Tag: Process

More Group IT Tales

Rogue PC

I was looking at my asset form and I saw that I had 3 devices assigned to me, 1 laptop and 2 PCs. I only own 1 laptop and 1 PC, so what is this rogue PC? Has it been assigned to me incorrectly? Is it a security risk? Could it be on the network in my name and used by a hacker.

I logged an urgent ticket with our IT department, telling them I do not recognise the device. The device name didn’t seem correct since I could not remote onto it with the usual domain name.

The response I got back from them was:

as per above details this seems to be in working.

 if this is not your systme , pelase let us know for decomissioning?

What sort of question is that? If it isn’t my computer and is someone else’s, why am I in charge of deciding whether to disable it or not? Shouldn’t we work out if one of our employees own this? Could it be that a malicious person has managed to get a PC on the network and assign it to an employee? This could be a major security threat.

Turns out it was my PC, just that the same PC had been entered twice under completely different “Computer Names”. The Head of IT saw my ticket and the response I got and intervened. Surely it should have been easy to see who was signed in. The original technician should have seen I was logged in, and told me more info about the device like the IP address, Make/Model etc so I could confirm.

Can’t Update

Recently, they made a change to remove admin access which is a problem when it comes to installing some software; but that’s their main intention. However, we often get told to update software when there are security updates, but we cannot because we aren’t admin users anymore. It’s a frustrating situation having Group IT on your back telling you to update your software but you cannot because they took admin access away. They should have made sure they can do it remotely before taking your access.

I had switched projects and needed to install some extra software as well as update the couple of Visual Studio versions I have so I logged a ticket.

Sometimes I find that you can install software and then later on realise you needed to install optional components so it was frustrating logging the ticket to do the initial install, knowing I probably need to log another ticket next week.

After speaking to other colleagues, they said they had some kind of admin access override and I needed to request that. All overrides are audited so they can see what you are doing.

I don’t understand how they can say we “can’t have admin access” then it turns out most people in the department do, but it’s inconsistently implemented.

Out of Tune with InTune

As you may have seen in my recent Post, Group IT are now beginning the rollout of InTune Hybrid-Join across our computer estate. This is to ensure we have a consistent view of the security compliance status of our computers. Connecting them all to InTune allows us to benchmark our compliance to determine what work (if any) is needed to improve it.

A week later…

Following on from the below I can confirm that your device has already been successfully Hybrid-Joined into InTune.
This is likely due to your presence at a site where the policy has pulled through from the corporate network or regular use of the VPN in your day-today.
No further action is required on your part.

Couple of days later..

Hello!
Further to the below I can confirm that your device has been successfully imported into InTune.
Apologies in advance if this is repeat information but no further action is required on your part.
Many thanks!

Couple of days later..

Hello!
Following on from the below it looks like your device still hasn’t been imported into InTune.
If you have already followed the below instruction and had it fail, please sit tight – further instructions will follow. You do not need to reply.
If you are still to action the below, please do so ASAP.
Many thanks!

It really sounds like they have no idea if you have been added to the system or not. I think I was added straight away, but I never visited an office like they claimed.

Group IT Windows Update Script

Last year, there was a major Windows Update and Group IT stated it was a big project to update all the employees in the company (around 1500), but they had a script that can run automatically if we left our laptops on out-of-hours and would run at 7pm.

So I left it on, and so no update. Next day, same thing. Next day, same thing.

They posted an update to say what a success the rollout had been so far; 200 computers have been updated. That seems really low to me (13.3% in a month). They then declared there were some known failures but they haven’t bothered looking at why they are happening but they will continue to run the script and won’t contact affected people either. Everyone has to keep leaving their laptops on at 7pm each night.

A few people said they noticed it had failed due to low disk space and I thought that is a great point. If it’s a 5GB update, then they should state people need to ensure there is free space. As it turned out, it seemed like it downloaded 5GB or so, then was copied into a different file format, then installed. So you ended up needing around 15GB, and had to clear the 10GB of files after.

CE+ certification

Quick heads up: we’re making some important changes to boost the security of our systems and get us closer to achieving CE+ certification. Starting tomorrow at 10:00am BST, we’re going to be removing some old .NET software from your computer. 

These are versions that have reached end-of-life and are either critical or high vulnerabilities as reported by Nessus. If you’re using Visual Studio and encounter any issues after the removal, please follow this guide in order to repair your VS installations:  https://learn.microsoft.com/en-us/visualstudio/install/repair-visual-studio?view=vs-2022

 If you notice any other software reliant on .NET has stopped working, please log a ticket with the Group IT Service Desk. Thanks for your understanding and cooperation on this matter.

We have a few products that we make that rely on the older .Net Frameworks. I love how they assume our products are supported and give us 1 day notice. Surely they know exactly what they are removing, they’re so unspecific too; “some old .NET software”. Is it to do with: .NET Framework, Visual Studio, SQL Server?

On the same day, I got added to a chat where they were discussing how upgrading Docker Desktop has broken a tool used by our products. It’s the classic case of just assuming we can update/change things without asking the experts involved.

Anyway, later that day:

Our apologies for the promptness of the previous email, we have made a decision to postpone the scheduled removal of .NET. The decision comes after careful consideration and listening to your valuable feedback and concerns regarding the removal. We understand the importance of providing you with appropriate time to consider the impact this would have on the software you use. The postponement will also afford you the opportunity to inform us of any software currently utilising end-of-life .NET versions, allowing us to address and raise these concerns with Security where applicable. We will be sending out another email next week with comprehensive details on the specific .NET versions that are set to be removed. For now, I can tell you these will be SDK, ASP.NET and CORE versions of .NET and not Framework. Thank you for your understanding and cooperation on this. Should you have any immediate questions or concerns, please do not hesitate to reach out.

Wallpaper

Years ago, we were allowed to change our desktop backgrounds. Some people chose cool artwork and others left it as the default Windows. One day, Group IT decided to change it to our company logo. Many people were outraged by it but I wasn’t bothered. I suppose Matt made a good point here though:

Please can you explain the best practice behind the wallpaper? Unless you do not work all day, you have programs over the top of the wallpaper, so on the rare moment you have to look at your wallpaper: why would we need the company logo? All this is doing is reducing company morale. I would have understood if you had locked down the lock screen image.

I think a sensible rationale is when we worked in the office and could have visitors from other companies. It is more professional. Now we are at home, it is less important.

MFA Policy change – effective today

Good afternoon, as per the Group IT update at the beginning of the month, today we have implemented a planned change which sets all accounts to prompt for MFA each day when accessing Microsoft 365 services. This is in line with many other products and helps improve our overall security.
Some people will have noticed (or may notice as the day progresses) they have been forced to sign out of Outlook or Teams - and may need to restart those (or other) applications to continue.
Existing meetings do not appear to be affected - users will be asked to sign in again once their current meeting ends.

Next week:

Good morning everyone,
As you will know on Thursday we implemented a change to improve our security. Please read the following information carefully to understand what happened as a result, what has happened since, and what to do if you are adversely affected.
The change had the unforeseen side-effect of requiring people to re-authenticate at the point of implementation - between 10 and 10.30 on Thursday. This also meant there would be a requirement to repeat that processes each day at the same time.
Users of Apple Mac laptops may have found themselves signed out of Teams when this happened, even if a meeting was in progress - For Windows Teams users this should not have been the case.
Over the weekend, the policy has been reset, it was re-implemented at 6pm yesterday. We updated the policy setting, to prompt every 23 hours rather than every day.
This means that the following should now be the case:
This morning you should have been asked to re-enter your MFA token
You should not be asked to do this again for another 23 hours
Which should therefore mean - for most - the next time you should be asked to enter your M365 MFA token is when you next sign in for work.
There is an added annoyance on the company phones as it requires your 16 character MS password prior to reauthenticating using the MFA code
I'm having to  password and MFA  on Outlook and Teams on my company mobile  separately.
Is this the way now

Signing into Teams each day appears to take a lot longer than signing into other apps. The ‘One moment…’ dialog is on my screen for around half a minute and it takes another minute or two for Teams to fully load all new messages into it.

Wondering if it’s the same for others, is it expected to take this long?

Annoyed colleague, stating how these apps aren’t even designed for repeated sign-ins

Then a week later, it was fully reverted: 

A further update to the MFA policy

On Saturday, the MFA policy was updated again. The frequency with which you should be prompted has been extended to 30 days.
This means, that anyone who authenticated prior to Saturday at 6pm, should not be prompted for 30 days from that date and time.
Anyone who authenticated this morning should not be prompted for 30 days from that time.
We hope this provides an effective balance of security and functionality.

I think AzureDevops always asked us to sign in daily, but after this new change to make things more secure, it was changed to 30 days. So was actually less secure and was probably unintentionally changed as a blanket policy.

Conclusion

I think these stories illustrate a point that you need to consult with the experts and understand the impact of your changes before declaring them. Having to revert policies that obviously would have a negative impact just makes the team look foolish. You also need a good balance between people being able to do their work effectively, and keeping systems safe and secure.

Complex Processes lower morale and encourage bad practice

I always find it interesting when people work in a particular job then get promoted into management. It’s a completely different set of skills and if it’s a fair promotion, the idea of getting so good at your job, that you no longer do that job anymore; is another illogical aspect of it.

One thing that always amazes me is when people make decisions that they know are a bad idea from their experience doing the job.

When I worked as a software tester, my view is that we were essentially there to find any bugs that exist. Part of finding them is to document how to recreate the bug so that developers could fix it. Extending this process so it’s more complex, more stages, or involves more people – causes people to not want to find bugs.

There were times where I witnessed people do the bare minimum and they would ignore bugs that didn’t appear severe to them.

One of the worst people I’ve worked with was an average tester who wanted to become a Test Manager, and he ended up trying to make the process more complex and often announced changes in a condescending way.

When testers found a bug and wanted to investigate it, they would often try to recreate it, sometimes under different scenarios to work out the scope and impact of the bug, then will tell a developer their findings and only then get it logged.

Therefore there was a delay between finding the bug and actually logging it. So we got an email from the Test Manager like so:

All,It is important that as soon as you discover a defect, you raise a defect for this BEFORE you speak with the developer. Any defects raised can easily be closed if they have been raised in error or discovered by the developer to not be an issue. We run the risk of releasing with defects that could potentially cause serious issues for our customers.

I understand his point that – if managers are checking the system to see what bugs are outstanding and they don’t see them all, then potentially, the software could end up being released with bugs. However, the process started getting worse from then on

Please can you include myself and Becky on any emails that are discussing a defect with a developer. This is so that we are both kept updated with any defects that could cause issues. Also for every defect you raise, I’d like an email to myself and Becky with the follow information :
--        WorkItem ID
-          Title
-          Area
-          Any other information you feel relevant.

So now when we discover a bug, we had to log it straight away without the investigation, email two Test Managers, then copy in any further emails to them. Then as more information is known, update the bug report, and making sure we also had an appropriate workaround if the bug did get released (or is already released).

All,When you are filling out the SLA tab for a defect you need to ensure that if you’ve specified that there is a workaround available that the Workaround box is filled in with the Workaround.
 
If you’ve raised any defect that is a Severity 3 this MUST be fixed before the branch is signed off. This is our exit criteria, we do not sign a release off with any Sev 1, 2s or 3s. if the developer disagrees with this, escalate it to myself and Becky and we’ll deal with it.

Often when we logged a bug, he was either emailing you or comes to your desk to ask why you haven’t triaged it with a developer yet. Sometimes he did that within 10 minutes of you logging it. So he wanted you to log it before triaging, but would then demand that you triage it even if you haven’t had chance to contact an appropriate developer.

You’d also have other test cases to run which he was always on your back to give him constant status reports. It was hard to win because if you have tests to run and have found bugs, then he will want you to triage them but sometimes helping the developer could take hours which means you aren’t testing, so he will be asking why you haven’t run your tests.

That level of micromanaging and demanding updates wasn’t great for morale and also encouraged Software Testers to stop logging the bugs they found because it just added to their own workload and stress.

It seemed better just to steadily get through the tests, but I suppose if you didn’t want to log bugs, then what was the point in actually running the tests? I did suspect some people just marked them as passed and hoped there wasn’t an obvious bug they missed.

Cutting Corners With AI

I’ve written about how Large Language Model AI is great for generating text but it’s not necessarily accurate when it comes to facts, because its essentially just plugging in grammatically correct words. When people don’t understand this, then there can be some embarrassing failures like lawyers producing case numbers that don’t exist.

A scary idea is students getting expelled for plagiarism because AI was asked to be the judge and claimed false credit.

Report of a teacher who seems to think running portions of a student’s essay through ChatGPT will allow ChatGPT to tell them if the AI wrote the paper. ChatGPT lies and will just give you an answer that may not be true!

https://x.com/paleofuture/status/1658227685548785665

Students need to be aware that if they use AI, then teachers can too.

Recently, we were using a third party API and realised it was accepting a message that it should reject because the content wasn’t using the correct digital signature. We were previously using the Sandbox environment which we thought should basically have no validation, but we were then sending the same message to the Integration environment and expected a Rejected status.

So we logged a helpdesk ticket with them and quickly got a reply back. It was a long-winded answer and basically agreed with us it was incorrect behaviour. The wording was clearly AI. But at least they admitted they had just used AI.

It might have been the case that their technical staff were unavailable so a manager made an attempt to deal with it without actually reading or understanding the problem at all.

I have just ran this through the chatbot and have had the following response: The details provided do not specifically mention the behavior of the Order endpoint in relation to the signature from the example request, especially in the context of different environments such as INT. However, it is common in software development to have different configurations for different environments such as development, testing (often referred to as int for integration), staging, and production.   

In many cases, the integration or testing environment is configured to be more permissive to facilitate testing and debugging, which might include accepting a static example signature for all requests. This would not be the case in a production environment, where security and proper verification of digital signatures are critical for ensuring non-repudiation and the integrity of the order. 

Based on standard practices, if the order endpoint is accepting a specific example signature in an integration environment, it could be by design for testing purposes. However, for a production environment, this would be a significant security risk and would not be by design. 

Since the provided documentation does not explicitly confirm the intentional behavior for the order endpoint in the int environment, it is advisable to refer to the specific implementation details or consult with the development team responsible for the API to understand the intended behavior.  

Can you confirm if this answers your query, please? 

New Laptop

I was quite excited to receive my new work laptop given that my current laptop is old, has a low resolution display, and has been running really slow recently (mainly due to the increasing amount of “security software” mandated by IT).

After being told I was in the next group to receive mine, I was asked if I would be in to be able to take the delivery. So I responded that I would be in all week since I was working Mon-Fri

I received an email mid-Friday saying it had been dispatched next day delivery, but I planned to be out Saturday. Despite staying in to receive it, it never arrived. On Monday, I checked the tracking number and had a status update of “Partially Dispatched” then “Complete“; whatever that means. On a different page, it said it was “Out For Delivery”, but showed the expected delivery date as “tomorrow”. Soon there was a knock on the door, and there it was. So the status pages weren’t helpful at all.

So I turned it on and tried to add my account to it. However I saw a message saying the feature wasn’t supported.

A member of IT contacted me and said I should receive my laptop today. A bit late. He was on call to help me set it up which was nice. I asked if there was anything special to do because it wouldn’t let me log in. He sends me a PDF of instructions. Why wasn’t this sent to me before the laptop arrived? Why did I have to request it after attempting to set it up myself?

Regardless, I had selected the correct options so told him the step it was failing on. He suggested maybe I didn’t have an internet connection. So I enabled aeroplane mode and got an error about not having a connection, so it wasn’t that.

I messaged someone that I knew had the same new laptop. He said a team member had just received theirs too and it was supposed to have some kind of initial setup on it where it would have a Device Name. The first thing it asks when I turn it on is to set a device name so it hasn’t been set up. It was also supposed to have an Asset Sticker on it, but mine was a brand new, sealed laptop with no sticker on it.

It sounds like that IT put an order in via a third-party who are supposed to order the laptops. configure them, put a sticker on them, then ship them out. So they had 1 job, and didn’t do it.

So I told IT and they said they could configure something on their end which they did. As usual though, despite their process installing some default apps like Office, nothing else was configured so I had to install SQL Server and Visual Studio, and configure loads of options to set everything up. It’s such a time-consuming and error-prone process. Why can’t we just have a standard “Image” that gives us the majority of what we need?

A few days later, my Asset Number sticker arrived in the post. A large padded envelope inside another larger padded envelope. For 2 stickers. There was also 2 A4 paper which was the invoice; it didn’t need to go to 2 pages but it was badly formatted. Then they put in a couple of adverts for their services. What an absolute waste.

Recently, we promote “green” ideas, talking about reducing carbon emissions and being energy efficient etc. We also seem to want to reduce costs where possible. Then they do stuff like this. Even though it’s a third party that has caused the problem, it is still part of their business process isn’t it?

Minimum requirements when logging defects

A colleague wrote a list of ideas to improve bug reports. The more detail a report has, the more stakeholders are aware of the impact and can triage it accordingly. When it comes to fixing it, software developers can work out the issue more easily…

It is important that all the required information is added to a defect at the time of raising it. This stops the need to refer it back to the original author for more information and therefore saves time.

It should also be noted that we report all defects raised to certain user groups, and it is important that they are able to understand what the issue is and how severe the issue is to them.

In order to meet the minimum requirement all bugs should contain the following:

Title

  • The title must be clear and concise
  • It should describe the problem
  • Avoid using technical jargon

Description

  • The description must clearly outline the problem being experienced
  • It should explain the impact to the customer
  • It should describe a workaround if known.

 Reproduction steps

  • Reproduction steps to recreate the issue
  • These should be clear and easy to follow
  • Include any required environment configuration
  • Include the actual and the expected outcome

 System info

  • Enter the version of software the bug was found in

 Other checks

  • Have the Area and Iteration paths been set correctly?
  • Are relevant examples present with the record? (record number, sample data, screenshots etc.)
  • Have the relevant error details been included? (stack trace, error message, error number etc.)
  • Has the bug been linked to the test case/user story etc?
  • Has this been linked to a relevant user story, requirement, or similar bug report?

 Root Cause Analysis (RCA)

If the defect is found during integration testing, the following must also be completed

  • Stage Detected In
  • Use Release Testing
  • Complete Release Introduced In field

The Outage Part 2: Feedback on the new process

In my blog, The Outage, I described a Major Incident and a knee jerk response from the CTO.

He described this situation as a

“major incident that impacted the whole estate, attributed directly to a failed Change. We recognise that the change was not intended to have the adverse impact that it did, but sadly the consequences have been a major blow to Users and us. Therefore, we are seeking to create immediate stability across our estate, and are implementing several amendments to the way Technology Changes are approved and implemented”

CTO

He came up with 5 changes that he came up with, presumably with no consultation from others. I gave my view on them in the blog. After a few months of carnage, the CTO has put out some revisions to the process.

CTO = Chief Technology Officer

SLT = Senior Leadership Team.

ELT = Executive leadership team

BAU = Business as usual

Suggestion from CTOMy View at the timeCTO’s update
“There will be a comprehensive change freeze for the month of June, with only changes meeting enhanced criteria being passed for implementation.”The size of the release wasn’t the problem, so cutting it down won’t solve anything. It might annoy the users even more if we then delay features that we announced.“as a knock-on effect, we have also reduced our delivery capacity and timescales.”
 “Pre-approved changes are suspended”The idea of a “pre-approved” change is that it is something that is often run on the live servers to fix common issues and is low risk, hence it is pre-approved (eg the ability to restart a crashed server/service.). This is just going to annoy staff members in Deployment. The CTO also remarks:  “Preapproved changes are wonderful. They have been reviewed and tested to death. My goal is to increase the number of preapproved changes in the future. It’s just with the existing ones, we don’t know if they have been reviewed or not”.  You don’t know if they have been “reviewed” but they have been run 100’s of times, and never caused an issue. So you are temporarily banning them on the grounds that they could cause an issue?“The door for pre-approved Standard Change has been re-opened. Standard Change templates can be proposed and put forward as before. As part of our continued governance and enhanced view of change taking place, we do ask for the following:   Each Standard Change template requires approval from one SLT or ELT member. A full review of both the implementation and rollback steps needs to have been undertaken.”
“Any changes submitted for approval will require TWO members of SLT. ”How many times has there been some kind of approval process and the people with authorisation are too busy or on annual leave? Why are we going from 0 approvers to 2? Would the managers understand a change to enable a feature for users belonging to company A, B and C? Would they go “hang on, C don’t have the main feature! I’m rejecting this”? It’s going to be a box-ticking exercise.  We already have a problem when changes are Code Reviewed by Developers – there’s not enough “expert” people that can review it in the required level of detail. So how would a manager understand the change and technical impact? It will be more like “does this make us money? Yes we like money”; approved.“A significant challenge impacting time to deliver has been the ‘two eyes on’ stipulation. We recognise that not every type of Change requires two sets of eyes and so are refining this slightly.   Standard Changes will need to follow the above process. Where ‘two eyes on’ is not deemed necessary, two SLT approvers will need including in the template submission verifying that this is not required. Normal Changes will follow the BAU process. Where ‘two eyes on’ is not deemed necessary, two SLT approvers will need including in the submission verifying that this is not required.”
“Implementation activity must be witnessed by two or more staff members. Screen sharing technology should be used to witness the change. No additional activities are carried out that are not explicitly in the documentation.”This might actually help, although might be patronising for Deployment. The CTO made a comment on the call about having “Competent” people involved in the deployment process. So if a Developer has to watch a member of Deployment click a few buttons; it feels like babysitting and not respecting them as employees.no specific comment was made
“All changes must have a comprehensive rollback plan, with proof of testing. The rollback plan must be executable within 50% of the approved change window.”The rollback idea is one of these ideas that sounds logical and great in theory but this is the biggest concern for the technical people in Development.no specific comment was made

So in conclusion, it seems I was correct.

Ultimate Code Review Guide

A few years ago, I was talking to my manager about how we have a lack of people that like to perform Code Reviews, and it needed to change. He said since I had gained a reputation of being a good code reviewer, maybe I should do a presentation. I said it probably wasn’t that easy to come up with something generic and it needs a lot of thought. Maybe I would attempt to write a guide one day. Over the years, I have bookmarked a few blogs, collated some notes and ideas; but never put them together. So here is my attempt.

What Does Code Review Mean?

When a software developer has code they think is ready for Testing, they need to commit these changes to the main branch. Before this happens, there is often an approval process by their peers. This is the Code Review. The Github terminology is Pull Request. I’ve always found that to be a strange name.

Andy: 
pull requests?! 
since when do we use that term? 
Me:
when nerds go dating

I suppose you could say the aim is to attempt to perfect the code. But “Perfect” is not defined;  does perfect code even exist? The goal is to always write better code

There’s the 80/20 rule of Project Management which states that 80% of the feature can be written in 20% of the time; but then to perfect it, it then takes the remaining 80% of the time.  Sometimes you have to be pragmatic between programmer effort and actually delivering features on time

Code Reviews are a great opportunity to learn either as a reviewer or the reviewee. Receiving questions, suggestions, or instructions from your team members help you learn about the programming language, design patterns, common practices, alternate ways of approaching problems, or learn about the actual domain. As the reviewer, you are practising critical thinking and essentially debugging in your head which is a skill you will be doing every single day; since more time is spent reading code than writing code.

We all benefit from an extra pair of eyes. Sometimes you think you have written some great code, and keep reading over it and think it is fine. Then another team member glances at it and spots improvements which you agree on. I’ve seen plenty of smart developers write poor code which I know they would flag up if their colleagues wrote it.

Looking at Code Reviews helps team members gain context on other pieces of the code base. Having more awareness of what code is changing gives you a headstart in fixing future bugs when you know exactly where to investigate.

Code Reviews take time, and time is money. Formal reviews are costly; that cost has to be justified by the nature of the software project. Delaying new features and bug fixes can have an impact on users, but also other team members due to higher code churn causes merge issues when it is checked in. The longer code changes stay in a branch, the more likely you run into these merge issues.

Readable code

I have heard some developers say “reading code is way more difficult for me (than writing)”. Given that programming actually involves more reading than writing, then I think developers that struggle to read code need to be questioned! 

Since code is read many more times than it is written, you need to write code that is easily read by humans. If we were writing code just for the computer, we’d be writing in binary. Programming languages are meant to communicate to humans first, then computers after that. Although you don’t want to be too verbose, if you are optimising for the fewest lines of code; you are probably optimising the wrong thing.

Tone of your comments

The art in reviewing is to flag all possible problems, but you need to be careful how you word comments because finding problems in someone’s code can be seen as a personal attack, and people can feel like you are questioning their coding abilities. Reviewers can easily come across as condescending and demoralising their team members. The aim of the review is to improve the code, and grow your team member’s skills. It’s not about the reviewer’s ego or a chance to show off.

However, developers should take pride in their work, so attempting to submit some code that took no thought probably deserves a wake-up call. The severity of bad code can differ between systems. Does the software involve the potential loss of life (e.g. a medical device, vehicle safety system) or the handling of millions pounds of assets? Or is it a simple command-line utility that your colleagues use? In these severe situations, I can understand how reviewers lose their patience and write brutal comments. See Brutal PR Comments section.

The reviewer often holds a senior position, but could also be on the same level as the author. Regardless of any power dynamics, you need to bear in mind the author may have way more context and be involved in other meetings about the work; leading them to write the code in the way they did. Given that possibility, it’s better to phrase comments as questions rather than stating something with authority. Instead of “You should do it Y way” you could say “Can you talk about your reasons for choosing X? In most cases I’d use Y, is there a reason not to here?“. This approach comes across as more collaborative and friendly. In the case your suggestion was correct, they should realise when they try to answer. In the case that you are wrong, they can explain the additional information they have; and so all participants can learn.

You don’t always have to be negative as well. You can even add comments to add praise, or to admit that you learned something by reading their code. A bit of positivity helps negate any negative tone you had in previous comments.

Reviewers are empathetic that the recent joiner might not be aware of all the coding guidelines especially ones that are informal ones (not written down anywhere). Reviewers are also well aware that a new joiner is still ramping up with the codebase, and won’t be up-to-date with conventions and functionality.

Where To Start:

Sometimes I just dive straight into the code and start reading. Sometimes this can give you the best judgement to whether the code is clear or not. If it isn’t immediately obvious, or the code looks/”feels” strange, then I will try to gain more context. I read the Title, I read the description provided. I look at the linked Bug/Requirement and read the information that the developer had, and understand the problem they were trying to solve.

To get an overview of the change, you can glance at which files were changed/added/deleted. Sometimes reading the folder names gives you more context. Are you looking at client or server code? Are there database changes? etc. Do the files match up with what you expect; maybe they added a file by mistake. Maybe they added some temporary “hack” they made to test their code and haven’t deleted it.

Read In More Detail

Two questions to keep in mind are

        • How could I improve that?

        • What could go wrong?

You can review it by two approaches: readability and functionality.

If you can’t understand that code now, in one year you won’t get it either. If code is hard to understand, then it is harder to change, and more error prone. An easy thing to look for are typos, unclear names (“Variables with intent”), ambiguous names, wrongly named code.

Small functions are easy to read, are less likely to need code comments, and also easy to test. You can look for large functions and consider if they can be broken down. 

If there are code comments, are they needed? Do they add value? Comments are good to explain hard-to-read code, or weird design decisions the author made because you can’t think of a better solution. Maybe there is a way to make the code more readable without the comments.

Does the code conform to your “coding standards”. An example can be casing eg:

  • // camelCase
  • // PascalCase
  • // snake_case
  • // kebab-case

Your team may have other rules about styling such as:

  • “returning early from methods”, 
  • using certain syntax,
  •  Keep argument list small.

However, if a given piece of syntax should never show up in your codebase, you should really add an automatic “linter” rule that will either flag it, or automatically fix it. It’s a waste of time to make this a manual process and it doesn’t provide a ton of value. You could say “if it’s not worth it to add the rule; then it’s probably not worth it to highlight it in the code review either”. Not all things can be linted though such as coming up with good names for variables/methods/classes. 

Sometimes, you may have a recommendation that should not prevent the code from moving forward, but you want to note anyway. Marking these things with a prefix such as “NB” or non-blocking can be a great way to flag a small annoyance that the author can ignore if they don’t want to fix now. You might do this if you don’t feel too strongly about the issue, or think it’s not worth holding up the change. You always need to remember to be pragmatic.

The functionality approach would be considering code for how it meets the requirements, as well as “non-functional” requirements like scalability and security. Is there any code that is redundant or duplicated? Are there any obvious bugs like the classic Null Reference or Index out of bounds? You could also ask yourself “How would I have done it? Is it my way better? Could that logic improve the current one?” 

  • Has the person added any Unit Tests, and if not, can they? If tests have been deleted, is this the correct thing to do?
  • Does this change impact another system?
  • Are errors handled correctly?
  • Is the functionality over-engineered? Are there new third-party dependencies that are unnecessary?
  • Are they using a design pattern incorrectly?
  • Does the feature cause problems as the number of users scales? It might work on their machine, but will it work in live?

What should I do when I don’t know the language of the code?

There can be scenarios where you don’t know about a certain coding language or technology, but you have to review it. You can make it clear that you have limited knowledge before making comments. If there is no automatic linting on the code, a good starting point is the superficial review: look for typos and well-name of variables. Try to ask questions so you can learn, and also check their understanding. Sometimes asking questions gets them thinking and they find flaws in their own code. 

A related point to make here, is that if someone is writing in a language they aren’t fluent in, they can write against the convention. We had a developer writing C# but was fluent in C++, so we often see him write If statements backwards like: “if  (false == value)” which is a c++ naming convention.

“If you’ve ever seen Java code written in a C++ style or vice versa, you’ll know what I mean. I’ve previously referred to this in terms of speaking a language with an accent – you can speak C# with a Java accent just as you can speak French with an English accent. Neither is pleasant.” – Jon Skeet

Approve/With Suggestions/Reject

Once you have written your comments, you can set an overall status of the review. The terms differ depending on the system (ADO/GitHub etc) but it generally follows Approve/With Suggestions/Reject.

It’s possible to select an overall status that doesn’t match your comments.

 Andy rejected the pull request
The change is implemented perfectly, I’m just thinking we could alter the design slightly to provide better flexibility.

One developer explained his process of what he selects. So he can Approve, but also leave comments. But that is a different message from when he uses the “With Suggestions” and leaves comments.

The way I do code reviews is as follows
·  Just comments – I’m starting a conversation on the change, and will Finish it later, usually I am expecting you to reply, so feel free to reply to my comments. I usually choose a “finish reason” after discussion.  
·  “Looks Good” – just check it in.  
·  “Looks Good” + Comments – just check it in but I had something to say.  
·  “With Comments” + Comments – there are minor things, style/formatting that I'd like changing, please make where appropriate (I can be wrong) and check in. I don't need another review.  
·  “With comments” + No comments – I am agreeing with someone else’s comments, or if I was first, I probably clicked the wrong button - check with me for clarification.  
·  “Needs work” + Comments – Please make the suggested changes and submit a new Code Review.  
·  “Needs work” + No comments -  Agreeing with someone else’s comments, or if I was first, I probably clicked the wrong button - check with me for clarification.

Brutal PR Comments

John
If you want something done, do it yourself.
Yesterday at 10:06

John
Well, this shows that you did not even attempt to OPEN the DB Utility Tool, let alone test via the DB Utility Tool. It would crash opening this.
Line 351 | 5 hours ago  

John
I have not reviewed any of the C# code, I expect it to be as depressing as the DB code though.
5 hours ago
 
John
What the hell is this doing in here? 
Also why have you stopped inserting the ONE important thing from this trigger - the change to the organisation!
Line 101 | 5 hours ago

When To Do A Project Review

When it comes to merging an entire project, this can consist of hundreds of files. Despite being reviewed by team members, the final merge will be reviewed by an Expert. We have tried to get Experts involved early in the projects but since it can take a long time and the deadline can be far away, they aren’t inclined to do it. Then when you want to release it in the next few weeks, they will review it and dump loads of comments on it, blocking the merge.

“This is taking a long time and there are quite a few problems with it, nothing that can’t be fixed in a week or so, but some things that should have been flagged up by someone / thing before it gets to me. This process has to change.” – Expert

You probably need to ensure that each team has an Expert Reviewer in the team, so that quality reviews are done throughout the project. We often didn’t have teams structured in this way.

“they need to stop having teams that don’t have at least one person who knows what they’re doing” – Dan

One of my colleagues wrote the following about this issue. He often gets blamed for holding up projects when he is being asked to review with limited time. Any feedback he gives then blocks the project, and if he doesn’t review in time, then he also blocks the project:

Mike’s Pull Request (PR) ideas

For the most part we are doing a good job with pull requests, but occasionally I feel we can do better. I’ve thought of some useful guidelines, that will ensure quality, again most people are following these, so great job, but please keep them in mind PR Guidelines

Your team should be self-sustaining: 

  • As a developer you should always be able to send your PR to someone in your team for a thorough review.
  • If you’re regularly having to pull in external resource to review your code, you should make your team leader/scrum-master aware, so they can discuss this with resource managers.
  • Code should always be reviewed internally before someone external to the team is added to the review, this ensures that the external reviewer only sees code which has survived the initial review pass.

If external expertise is required:

  • Let your team leader/scrum-master know that expertise is required, identify the person with expertise and contact them to let them know you will require their time, preferably a sprint in advance, so they can discuss with their team and prioritise time in the next sprint.
  • Your PR is not “urgent” unless its SLA is at risk of expiring.
  • You are not to refer to external reviewers as “a blocker”. If external expertise is required, then it is an essential part of the development process, and they are only seen as blockers due to poor planning.

Draft PRs are not very useful to external reviewers, since you can only comment on them: not approve, but they’re great for sharing day-to-day progress updates between remote developers.

They should be used to update your team’s senior developers and technical architects on your progress, and receive feedback.

I would say in a well-oiled team, that developers should share code each day, by some mechanism that makes it visible to their seniors for feedback, this ensures valuable short feedback-cycles and is the most cost-effective way of ensuring quality during development

Respect the reviewer

I think a key takeaway from this idea is that you need to respect the reviewer. They are kindly dedicating their time. You also need to understand that the review process is there to improve code quality and not just a box-ticking exercise.

I find that sometimes people create a review, then instantly message you about it – even though you are often notified through alerts you have set up, or will check your review list when you have free time. Being nagged is not nice.

There have been times where I have submitted comments then am messaged a few minutes later asking to re-review. If you ask that quickly, then I know that you didn’t even build your changes never-mind test them to see if they work. Should I really approve something you took no care with? (Maybe a 100% unit tested solution would mean that this is possible though).

We also usually have a rule that 2 people need to review, so even if I approve it; then it still cannot go in, so I hate being nagged to approve when there is time. Sometimes code needs more thought to consider if there’s more aspects to it than initially thought. A rushed review isn’t a quality review.

Making statements like “please approve this, it needs to be released tomorrow” isn’t good for the reviewer. I want to be able to review it properly, leave comments as I wish, and even Reject it if I really don’t think it will work. 

Conclusion

If you see reviews as just a box-ticking exercise, then it defies the whole point of the review. It really needs buy-in throughout the team. If you want quality and continuous improvement, then support the review process. If you want speed, then it can be sacrificed at the expense of quality, and other benefits.

The code review process has a wide range of benefits and outcomes: teams see improved code quality, increased knowledge transfer within and across teams, more significant opportunities for collaboration and mentorship, and improved solutions to problems.

References:

https://dev.to/camilaleniss/the-code-review-guide-4gfo

https://laurieontech.com/posts/code-reviews/

Programming “in” a language vs programming “into” a language

https://softwareengineering.stackexchange.com/questions/422479/how-can-i-defend-reducing-the-strength-of-code-reviews

The End Of The Desktop-Based Authenticator

A few years ago, we were told we must use two-factor authentication. (I’m sure I had a blog on that but can’t find it). Two factor authentication is much more secure because even if someone has your username and password, then they cannot get in without being able to generate your codes.

The idea of a Desktop-based authenticator is absolute nonsense to me, because if you want to log into a website on a different device, you cannot because your authentication codes are on your main device. Maybe you could install on multiple devices? But even if that is allowed, then isn’t that still increasing the risk? So if you are restricted to only using your computer where the authentication codes are, then if the malicious user has got access to your computer – they also have access to all your authentication codes.

A few years ago, we got a new security expert, and have been increasing security over time. Recently, one of the companies we own was hit by a ransomware attack so security has increased once again.

We were told there would be placing more restrictions on personal use of company devices, and instead, we should buy our own tablet/laptop/computer for internet browsing.

I was really surprised that they are only now advising getting rid of the desktop based authentication, and now say that we all need to install it on our phones. I did that years ago.

“Having a desktop based authenticator is no longer an appropriate feature as unfortunately external threats are becoming extremely more clever and a compromised laptop or workstation would mean the authenticator could be accessed and that would lead to credential compromise and extremely damaging to our organisation hence the authenticator is no longer deemed safe on the same device.”

They also stated that authenticator apps are “required everywhere”.

One employee launched into an absolute tirade about it. He did make some good points about how necessary equipment should be provided and managed by the employer. 

The Tirade

I have to disagree that authenticator apps are used everywhere. I only need it for work. My bank uses my biometrics for authentication, it is the same for my bitwarden (password vault), health app interactions and credit card companies. I feel you are trying to use grammar to try and mitigate the fact that this is an app I only need for work vs a "work app". The reality for me is this is an app I need only for work purposes, and whether I call it a work app or an app I need for work, it is the same thing.

It seems hypocritical that at a time when we are being told that no personal use can be made of work laptops and that we should use the new benefit introduced to buy a personal laptop, that the organisation is forcing us to install applications for work onto our personal phones. My wife is the Pro vice-chancellor at a university that was hit (last year) with a cyber attack and they are still recovering from that incident now. The impact has been devastating. They use MFA for access to all their systems and the university has provided devices to all staff to ensure that they can continue to access the systems they need to without the need to purchase personal equipment for work or use personal devices to enable them to work, because they understand that securing their systems requires investment.

The reality for me is I already have a number of work apps on my personal mobile phone... whatsapp for Business Continuity purposes, webexpenses to be able to claim expenses and now Authy. It is becoming increasingly difficult to have a clear distinction between work and personal life. I can totally understand why some people may be unhappy with this continued blurring of the lines on mental health grounds, but there are also those who have reverted back to unsmart phones - I considered this at one point when I decided the toxic nature of social media platforms was extremely unhealthy. In the end I just removed all those apps from my phone because I decided the value the other applications was worth sticking with a smartphone. If you don't own a smartphone are you now expected to buy one to do the job? If we lose our smartphone, do we need to inform IT that our work authenticator has been lost and therefore potentially compromised? There needs to be a clear policy on expectations above and beyond the "just do it" messaging so far. 

There have also, unsurprisingly, been a number of cases taken to court in recent years for people unwilling to install applications on personal phones that are required to perform work functions. Most cases have ruled in favour of the employee with advice given such as:"[...]Secondly, employers facing resistance from employees about the use of technology should explore whether any other solutions are available.  In this case, the issue may have been swiftly resolved by providing a work phone or installing the app on a laptop.  Had the Claimant continued to refuse to use the app in those circumstances, it is likely that the employer could have fairly dismissed for misconduct, subject to following a fair procedure.[...]"So are there alternatives available? I know we have a huge number of work mobile phones that are unused - couldn't these be provided to those wanting that work/life separation protected? They wouldn't need a SIM as the app will work over WiFI, so the cost is minimal.

Closing Thoughts

Personally, it’s not a big deal for me because I do use an authenticator app for everything that supports it, and I only have maybe 4 codes for work-related websites. I think it would be more inconvenient to have a separate device, and if I did, I would end up leaving it next to my laptop. So if the laptop was stolen from my house (where I work), then they would steal the phone next to it too; therefore it is like the Desktop-based authentication scenario. Although if the phone has password/biometrics to access, then it will be secure. If I only have 1 phone, then the phone will leave the house with me, having the benefit of security and not being as much of a pain to replace.

Manager feedback

When it comes to performance reviews, I find it hard to fill in the forms about myself, but it’s even harder to fill them about others. I often think you can write something to describe people’s general approach/attitude to work, and maybe point out a few strengths and weaknesses, but trying to answer specific and sometimes cryptic/ambiguous questions just frustrates me. I always think it should just be:

  1. Strengths
  2. Weaknesses
  3. Other comments

But instead, last year we had to fill in the following about our manager. I think it was generally just scoring 1-5, but with optional comments to justify it. Some questions are easy to answer, but questions with nonsense buzz phrases like “change agent” and “builds internal networks” just frustrate me, and destroy the little enthusiasm I had for filling this in. I would have thought having fewer questions would mean people spend more time thinking about each one, and therefore get more accurate results and better comments. 

  1. Mary leads by example aligned to Our Values. Mary exemplifies values within their own teams and organisationally: Collaborative, Responsible, Supportive and Transformative
  2. Mary is responsible for their team and takes accountability for delivery
  3. Mary provides guidance and support in the setting of performance objectives at individual and group level
  4. Mary manages performance of objectives (individual and group level) ensuring achievement of objectives through reviews
  5. Mary builds an environment where people understand, and recognise, the contribution they make and how their role fits into the wider organisation and its performance
  6. Mary is a change agent, leading change to ensure delivery through people with effective communication, support and results
  7. Mary builds people knowledge and business understanding through regular communication with their people and teams
  8. Mary engages with their team, encourages engagement amongst their team and cross-departmentally to drive solutions through collaboration
  9. Mary builds internal networks to drive and collectively deliver through positive relationship-building and understanding
  10. Mary embraces and encourages collaboration within their own team and between teams managing problems directly
  11. Mary is aware of, and responsive to, the changing needs of their people (own team) and their wellbeing at work
  12. Mary supports the engagement, retention and loyalty of key people as well as providing an environment where new people feel empowered and trusted
  13. Mary is solutions-focused not problem-focused bringing all relevant parties together to deliver
  14. Mary provides opportunity for all relevant parties to contribute, build and achieve collectively whether in their own teams or broader cross-department teamwork
  15. What one thing is Mary doing that is having a positive impact on the team?
  16. What one thing could Mary do to have a greater impact on the team?

Development Environments

This blog is basically stealing “Healthy Software Developers” explanation of “Development Environments – Isolating Customers From Your Changes

Introduction

“Development environments” allow software engineers to view a particular version of the software and control who has access to it. 

If you go back about 20 years ago, there was much less maturity with how changes were rolled out to customers, and every company had a different process. In some companies, developers would just immediately roll them out, straight into production. This might work for the most part if you have a very small and trusted team without the process or contractual requirements. These days, the standard is that most companies need a minimum of three separate environments when developing software.

Even where I work, people used to tell me it used to be much less professional, and without as much legal scrutiny – allowing them to drop DLLs onto a server to quickly fix a bug for a single customer. Now there’s all kinds of people who need to sign it off, and 99% of changes are released as an official version to multiple customers.

Development Environment

The main development environment is a place where an individual engineer can actually work on the software in isolation from any other stakeholder such as a Tester or Customer. Instead of making changes directly to a live website/application, the changes can be run on a local copy on the developer’s machine. The developer can begin looking at the impact of the changes he’s making, and will use test data. Any problem introduced only affects the single developer.

It could be as simple as a copy of a database and a version of the website. A more sophisticated program may have even more dependencies, so need multiple websites or services configured – so you could leverage modern technology like “cloud services” or “containers” to easily deploy this setup. The decision of how this looks depends on the complexity of the software architecture, team size and process.

Staging Environment

The “User acceptance” test environment, sometimes known as a “staging environment”, is another copy of the application, but developers aren’t making any changes to it, and it is also using test data. The purpose of this environment is typically to run exhaustive testing to find any issues before deploying the changes to the end users. 

When companies rely on manual testing, and don’t have modern “continuous delivery” processes, an unreleased version may sit in the staging environment for an extended period of time. In a more automated environment, automated tests can be run, and the version easily deployed to customers if passed. This could take as little as fifteen minutes to an hour depending on the tests, software complexity, and process involved.

Production environment 

The Production environment, or Live environment, is where your customers use your product; so the actual website or application. 

Demo environment

You can have other environments like a Demo environment. This is another copy, but not used by Developers or Testers. The version can be “work in progress”, or a version that is deemed to be ready; but the purpose is to show customers upcoming features and to gather feedback.

Capacity testing

You could create a special kind of test environment for capacity/load testing. This is meant to  stress test the software and see how it’s performing under heavy load. Systems can have increased traffic at specific times of the day, e.g. users all logging in at 9am to start the day, increase in website hits during lunch breaks, more shopping traffic during Christmas period etc. If users are paying to use your service and it goes down; it’s a huge problem. If you sell a product/service on your website and it goes down; then it can cause lost sales. So performing this testing can be essential.