Authors: Michael Baierlein (DFN-LRZ), Bartosz Walter (PSNC), Stefan Kelm (DFN-CERT), Branko Marovic (UoB) and Marcin Wolski (PSNC)
Human intervention in well-functioning ecosystems can often trigger unintended and unwelcome side effects. Just as well-intentioned crossbreeding led to the creation of ‘killer bees’ in nature, the same principle can be observed in software engineering: a single malicious new line of code or one minor modification can destroy a smoothly running system.
Being well aware of this potential implication, a typical software development team spends a large amount of time and resources to address important questions such as, “Is my code easy to maintain and well-documented to allow easy and secure enhancements?”, or “How can I objectively check the quality of the code?”, or even “Is there a way to prove that my code is really secure and does not harm the entire system, or even infrastructure?”
The majority of these questions relate to software quality, software reliability and security. Software quality relies on several pillars: software testing, optimised cooperation within development teams and software reviews can all have a decisive impact on the quality of services built upon software systems.
GÉANT services that are developed for the European research and education community particularly need applications of the highest possible quality.
Dedicated software testing
To respond to this challenge, a dedicated Software Testing and Analysis team within the GN4-3 project’s Work Package on Operations Support (WP9) provides independent verification and validation tests at a system level to all GÉANT software projects.
In collaboration with the Software Management and Processes team, guidance and assistance is provided to the software project teams to organise their own Quality Assurance processes. The software verification process is supported by a combination of domain expertise and dedicated tools delivered through GÉANT’s internal infrastructure.
Chief among these is SonarQube, a web-based open-source platform used to measure and analyse several dimensions of the source code quality. It delivers comprehensive information about security, reliability and maintainability of software systems written in all mainstream programming languages.
SonarQube is complemented by WhiteSource, a tool that checks for known vulnerabilities, as well as verifying the open-source licences of dependent libraries. Thus, WhiteSource determines mutual compatibility and compliance with GÉANT’s policies. All these features reduce the risk of deploying broken, unsafe or untested code, particularly throughout the maintenance phase.
To support full collaboration with the software teams, the Software Testing and Analysis team offers services based on ITIL recommendations, with mutual expectations and commitments explicitly documented in a Client Document, which details the scope, schedule, KPIs and methods of communication between the review and the client team.
A range of service options
Within the broad range of potential software quality improvement measures, the Software Testing and Analysis team in WP9 is responsible for code quality reviews and security code reviews. The verification and validation are currently offered through four types of services, corresponding to the diverse needs of the client teams.
In its simplest form, the service consists of assistance in setting up SonarQube, configuring it for the project and interpreting the results. The foundation of this service is to hook up the development teams to GÉANT’s leading-edge Quality Assurance infrastructure as quickly as possible and let the teams work according to their own rules and at their own pace.
In many cases, the fully automated review needs to be supported by in-depth knowledge, experience and intuition. Subject-matter experts who are specialised in software maintainability and security will validate SonarQube’s findings or perform their own, independent review.
Such reviews are offered by three other types of WP9 review services. They differ in review methodology and analysis granularity, which also impacts the time and effort needed to complete the review. At the final step of the software review, the output of the automated SonarQube scan and the findings from the manual review are combined into an easy-to-understand report.
Apart from the results and their interpretation, the report also includes a list of recommendations on how to improve the quality of the code. For more details, please visit our Confluence site at Software Review Requests.
Positive results
The advantages of a dedicated testing team became apparent at the end of the GÉANT GN4-2 project, when it was agreed that code quality reviews performed by independent experts were more objective and that some issues could be detected more easily from an outside perspective using related services and tools. The Software Testing and Analysis team was therefore set up as a dedicated project unit.
By taking advantage of its review services, product owners can now be more confident about the quality of their products and that the services based on them will be more reliable. To date, a number of reviews of various types have been performed, helping teams to fulfill the requirements for passing the Product Lifecycle Management gates, as well as contributing to the quality of GÉANT’s services.
An increasing number of review requests, together with positive feedback from clients, suggests that the team’s approach is highly valued, and GÉANT’s continued delivery of independent, robust and high-quality services is clearly benefiting from a dedicated Software Testing and Analysis approach.