3. What we will cover in this talk
● WSO2’s software engineering processes
● Key takeaways for digital businesses
● How this thinking has influenced the development of Choreo
8. Development
● Communications in mailing list
● 3rd party dependency approvals
● Feature branches
● Test cases (unit test, integration tests, scenario tests)
● Documentation, samples
● Dependabot - Automatically update dependencies to their latest version
9. Testing
[Diagram: testing stages and environments. Unit testing at development time, on the developer machine and in the pull request build; integration testing at the development stage, in the development environment; system testing, performance testing and long-running testing in the testing environment, driven by TestGrid, with a test case management system alongside.]
Tooling shown on the slide:
● TestNG : For server-side feature testing
● React-testing library : For React apps
● Storybook : For UI design assurance
● Mockito, Powermock : Test double objects
● Jacoco : Reporting
● Cypress : For UI/front-end & API testing
● Rest Assured : For REST API testing
● Cypress Dashboard : For Reporting
10. Release
● Release is ready when …
○ All planned features are done
○ Documentation is available for the features
○ TestGrid reports
○ Long running test reports
○ Performance numbers
○ Security scanning
○ No L1, L2 issues
[Diagram: software release flow. Completed features are merged; once all features are completed, weekly releases go through Alpha (no pending L1 issues), Beta (no pending L1, L2 issues) and Release Candidate, then voting, to GA.]
[Diagram: cloud release flow. Work on feature, merge completed feature, integration testing in the dev environment, system testing in the test environment, ready for release, daily release train, production environment.]
11. Summary of Secure Development Lifecycle
[Diagram: secure development lifecycle. Start, then Secure Design Review, Developer Self Review, Code Review and the Product Release Process. Inputs and tools along the way: WSO2 Secure Engineering Guidelines; GitHub Pull Request Template; security tools for Static Analysis, Dynamic Analysis and Third-party Dependency Analysis; National Vulnerability Database; Scan Report Repository; WSO2 Vulnerability Management System; Security Leads.]
https://security.docs.wso2.com/en/latest/security-processes/secure-software-development-process/
12. Maintenance
[Diagram: vulnerability maintenance flow across Product Team, Support Team and Customer swimlanes.]
1. Receive - Support Portal, customer engagements
2. Evaluate - True positive? Workaround possible?
3. Fix - Change code / config, merge to dev branch
4. Backport / Frontport - Versions within the porting policy
5. Release Update - Hotfix and update releases
6. Inform Customer - Inform through Support Portal
7. Apply Update - Update available for all customers
13. Continuous Monitoring of Third Party Dependency Vulnerabilities
[Diagram: the Security Team continuously scans the SBOM: 1) onboard new product releases, 2) maintain the Software Bill of Materials (SBOM). Vulnerability databases / sources: National Vulnerability Database, Node Security Advisories, GitHub Issues. Notifications on new vulnerabilities and licence changes or violations initiate the vulnerability management process; Engineering Teams analyze the findings and update the WSO2 Trust Center. WSO2 Customers are informed through the WSO2 Support Portal and the WSO2 Trust Center with update status, ETAs and justifications.]
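The scan loop on this slide, as an added example that is not WSO2's own tooling: an SBOM snapshot is crossed with an advisory feed, only findings that are new since the previous scan are raised as notifications, and licence changes between snapshots are reported alongside allow-list violations. The SBOM and advisory formats, the version-range semantics (introduced inclusive, fixed exclusive) and every package name, version and advisory id are constructed placeholders.

```python
"""Continuous SBOM scan against advisory sources, with licence-change detection.
Added example, not WSO2's tooling. Assumes an SBOM flattened to (name, version,
license) and an advisory feed normalised to (package, introduced, fixed, id,
severity). All names, versions and advisory ids are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    advisory_id: str
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric comparison of dotted versions, so '1.10.0' > '1.9.2'.
    Non-numeric suffixes ('3-beta') are stripped (simplifying assumption)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:      # pad so that (1, 2) == (1, 2, 0)
        parts.append(0)
    return tuple(parts)


def is_affected(comp: Component, adv: Advisory) -> bool:
    """Affected when introduced <= version < fixed (or no fix exists yet)."""
    if comp.name != adv.package:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


Finding = Tuple[str, str, str, str]   # (component, version, advisory id, severity)


def scan_sbom(sbom: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Cross every SBOM component with every advisory; return sorted findings."""
    return sorted((c.name, c.version, a.advisory_id, a.severity)
                  for c in sbom for a in advisories if is_affected(c, a))


def new_findings(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """The 'new vulnerabilities' notification: findings not known from the last scan,
    keyed on (component, advisory id) so a version bump alone does not re-notify."""
    known = {(f[0], f[2]) for f in previous}
    return [f for f in current if (f[0], f[2]) not in known]


def license_changes(previous: List[Component], current: List[Component], allowed: set) -> list:
    """Licence events between two SBOM snapshots: a component relicensed since the
    last scan, and any licence outside the allow-list (a violation)."""
    prev_by_name = {c.name: c for c in previous}
    events = []
    for c in current:
        old = prev_by_name.get(c.name)
        if old is not None and old.license != c.license:
            events.append(("license-change", c.name, old.license, c.license))
        if c.license not in allowed:
            events.append(("license-violation", c.name, c.license))
    return events


# Constructed sample data: last scan's SBOM, this scan's SBOM, and the advisory feed.
SBOM_PREVIOUS = [
    Component("example-http-client", "2.3.1", "Apache-2.0"),
    Component("example-json-parser", "1.9.2", "MIT"),
    Component("example-crypto-utils", "0.8.0", "BSD-3-Clause"),
]
SBOM_CURRENT = [
    Component("example-http-client", "2.4.0", "Apache-2.0"),   # upgraded past the fix
    Component("example-json-parser", "1.10.0", "AGPL-3.0"),    # relicensed upstream
    Component("example-crypto-utils", "0.8.0", "BSD-3-Clause"),
    Component("example-yaml-loader", "3.0.0", "MIT"),          # newly added dependency
]
ADVISORIES = [
    Advisory("example-http-client", "2.0.0", "2.4.0", "ADV-EXAMPLE-0001", "high"),
    Advisory("example-json-parser", "1.0.0", None, "ADV-EXAMPLE-0002", "critical"),
    Advisory("example-yaml-loader", "3.0.0", "3.0.1", "ADV-EXAMPLE-0003", "medium"),
    Advisory("example-crypto-utils", "1.0.0", None, "ADV-EXAMPLE-0004", "low"),
]
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def run_scan() -> dict:
    """One scheduled scan cycle: open findings, new since last time, licence events."""
    before = scan_sbom(SBOM_PREVIOUS, ADVISORIES)
    now = scan_sbom(SBOM_CURRENT, ADVISORIES)
    return {"open": now, "new": new_findings(before, now),
            "license_events": license_changes(SBOM_PREVIOUS, SBOM_CURRENT, ALLOWED_LICENSES)}


if __name__ == "__main__":
    for key, value in run_scan().items():
        print(key, *value, sep="\n  ")
```

Two design points worth noting: the diff against the previous scan is keyed on (component, advisory id) rather than on version, so a routine version bump that does not fix the issue does not generate a duplicate notification, and the relicensing of a component is reported as its own event even when the new licence happens to be on the allow-list, since a licence change is something the engineering team should look at regardless.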
14. DevOps
● Infrastructure as Code (IaC)
⦿ Terraform
● GitOps Process
● System monitoring
⦿ Azure Monitor and Kusto query
● Application monitoring
⦿ Site24x7
● Alerting
⦿ PagerDuty to generate call alerts for all critical alerts
⦿ Email/chat notifications for non-critical failures
15. Build Pipeline
Mandatory Quality and Security Checks (DevSecOps)
[Diagram: checks in the build pipeline.]
● Software Composition Analysis (SCA)
⦿ Third Party Dependency Vulnerabilities
⦿ License Violations
● Container Scanning
● Linting and Static Security Analysis
⦿ Gosec
⦿ Super-linter
● Infrastructure as Code (IaC) Scanning
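What makes these checks "mandatory" is the gate that consumes their output, so here is one as an added example (not Choreo's or WSO2's pipeline code). It assumes each scanner listed above has already run and its results have been normalised to a common Finding record; it then fails the build on anything at or above a severity threshold unless a reviewed, time-boxed risk acceptance covers that exact finding at that exact location. Check names, rule ids, file paths and dates are constructed placeholders.

```python
"""Build-pipeline gate over the mandatory checks (SCA, licence, container, SAST, IaC).
Added example, not Choreo's or WSO2's pipeline code. Assumes scanner output already
normalised to Finding records; rule ids, locations and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    check: str        # sca | license | container | sast | iac
    rule_id: str
    severity: str
    location: str     # file:line, or manifest:package@version


@dataclass(frozen=True)
class RiskAcceptance:
    """A reviewed, time-boxed waiver for one finding at one location."""
    rule_id: str
    location: str
    expires: date
    justification: str


def severity_rank(sev: str) -> int:
    # Unknown severities fail closed: rank as critical rather than silently ignoring them.
    return SEVERITY_RANK.get(sev.lower(), SEVERITY_RANK["critical"])


def acceptance_for(f: Finding, acceptances: List[RiskAcceptance], today: date) -> Optional[RiskAcceptance]:
    """A waiver applies only to the same rule at the same location and only until it expires."""
    for a in acceptances:
        if a.rule_id == f.rule_id and a.location == f.location and today <= a.expires:
            return a
    return None


def evaluate_gate(findings: List[Finding], acceptances: List[RiskAcceptance],
                  today: date, fail_at: str = "high") -> Dict[str, object]:
    """Sort findings into blocking / waived / informational; the build passes only
    when nothing is blocking."""
    threshold = severity_rank(fail_at)
    blocking, waived, informational = [], [], []
    for f in findings:
        if severity_rank(f.severity) < threshold:
            informational.append(f)
        elif acceptance_for(f, acceptances, today) is not None:
            waived.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "waived": waived, "informational": informational}


def stale_acceptances(acceptances: List[RiskAcceptance], today: date) -> List[RiskAcceptance]:
    """Waivers past their expiry: report them for re-review instead of silently renewing."""
    return [a for a in acceptances if today > a.expires]


# Constructed sample output of the five checks for one build.
FINDINGS = [
    Finding("sca", "ADV-EXAMPLE-0002", "critical", "pom.xml:example-json-parser@1.10.0"),
    Finding("license", "LICENSE-NOT-ALLOWED", "high", "pom.xml:example-json-parser@1.10.0"),
    Finding("container", "IMAGE-EXAMPLE-RULE", "medium", "Dockerfile:1"),
    Finding("sast", "SAST-EXAMPLE-RULE", "high", "pkg/example/hash.go:12"),
    Finding("iac", "IAC-EXAMPLE-RULE", "high", "infra/storage.tf:4"),
]
ACCEPTANCES = [
    RiskAcceptance("IAC-EXAMPLE-RULE", "infra/storage.tf:4", date(2030, 1, 1),
                   "constructed justification; reviewed by security lead"),
]


def run_gate(today_iso: str, fail_at: str = "high") -> Dict[str, object]:
    """Gate the sample build as of a given day (ISO date string, e.g. '2025-06-01')."""
    today = date.fromisoformat(today_iso)
    result = evaluate_gate(FINDINGS, ACCEPTANCES, today, fail_at)
    result["stale_acceptances"] = stale_acceptances(ACCEPTANCES, today)
    return result


if __name__ == "__main__":
    report = run_gate("2025-06-01")
    print("passed:", report["passed"])
    for bucket in ("blocking", "waived", "informational"):
        for f in report[bucket]:
            print(f"  {bucket:13} {f.check:9} {f.severity:8} {f.rule_id} at {f.location}")
```

The two deliberate choices are that an unrecognised severity string is ranked as critical (a scanner that starts emitting a new label must not quietly pass the gate) and that a risk acceptance is bound to rule id, location and an expiry date, so the same weakness appearing in a second file is not waived by the first file's acceptance and an expired waiver turns the finding back into a blocker rather than being renewed by inertia.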
17. Key takeaways
● Record all requirements
● Inner source - Applying open source best practices
● Parallel versions, process to identify bugs in all affected versions
● GitOps
● Automated testing, deployment, and monitoring
● Security at every level, continuous security processing