Security Test-Driven Development – Spreading the STDD-virus

Agile development with short release cycles has been here for a while now. Most of us want fast feedback loops, and many even want Continuous Delivery, with changes reaching production software every day. However, most of us also want secure software, and the question is: can security engineering keep up the pace? Fast feedback that your production website has been hacked is not so nice.

Security is a quality attribute of your software, just like performance. If you don’t want to be surprised by bad performance in production, what do you do? You test and design for it, of course, and preferably you do so continuously from the start.

In my experience, the same cannot, however, be said of security. It is very often relegated to a once-a-year penetration test. Not really an agile way of working, is it? Not a secure one either, since untested software is released as often as every day. There must be a better way of working which allows us both to work in an agile way and to verify security along the way.

In the security field, people like Gary McGraw have long been advocating ways of “Building Security In”. The Microsoft MVP Troy Hunt also proposes that you should “Hack yourself first”, instead of just waiting for the pentesters. Shouldn’t it be possible to weave these security activities into the process the same way normal testing activities are woven in using TDD? I, as well as others, believe it is. Let’s look at how small extensions to an agile process can work in this direction.

Extending Sprint planning to deal with security

To start off, you must first know what the requirements are. In a normal agile project this is done by eliciting User Stories from the customer or the Product Owner.

Let’s take an example of an online e-Commerce site. A User Story might be “As a customer I want to be able to add a review of a product so that information about products can be shared between customers”.

This works very well for traditional functional requirements, but non-functional requirements need a little extra thought. For security requirements it is often useful to state the requirement as a scenario that should NOT happen. In our case we shall call these scenarios “Abuser Stories”. They are non-technical descriptions of bad things you want to make sure you avoid. Abuser Stories for this site might be:

“An attacker uses the Review Product function to spread malicious JavaScript” (in technical terms, stored cross-site scripting). Another might be: “An attacker abuses the Review Product function to gain unlimited access to the database” (SQL injection).
A Product Owner might not be able to come up with these stories alone, and may need the help of a security engineer to find the threat scenarios.
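To show what turning an Abuser Story into a test looks like in practice, here is an added example; it is not code from the original post or from any shop described in it. It assumes a hypothetical Python review store backed by SQLite: the `reviews` table, the `add_review_*` and `render_review_*` functions and the attack strings are all constructed for the example. The “vulnerable” pair shows why the two stories fail, and the hardened pair, with bound parameters and output encoding, makes them pass, so the same two checks can run in the build beside the functional tests on every commit.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Constructed attack inputs standing in for the two Abuser Stories.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '<img src="x" onerror="alert(1)">',
]
# Ends with "SELECT ('" so that the template's closing "')" still forms valid
# SQL; the injected DROP TABLE runs regardless of how trailing comments are handled.
SQLI_PAYLOAD = "x'); DROP TABLE reviews; SELECT ('"


def _fresh_db():
    """In-memory SQLite stand-in for the shop's review table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reviews (product_id INTEGER, body TEXT)")
    return conn


# --- "Before": how a first naive implementation often looks ---------------
def add_review_vulnerable(conn, product_id, body):
    # The review text is pasted straight into the SQL statement.
    conn.executescript(f"INSERT INTO reviews VALUES ({int(product_id)}, '{body}')")


def render_review_vulnerable(body):
    # The review text is pasted straight into the HTML.
    return f"<p class='review'>{body}</p>"


# --- "After": bound parameters and output encoding ------------------------
def add_review_safe(conn, product_id, body):
    conn.execute("INSERT INTO reviews VALUES (?, ?)", (int(product_id), body))


def render_review_safe(body):
    return f"<p class='review'>{html.escape(body, quote=True)}</p>"


# --- The Abuser Stories, turned into executable checks --------------------
class _ActiveMarkupFinder(HTMLParser):
    """Records start tags that can run script, or any on* event-handler attribute."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS or any(name.lower().startswith("on") for name, _ in attrs):
            self.found.append(tag)


def contains_active_markup(fragment):
    parser = _ActiveMarkupFinder()
    parser.feed(fragment)
    parser.close()
    return bool(parser.found)


def xss_story_holds(render):
    """Abuser Story 1: no review may reach the page as active markup."""
    return not any(contains_active_markup(render(p)) for p in XSS_PAYLOADS)


def sqli_story_holds(add_review):
    """Abuser Story 2: the review body must be stored as inert data, leaving the
    schema intact and the text exactly as submitted."""
    conn = _fresh_db()
    try:
        add_review(conn, 42, SQLI_PAYLOAD)
    except sqlite3.Error:
        return False  # the payload broke the statement, so the story does not hold
    table = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='reviews'"
    ).fetchone()
    if table is None:
        return False  # the table was dropped
    return conn.execute("SELECT product_id, body FROM reviews").fetchall() == [(42, SQLI_PAYLOAD)]


if __name__ == "__main__":
    for label, render, add in (
        ("vulnerable", render_review_vulnerable, add_review_vulnerable),
        ("hardened", render_review_safe, add_review_safe),
    ):
        print(f"{label}: XSS story holds = {xss_story_holds(render)}, "
              f"SQLi story holds = {sqli_story_holds(add)}")
```

Run it as a script to see both results side by side. In a real project only the hardened functions exist, and the two `*_story_holds` checks run in CI on every commit, which is what makes an Abuser Story a regression test rather than a once-a-year finding. The markup check uses a parser rather than a substring match, so an escaping bug that leaves `<img onerror=...>` intact is caught even though that payload contains no `<script`.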

The Training Deck – how to onboard a new team member faster

There will always be a productivity dip for the team when a new member joins. The question is not whether it is going to happen, but how much productivity will dip and for how long. Imagine if you could onboard new team members with a minimum of productivity loss.

Slides from “Passion for projects 2017”

Today I met a crowd I do not bump into all that often: project managers. I decided to share insights from Agile projects, stretching from hospitals to digitalization, on how they simplified and sped up their pre-studies. Learning how to do so well helps avoid the “we have to speed up implementation to make up for lost time” syndrome.

Yes, the “black widow” backwards bike was there too 🙂

Slides in english, are available here.

Slides in Swedish are available here.
Doing Scrum with Multiple Teams: Comparing Scaling Frameworks

Our article about Scaled Scrum has been published on InfoQ. In the article we describe the basics of LeSS, SAFe, and Scrum@Scale and show the similarities and differences between them.

You find the article about Scaled Scrum at InfoQ.

Enjoy!

Levels of leadership

After reading the book “Leadership Agility” by Bill Joiner and Stephen Josephs, my tools for handling challenging situations in my coaching have grown.

Leadership linked to Piaget's developmental theory

The basis of the book “Leadership Agility” is many years of research on leadership linked to Piaget's theory of development.
According to it, the child, and later the young adult, goes through a number of stages of maturity, and leadership can likewise be classified by where the individual is in this maturation process. For me it has been, and still is, a model that I find very useful in my coaching.

The iZettle Example: Decentralized Tech Development In Practice (Case Study)

Don’t stand in the way of great employees.
That’s one of the operational mantras that guide the finance technology company iZettle.
Two others are “Keep the startup spirit strong” and “Stay adaptable to changing market needs.”
In this blog post, we share some of the things we are implementing and tweaking at iZettle to keep producing great results and attracting in-demand, talented developers. My role has been to assist the tech development organization in making this work.
(Another blog post coming soon will cover the transformation of making the whole company agile, while this post focuses on the practices put in place to keep a high-performing, decentralized tech development organization at iZettle.)
Let’s begin by facing the reality of fast-growing startups.

The organizational challenges for most fast-growing startups
Most startups want a flat organization to keep their entrepreneurial juices flowing, but when new employees join in a steady stream there eventually comes the point where the founders or upper management feel overwhelmed by chaos.
Things get confusing.
Employees aren’t seen.
No one seems to know what’s going on.
What usually happens to most start-ups at this point is that bureaucratic processes start piling up. Layers of management are added, and project managers are introduced to coordinate the chaotic environment. Written reports for managers to send to upper management follow, silos build up between departments, and decisions are taken somewhere else.
And then what happens?
Usually, entrepreneurial enthusiasm suffers and so does talent motivation and speed of innovation.
And that is exactly what iZettle wants to prevent.
But that is easier said than done when a company grows like a wildfire.

One thing that improves your personal life – and makes you a better value creator

As a high-performing tech professional, it’s useful to constantly fine-tune your ability to add value.

For example, you might ask yourself at work:

What is the one thing we can change in our product, service or in the way we work together that can bring more value to our customers or the team?

This philosophy of looking for things that can add value can also be used for your personal and professional development.

To give you some inspiration, here are some of the real-life small changes and habits that our team members at Crisp have made that have added tremendous value to our personal and work lives.

Warning! These 6 Pitfalls Will Slow Down Your Organization

You have probably read about “at scale” implementations, activity based offices, globally distributed teams, SAFe, Agile transformations and outsourcing. Beware. Danger can be lurking beneath the surface of these popular phenomena.

10 years of Agile @ Crisp. Next challenge: Global Warming!

Ten years ago, in 2007, a few Crisp colleagues and I embarked on a mission: be the best in Sweden at helping companies become agile. We had experienced first-hand the power of agile development, and wanted to use this newfound super-power to help both Crisp and our clients improve. Others joined us and – tadaa! – Agile Crisplet was born (and the concept of crisplets)! That was the year I taught my first Certified ScrumMaster course together with Jeff Sutherland, co-creator of Scrum. Since then we’ve co-trained almost 30 courses, about 2-3 times per year. In fact, May 22-23 is our 10 year anniversary (join us at the course in Stockholm!).

Now 10 years have passed since our Agile Crisplet was formed, and I’m happy to see we have achieved more than we ever could have dreamed!

Dispensing with false humility here, we’ve somehow managed to become one of the world leaders in this field! Famous agile and lean experts partner with us. Super well-known product companies, large telecoms and banks, even government organizations, turn to us as first choice for agile guidance and training. Our videos and articles and books have racked up millions of hits, and we are basically overwhelmed with requests to do coaching, write book forewords, do conference talks and workshops, and run training courses. I’ve done almost 30 keynotes in 20+ countries. I’m amazed (and overwhelmed) every time I look at my inbox, I’ve had to hire an assistant just to turn down the 95% of all requests that we simply don’t have capacity to handle.

OK, so now what?

10 years is a long time, and now it’s time for a new focus! At least for me (Crisp is a no-CEO company where people are free to do whatever they want).

Wondering whether you can procure Agile under LOU? Here you have the answer in under 3 minutes (video)

The Agile procurement conference Lyckade upphandlingar
On February 21 we held our second conference, “Lyckade upphandlingar” (Successful Procurements), to shed light on how we can procure Agile development even under LOU (the Swedish Public Procurement Act). Last spring we (agilakontrakt.se) organized a conference in Copenhagen, and this time we were in Stockholm. We were almost exactly 50 enthusiastic people: lawyers, public-sector customers, people from Upphandlingsmyndigheten (the National Agency for Public Procurement; yes!), suppliers and consultants, gathered to be inspired, to share, and to take part in experiences and knowledge about Agile procurement.

First I just want to say that the reason I engage in this question is not at all that I know procurement, or LOU; what I do have is long experience of how Lean UX and Agile methods create digital services and products that solve real problems, and that is the opportunity I want to create, especially for large, complex solutions where it seems impossible for many today to get it right. Year in and year out I see far too many procurements done in Sweden that do not give the project or program that opportunity: the opportunity to find and understand what the real needs and problems are, and to solve them together. I have myself been hit by that kind of project, and have even managed to turn a couple of them around to actually working Agile and delivering value. But it is frustrating, very frustrating, and very, very costly and unnecessary.

The Minimum Loveable Product

I recently attended a course (the excellent LeanUX course held by my colleague Martin Christensen) and again the topic of what an MVP is or is not came up in a discussion. In the Lean Startup world an MVP is defined as the smallest thing you can make to validate a hypothesis, which helps you decide whether you should continue developing something or stop. For more information about this, I suggest you read Eric Ries’ blog post on the topic. However, in (very) many companies and organisations the term is used to describe the first version of a product released to the end customers. This “version one release MVP” usually contains as little functionality and as few features as possible without making the end customers too upset, disappointed or unwilling to pay.

Another colleague of mine, Henrik Kniberg, wrote a quite thorough and lengthy blog post about MVPs a while back where he touched upon the point I’m about to make. While quite a few people see the different uses of the word MVP as problematic, I see it as a symptom of a need for a better word for describing at least one of its currently used meanings, i.e. the “version one release MVP”. Luckily enough a good friend and coworker gave me the answer to that need a few years ago: He called the first release of the hardware product we were working on at the time the “Minimum Loveable Product”.

Team Shapes – Simulating the challenges with component teams

A common pitfall for large and medium-sized organizations adopting Agile is to organize teams based on software component boundaries instead of as feature teams. Some aspects of long-term code ownership are more straightforward this way, but the negative consequences in terms of business agility and coordination costs are huge. A few years back I designed a simulation exercise that I call Team Shapes which illustrates some of the issues, and now I would like to share this simulation with the community.

Reactions to “No CEO” by the BBC

When the BBC published their “No CEO” piece where Crisp is featured with an article and a 4 minute video, there were a lot of reactions. Friends cheered on Facebook. Colleagues gave a thumbs up on LinkedIn. The article was featured on Hacker News and Slashdot. Here are our reflections on some of the comments we found.

4+3+2+1 Team Success Factors

I’ve now published a new YouTube video where I present 4+3+2+1 Team Success Factors, a model that captures and describes what you can do to help make your team become strong and successful.

These 10 factors are split into four groups.
* The first group describes four dialogs we need to have as a team.
* Next we have three aspects of hard work.
* Then there are two dialogs I need to have with myself.
* The final one is about how we communicate with the organisation around us.

To download a printable version click here, or the image below.

And here is the actual video 🙂
What is Agile – easy to grasp material for the non-techie

I frequently get the question (often from people outside IT): “how can I quickly understand what Agile is?”. I’ve collected a suite of links and videos over the years to help people grasp the basic concepts in 10 min or so. I thought I’d share them with you.

(Please note: the list is intended to give people a quick introduction, short and sweet. The intent is not to cover all aspects.)

Brief explanation of Agile (8 min video):

https://www.youtube.com/watch?v=Tj-lavaMkxU&t=3s

How a Product Owner works –  “PO in a nutshell” (12 min video)

https://www.youtube.com/watch?v=502ILHjX9EE

Article highlighting cultural aspects – Experimenting, Awesome people, Deliver continuously, Safe to try

https://www.infoq.com/articles/modern-agile-intro

Behaviours displayed by agile teams – 12 seemingly normal things agile people do

http://blog.crisp.se/2016/04/04/mattiasskarin/12-seemingly-normal-things-agile-people-do

Case: Agile at Scale with 200 people @ LEGO (50 min video).

– Pay attention to how engagement/responsibility was created for both team and department deliveries, and how positive energy was nurtured.

https://vimeo.com/146522457

I hope you find it useful. I expect this list to evolve over time, so don’t be surprised if new links pop up here in the future.

Cheers Mattias

Feature Verification Funnel

You have a feature to implement, and there are several implementation solutions available. How do you choose the best one?

Start out with all your potential solutions for a feature idea. Next, filter based on how the solutions perform using a set of verification methods. Finally, implement the feature knowing that you’ve found the solution that meets your needs.

Verification Methods

The following are the verification methods I’ve experienced most often on projects:

How to set role expectations and working agreements

Conflicts in teams about how to work are common. There are expectations from team members on each other that aren’t being met. In a given team, members might be implicitly expected to perform a certain task. The team might have unspoken policies that seem to be common sense. Sometimes people pick up on these unspoken rules and implicit expectations, but when they don’t, you have a team in conflict. You can’t avoid all conflict (and a dose of healthy debate and discussion is good for teams), but you can help teams by explicitly defining the roles and working agreements. Instead of dealing with conflict after the fact, you start with discussion and agreement. The following workshop is the one I use with my teams and organizations.

Goal: Solve global warming

Yesterday 9 of us met at Crisp's office to discuss what we can do for the climate.

For many of us at Crisp this question is close to the heart. Unfortunately, as a consultant it is not always easy to find suitable assignments. But the climate question is the planet's biggest challenge, and many of us no longer want to sit inactive.

Together with Niclas Gross Martinsson and Erik Martinson (with whom Hans Brattberg and Henrik Kniberg are already collaborating) we brainstormed a number of ideas we will try to work on:

  • Offer our unique competence to companies working on environmental issues, for free or at a discounted price
  • Find and help investors evaluate and kick-start environmental projects and startups
  • Challenge other companies to reduce their environmental impact
  • Inform about the current situation and what one can do as a private person and as a company
  • Blog about successful and interesting environmental projects
  • Find partners who can strengthen or complement us

We hope more companies will want to work on this, so we will increase our points of contact and offer our knowledge. We are good at:

  • Programming – we have experience in almost all areas, from UX to continuous delivery
  • Agile methods – how to produce usable software in the fastest possible way
  • Startups – the 35 of us consultants have together started or worked at over a hundred startups

Feel free to contact us if you want to help!

See the film about procurement that gives more “Bang for the Buck” in the public sector

The key to a successful procurement is an Agile procurement procedure that emphasizes user-centered development and measurable effect goals. Unfortunately that is very rarely how it goes in reality; if you are interested in knowing more, watch the film and read the blog post.

As several of you surely know, for about 2.5 years I, together with a couple of colleagues, have been engaged in raising the question of how a good procurement could be carried out under LOU to enable better deliveries that solve real problems and create the desired effect. Above all, this work has meant that we have searched out a number of successful examples from the public sector where Agile procurement was used and resulted in successful deliveries on time and on budget. They have been hard examples to find, both because they are unfortunately far (far) too few, and because people apparently do not feel entirely comfortable telling HOW they did the procurement.

Agile in a Nutshell poster – Translated to Spanish

A few days ago I received my free Agile in a Nutshell poster translated to Spanish. I’m so happy about all the feedback and help I have received with this poster. Hope you all enjoy it too 🙂

Resume Agile – Spanish translation

Thank you Juan Carlos Perez Amin!
jcperez@easynube.co.uk

Here is my original post >

Agile in a Nutshell poster – Translated to French

A while ago I received a tweet from Nicolas Mereaux saying that he had translated my free (the wonders of Creative Commons 🙂) poster on Agile in a Nutshell to French, as well as the blog post itself 🙂 Such a nice gesture. Hope you enjoy it too!

Here is the full Agile in a Nutshell blogpost in French.

Here is my original post >

Design Studio – Collaborate towards a shared understanding

Design Studio is a design method that focuses on a specific format for collaboration to create a shared understanding of the problem. This is done by the team, together, coming up with a solid foundation for a design that solves the problem.

Here’s the short version:

  • Illuminate – In the first step, the team gets a presentation of the problem and possible boundaries (such as a certain target group or a platform).
  • Sketch – The second step is all about creativity. Let everyone in the team sketch solutions to the problem within a timebox of about 5 minutes. It is important that the sketching is quick and dirty, since giving people time gets them stuck on unnecessary details.
  • Present – In the third step, each and everyone presents their design. A good timebox is one minute per person. When a person has presented, a critique session for that particular person’s design follows.
  • Critique – As a fourth step, an open discussion about the design is held. The critique is meant to churn out the key issues with the ideas previously presented and inspire the other members for the next sketching iteration. Try to answer the question: Does the design solve the problem? A good timebox is 2 minutes. The discussion will make everyone think deeper about both the problem and the solution. After the critique, listen to another team member’s presentation until everyone has been given the opportunity to present and discuss their designs.
  • Iterate – Run the last three steps at least 2-4 times. Iteration is the key to finding reliable solutions and getting a shared understanding of the problem.

The overall rule for Design Studio is to never dwell on details, to get the most value out of the least amount of time. After a Design Studio session, the UX designer has plenty of material to work with to take the design towards implementation. Try it out in the course Agile UX or read on to find out the details.

Global warming – simplified summary

OK, here’s a (very) simplified summary of what I’ve learned about global warming after digging deep the past few weeks.

  1. Global warming is a major threat to life as we know it. It’s A LOT worse than most people realize.
  2. Global warming is caused (mostly) by increasing CO2 in the atmosphere.
  3. The CO2 increase comes (mostly) from us burning oil & coal (“fossil fuels”). Adds about 20-30 billion tons of CO2 per year.
  4. So we need to (mostly) stop burning oil & coal.
  5. We burn oil & coal (mostly) for electricity and transport. Coal power plants, car/plane/ship fuel, etc.
  6. We want to keep electricity and transport, but we also want to stop global warming, therefore we need to get electricity and transport without burning oil & coal.
  7. We know how to do that (solar, wind, electric cars, etc). The technology has been figured out, and the prices are at the tipping point where oil & coal can’t compete economically.
  8. So now we just need to hurry up and roll out those solutions! Every single reduced ton of CO2 counts.
  9. Unfortunately shit is going to hit the fan either way (because it’s already launched so to speak), but at least we can slow it down, reduce the impact, and buy us some time.

So pull whatever strings you can to help out – technology, policy, economy, communication, etc. Inform yourselves & each other. People have varying degrees of discretionary time, money, knowledge, voting power, contacts, influence, and motivation. But the more people try to help in one way or another, the more difference it will make as a whole.

Transforming the pyramid to an agile org

I recently published a video exploring what an agile, team-based organization could look like. How does it function under the hood? In the video I also discussed how you get there.

I got tons of great feedback, so I decided to provide the contents of the video in the form of a blog post. If you prefer reading to watching an 11-minute video, then this is for you 🙂

Planning as a social event – scaling agile at LEGO

The past couple of years I’ve been travelling back and forth to LEGO’s HQ in Billund Denmark, helping out with their agile journey. Super interesting! Learned more than we could ever fit in an article, but here’s an attempt to capture at least some of it, written together with LEGO colleague and co-instigator Eik Thyrsted Brandsgård. Enjoy!

Planning as a social event – scaling agile @ LEGO

How Karlstad hospital was built on time and on budget with Agile contracts

Karlstad hospital has been rebuilt and extended in several rounds. All buildings were delivered on time, on budget and with working care operations from day 1. The hospital has saved 300 million SEK for Värmland County Council. The solution? Effect-driven procurement with Agile contracts and Partnering. What created the conditions for success? We interviewed Lars Nilsson, who led the procurement of Karlstad hospital.

(How Karlstad hospital was built on time, on budget and with working medical care from day 1, using Agile contracts.) Read the interview here (in Swedish):

http://agilakontrakt.se/hur-karlstad-sjukhus-upphandlades-med-ratt-effekt-pa-tid-och-budget-del-1

Did the math on my contribution to global warming

I was curious about how many tons of carbon dioxide my family pumps into the atmosphere (= global warming). I looked at the most direct variables: flying, driving, and home electricity. There are obviously more variables to look at (like beef!), but I’m starting with these three, as the data is readily available and I gotta start somewhere.

Result (updated):

  • Flying = 14.6 tons per year
  • Driving = 4.1 tons per year
  • Electricity = 0.5 tons per year

So, 19 tons of CO2 per year. Damn! Sorry about that, earth and future generations. Good news is that I now know how to reduce it by A LOT (like 5 times less)!

A/B testing at King

I gave a lightning talk at tonight’s Lean Tribe Gathering in Stockholm about A/B testing at King, how we develop games, features and decide which improvements to make. Here are my slides and notes from the presentation.

How I wrote a book publicly online

I love visualization and I collect visualizations. Why? Well, I love drawing and have a very visual way of thinking. But more importantly, I’ve been amazed time and time again, how great an impact a valuable and useful visualization can have on a team’s ability to focus, collaborate, and adopt new behaviour.

This passion for post-its and whiteboards finally manifested itself in the form of a book: “Toolbox for the Agile Coach: Visualization Examples – How great teams visualize their work”. Not only am I proud and happy with the final result, I’m also very excited about the way it came about. This blog post is about how I wrote a book, publicly and collaboratively online, with frequent increments and tight feedback loops.

Agile Everywhere – slides from my keynote at Agile Tour, Montreal

Here are the slides from my keynote Agile Everywhere at Agile Tour Montreal. In the keynote I shared my experiences from applying agile in lots of different non-software contexts.

Enjoyed the trip! After the conference I spent a day at Ubisoft Quebec to discuss REALLY large-scale agile (like 1000-person video game projects). I see more and more companies applying agile at really large scale and my key takeaway is that, the larger the project is, the more important the agile principles are. For tiny projects any process can pretty much work. Also interesting to see how different types of organizations – such as video game development, banking, and aerospace – arrive at very similar patterns for how to deal with dozens or hundreds of agile teams building a product together. Just keep in mind that big projects are super-risky with or without agile, so your first priority should be to de-scale.

Anyway here are some sample pictures from the keynote.
