Introducing a Quality Model for MVC Applications

Your integration, functional and non-functional testing gives you a good idea of whether your code will work in Production. But how do you go about measuring the quality of code that already seems to work? How do you make that measurement repeatable? How do you share it with clients in government, finance or other large enterprises who are looking for a 3-5 year shelf-life from your code? In this talk, Stuart will introduce you to SQuaRE, the international standard collection for software quality. He'll give you a tour of all of the available and upcoming standards in this area, before taking a deep dive into the Product Quality Model from ISO/IEC 25010:2011. He'll explain what a quality measurement is, how you link measurements to your project's quality criteria, and how you incorporate them into code reviews, QA teams and management decisions. You'll leave this talk ready to start measuring and improving the quality of your product or service, with the tools you need to not only maintain quality but also to keep increasing it over time, even when faced with staff turnover.

Talk presented at #PHPNW15 in October, 2015.

Stuart Herbert

October 03, 2015

Transcript

  1. A presentation by @stuherbert for @GanbaroDigital: Introducing A Quality Model For MVC Applications
  2. Today’s Talk
  3. 1. Quality Metrics
  4. 2. Quality Models
  5. 3. Measuring Quality
  6. You’ll leave this talk with a clear understanding of using a quality model and how to start building one for your MVC apps.
  7. How do you currently measure quality?
  8. You probably rely on quality metrics.
  9. Quality Metrics: • Code coverage • Pass / Fail Unit Tests • Pass / Fail Acceptance Tests • Open bug reports • Cyclomatic Complexity • CRAP • High / low coupling • Number of responsibilities • … and so on
  10. Utilities for metrics: phpqatools.org
  11. What do quality metrics describe?
  12. A quality metric is an absolute count of one property of the source code.
  13. What is a ‘good’ value for a quality metric?
  14. The same quality metric cannot consistently be interpreted by different teams.
  15. The same quality metric cannot consistently be interpreted by different people on the same team.
  16. How do these different metrics relate to each other?
  17. Quality metrics are completely unrelated to each other.
  18. Quality metrics cannot be compared against each other.
  19. Which quality metrics do you use in your code reviews?
  20. Why don’t you use all your quality metrics in your code review checklists?
  21. We measure quality to prevent things going wrong and to detect the things that have already gone wrong.
  22. The most cost-effective place to resolve a problem is as close to the cause as possible.
  23. The earlier that you can detect problems, the cheaper it is to resolve them.
  24. What if we could measure quality the same way across all code, all teams?
  25. What would that look like?
  26. [image-only slide]
  27. [Figure: the quality measurements QM-1.1 to QM-1.7, QM-2.1 to QM-2.16 and QM-3.1 shown as separate, unrelated values]
  28. [Bar chart, 0% to 100%: one bar for each quality measurement QM-1.1 to QM-1.7, QM-2.1 to QM-2.16 and QM-3.1]
  29. Quality metrics are useful, but you can’t plot a single graph with them.
  30. Introducing SQuaRE
  31. SQuaRE = Software product Quality Requirements and Evaluation = ISO 25000 standards series
  32. Why ISO 25000?
  33. Most informal approaches to quality focus only on what is wrong.
  34. Most formal quality assessment frameworks measure the team, not the product.
  35. SQuaRE divisions: • Quality Management Division (2500n) • Quality Model Division (2501n) • Quality Measurement Division (2502n) • Quality Requirements Division (2503n) • Quality Evaluation Division (2504n)
  36. ISO 25010:2011 Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE) - Systems and software quality models
  37. Two Quality Models • Quality In Use Model • Product Quality Model
  38. Two Quality Models • Quality In Use Model • Product Quality Model
  39. Quality In Use Model measures what it is like to live with the code that has shipped.
  40. Product Quality Model measures the quality of the code that you want to ship.
  41. Other models (e.g. data quality) are covered elsewhere in ISO 25000.
  42. What does the Product Quality Model look like?
  43. Eight Main Categories: • Functional suitability • Performance efficiency • Compatibility • Usability • Reliability • Security • Maintainability • Portability
  44. Functional Suitability • Functional completeness • Functional correctness • Functional appropriateness
  45. Performance Efficiency • Time behaviour • Resource utilisation • Capacity
  46. Compatibility • Co-existence • Interoperability
  47. Usability • Appropriateness recognisability • Learnability • Operability • User error protection • User interface aesthetics • Accessibility
  48. Reliability • Maturity • Availability • Fault tolerance • Recoverability
  49. Security • Confidentiality • Integrity • Non-repudiation • Accountability • Authenticity
  50. Maintainability • Modularity • Reusability • Analysability • Modifiability • Testability
  51. Portability • Adaptability • Installability • Replaceability
  52. We can apply the Product Quality Model to MVC apps.
  53. How? We define quality measurements.
  54. What is a quality measurement?
  55. It is a mathematical function: X = A / B or X = 1 - ( A / B )
  56. X = A / B, where A is the number of times that a quality criterion is satisfied and B is the total number of opportunities to satisfy that quality criterion.
  57. For example: A is the number of times that output is correctly escaped. B is the total number of times that output needs escaping.
  58. If we correctly escape output 25 times out of 30, X = 25 / 30 = 0.83
  59. If we correctly escape output 87 times out of 1237, X = 87 / 1237 = 0.07
  60. These measurements are comparable. We can compare 0.83 to 0.07.
  61. X = 1 - ( A / B ), where A is the number of times that a quality criterion is not satisfied and B is the total number of opportunities to satisfy that quality criterion.
  62. For example: A is the number of application routes where a GET modifies the database. B is the total number of routes in the application that accept GETs.
  63. If we modify the database during a GET request in 5 routes out of 400, X = 1 - ( 5 / 400 ) = 0.98
  64. If we modify the database during a GET request in 39 routes out of 258, X = 1 - ( 39 / 258 ) = 0.84
  65. These measurements are comparable. We can compare 0.98 to 0.84.
  66. Quality measurements: X = A / B or X = 1 - ( A / B )
  67. Use X = A / B when you want people to do A as much as possible.
  68. Use X = 1 - ( A / B ) when you want people to do A as little as possible.
  69. When we measure quality, a quality criterion is either satisfied (a pass) or not (a fail).
  70. Every quality measurement has a value between 0 and 1. 0 is the worst score possible. 1 is the best score possible.
  71. One quality measurement function measures one quality criterion.
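The two measurement functions from slides 55 to 71, written out as an added example (this is not code from the talk or from Ganbaro Digital; the `QualityMeasurement` class, `as_on_slides` and the other names are my own). It reproduces the four worked numbers from slides 58, 59, 63 and 64, and shows one thing the slides only imply: when you start from per-opportunity pass/fail results, both forms give passes / total, so the choice between them is about what you ask reviewers to count. Python is used because the measurement tooling does not need to be in the application's language.

```python
"""Quality measurement functions: X = A / B and X = 1 - (A / B).

Added example, not code from the talk. Names are my own.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class QualityMeasurement:
    """One measurement function measures exactly one quality criterion."""

    name: str
    criterion: str
    maximise: bool  # True -> X = A / B ; False -> X = 1 - (A / B)

    def score(self, a: int, b: int) -> Optional[float]:
        """Return X in [0, 1], or None when there were no opportunities.

        a: times the criterion was satisfied (maximise=True) or was NOT
           satisfied (maximise=False); b: total opportunities.
        Returning None for b == 0 is my assumption: the slides only define
        X for a non-zero number of opportunities.
        """
        if a < 0 or b < 0 or a > b:
            raise ValueError(f"{self.name}: need 0 <= A <= B, got A={a}, B={b}")
        if b == 0:
            return None
        ratio = a / b
        return ratio if self.maximise else 1.0 - ratio

    def score_from_results(self, results: Sequence[bool]) -> Optional[float]:
        """Score from per-opportunity pass/fail results (slide 69).

        A maximise measurement counts the passes as A; a minimise
        measurement counts the fails as A. Either way X = passes / total,
        so the two forms differ in what you count, not in the value of X.
        """
        passes = sum(1 for r in results if r)
        a = passes if self.maximise else len(results) - passes
        return self.score(a, len(results))


def as_on_slides(x: float) -> float:
    """The slides quote scores to two decimals by truncating (1 - 5/400 =
    0.9875 is shown as 0.98), so truncate rather than round."""
    return math.floor(x * 100) / 100


# The two measurements the slides work through.
OUTPUT_ESCAPING = QualityMeasurement(
    name="Output escaping",
    criterion="Escape output correctly",
    maximise=True,   # A = outputs correctly escaped, B = outputs needing escaping
)
GET_MODIFIES_DB = QualityMeasurement(
    name="GET modifies database",
    criterion="Do not modify database on GETs",
    maximise=False,  # A = GET routes that write to the DB, B = GET routes
)


def slide_examples() -> dict:
    """Reproduce the four worked numbers from the talk."""
    return {
        "escape 25 of 30": as_on_slides(OUTPUT_ESCAPING.score(25, 30)),
        "escape 87 of 1237": as_on_slides(OUTPUT_ESCAPING.score(87, 1237)),
        "GET writes 5 of 400": as_on_slides(GET_MODIFIES_DB.score(5, 400)),
        "GET writes 39 of 258": as_on_slides(GET_MODIFIES_DB.score(39, 258)),
    }


if __name__ == "__main__":
    for label, x in slide_examples().items():
        print(f"{label}: X = {x:.2f}")
```

The `a > b` check matters in practice: a reviewer who counts the escapes in one template and the escaping opportunities in another will produce an X above 1, which the model says is impossible, so the function refuses rather than reporting a meaningless score.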

  72. ISO is working on some draft quality measurements. They’re not ready. They’re not specific enough.
  73. We have to define our own.
  74. Step 1: Define your quality criteria.
  75. Start by covering the basics. Cover what is important to you.
  76. 3 Levels Of Importance • Essential - must not ship • Major - should not merge • Minor - housekeeping
  77. Examples: Security • Validate route parameters • Validate query string parameters • Validate form data • Check CSRF token • Escape output correctly
  78. 3 Levels Of Importance • Essential - must not ship • Major - should not merge • Minor - housekeeping
  79. Examples: HTTP • Do not modify database on GETs • Return HTTP 422 when request validation fails • Return HTTP 500 when an unexpected exception occurs
  80. 3 Levels Of Importance • Essential - must not ship • Major - should not merge • Minor - housekeeping
  81. Examples: Code Health • Follow SOLID • Follow DRY • Remove all unused code
  82. Step 2: Define one or more quality measurement functions for each of your quality criteria.
  83. Route Parameter Verification • X = A / B, where • A = number of route parameters that are verified, and • B = total number of route parameters defined
  84. CSRF Token Publishing • X = A / B, where • A = number of HTML forms that publish a CSRF token • B = total number of HTML forms
  85. CSRF Token Verification • X = A / B, where • A = number of routes that validate the CSRF token of an HTML form • B = total number of routes that accept an HTML form as input
  86. Verification Failure Notification • X = A / B, where • A = number of routes that return HTTP 422 when request verification fails • B = total number of routes that accept any form of input
  87. Class Substitution • X = A / B, where • A = number of methods that accept an interface as the input type • B = total number of methods that accept objects as input
  88. … you get the idea.
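Steps 1 and 2 (slides 74 to 88) applied to a route inventory, as an added example that is not code from the talk or from Ganbaro Digital. The `Route` record, the `Criterion` definitions and the `gate` function are my own; the inventory is constructed for the example, where in a real project it would be produced from the framework's route table plus code review or static analysis. The importance levels attached to each criterion, and the rule that an Essential criterion below 1.0 blocks shipping while a Major one blocks merging, are my reading of slides 76 to 80, not assignments the talk makes.

```python
"""Measuring security and HTTP quality criteria over a route inventory.

Added example, not code from the talk. Names and importance assignments
are my own; the inventory below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Sequence


class Importance(Enum):
    ESSENTIAL = "Essential"  # must not ship
    MAJOR = "Major"          # should not merge
    MINOR = "Minor"          # housekeeping


@dataclass(frozen=True)
class Route:
    path: str
    method: str                       # "GET" or "POST"
    params: tuple                     # route parameters declared in the path
    verified_params: tuple            # those that are validated before use
    accepts_form: bool                # takes an HTML form as input
    validates_csrf: bool              # checks the form's CSRF token
    returns_422_on_invalid: bool      # HTTP 422 when request verification fails
    writes_database: bool             # handler modifies the database

    def accepts_input(self) -> bool:
        return bool(self.params) or self.accepts_form


Counter = Callable[[Sequence[Route]], int]


@dataclass(frozen=True)
class Criterion:
    name: str
    importance: Importance
    maximise: bool   # True: X = A / B, False: X = 1 - (A / B)
    count_a: Counter
    count_b: Counter

    def score(self, routes: Sequence[Route]) -> Optional[float]:
        a, b = self.count_a(routes), self.count_b(routes)
        if b == 0:
            return None  # no opportunities: not applicable (my assumption)
        return a / b if self.maximise else 1.0 - a / b


CRITERIA = (
    Criterion("Route Parameter Verification", Importance.ESSENTIAL, True,
              lambda rs: sum(len(r.verified_params) for r in rs),
              lambda rs: sum(len(r.params) for r in rs)),
    Criterion("CSRF Token Verification", Importance.ESSENTIAL, True,
              lambda rs: sum(1 for r in rs if r.accepts_form and r.validates_csrf),
              lambda rs: sum(1 for r in rs if r.accepts_form)),
    Criterion("Verification Failure Notification", Importance.MAJOR, True,
              lambda rs: sum(1 for r in rs if r.accepts_input() and r.returns_422_on_invalid),
              lambda rs: sum(1 for r in rs if r.accepts_input())),
    Criterion("Database Modified On GET", Importance.ESSENTIAL, False,
              lambda rs: sum(1 for r in rs if r.method == "GET" and r.writes_database),
              lambda rs: sum(1 for r in rs if r.method == "GET")),
)

# Constructed inventory for the example (not a real application).
ROUTES = (
    Route("/users/{id}", "GET", ("id",), ("id",), False, False, True, False),
    Route("/users/{id}/edit", "POST", ("id",), ("id",), True, True, True, True),
    Route("/posts/{slug}", "GET", ("slug",), (), False, False, False, False),
    Route("/posts/{slug}/delete", "GET", ("slug",), ("slug",), False, False, True, True),
    Route("/comments", "POST", (), (), True, False, False, True),
)


def measure(routes: Sequence[Route] = ROUTES) -> dict:
    """One score per criterion, each in [0, 1] or None."""
    return {c.name: c.score(routes) for c in CRITERIA}


def gate(routes: Sequence[Route] = ROUTES) -> dict:
    """Assumption: Essential below 1.0 blocks shipping, Major below 1.0
    blocks merging; Minor only feeds housekeeping."""
    failing = set()
    for c in CRITERIA:
        x = c.score(routes)
        if x is not None and x < 1.0:
            failing.add(c.importance)
    may_ship = Importance.ESSENTIAL not in failing
    return {"may_ship": may_ship,
            "may_merge": may_ship and Importance.MAJOR not in failing}


if __name__ == "__main__":
    for name, x in measure().items():
        print(f"{name}: {'n/a' if x is None else f'{x:.2f}'}")
    print(gate())
```

With the constructed inventory the report is 0.75, 0.50, 0.60 and 0.67 for the four criteria, and the gate refuses both shipping and merging; the scores also tell a reviewer exactly which rows to look at (the unverified `slug`, the form route without a CSRF check, the two routes without a 422 response, the `GET` that deletes), which is the point of measuring per criterion instead of counting open bugs.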

  89. Start small. Don’t go overboard.
  90. No-one writes perfect code. No-one can afford to pay for perfect code.
  91. Design quality measurements for the things that are cheaper to get right first time.
  92. Design quality measurements for the things that need to become habits.
  93. How do we use the quality model in code reviews?
  94. Your quality criteria are your code review checklist.
  95. Train your developers to use the quality criteria when designing and writing software.
  96. How do we use the quality model in QA teams?
  97. The quality model forms the basis of your test strategy.
  98. Update your quality criteria and quality measurement functions when QA discovers new kinds of defects.
  99. How do we use the quality model with management?
  100. [Bar chart, 0% to 100%: one bar for each quality measurement QM-1.1 to QM-1.7, QM-2.1 to QM-2.16 and QM-3.1]
  101. [Bar chart, 0% to 100%: one bar for each ISO 25010 sub-characteristic: Interoperability, Accountability, Authenticity, Analysability, Modifiability, Confidentiality, Modularity, Non-repudiation, Testability, Integrity, Fault Tolerance, Resource Utilisation]
  102. The quality measurements show where quality is good as well as where it needs improving.
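The management view on slides 100 to 102, as an added example that is not code from the talk or from Ganbaro Digital. The talk does not say how several QM-x.y measurements become one bar per ISO/IEC 25010 sub-characteristic; the mean used in `roll_up`, the mapping of measurement identifiers to sub-characteristics and the scores are my constructed assumptions. `render_chart` sorts best first so that a single report shows both the successes to celebrate and the faults to fix.

```python
"""Rolling quality measurements up to ISO/IEC 25010 sub-characteristics
and rendering the management bar chart as text.

Added example, not code from the talk. Mapping, scores and the mean
roll-up are my assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Mapping

# Assumed mapping: which sub-characteristic each measurement speaks to.
SUB_CHARACTERISTIC = {
    "QM-1.1": "Integrity",         # e.g. route parameter verification
    "QM-1.2": "Integrity",         # e.g. CSRF token verification
    "QM-1.3": "Confidentiality",   # e.g. output escaping
    "QM-2.1": "Testability",       # e.g. class substitution
    "QM-2.2": "Modularity",
    "QM-3.1": "Interoperability",  # e.g. HTTP 422 on verification failure
}

# Constructed scores; every quality measurement lies in [0, 1].
SCORES = {
    "QM-1.1": 0.75, "QM-1.2": 0.5, "QM-1.3": 0.83,
    "QM-2.1": 1.0, "QM-2.2": 0.4, "QM-3.1": 0.6,
}


def roll_up(scores: Mapping[str, float],
            mapping: Mapping[str, str] = SUB_CHARACTERISTIC) -> dict:
    """Mean of the measurements mapped to each sub-characteristic (assumption)."""
    buckets = defaultdict(list)
    for qm, x in scores.items():
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{qm}: score {x} outside [0, 1]")
        buckets[mapping[qm]].append(x)
    return {name: sum(xs) / len(xs) for name, xs in buckets.items()}


def _axis(width: int) -> str:
    """0% / 25% / 50% / 75% / 100% tick labels along a bar of `width` chars."""
    row = [" "] * (width + 5)
    for frac, label in ((0.0, "0%"), (0.25, "25%"), (0.5, "50%"),
                        (0.75, "75%"), (1.0, "100%")):
        pos = round(frac * width)
        row[pos:pos + len(label)] = list(label)
    return "".join(row).rstrip()


def render_chart(scores: Mapping[str, float], width: int = 40) -> list:
    """Text bar chart, best first: strengths at the top, gaps at the bottom."""
    label_w = max(len(name) for name in scores)
    lines = [" " * label_w + "  " + _axis(width)]
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    for name, x in ordered:
        filled = round(x * width)
        bar = "#" * filled + "." * (width - filled)
        lines.append(f"{name:<{label_w}} |{bar}| {round(x * 100):3d}%")
    return lines


if __name__ == "__main__":
    print("\n".join(render_chart(roll_up(SCORES))))
```

The range check in `roll_up` is deliberate: a measurement outside [0, 1] means someone counted A and B over different populations, and averaging it would quietly corrupt the whole bar.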
  103. Ignoring problems is just as unhealthy as only reporting problems.
  104. Celebrate your successes. Fix your faults.
  105. In post-mortems, link the root cause to the relevant quality measurements or to any missing ones.
  106. Identify gaps in your quality criteria and plug them.
  107. How do we cope when the team changes?
  108. Quality has already been defined. That’s what your written quality criteria are. You just need to train new people in your quality criteria.
  109. Talk about your quality criteria when interviewing. Make it part of your engineering culture.
  110. Stuart Herbert ~ @stuherbert Founder @GanbaroDigital