variables, unsanitised data usage

Control Flow: if (a = b) { if (a != b) {} }

Semantic: if (a = b); syntactically ok, but meaning not correct

Syntactic: detected by compilers, simple analysis, code walkthroughs, etc.

Page 7

Toyota Production System (TPS): quality control principles

Quality control process following four principles:

Detect the abnormality

Stop

Fix or correct the immediate condition

Investigate the root cause and install a countermeasure

Page 8

Toyota Production System (TPS): andon

Page 9

“A computer lets you make more mistakes faster than any invention in human history - with the possible exception of tequila.”

author unknown

Page 10

Software Factory Approach: deliver incrementally

“Walking on water and developing software from a specification are easy if both are frozen.”

Edward V. Berard

[Figure: two plots of Risk (y-axis) against Time (x-axis), labelled Release Cycle and Release Cycles; other labels: MVP, Continuous Feedback]

Page 11

TPS Applied to Software: autonomation

Autonomation through automated software quality gates at each stage T(x)

Isolate: Target each developer commit – T(0) – ‘Time Zero’

Verify: Quality metrics; Common root cause issues; Deliverables

Merge

T(0): dev desk; T(1): feature branches; T(2): dev branch; T(3): release branch

Automated Andon

Page 12

Software Quality Gates: automated andon

[Figure: two flow diagrams. Labels: Implement Feature; Commit Changes to Repository; Software Quality Gate; Merge; Other Developer Branch Merges into Mainline; Other Developer T(x) Branch Merges into T(x+1); T(x); T(x+1)]
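As an added illustration (not part of the original slides), the stage gate described on the preceding slides can be sketched as a merge check that stops only on findings a commit introduces. The category names reuse the deck's root-cause labels; the per-stage policy, the finding format, the ARCH-LAYER rule name and the sample findings are assumptions constructed for this example.

```python
from collections import Counter

# Assumed policy: earliest stage x at which a NEW finding of a category
# stops the merge out of T(x). Category names follow the deck's labels.
GATED_FROM = {"crash-causing": 0, "security": 0, "data-flow": 0,
              "architecture": 1, "threads": 1, "foss": 2}

def fingerprint(finding):
    # Line numbers are excluded so unrelated edits do not make old findings look new.
    return (finding["rule"], finding["file"], finding["function"])

def new_findings(baseline, candidate):
    """Findings in the candidate commit that the target branch does not already have."""
    known = Counter(fingerprint(f) for f in baseline)
    fresh = []
    for f in candidate:
        fp = fingerprint(f)
        if known[fp] > 0:
            known[fp] -= 1  # matched one pre-existing finding
        else:
            fresh.append(f)
    return fresh

def gate(stage, baseline, candidate):
    """Return (merge_allowed, blocking) for merging T(stage) into T(stage+1)."""
    blocking = [f for f in new_findings(baseline, candidate)
                # Unknown categories default to stage 0: gated everywhere (fail closed).
                if GATED_FROM.get(f["category"], 0) <= stage]
    return (not blocking, blocking)

def make_finding(rule, category, file, function, line):
    return {"rule": rule, "category": category, "file": file,
            "function": function, "line": line}

# Constructed analyser output, not taken from any real project.
BASELINE = [make_finding("CWE-457", "data-flow", "lib/buf.c", "buf_init", 40)]
CANDIDATE = [
    make_finding("CWE-457", "data-flow", "lib/buf.c", "buf_init", 52),       # legacy, line moved
    make_finding("CWE-476", "crash-causing", "src/parse.c", "parse_hdr", 17),  # new NULL dereference
    make_finding("ARCH-LAYER", "architecture", "lib/buf.c", "buf_log", 88),    # 'lib' uses 'src'
]

if __name__ == "__main__":
    for stage in (0, 1):
        allowed, blocking = gate(stage, BASELINE, CANDIDATE)
        print(f"T({stage}) -> T({stage + 1}):", "merge" if allowed else "STOP",
              [f["rule"] for f in blocking])
```

Comparing against the target branch's baseline is what keeps the gate tied to a single commit: pre-existing findings do not stop the line, new ones do.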

Page 13

Software Factory Approach: continuously manage quality

“Software and cathedrals are much the same – first we build them, then we pray.”

Sam Redwine

ISO/IEC 9126: Functionality, Reliability, Usability, Efficiency, Maintainability, Portability

[Figure labels: Static Code Analysis, Test Automation, SW Architecture]

Page 14

Software Factory Approach: what about infrastructure and stacks

Page 15

Infrastructure as Code: containerise environments

[Figure: stack, top to bottom]

Application

Application infrastructure (standardised)

Operating system services (standardised)

OS Config (standardised)

Operating System

Virtualised Hardware, Virtualised Storage, Virtualised Network

The hardware

Annotations: “This is all software and can be managed as such”; “Don’t worry about the stuff below here”

Page 16

Software Factory Approach: full automation through sdlc

Building. Using “infrastructure as code”, builds are optimized and parallelised through container instances.

Testing. Achieve Test Automation at unit, integration and system level. Create regression suites to verify software changes.

Static Analysis. Ensure compliance to MISRA, AUTOSAR C++ and Quality Metrics.

Security. Bake in advanced security checkers, e.g. CERT, CWE, OWASP at Time Zero (T0).

Architecture. Manage software dependencies to reduce complexity, avoid erosion and optimize the build.

Compliance. Ensure traceability and adherence through all artefacts.

Page 17

Benefits of Software Factory: case study; medical device manufacturer

Building. Reduction in build times by 65%, broken builds reduced by 75% in the Dev Branch.

Quality. Detection of architecture defect early reduces technical debt and saves over $100K, 45 crash causing defects found at T(0) before code committed to the repository.

Security. Vulnerabilities at T(3) decreased by 40%

Page 18

The Software Factory Effect

Niroshan [email protected]@moat.blog