Tech Readiness Assessment / Software Architecture Assessment
People Assessment
- What is the bus factor for key parts of the application? (The bus factor is a measure of the risk that results from knowledge and capabilities not being shared among team members, from the phrase "in case they get hit by a bus".)
- What is the team composition? Is there a lack of leadership or expertise?
- Does the team have core principles of character (humility, trust, respect)? Do the engineers respect each other? Is there a culture of trust within the team? Are egos involved in making technical decisions?
Agile
Measures of Success:
- On time Delivery (Burn-up/Burn-down charts)
- Product Quality
- Customer Satisfaction
- Business Value
- Product Scope
Agile Practices
- Iterative Cycles
- Daily Meetings
- Collaboration Tools
- Continuous Feedback and Growth
- Lean Development - Identify Value and reducing waste
Extreme Programming
- Pair Programming
- Test Driven Development
- Small Releases
- Simple Design
Applications
Architecture
- What is the technology stack? How many Tiers does your application have?
- Well-Architected Framework
- See Technical Assessment Template
API Design
- Idempotency? URL Structure? HTTP verbs usage? Do we have metadata/pagination/URL versioning?
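As an added illustration of the API Design questions above (example code written for this page, not part of the original assessment template): a per-client idempotency-key check for a POST endpoint that replays the stored response on an identical retry and rejects reuse of a key with a different payload, plus a pagination helper that returns page metadata and caps the page size. The in-memory store, client ids and order payloads are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class IdempotencyStore:
    """Maps (client_id, Idempotency-Key) -> (payload hash, stored response).
    Constructed for this example; a real service would use a shared store with a TTL."""
    seen: dict = field(default_factory=dict)


def payload_fingerprint(body: dict) -> str:
    """Canonical hash of the request body so key reuse with a different body is detectable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def handle_create(store: IdempotencyStore, client_id: str, idem_key,
                  body: dict, create_fn) -> tuple:
    """Idempotent POST: same key + same body replays the stored response without
    calling create_fn again; same key + different body is rejected with 422."""
    if not idem_key:
        return 400, {"error": "Idempotency-Key header required"}
    slot = (client_id, idem_key)            # scoped per client, never global
    fingerprint = payload_fingerprint(body)
    if slot in store.seen:
        prev_fingerprint, prev_response = store.seen[slot]
        if prev_fingerprint != fingerprint:
            return 422, {"error": "Idempotency-Key reused with a different payload"}
        return 200, prev_response           # replay: no second side effect
    response = create_fn(body)
    store.seen[slot] = (fingerprint, response)
    return 201, response


def paginate(items: list, page: int, per_page: int, max_per_page: int = 100) -> dict:
    """Returns page data with metadata; per_page is capped so a client cannot
    request an unbounded result set."""
    per_page = max(1, min(per_page, max_per_page))
    page = max(1, page)
    total = len(items)
    start = (page - 1) * per_page
    return {"data": items[start:start + per_page],
            "meta": {"page": page, "per_page": per_page, "total": total,
                     "total_pages": max(1, -(-total // per_page))}}


if __name__ == "__main__":
    store, orders = IdempotencyStore(), []
    def create_order(body):                 # constructed side effect: records an order
        orders.append(body); return {"id": len(orders), **body}
    print(handle_create(store, "client-a", "k1", {"sku": "A1"}, create_order))
    print(handle_create(store, "client-a", "k1", {"sku": "A1"}, create_order))  # replay
    print(handle_create(store, "client-a", "k1", {"sku": "B2"}, create_order))  # 422
    print(paginate(list(range(23)), page=3, per_page=10)["meta"])
```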
Design Patterns
- Screaming Architecture
- 12 Factor App
- Pattern - Orchestration vs Choreography, Sync vs Async
- Domain Driven Design -> Is the team using a ubiquitous language? Are the bounded contexts obvious in individual services/applications?
Code
- Design -> Low Coupling/High Cohesion? High Fan-in? Readability?
- Code review process? Extreme Programming? Branching strategy?
- Do we follow Clean Code principles? Are the engineers aware of code smells? Is there low coupling and high cohesion in the code? Are the packages arranged in a logical and readable way?
- How long does it take for a new developer (junior to mid-level) to set up a local environment? (seconds/hours/days)
Testing
- Testing Pyramid - Unit testing/Integration/Contract Testing/E2E Testing (Anti patterns: Ice Cream Cone Testing and Hourglass testing)
- Ideal Composition: 80% unit test, 15% integration test, 5% end-to-end
- Testing strategy for E2E? Is everything mocked? Do we spin up services locally to test E2E happy-path scenarios, or do we run tests against running servers?
- Beyonce Rule - the CI rule, if you like it put a CI test on it
- Do we have Smoke testing on production?
- Do we have contract tests on our 3rd party integrations?
Playbook/Documentation
Internal
- Getting Started
- Do we have Architecture Decision Register
- Data Flow & Entity Relationship Diagrams?
- Bugs Database?
External
- Getting Started
- API Documentation? (Exceptions? HTTP codes, Request and Response Example payloads, Getting Credentials)
Security
- How is security handled?
- Authentication & Authorization? What forms of authentication/authorization are used? (Password + Time, token-based, MFA, certificates)
- How many people have access to the Prod environment, and who are these people?
- Do we have penetration testing done by a 3rd-party security provider? How are Prod instances accessed? Are non-public-facing servers hidden from the public, and how are they updated? (NAT gateways)
- Are there guard rails to protect from an attack? Is there any mechanism to block a DDoS attack?
- How are sensitive keys stored? Who has access to them? How are the keys secured and rotated?
Scaling
- What is the software development cycle, and how does it work?
- Is there any load balancing in place?
- What is the throughput we are expecting?
- How is scaling handled?
- Any form of caching?
- Do you have messaging? Synchronous vs Asynchronous
- Any other background processes?
- What is the DR process? How resilient is the application?
- Are there any customer sensitive data saved?
- What is the process for PVT? How does the tester ensure that deployment was successful?
- Are the customers able to access the application during deployment?
- Access to a running dev/local instance/code base
Infrastructure
- What is the current infrastructure? Cloud or On-Prem?
- Database used? Which paradigm? (7 database paradigms: Key-Value, Document, NoSQL, Graph, Relational, Search Engine, Multi-Model) What ORM are you using? How is connection pooling done? How are transactions handled? Is the data encrypted, and is the connection secured?
- Do we have Continuous Integration and Deployment in place? How fast can we deploy code to staging from commit?
Monitoring
- Benchmarking - What is the average I/O of the application? Is there an existing load test benchmark or performance monitoring? What tools were used? What is the maximum throughput of our current application?
- Are we able to trace any given transaction from the logs? Are we alerted if a transaction fails or the application fails?
- Are we able to monitor the current state of our infrastructure in real time?
- Have we done load testing?
DevOps - (Operations)
- Dickerson Pyramid
- Versioning - How is the API versioned? How is the application versioned? Are we able to determine which version is currently deployed in which environment?
- Change Management - How hard is it to release a feature/fix a bug? What's the normal cycle time? Is there Continuous Integration/Deployment in place? What's the frequency of release?
- How fast can we provision new infrastructure? Does infra scale automatically when needed?
- Are we able to replicate infra across different global geo location/different cloud provider? (Infrastructure as Code)
- How many environments are there? How many environments are used for testing/development purposes?
- How many manual steps are done before deployment to production is ready?
- How is the deployment done to staging servers?
- How are sensitive details stored (for example, the database password)? Are they different in each environment? How does the packaging resolve to the correct instance? Is there a separate build for prod/staging environments? How are the different environments handled, i.e. staging environments against production environments?
Resilience
- Are we load balancing requests? How much can each infrastructure component handle? (e.g. how many connections the database can handle, how much each application server can handle, etc.)
- Are we caching frequently requested non-sensitive data? (in-memory or any external caching mechanism) Are we keeping caches up to date?
Data
Storage and Operations
- Data Storage - Where is data stored? Are there redundancies in place? How securely is data stored? How quickly can it be restored from a given location? Is data encrypted?
- Data Retention/Warehousing - What are the upper bounds of the data storage? Can data storage scale with current demand? Does it need to be cleaned up/archived? Are we able to provide historical data and perform analytics?
- Cataloging - Is data sanitised before it is inserted? Do we generate metadata on each entry?
- Are we following the necessary data compliance? (ISO 27001, ISO 9001, IEC, cyber security standards, SOC, etc.)
- Are there any data pipelines at play? How is data ingested?
- Schema - Are we able to determine one source of truth?
Analytics
- Do we perform analytics on existing data? Are we able to monitor data inflow and outflow?
- Are we able to apply Data Science? Is there a need to? (Machine Learning and Advanced Analytics)
- Are there any 3rd-party reporting tools that have access to our data, and are we exposing any sensitive data? (Tableau, Power BI)