Software Development

Why were well-planned projects failing to meet their objectives? In the late 1990s, a group of software developers set out to address this challenge, creating what we now know as Agile methodology. They were looking for an approach that could adapt to rapidly changing user requirements whil delivering working software quickly and efficiently. Where it started In 2001, a group of software development leaders met at Snowbird, Utah, and formalised the Agile movement by publishing the Manifesto for Agile Software Development. At the time, traditional development models like Waterfall were failing to adapt to changing requirements, resulting in costly delays and dissatisfied customers. ...

Understanding the Spring Framework Evolution, Risks, and Audit Considerations** History & Evolution Released in 2003 by Rod Johnson as a lightweight alternative to Java EE. (Wikipedia - link) Evolved into a full ecosystem, including Spring Boot (2014) for simplified deployment, Spring Security, and Spring Cloud for microservices. Originally developed by Interface21, later acquired by SpringSource, then VMware. Widely used in enterprise applications, cloud services, and microservices. Audit Questions to Ask What versions of Spring and Spring Boot are in use? Are legacy Spring applications still maintained and patched? Is the team using official support channels, or relying on outdated third-party dependencies? Key Risks for In-House Development Dependency risks – Third-party libraries (e.g., Log4j) can introduce vulnerabilities. Security misconfigurations – Weak Spring Security settings may expose authentication flaws. Excessive complexity – Over-engineered architectures can hinder maintainability. Inconsistent coding practices – Lack of standardisation can create operational risks. Questions to Ask How does the team track and update dependencies? Are security configurations reviewed regularly? Are developers following a consistent architecture and coding standard? Audit & Governance Best Practices Use Software Composition Analysis (SCA) tools to monitor third-party dependencies. Implement secure CI/CD pipelines to enforce security checks before deployment, and maintain audit trail / ability to roll-back. Ensure strong access controls – Proper OAuth2 configurations, API gateways, and authentication reviews. Monitor Spring security advisories and enforce timely patching. Questions to Ask Does the organization use tools like Snyk or OWASP Dependency-Check for vulnerability scanning? Are secure coding practices enforced in CI/CD pipelines? How often are Spring applications tested for security weaknesses?

Key elements Types of testing Unit Integration System End-to-end (e2e) User Acceptance Testing (UAT) Non-functional - testing for objectives like performance of the system (speed, capacity), security, accessibility What gets testing / timeline Critical processes / critical flows, eg. authenticating, that transactions work as expected Prioritise high-risk or high-importance features early, allow time to fix defects Ownership of testing Developers - unit & integration tests QA teams - end to end & non-functional tests Business - UAT Tools Frameworks JUnit Cypress Automated testing with Postman CI/CD GitHub Actions Jenkins Azure DevOps Results dashboards & alerts Environments Dev, Test, Staging, Pre-Prod, Prod Test data strategy Quality Gates Release only if/when tests pass (agree coverage %, what is critical path) Risk-based testing: focus effort Metrics & Governance testing coverage defect leakage test pass rate regression testing (Youtube) Align with SDLC & audit/compliance needs

Continuous Integration and Continuous Deployment (CI/CD) is a concept in DevOps. CI/CD automates software development by merging code changes, running tests, and deploying applications. Continuous Integration (CI) integrates new and updated code, while Continuous Deployment (CD) automates the release of validated code to production or staging. CI/CD pipelines reduce manual errors, minimise deployment failures, and ensure consistent testing. With automated controls, such as security scans and compliance checks, this reduces risk and helps meet security standards. ...

DevOps combines development and operations practices to streamline software delivery through collaboration, automation, and continuous integration/continuous delivery (CI/CD) pipelines DevOps enables faster and more reliable deployments, bringing benefits such as improved efficiency, scalability and accelerated time-to-market. With the right design, automated control procedures can mitigate specific risks in development, such as coding errors and security vulnerabilities. Related DevSecOps

DevSecOps is a concept that integrates security practices into the DevOps process to ensure rapid software delivery while maintaining security. DevSecOps emphasises automating security checks and embedding security early in the software development lifecycle. The primary benefit is reducing vulnerabilities while maintaining the speed and agility in development that DevOps brings. The DevSecOps acronym comes from the three words Development, Security and Operations. Further reading Secure DevOps environments for Zero Trust (Microsoft Learn) ...