When talking about the software development lifecycle and the processes associated with it, many developers immediately think about the waterfall model. In this model, you first design an application, then write and test it, and finally move it to production. However, with today's agile methods, the development process is different and contains frequent repetition of design, coding and testing (but not necessarily in this order).
To write software professionally, one needs a process. Whether this process is an ad-hoc one or a more formal one, a process is still in place. But creating maintainable code that still works years after the initial version requires both a good process and a sound design.
Although there is no miracle cure to solve all software development problems, one can get far by using the right tools and processes that have already been thought out. Microsoft has also noticed this, and in 2005 delivered a product suite called Visual Studio Team System (VSTS). The product helped software development companies focus on what they know best: development.
Fast forward to today, and you will find that VSTS has become Visual Studio 2010 with a server-based product called Team Foundation Server (TFS). This server application is at the core of Microsoft's application lifecycle management (ALM) strategy, and thus worth knowing. TFS matters to .NET developers and native C++ developers alike. In addition to developers, the product offers many things for testers, graphical designers, architects, project managers, and even customers. TFS can be thought of as a multi-role product.
What is TFS, Anyway?
Team Foundation Server (TFS) is a server product from Microsoft that allows a development team, among other things, to communicate, share information, file bugs, manage requirements, collect timesheets, and work with source code versions.
Specifically, TFS implements robust version control as the core functionality of the server and builds a multitude of functions on top of it. In the basic architecture, a TFS server works along with an SQL Server database (a central store for information) and with one or more client applications. The most notable client application is Microsoft's own Visual Studio development tool, but plug-ins have been written for other development environments as well, including Eclipse. Also, Microsoft's own Expression Blend has built-in integration with TFS. Figure 1 shows the TFS architecture at a high level.
Figure 1. The high-level architecture of Team Foundation Server.
The TFS server communicates with the outside world using web services over the HTTP protocol. This means that the solution is not limited to a certain geographic location or a single office. Provided that network connections are available, developers and other people in the team can connect to the server no matter where they are.
In addition to advanced version control (much more robust than Visual SourceSafe ever was), TFS offers integration with other Microsoft products to help, for instance, in document sharing, team collaboration and reporting. For example, TFS can be integrated with SharePoint and Microsoft Project. It uses SQL Server Reporting Services (SSRS) internally to create reports.
Since TFS is a server product, it does not have an end-user user interface. Instead, all the functions that TFS offers are to be used through a client application, Visual Studio being the premium client at this writing. Using the Team Explorer window (Figure 2) in Visual Studio, a developer (or any other team member) can see how the current projects are going, how many bugs are still open, or how many hours of work are still required to get to the next milestone.
Figure 2. The Team Explorer window is the main integration window for working with TFS.
In addition to the Visual Studio integration, TFS can also be accessed through a web-based interface (Figure 3). Previously, this was a separate product, but today, it is automatically installed and enabled when you install TFS version 2010. With the web interface, you can do many of the same things you could with the integrated Team Explorer client inside Microsoft Visual Studio.
Figure 3. Team Foundation Server Web Access provides an easy way to get an insight into a team project.
TFS and Team Work
If version control were everything that TFS offered, then there would not be much to distinguish it from other good version control solutions. However, TFS is much more than just version control, and one of the areas where TFS shows its power is team collaboration. One of the most important ways TFS helps a team reach its goal is by letting everyone in the team know the current status of the project. This is done through what are called work items, which can be considered electronic forms of different types. Common work item types are requirements, bugs, tasks and user stories (Figure 4).
Figure 4. Work items provide key functionality within TFS.
By filling in these electronic forms properly, everyone in the team can get a list of active bugs, or query all the tasks assigned to them. For the whole team, TFS can estimate the remaining work based on the information in the work items. Work items can be queried through the Team Explorer window, which contains standard queries for bugs and tasks, and also for work assigned to an individual team member.
By default, work items are filled in directly inside Visual Studio or the TFS web interface. Sometimes, however, it would be much more convenient to manage work items using Excel. Luckily, TFS contains a ready-made Excel integration that allows you to download work items into an Excel sheet, edit them, and upload them back to the server. This works through a handy add-in that can be installed in Excel 2007 and 2010 (Figure 5). There is also integration with Microsoft Project.
Figure 5. Working with dozens of work items is easy with the Excel add-in.