
Secure Scrum

For 10 years, agile development has been gaining more and more followers and practitioners. It seems a sure bet that SCRUM will become the leading process skeleton for lean and agile project management. As with most new technologies, processes and frameworks also go through a hype cycle. At this moment we know a lot about the advantages of SCRUM, and perhaps too little about its pitfalls.

In the area of security, SCRUM makes some dangerous assumptions which I personally believe will prove to be major challenges in getting security right in development projects. Let me mention just two here:

  • SCRUM assumes that everyone in the team should be able to deal with all aspects of the solution, which would lead us to assume that all developers need to be knowledgeable in security controls and secure programming. However, in all the successful projects that I have seen, there was a security expert who joined the team almost on a daily basis. I believe the same is true, by the way, for other non-functional aspects like usability. I am not sure what Ken Schwaber thinks about this, but I firmly believe that the team works best if team members bring their strengths together. One is interested in security, another is interested in usability (and great design), a third is interested in database scalability, and off you go with a great team :). It is good to have a backup in case someone leaves the project, but that comes at a cost.
  • SCRUM is a project management skeleton, not a software engineering process. SCRUM does not tell you how to come up with requirements, it does not tell you when and how to integrate and test, it does not tell you how to build a lasting architecture, and it has nothing to say about secure coding practices. This is not to blame SCRUM. SCRUM is great because it is simple and focuses on very few aspects, like prioritizing resources and interacting with stakeholders.

All I intend to say here is: please don't try to invent a secure SCRUM, because security is better placed in a solution development life cycle than in a process skeleton. And a great lean process skeleton should not be overloaded. If anything, SCRUM should be more specific about project and solution risk management. Two years ago an interesting column was posted on InfoQ (http://www.infoq.com/news/2008/07/managing-risk-with-scrum). Antti Vähä-Sipilä also has an interesting blog entry on this matter: http://blog.safecode.org/?p=45.

What are your experiences?

O'Reilly Cloud Computing Book

An OSA reference has been included in the recent O'Reilly book "Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance" by Tim Mather et al. The Cloud Computing pattern from the patterns library is reproduced in the Appendix. We are pleased to be of assistance, in a small way, to a solid reference work on the topic.

If you are interested in reading further on the topic, you can find it here on Amazon.

Trials and tribulations of TCPDF

I've been trying to get the PDF rendering working properly, and I find that this is not as simple as I would like!

We are using Joomla, which includes TCPDF as the default rendering engine; however, the documentation on how to configure it is weak to non-existent, so I will capture my efforts here so we do not lose them.

Configuration options are held in /cms/libraries/joomla/document/pdf/pdf.php rather than in /cms/libraries/tcpdf/config/tcpdf_config.php, as you might expect.

The TCPDF library does not deal well with images that have sizes specified, and seems to scale them incorrectly. I have tracked down the problem to the image_scale variable in pdf.php, as follows:

// Scale ratio for images [number of points in user unit]
var $_image_scale = 1.75;

This is 4 by default (a very small image); when set to 1.75 and using standard PNG or JPG images, the image scale is fine. If you set the scale to less than 1.5, the image expands off the page and the PDF text gets corrupted. It may be that the units need to be corrected (px rather than the default mm), as I have found that setting the image with no size attributes works fine.

The text formatting still needs some work, but this should be quite straightforward to correct.

The test pattern can be viewed here.

The final problem to solve is how to get the PDF renderer to use the PNG image rather than the default SVG, which is the preferred option we use on the site as it allows links for the controls. Unfortunately, the SVG is too complex for the PDF renderer to handle...

Details on the TCPDF API are available from http://api.joomla.org/1.5/com-tecnick-tcpdf/TCPDF.html

Better printing for patterns

We will try to get the printing improved as a priority. We know that quite a lot of our users want to print the patterns easily, and right now they do not print very well. One option is a PDF converter, although when we tested this a while back it did not work very well. Stay tuned, and we should have an answer soon!

Summer hibernation

Just a quick note to say that, while progress has been slow lately due to the summer here in the Northern Hemisphere, where the core team is located, we are still working according to the roadmap, and you can expect to see some new patterns and other artifacts as we head into September and October.

It's not so much fun working on a PC after work when there are long evenings to be spent in the garden, playing with the children, and generally enjoying life :-)