Introducing a Quality Model for MVC Applications

Transcript

1. A presentation by @stuherbert
 for @GanbaroDigital A Quality Model For

   MVC Applications Introducing

2. @GanbaroDigital Today’s Talk

3. @GanbaroDigital 1. Quality Metrics

4. @GanbaroDigital 2. Quality Models

5. @GanbaroDigital 3. Measuring Quality

6. @GanbaroDigital You’ll leave this talk with a clear understanding of

   using a quality model and how to start building one for your MVC apps.

7. @GanbaroDigital How do you currently measure quality?

8. @GanbaroDigital You probably rely on quality metrics.

9. @GanbaroDigital • Code coverage • Pass / Fail Unit Tests

   • Pass / Fail Acceptance Tests • Open bug reports • Cyclomatic Complexity • CRAP • High / low coupling • Number of responsibilities • … and so on Quality Metrics

10. @GanbaroDigital Utilities for metrics: phpqatools.org

11. @GanbaroDigital What do quality metrics describe?

12. @GanbaroDigital A quality metric is an absolute count of one

    property of the source code.

13. @GanbaroDigital What is a ‘good’ value for a quality metric?

14. @GanbaroDigital The same quality metric cannot consistently be interpreted by

    different teams.

15. @GanbaroDigital The same quality metric cannot consistently be interpreted by

    different people on the same team.

16. @GanbaroDigital How do these different metrics relate to each other?

17. @GanbaroDigital Quality metrics are completely unrelated to each other.

18. @GanbaroDigital Quality metrics cannot be compared against each other.

19. @GanbaroDigital Which quality metrics do you use in your code

    reviews?

20. @GanbaroDigital Why don’t you use all your quality metrics in

    your code review checklists?

21. @GanbaroDigital We measure quality to prevent things going wrong and

    to detect the things that have already gone wrong.

22. @GanbaroDigital The most cost-effective place to resolve a problem is

    as close to the cause as possible.

23. @GanbaroDigital The earlier that you can detect problems the cheaper

    it is to resolve them.

24. @GanbaroDigital What if we could measure quality the same way

    across all code, all teams?

25. @GanbaroDigital What would that look like?

26. @GanbaroDigital

27. @GanbaroDigital QM-1.1 QM-1.2 QM-1.3 QM-1.4 QM-1.5 QM-2.5 QM-2.12 QM-2.6 QM-2.1

    QM-3.1 QM-2.11 QM-2.16 QM-2.4 QM-1.7 QM-2.15 QM-2.7 QM-2.13 QM-2.10 QM-2.9 QM-1.6 QM-2.8 QM-2.2 QM-2.14 QM-2.3

28. @GanbaroDigital 0% 25% 50% 75% 100% QM-1.1 QM-1.2 QM-1.3 QM-1.4

    QM-1.5 QM-2.5 QM-2.12 QM-2.6 QM-2.1 QM-3.1 QM-2.11 QM-2.16 QM-2.4 QM-1.7 QM-2.15 QM-2.7 QM-2.13 QM-2.10 QM-2.9 QM-1.6 QM-2.8 QM-2.2 QM-2.14 QM-2.3

29. @GanbaroDigital Quality metrics are useful but you can’t plot a

    single graph with them.

30. @GanbaroDigital SQuaRE Introducing

31. @GanbaroDigital SQuaRE = Software product Quality Requirements and Evaluation =

    ISO 25000 standards series

32. @GanbaroDigital Why ISO 25000?

33. @GanbaroDigital Most informal approaches to quality focus only on what

    is wrong.

34. @GanbaroDigital Most formal quality assessment frameworks measure the team not

    the product.

35. @GanbaroDigital Quality Model Division 2501n Quality Management Division 2500n Quality

    Requirements Division 2503n Quality Measurement Division 2502n Quality
 Evaluation Division 2504n

36. @GanbaroDigital ISO 25010:2011 Systems and software engineering - Systems and

    software Quality Requirements and Evaluation (SQuaRE) - Systems and software quality models

37. @GanbaroDigital Two Quality Models • Quality In Use Model •

    Product Quality Model

38. @GanbaroDigital Two Quality Models • Quality In Use Model •

    Product Quality Model

39. @GanbaroDigital Quality In Use Model measures what it is like

    to live with the code that has shipped.

40. @GanbaroDigital Product Quality Model measures the quality of the code

    that you want to ship.

41. @GanbaroDigital Other models (e.g. data quality) are covered elsewhere in

    ISO 25000

42. @GanbaroDigital What does the Product Quality Model look like?

43. @GanbaroDigital • Functional suitability • Performance efficiency • Compatibility •

    Usability • Reliability • Security • Maintainability • Portability Eight Main Categories

44. @GanbaroDigital Functional Suitability • Functional completeness • Functional correctness •

    Functional appropriateness

45. @GanbaroDigital Performance Efficiency • Time behaviour • Resource utilisation •

    Capacity

46. @GanbaroDigital Compatibility • Co-existence • Interoperability

47. @GanbaroDigital Usability • Appropriateness recognisability • Learnability • Operability •

    User error protection • User interface aesthetics • Accessibility

48. @GanbaroDigital Reliability • Maturity • Availability • Fault tolerance •

    Recoverability

49. @GanbaroDigital Security • Confidentiality • Integrity • Non-repudiation • Accountability

    • Authenticity

50. @GanbaroDigital Maintainability • Modularity • Reusability • Analysability • Modifiability

    • Testability

51. @GanbaroDigital Portability • Adaptability • Installability • Replaceability

52. @GanbaroDigital We can apply the Product Quality Model to MVC

    apps.

53. @GanbaroDigital How? We define quality measurements.

54. @GanbaroDigital What is a quality measurement?

55. @GanbaroDigital It is a mathematical function: X = A /

    B or X = 1 - ( A / B )

56. @GanbaroDigital X = A / B where A is the

    number of times that a quality criteria is satisfied B is the total number of opportunities to satisfy that quality criteria

57. @GanbaroDigital For example: A is the number of times that

    output is correctly escaped. B is the total number of times that output needs escaping.

58. @GanbaroDigital If we correctly escape output 25 times out of

    30 X = 25 / 30 = 0.83

59. @GanbaroDigital If we correctly escape output 87 times out of

    1237 X = 87 / 1237 = 0.07

60. @GanbaroDigital These measurements are comparable. We can compare 0.83 to

    0.07.

61. @GanbaroDigital X = 1 - ( A / B )

    where A is the number of times that a quality criteria is not satisfied B is the total number of opportunities to satisfy that quality criteria

62. @GanbaroDigital For example: A is the number of application routes

    where a GET modifies the database B is the total number of routes in the application that accept GETs

63. @GanbaroDigital If we modify the database during a GET request

    in 5 routes out of 400 X = 1 - ( 5 / 400 ) = 0.98

64. @GanbaroDigital If we modify the database during a GET request

    in 39 routes out of 258 X = 1 - ( 39 / 258 ) = 0.84

65. @GanbaroDigital These measurements are comparable. We can compare 0.98 to

    0.84.

66. @GanbaroDigital Quality measurements: X = A / B or X

    = 1 - ( A / B )

67. @GanbaroDigital Use X = A / B when you want

    people to do A as much as possible

68. @GanbaroDigital Use X = 1 - ( A / B

    ) when you want people to do A as little as possible

69. @GanbaroDigital When we measure quality, a quality criteria is either:

    satisfied (a pass) or not (a fail).

70. @GanbaroDigital Every quality measurement has a value between 0 and

    1. 0 is the worst score possible. 1 is the best score possible.

71. @GanbaroDigital One quality measurement function measures one quality criteria.

72. @GanbaroDigital ISO is working on some draft quality measurements. They’re

    not ready. They’re not specific enough.

73. @GanbaroDigital We have to define our own.

74. @GanbaroDigital Step 1: Define your quality criteria.

75. @GanbaroDigital Start by covering the basics. Cover what is important

    to you.

76. @GanbaroDigital 3 Levels Of Importance • Essential - must not

    ship • Major - should not merge • Minor - housekeeping

77. @GanbaroDigital Examples: Security • Validate route parameters • Validate query

    string parameters • Validate form data • Check CSRF token • Escape output correctly

78. @GanbaroDigital 3 Levels Of Importance • Essential - must not

    ship • Major - should not merge • Minor - housekeeping

79. @GanbaroDigital Examples: HTTP • Do not modify database on GETs

    • Return HTTP 422 when request validation fails • Return HTTP 500 when an unexpected exception occurs

80. @GanbaroDigital 3 Levels Of Importance • Essential - must not

    ship • Major - should not ship • Minor - housekeeping

81. @GanbaroDigital Examples: Code Health • Follow SOLID • Follow DRY

    • Remove all unused code

82. @GanbaroDigital Step 2: Define one or more quality measurement function

    for each of your quality criteria.

83. @GanbaroDigital Route Parameter Verification • X = A / B,

    where • A = number of route parameters that are verified, and • B = total number of route parameters defined

84. @GanbaroDigital CSRF Token Publishing • X = A / B,

    where • A = number of HTML forms that publish a CSRF token • B = total number of HTML forms

85. @GanbaroDigital CSRF Token Verification • X = A / B,

    where • A = number of routes that validate the CSRF token of a HTML form • B = total number of routes that accept a HTML form as input

86. @GanbaroDigital Verification Failure Notification • X = A / B,

    where • A = number of routes that return HTTP 422 when request verification fails • B = total number of routes that accept any form of input

87. @GanbaroDigital Class Substitution • X = A / B, where

    • A = number of methods that accept an interface as the input type • B = total number of methods that accept objects as input

88. @GanbaroDigital … you get the idea.

89. @GanbaroDigital Start small. Don’t go overboard.

90. @GanbaroDigital No-one writes perfect code. No-one can afford to pay

    for perfect code.

91. @GanbaroDigital Design quality measurements for the things that are cheaper

    to get right first time.

92. @GanbaroDigital Design quality measurements for the things that need to

    become habits.

93. @GanbaroDigital How do we use the quality model in code

    reviews?

94. @GanbaroDigital Your quality criteria are your code review checklist.

95. @GanbaroDigital Train your developers to use the quality criteria when

    designing and writing software.

96. @GanbaroDigital How do we use the quality model in QA

    teams?

97. @GanbaroDigital The quality model forms the basis of your test

    strategy.

98. @GanbaroDigital Update your quality criteria and quality measurement functions when

    QA discovers new kinds of defects.

99. @GanbaroDigital How do we use the quality model with management?

100. @GanbaroDigital 0% 25% 50% 75% 100% QM-1.1 QM-1.2 QM-1.3 QM-1.4

     QM-1.5 QM-2.5 QM-2.12 QM-2.6 QM-2.1 QM-3.1 QM-2.11 QM-2.16 QM-2.4 QM-1.7 QM-2.15 QM-2.7 QM-2.13 QM-2.10 QM-2.9 QM-1.6 QM-2.8 QM-2.2 QM-2.14 QM-2.3

101. @GanbaroDigital 0% 25% 50% 75% 100% Interoperability Accountability Authenticity Analysability

     Modifiability Confidentiality Modularity Non-repudiation Testability Integrity Fault Tolerance Resource Utilisation

102. @GanbaroDigital The quality measurements show where quality is good as

     well as where it needs improving.

103. @GanbaroDigital Ignoring problems is just as unhealthy as only reporting

     problems.

104. @GanbaroDigital Celebrate your successes. Fix your faults.

105. @GanbaroDigital In post-mortems, link the root cause to the relevant

     quality measurements or to any missing ones.

106. @GanbaroDigital Identify gaps in your quality criteria and plug them.

107. @GanbaroDigital How do we deal when the team changes?

108. @GanbaroDigital Quality has already been defined. That’s what your written

     quality criteria are. You just need to train new people in your quality criteria.

109. @GanbaroDigital Talk about your quality criteria when interviewing. Make it

     part of your engineering culture.

110. Stuart Herbert ~ @stuherbert Founder @GanbaroDigital