Monday, October 29, 2018

Tips for passing the PSD exam

Looking for help regarding the Scrum.org PSD exam? Take a look at these tips.
Not sure if you are aware, but I'm a Certified Scrum Master. Back in 2014 I wanted to work as a Scrum Master, but it turns out I love working with development, so I never exercised that role. Lately, however, I've been working on a project and realized that, as a developer, I wanted to help my company improve their Scrum. This time, instead of pursuing the PSM II, I decided to go for the Professional Scrum Developer certification.

The Professional Scrum Developer certification

But what is the Professional Scrum Developer certification (PSD)? According to Scrum.org:
Professional Scrum Developers are members of the Scrum Development Team and demonstrate knowledge and understanding of Scrum and their ability to build software using Scrum in real-world situations.  The value of certification is intimately tied to the demonstration of knowledge needed to achieve it. By that measure, the PSD assessment is significantly more valuable than available alternatives for Scrum.

Why you should consider the PSD exam

I think every developer who works, or wants to work, in an agile team should try to get this certificate. Why? Because most teams think they do Scrum right. My experience (as a contractor and employee) is that it's rare to find a team that does Scrum the right way and a company that respects and understands the Scrum framework.

And on the flip side, the certificate shows recruiters and co-workers that the developer has studied, understands and knows the foundations of the Scrum framework, validated by Scrum.org, which is managed by Ken Schwaber, one of the fathers of the Scrum framework.

What to Study

First, understand the Scrum Guide. This is the most important resource in Scrum. It may seem simple, but you'll see how much each word in there makes sense (and makes a difference). Remember, Scrum is difficult to master. Second, especially for developers, study topics related to agile practices, Extreme Programming and how they apply to Scrum. It's amazing how many concepts were imported into Scrum from XP, for example, and most people have no idea that they aren't required.

My suggestions are:
  • How to use scrum in a development project
  • Working within a Scrum Team
  • Why and how a Definition of Done is important
  • General development practices
  • Agile architecture practices to slice features
  • Test driven development
  • Agile requirement management practices
  • DevOps tools in Scrum
  • TDD, BDD, ATDD, CI, CD, Code Quality

Tips for passing the exam

Okay so let's take a look at some tips to pass the exam.

Tip 1: Read and understand well the Scrum Guide

The Scrum Guide is the most important document in the Scrum framework. You should read it multiple times, carefully reflecting on each word. Understand the Scrum Guide and the Scrum foundations well, including the associated roles, events, artifacts, and rules. I suggest reading it 3 or 4 times before doing any assessment.

Tip 2: Practice with the Open Assessments

You should make exhaustive use of the Open Assessments. Basically, they are a subset of the questions that you may encounter in the exam. I suggest that you only move to the next step once you consistently get 100% on all of them for at least 3 days.

Suggestion: after studying the Scrum Guide, do a couple of assessments. Validate each of your answers against the assessment answer, and be sure to go back to the Scrum Guide and understand the reason for it.

Tip 3: Explore related content

Once you have understood the concepts and the Scrum Guide well, it's time to search for related resources on the web. A good starting point is the Scrum.org web site:
Also try to find exercise questions and work through them. My approach was, before seeing the answer, to answer the question in my mind and only then look at the response. It helped me memorize and understand better. However, don't trust all the answers that you see online. Be critical and reflect on whether the answer that you see (apart from those in the Open Assessments) is correct. I saw multiple errors around. Be critical!

Tip 4: Study developer-specific content

Apart from Scrum foundations, developers will find lots of technical questions. For developers, you can find a lot of relevant information on this page. The recommended bibliography is:

Tip 5: Exam Time

Okay, so you prepared well, understood the whole Scrum Guide and know the foundations behind the development-related questions you saw. How to deal with exam time?
  • Review a couple questions in the morning just so that information is reloaded in your mind
  • Take a few hours and go do something completely unrelated to the exam. Relax
  • Grab a coffee and start the exam.
  • Pay attention to the remaining time, but don't be concerned. You have 60 minutes to answer 80 questions, which is more than enough as the questions are usually short
  • Don't waste too much time on each question. When in doubt, bookmark it and move to the next
  • Use the bookmark feature: it is good for marking the questions you're not sure about so you can come back to them later
  • Remember: keep calm

Final Thoughts

Even if you don't consider taking the exam, just studying the Scrum Guide and doing the online assessments is a big step. It's common to see teams violating some of the foundations of the Scrum framework. The result is usually unsatisfied team members, lack of visibility and dysfunctional projects. Knowing that, why not reserve some time to review how your understanding of Scrum is doing?

See Also

For more posts about Agile on this blog, please click here.

Monday, October 22, 2018

Integrated security vulnerability alerts on GitHub - Why it matters

How could GitHub's integrated security vulnerability alerts help developers using the platform?
Last week, during GitHub Universe 2018, GitHub announced support for security vulnerability alerts for the Java and .NET platforms. It's a significant contribution for the .NET and Java communities on GitHub because it simplifies, clarifies and alerts organizations and project owners about vulnerabilities in the dependencies used in their code base.

Sounds complicated? Let's review what the announcement says:
With security vulnerability alerts, organization owners and repository admins receive a notification when any of their projects has a dependency with a known vulnerability.

How it works

By tracking public vulnerabilities in packages from supported languages on MITRE's Common Vulnerabilities and Exposures (CVE) List, GitHub notifies repo owners and alerts them of the risk. By default, security alerts are sent to owners and people with admin access in the affected repositories.

Apart from the alerts, you should also see something like the below on your dashboard, under the Insights tab, Alerts navigation menu of your GitHub repository:

GitHub now alerts about public vulnerabilities on your project

Apart from the above, other nice additions were added:
  • You will get weekly emails summarizing security alerts for up to 10 of your repositories
  • Most of that is configurable within GitHub
  • Works for both public and private repos
  • More importantly, GitHub never publicly discloses identified vulnerabilities for any repository.

Fixing the vulnerability

But knowing of potential vulnerabilities is just the first step. The next step is to address the issue and update the packages. Since .NET users usually update their packages using the NuGet package manager, with packages located on NuGet.org, let's look at a concrete example: how to fix a recent vulnerability in Microsoft.Data.OData.

Microsoft.Data.OData is a very popular package. With 33+ million downloads, it's used by multiple 3rd-party packages, and you're probably using it in your projects too. Here's what I see on NuGet.org:

According to GitHub, CVE-2018-8269 was opened just last month and affects every version < 5.8.4. Here's what the issue says:
A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.

So let's update the dependency and patch the vulnerability.

Updating Microsoft.Data.OData

As you know, a package can be updated in multiple ways: from Visual Studio, or from the command line with:

Using the Package Manager:
Install-Package Microsoft.Data.OData -Version 5.8.4

Using the .NET CLI:
dotnet add package Microsoft.Data.OData --version 5.8.4

Once you've done that, rebuilt, and redeployed, you're protected from CVE-2018-8269 at least =) .
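To check that a project really references a fixed version after the update, and to show the kind of manifest scanning the post says is hard to do by hand, here is a small Python checker. This is an added example, not code from the post, GitHub or NuGet. It parses the two places a .NET project declares its NuGet dependencies (PackageReference entries in a .csproj, or a classic packages.config), compares each version against a hand-entered advisory table, and reports anything below the fixed version. The advisory table contains only the one range the post quotes (CVE-2018-8269, every version < 5.8.4); the two project files are constructed sample inputs, and the package versions in them are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real project):
# an SDK-style .csproj that still references an affected version ...
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
    <PackageReference Include="Microsoft.Data.OData" Version="5.8.2" />
  </ItemGroup>
</Project>
"""

# ... and a classic packages.config that has already been updated to 5.8.4.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.Data.OData" version="5.8.4" targetFramework="net472" />
</packages>
"""

# Advisory table: package -> list of (CVE id, first fixed version).
# Only the range the post quotes is entered here; a real checker would
# pull this from an advisory feed rather than a hard-coded dict.
ADVISORIES = {
    "Microsoft.Data.OData": [("CVE-2018-8269", "5.8.4")],
}


def parse_version(text):
    """Turn a NuGet version string into a comparable tuple: '5.8.4' -> (5, 8, 4).
    Pre-release ('-beta1') and build metadata ('+abc') suffixes are dropped,
    so a pre-release of the fixed version is treated as fixed; tighten this
    if your advisory source distinguishes pre-release builds."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _local_name(tag):
    """Strip an XML namespace, so old-style csproj files (which declare the
    MSBuild namespace) are handled the same as SDK-style ones."""
    return tag.rsplit("}", 1)[-1]


def references_from_csproj(xml_text):
    """Return {package: version} for every PackageReference in a .csproj.
    The version may be an attribute or a child <Version> element."""
    refs = {}
    for node in ET.fromstring(xml_text).iter():
        if _local_name(node.tag) != "PackageReference":
            continue
        pkg = node.get("Include")
        ver = node.get("Version")
        if ver is None:
            for child in node:
                if _local_name(child.tag) == "Version" and child.text:
                    ver = child.text.strip()
        if pkg and ver:
            refs[pkg] = ver
    return refs


def references_from_packages_config(xml_text):
    """Return {package: version} for every <package> in a packages.config."""
    return {
        node.get("id"): node.get("version")
        for node in ET.fromstring(xml_text).iter("package")
        if node.get("id") and node.get("version")
    }


def find_vulnerable(refs, advisories=ADVISORIES):
    """Return [(package, version, cve, fixed_in)] for every referenced
    package whose version is below the advisory's first fixed version."""
    hits = []
    for pkg, ver in refs.items():
        for cve, fixed in advisories.get(pkg, []):
            if parse_version(ver) < parse_version(fixed):
                hits.append((pkg, ver, cve, fixed))
    return hits


if __name__ == "__main__":
    manifests = [
        ("sample.csproj", references_from_csproj(SAMPLE_CSPROJ)),
        ("packages.config", references_from_packages_config(SAMPLE_PACKAGES_CONFIG)),
    ]
    for name, refs in manifests:
        hits = find_vulnerable(refs)
        if not hits:
            print(f"{name}: no references to known-vulnerable versions")
        for pkg, ver, cve, fixed in hits:
            print(f"{name}: {pkg} {ver} is affected by {cve}; update to {fixed} or later")
```

Running it reports the csproj's Microsoft.Data.OData 5.8.2 as affected by CVE-2018-8269 and the packages.config as clean, which is exactly the before/after of the update commands above. The version comparison is deliberately simple (numeric components only); transitive dependencies, which the post notes are the hard part, are not covered by reading the manifest alone and are where an alerting service like GitHub's earns its keep.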

Conclusion

Bugs and security issues are always being found and fixed in the libraries that we use. That's why we should always try to keep our packages up to date.

But it's not trivial to scan all the packages we use against the CVE database. Note that the CVE text above does not state which versions it applies to. Imagine how difficult and time-consuming it would be to monitor the whole dependency chain ourselves. That's why this service from GitHub is very much appreciated!

Let's leverage this very useful feature for our benefit and keep our code secure.

And please, spread the word!

About the Author

Bruno Hildenbrand      
Principal Architect, HildenCo Solutions.