The UX/UI experience in Agile projects is always fun, and the below is very sage, I think, when dealing with custom development… but what about implementing a platform? How does this approach fail? It does, in some cases, for good reason. Where does the skill set overlap between UX/UI people need to merge with development in these cases? OR, do we act truly Agile and just talk? Not working ahead, but along side of…?

UX: The Gatekeeper RoleThe two main recommendations for ensuring good usability in Agile projects remain the same as in our original research: Separate design and development, and have the user interface team progress one step ahead of the implementation team. That way, when it comes time to build something, it’s already been designed and tested. And yes, you can do both in a week or two by using paper prototypes and discount user testing. Maintain a coherent vision of the user interface architecture.

Create the initial vision during a “sprint zero” period — before any implementation has started — and maintain it through annual or semi-annual design vision sprints. You can’t just design individual features; they have to fit together into a coherent whole — a whole that must be designed as well. Bottom-up user interface design equals a confused total user experience the Linux syndrome.

From:  Agile User Experience Projects Jakob Nielsen’s Alertbox.

Compliance is not just a pain in the tushy. While it can be difficult to achieve, the standards for compliance have a sort of soft interpretation. For 508 compliance, there are elements that can be interpreted. Ultimately, a human being or group of human beings have to assert that a site is 508 compliant. Unless that person has the authority to officially dub a site compliant, it is compliance-minded. That’s all. Sometimes that is enough and the compliance police do not come looking.

I have written a bit about 508 compliance and W3C assessability standards. I am not a fan of standards that can be interpreted. That is not really a standard. PCI compliance is a bit nicer in that regard, so I will talk about it a bit today. Hang onto your hats. This is about as sexy as it gets.

There are 12 points (requirements, really) that must be satisfied for a site or site collection or System to be PCI compliant.

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

First, what is the motivation behind this? Your safety as an online consumer, ostensively. If you read my blog on any kind of regular basis, however, I tend to think there are other forces at play. Just like SOX Compliance, PCI compliance keeps a lot of companies in business. PCI Compliance experts. But they are not the genesis of this requirement. The credit card companies are. It limits their liability. It puts the onus on the site owner. I do not know if that is a good thing or a bad thing, but as with most things, I would bet the answer is “a little of both”.

So how do items like #6 become proven true or false? The Payment Card Industry Data Security Standards (PCI DSS) Information Security Policy & Procedures Manual sets forth these measures (requirements, really). And the reason I keep saying (requirements, really) is that requirements can be interpreted until UAT takes place. Sure, you can go Agile and you can go JIT, but it does not make sense to here. This is one occasion where yoru developers, stakeholders, phone support staff, and anyone who has anything to do with a transaction will be relevant is a very real and direct manner. You are better off, in my experience, joining forces with one of the organizations capable of dubbing you compliant early. That is in contrast to building, engaging, and changing/adapting. Ultimately, it will be up to your qualified PCI Compliance Agent if your application was designed with security best practices in mind, or if your application is secure. The way they determine this is up to them, although there is more detail behind these requirements – as you would expect with any project… a purely Agile approach would tend to leave people saying “that’s not really what I meant, so let’s iterate.” Why iterate when the deliverables are monitored by those who accept them and who know what they mean?

Point 6 “means”:

• Deliverable: A formalized Security Patch Management Program employee, complete with his/her roles and responsibilities.
• Deliverable: Comprehensive inventory of all “system components” directly associated with the Cardholder environment.
• Deliverable: Comprehensive inventory of all other I.T. resources not associated directly with the Cardholder environment.
• Deliverable: Subscribing to industry leading security sources and additional supporting resources for vulnerability announcements, and other security patch management alerts and issues.
• Deliverable: Procedures for establishing priorities in regards to security patch management. This will include, but is not limited to, the following: 1. Significance of the threat. 2. The existence and overall threat of the exploit. 3. The risks involved in applying security patch management procedures (its affect on other systems, resources available along with resource constraints). 
• Deliverable: The creation of a database of remediation activities that needs to be applied.
• Deliverable: Test procedures for testing patches in regards to remediation.
• Deliverable: Procedures for deploying, distributing and implementing of patches and other related security hardening procedures
• Deliverable: Procedures for verifying successful implementation of patches and other related security hardening procedures.

These are not litmus test deliverables. They are required. The flaw is that we have requirements with detailed discovery yet the requirements are not positive assertions of anything but a hypothesis not proven true or false. They are pointers. Specific documents make up the larger requirement. This is fairly well defined, but still, there is that final UAT (that is indeed stretching it a bit but hopefully my intent is clear) where the dubbing agency says “Yes, PASS”. They are usually very willing to help you fulfill these requirements and create these deliverables.

To protect cardholders and personal information, organizations must not only employ best practices, but they must also pay to have themselves audited. This seems fair, I suppose. I also respect that this is not a rigid set of requirements, but a yielding and forgiving one. It makes sense to temper things with a bit of reality. Still, it is not a standard, in my mind.

If a platform is ever able to say it is PCI compliant (or more likely, a framework), it would be very interesting. To build a framework so that departure from these guidelines is impossible would seem an attractive project for someone.

I am all for complaince, and I am all for standards, but I simply do not believe that PCI Compliance is a gauge against a standard. Advice: get audited by a PCI Consultant early. Let them tell you what they need. It may be less than you would do on your own and the money you spend on them will be money you save internally (lower project TCO). And as always, best practices in your SDLC and intelligent (common sense) design and architecture will be more valuable than whatever cute name you give your process.

AJ Ayer called something that could not be proven true or false “nonsensical”, but I think this is a little different than that. PCI Consultants need to be honest and earnest or they will have no authority. The intent, and the discipline, is valuable here, and I dig that very much.

Thank you,

Josh

It is the fashionable thing to poo-poo Waterfall methodologies lately, but I am beginning to think that it is far too simplistic a view to say that you can’t know everything ahead of time. True, the classic Gantt Chart model with each activity planned to the hour, dependencies, and Critical Path *may be* overkill, but what is this chart really doing? It is saying that “these are things we need to do, and this is how we are going to try to do it.”

Agile, Kanban, Scrum all denote tasks. Some use sticky notes. Some use a backlog. The tasks are still there. What is missing is that long black .mpp bar that limits the amorphous black box of “Development”. Non-Waterfall approaches still execute tasks in order, but that order is defined as you go to an extent. In reality, every team member has what they know about the project and tasks in their mind, and they are doing mini Gantt charts in their head. Even if it is moment by moment, people plan. Nobody sits and just codes without a goal. Remember, you have plans to accomplish goals. You might say that the definition of a plan is it’s goal.

When nothing is known about an incipient effort, there is room and need for Agility. There is less room or need for Agility when the project is more cut and dry (“install MS Office” or “stand up Drupal in our dev environment”).

Point being, even “Agile” approaches involve planning. Just not as much, and not as far ahead, and not to the level of detail that an overzealous Business Analyst / Project Manager might do in their trusty .mpp. Seriously, I have seen some pretty detailed project plans, but I have not seen any that presume to know horrific levels of granularity. Those horrific granules are generally requirements, and they are valid in any effort. They tend to live somewhere else -wireframes, a functional spec, business rules, wherever that particular team puts that stuff.

People over process is a tenet of Agile. This is, apparently, to say that in “Waterfall” practices process trumps people. Everyone reading this knows that invariably any project, no matter how strong the Business Case or how vital the technical effort, there is someone in an office that can derail everything at whim. People are always over process. The trick is to adapt the process to the people and accommodate the people. All your stakeholders are important, and it is equally important to realize who has not been named a stakeholder yet has the ability to rock your world if they choose to.

Even something as sexy as Kanban is to some people; it is just people performing tasks in an organized fashion. What is new about this? It is Waterfall, diluted. The very discussion of Kanban and it’s amazing achievements in Japan is ceremony. Putting up the board is ceremony. Taking the cellophane off of the post-its is ceremony. Ceremony means nothing. You just don’t want to waste more time than you have to. You don’t want to say things like “muda” because nobody will know that you mean “waste” and you will be mudaing all over the place.  The little stickies are ceremony. Sprints are ceremony.

Any task that has been designated as a 4 day task will take 99 percent of developers 4 days to do. If they finish core functionality in one day, they will use the 3 extra to make it better. They build. And at the end of 4 days and continuous integration, QA as part of a breathing application begins. This is where the Kanban board has an advantage. This, and in the team-oriented approach to work and work product.

Still, Waterfall lingers there in the background. There is that goal. I need to get to the store. I am not sure which roads I will take and I did not know that the shortcut I generally take is closed, but I will get to the store. Waterfall chokes on anomalies – which are more common than uncommon. But regardless, I left the house with a path in mind and adapted. Agile assumes the goal of Waterfall.

Now, who really cares about what these things are called? Who cares about Waterfall vs. Agile vs. Framed Agile or what have you? A lot of people do. A lot of people with vested interest care. They want you to take their certification course and to obviate the utility of their software package for your development shop. There is some merit in this, but not enough to warrant the degree of productization we can see in the world of software methodologies. I try my best to not name names but to ask about a team’s approach. Invariably, words like “sprint” come up – but I take it with a grain of salt and assume it distinct from the hardcore Scrum sprint. You have to be flexible. You have to take all these tools, approaches, philosophies, certifications, and take what is useful and leave behind but keep close by that which is not immediately useful. If you do that, you will be able to adapt and build. You have been doing it since you first drove to the store.

Best,

Josh

I need to do this. I am writing, but this does not belong in the chapter I am working on and I cannot get past it. Therefore, I must purge myself of it. We have been here before, yes. Consider this a duplicate post if you like.

Agile is not Scrum. It is not XP. Okay? Those are commercial terms. A philosophy has become productized and the very tenets of Agile are lost in the nonsensical ceremonious definitions that make up these trademarked and certifiable methodologies.

Keep it simple.

You what to know what Agile is?

Easy.

• Individuals and interactions over processes and tools

• Working software over comprehensive documentation

• Customer collaboration over contract negotiation

• Responding to change over following a plan

Can we please just build software and get over our cute little processes? Agile only makes common sense. It is the agile methodologies that blow me away with their arrogance. And this post has not been spawned by any project I am working on now. I, as you may know, have a book that is late and I detailing a story about a company I worked with that had their own branded agile process. It had all sorts of checkpoints and mandates and on and on and on. That company crashed and burned.

Meanwhile, my buddy Mike (who I still cannot link to but don’t mind because I get to use him without exposing him wherever possible) built screenr.com off of a totally informal process. THAT is Agile. Rather, that is an EXAMPLE of Agile manifested as agile development.

This is not to say there should not be requirements. With stakeholders come requirements. When you have few stakeholders, it is very possible that requirements can be something you just talk about all day as you build. They change. They are required. That means you NEED to talk about them.

It’s not about thinking outside the box. It is about getting rid of boxes until you require them. Like requirements.

Thanks,

Josh