Subscribe by Email


Saturday, May 3, 2025

The Critical Role of Meeting Notes, Agendas, and Follow-Ups in Effective Team Collaboration

 In today’s fast-paced business environment, meetings are an essential part of collaboration, decision-making, and strategic planning. Yet, countless organizations experience unproductive meetings that lead to confusion, repetition, and missed deadlines. One of the simplest but most powerful ways to enhance meeting effectiveness is by diligently maintaining meeting notes, generating clear agenda items, and conducting systematic follow-ups. These practices may seem mundane, but they serve as foundational elements in driving accountability, clarity, and momentum in any team or organization.

This article explores the importance of documenting meeting notes, setting agenda items, and implementing effective follow-up strategies. It also discusses who should be responsible for these tasks and why these functions are essential for project management, team coordination, and overall business efficiency.


Why Are Meeting Notes, Agendas, and Follow-Ups So Important?

Meetings are only as effective as their outcomes. When conversations are not documented or tracked, even the most insightful discussions may lose their impact. The real value of a meeting lies not just in the ideas exchanged, but in the action steps that follow. Here's why proper documentation and follow-up are critical:

1. Clarity of Objectives and Expectations

An agenda sets the tone for any meeting. It communicates what needs to be discussed, helps participants prepare, and keeps the conversation focused. Similarly, capturing notes during or after the meeting ensures that everyone is on the same page regarding what was discussed and what was decided.

Without these tools, miscommunication becomes more likely. People may leave the meeting with different interpretations of their roles or what is expected. This lack of clarity leads to project delays, unmet goals, and frustration.

2. Accountability and Ownership

Meeting notes serve as a public record of decisions, responsibilities, and deadlines. When specific tasks are assigned during a meeting and clearly recorded, it becomes easier to track progress and ensure accountability.

Follow-up communication reinforces this process by checking in on commitments made during the meeting. Teams that practice consistent follow-up tend to be more organized and more effective at completing tasks on time.

3. Historical Record and Reference

Maintaining meeting notes creates a reference library that team members can revisit when needed. Whether it's to clarify an old decision, resolve a dispute, or onboard a new team member, well-documented notes provide critical context.

This historical documentation is particularly important in long-term projects, where continuity across weeks or months depends on having reliable records of what was discussed and agreed upon.

4. Time Efficiency

Meetings without structure often go off-topic, run long, and require follow-up meetings to clarify what should have been resolved in the first place. An agenda keeps meetings efficient, while notes and follow-ups reduce the need for rehashing previously discussed topics.

By improving the quality of meetings, organizations save time—and time saved is productivity gained.

5. Improved Communication and Collaboration

When team members know that there will be a documented summary of the meeting and clear next steps, they are more likely to stay engaged and contribute meaningfully. Follow-ups foster a culture of collaboration, where everyone’s contributions are acknowledged and actioned.

In cross-functional teams, where multiple departments collaborate, meeting documentation becomes even more critical to ensure that everyone stays aligned and that no task slips through the cracks.


Who Should Be Responsible for Meeting Documentation and Follow-Ups?

Assigning responsibility is crucial to ensuring consistency. While it might vary depending on the size and structure of your organization, the following roles commonly take charge of this process:

1. Meeting Facilitator or Organizer

The person who calls the meeting should ideally prepare the agenda and take the lead in assigning note-taking duties. This person is responsible for ensuring that the meeting stays on track and that outcomes are clearly captured.

2. Designated Note-Taker or Scribe

In larger teams, a rotating note-taker system can be implemented. The role of the scribe is to capture the key points, decisions, action items, and responsibilities discussed during the meeting. Tools like shared Google Docs, Notion, or Microsoft OneNote can make this process collaborative and transparent.

3. Project Manager or Team Lead

For formal or recurring meetings—especially in project environments—the project manager or team lead often plays a dual role. They ensure that notes are taken and that action items are followed up in subsequent meetings or stand-ups.

4. Administrative or Executive Assistants

In executive-level meetings, support staff often manage agenda creation, take minutes, and track follow-ups. Their role ensures a seamless experience for senior leaders who need to focus on strategic decision-making.

No matter who performs these functions, the key is consistency. Once expectations are set and the process is integrated into your team’s workflow, the benefits compound over time.


Best Practices for Agendas, Notes, and Follow-Up

To maximize the benefits of these practices, consider adopting the following best practices:

Creating Effective Agendas:

  • Share the agenda at least 24 hours before the meeting.

  • Include time estimates for each topic.

  • Allow space for additional items or last-minute updates.

  • Clearly state the purpose of the meeting and expected outcomes.

Taking Useful Meeting Notes:

  • Record decisions, assigned tasks, deadlines, and key discussions.

  • Use bullet points for clarity.

  • Highlight action items and tag responsible individuals.

  • Store notes in a centralized and accessible location.

Following Up After the Meeting:

  • Send a summary email or shared note within 24 hours.

  • Recap key points, decisions, and action items.

  • Confirm deadlines and owners.

  • Revisit these items in the next meeting or follow-up check-in.


Common Pitfalls to Avoid

Even teams with good intentions can fall into certain traps:

  1. Skipping Documentation: Don’t assume everyone remembers what was discussed.

  2. Being Too Vague: Use specific language in notes—who, what, and when.

  3. Failing to Follow Up: Unchecked action items lead to missed deadlines.

  4. Overloading Agendas: Prioritize and focus; don’t try to solve everything in one sitting.

  5. Keeping Notes Private: Share notes openly unless there's a confidentiality issue.


Conclusion: Small Habits, Big Impact

In a world of constant communication and collaboration, structured meetings can be a game-changer. Preparing a clear agenda, documenting discussions, and following up on action items might seem like minor administrative tasks—but they have an outsized impact on project success, team morale, and operational efficiency.

These habits encourage transparency, reduce misunderstandings, and promote accountability. More importantly, they help teams move from conversation to execution seamlessly.

Whether you're leading a project, managing a department, or participating in a weekly team huddle, embracing structured meeting practices is one of the simplest and most effective ways to drive results.


Friday, May 2, 2025

Using Scrum - what are some of the benefits ?

Benefits of Using Scrum as a Development Model

What is Scrum?

Scrum is an Agile framework designed to help teams develop and deliver high-quality software efficiently. It is widely used in software development to enhance collaboration, flexibility, and productivity. Scrum follows an iterative approach that ensures continuous improvement and quick adaptability to changing project requirements.

Why Use Scrum for Software Development?

Scrum provides numerous benefits for developers and businesses alike. Here are some of the key advantages explained in detail:

1. Increased Flexibility and Adaptability

One of the key reasons organizations prefer Scrum is its adaptability to changing requirements. Unlike traditional development models, Scrum allows for modifications even in the later stages of development. This makes it ideal for projects where requirements evolve frequently due to stakeholder feedback or market conditions. Developers can make necessary changes without disrupting the entire project, ensuring a product that aligns with current user needs.

2. Faster Delivery of Software

Scrum divides the development cycle into short, time-boxed iterations known as sprints, typically lasting 2-4 weeks. Each sprint results in a working product increment, which means customers receive a functional version much earlier than they would with traditional waterfall development. This rapid iteration enables companies to respond to market changes quickly and gain a competitive edge.

3. Improved Collaboration and Communication

  • Daily stand-up meetings: Teams hold brief, focused meetings to discuss progress, challenges, and action items, ensuring that everyone is on the same page.
  • Open discussions: Scrum encourages direct communication between developers, testers, and stakeholders, reducing misunderstandings and improving efficiency.
  • Transparency: The entire team has visibility into progress, obstacles, and deadlines, leading to a collaborative environment where everyone works towards the same goal.

4. Higher Product Quality

Scrum emphasizes continuous testing, code reviews, and feedback, all of which contribute to higher product quality. Developers frequently test and refine their work throughout the sprint rather than waiting until the end of the project. Additionally, user stories and acceptance criteria ensure that each feature meets the desired functionality before it is considered complete.

5. Better Risk Management

Since Scrum follows an iterative process, risks are identified and addressed early. By breaking down the project into smaller sprints, the team can proactively identify obstacles and adjust their strategy before issues escalate. Regular sprint reviews help evaluate progress and keep potential risks at bay, ensuring a smoother development process.

6. Higher Customer Satisfaction

Scrum actively involves customers and stakeholders throughout the development cycle. Regular feedback loops ensure that the final product aligns with customer expectations. Customers can review and request changes in real time, leading to a product that better meets their needs. This approach builds stronger customer relationships and reduces dissatisfaction due to mismatched expectations.

7. Increased Team Accountability

  • Defined roles: The Scrum team consists of the Product Owner, Scrum Master, and Development Team, each with clear responsibilities.
  • Ownership of tasks: Every team member takes responsibility for their assigned work, promoting accountability.
  • Self-organization: Scrum encourages teams to be self-managing, where members decide how best to achieve sprint goals without micromanagement.

8. Continuous Improvement

Scrum incorporates retrospectives at the end of each sprint, where teams discuss what worked well and what can be improved. This continuous learning process allows teams to refine their workflow and enhance efficiency in future sprints. Over time, teams become more adept at identifying pain points and finding solutions, leading to consistent process improvement.

9. Reduced Time and Cost

Scrum optimizes development time by prioritizing features that deliver the most value first. Since changes can be implemented early, there is less rework, which helps reduce costs. Additionally, rapid feedback loops prevent teams from spending resources on unnecessary functionalities that do not add value.

10. Better Predictability

Scrum provides a structured approach to project estimation. Teams use velocity-based estimation methods to measure their capacity and forecast delivery timelines accurately. Since each sprint delivers a working increment, teams and stakeholders gain better visibility into project progress, making it easier to plan for future releases.

Final Thoughts

Scrum is an excellent choice for software development due to its flexibility, speed, and focus on continuous improvement. By adopting Scrum, teams can enhance productivity, deliver high-quality products, and ensure customer satisfaction. The iterative approach allows organizations to remain adaptable while fostering a collaborative and transparent development environment.


Thursday, May 1, 2025

Determining the urgency of defects

Determining the Urgency of Resolving Defects in Software Development

Why Defect Resolution is Critical

Software defects can impact user experience, security, and overall functionality. Knowing when to prioritize defect resolution is essential for maintaining software quality and reliability.

Factors That Determine Defect Urgency

Not all defects require immediate attention. Some can wait for a later release, while others demand urgent resolution. Here are the primary factors that influence defect urgency:

1. Severity of the Defect

  • Critical defects: Issues that cause system crashes, data loss, or security breaches must be fixed immediately.
  • Major defects: Problems that significantly affect functionality but have workarounds can be scheduled for the next release.
  • Minor defects: Cosmetic issues or minor inconveniences can be resolved in future iterations.

2. Impact on Users

The number of users affected by a defect is a key consideration. If a bug impacts a large user base or a critical feature, fixing it should be a top priority.

3. Business Implications

Some defects may lead to revenue loss or compliance violations. In such cases, resolving the issue quickly is crucial to maintaining business integrity.

4. Frequency of Occurrence

Bugs that occur frequently require more immediate attention compared to rare issues. High-frequency defects can indicate deeper systemic problems that need to be addressed.

5. Security Risks

Security vulnerabilities should always be addressed urgently to prevent potential data breaches or cyber-attacks.

6. Dependencies on Other Features

If a defect affects multiple components or prevents other features from functioning, resolving it becomes more urgent.

How to Prioritize Defect Resolution

Using a structured approach to defect prioritization ensures that resources are allocated efficiently. Consider the following strategies:

1. Categorization Using a Defect Matrix

Developers can use a defect matrix to classify issues based on severity and impact, helping teams prioritize effectively.

2. Utilizing Agile Methodologies

Frameworks like Scrum and Kanban help teams assess defects dynamically and allocate sprint resources accordingly.

3. Stakeholder Involvement

Engaging product owners and end-users ensures that defect prioritization aligns with business and customer needs.

Final Thoughts

Determining defect urgency is essential for maintaining software quality, user satisfaction, and security. By leveraging structured prioritization methods, teams can optimize resources and enhance software reliability effectively.


Wednesday, December 4, 2019

Mastering Risk Management in Project Leadership: A Practical Guide for Project Managers

In any comprehensive course on project management, one theme repeatedly emerges as central to project success: effective risk management. It's not simply a best practice—it is a core discipline that every competent project or program manager must master. Many seasoned professionals even argue that once a project is underway, risk management becomes the most critical and continuous area of focus.

Despite its importance, risk management often gets sidelined in the hustle of project execution. A large part of this is due to its subjective nature—risk isn’t always visible or easily quantifiable. However, subjective does not mean intangible. With the right processes and mindset, project managers can consistently identify, assess, and mitigate risks in a structured way.

Based on my own experience leading and mentoring project teams, I believe that there are two fundamental pillars of effective risk management:

1. Recognizing Common, Known Risk Areas

Every organization that operates at a mature level has a set of known risk factors that tend to repeat across different projects. These risks are often related to:

  • Schedule delays

  • Team attrition or sudden personnel transfers

  • Feature creep or uncontrolled scope changes

  • Budget constraints

  • Vendor reliability

These types of risks are considered "known knowns"—they're the usual suspects. A proactive project manager should have access to historical data or a shared risk register that documents past risks, their impact, and how they were mitigated.

A best practice here is to regularly review and update this organizational risk repository. This enables the team to stay ahead of predictable problems. For instance, if historical data shows a 20% increase in scope-related delays during Q4 due to end-of-year product push, your project schedule should already account for this.

Project managers must periodically assess these known risk areas throughout the lifecycle of the project. Risk logs should be living documents, not static checklists filed away after kickoff. If a known risk manifests because it was ignored or underestimated, the responsibility lies squarely with the project manager.

However, it is not uncommon for even experienced professionals to get caught up in daily operations, firefighting deliverables, and managing stakeholders. In doing so, they lose the mental bandwidth required to continuously review and assess known risk factors.

Avoiding this pitfall means embedding risk review into your routine processes. This could be as simple as adding a five-minute discussion point in weekly status meetings or setting aside 30 minutes each week to review the risk log and evaluate current triggers.

2. Navigating the Unknown: Identifying Emerging Risks

The second category of risk is much harder to pin down: the unknowns. These are risks that aren’t documented in any database. They haven’t occurred before, or they manifest in new, unpredictable ways. But make no mistake—they're just as real.

Consider a real-world example: your competitor suddenly launches a disruptive update to their product, forcing your team to recalibrate features that were in development. This, in turn, impacts timelines, resource allocations, internal communications, and possibly even the entire release strategy.

While you can’t predict every market move, you can put systems in place to surface emerging risks early. This involves:

  • Regular sync-ups with cross-functional leads and product managers

  • Encouraging a culture of transparency and early escalation

  • Tracking subtle signals from the field, such as customer support feedback, developer bottlenecks, or sales sentiment shifts

  • Reviewing change requests not just for technical feasibility but for strategic alignment

The key here is visibility. You can only mitigate what you can see, and the earlier the better. Every change request, every team concern, and every product pivot should be reviewed with a "what could go wrong?" lens.

To manage emerging risks effectively, project managers should use a hybrid approach combining traditional tools like a RAID log (Risks, Assumptions, Issues, and Dependencies) with more adaptive practices like lightweight agile retrospectives and real-time issue tracking platforms.

Building a Culture of Risk Ownership

Project risk management should never be a one-person responsibility. An effective project manager builds a risk-aware culture across the team. This means:

  • Encouraging team members to report potential risks without fear

  • Rewarding early detection of issues, even if they don’t materialize

  • Assigning clear ownership of risk items

  • Embedding risk impact discussions into change request reviews

By normalizing risk conversations, you reduce the stigma around raising concerns. This ensures that your team becomes an early warning system rather than a passive set of executors.

Integrating Risk Management into Daily Practice

Effective risk management doesn’t happen in isolation. It must be integrated into everyday project management activities. Here are a few best practices:

  • Risk Workshops: Conduct short risk brainstorming sessions at the start of each major phase.

  • Risk Review Cadence: Build a rhythm of reviewing the risk register weekly or biweekly.

  • Trigger-Based Tracking: Define what "early indicators" might suggest a risk is developing.

  • Risk Scoring: Use a simple matrix to score risks based on probability and impact.

  • Scenario Planning: Consider “what-if” exercises to prepare the team for critical disruptions.

Over time, these habits not only reduce the number of surprises but also equip your team to respond more calmly and effectively when things do go sideways.

Measuring Risk Management Success

One of the challenges in risk management is measuring its effectiveness. Unlike deliverables or velocity, risk mitigation doesn’t always have immediate, visible results. Still, you can track:

  • Number of risks logged and actively monitored

  • Percentage of risks mitigated before impact

  • Stakeholder satisfaction during crisis periods

  • Response time to emerging issues

You can also gather qualitative feedback post-project to evaluate how prepared the team felt and whether contingency plans were effective.

Common Pitfalls to Avoid

  1. Treating Risk Management as a Phase: Risk isn’t just for kickoff. It’s a continuous, adaptive process.

  2. Ignoring Soft Signals: Risks often start as subtle concerns before becoming showstoppers.

  3. Overengineering the Process: Keep tools and logs simple. Focus on actionability, not bureaucracy.

  4. Shifting Responsibility: Everyone owns risk, but the project manager is accountable for visibility and response.

  5. Not Updating the Plan: A risk register is a live document. If your plan never changes, you're likely missing real-time shifts.

Final Thoughts: Risk Is Inevitable, Unpreparedness Is Not

Every project, regardless of size or complexity, will encounter risks. The difference between successful and failed initiatives often lies in how well those risks are understood, communicated, and managed.

Project managers must resist the temptation to view risk management as optional or peripheral. It is, in fact, one of the most strategic capabilities you can develop as a leader. Done well, it not only protects timelines and budgets—it builds trust, boosts team morale, and enhances your reputation as a calm, reliable, and forward-thinking project professional.

So, the next time you lead a project, remember: risk isn’t the enemy. It’s a signpost. And how you respond to it will determine not just the outcome of your current initiative but the trajectory of your career.

You may not be able to follow everything listed above :-), but you still should evaluate what works best for you. And if you are doing something else that works well for you, please add below.




Tuesday, August 27, 2019

Tackling Feature Creep: Lessons in Effective Product Management and Project Delivery

When managing software projects, success doesn’t depend solely on having skilled individuals in key roles. It also hinges on how teams navigate scope, requirements, and real-time adjustments. Our experience with one such project showed us just how important structured planning and boundary-setting are—particularly when it comes to managing scope expansion, also known as feature creep.

We had a great Product Manager for one of our flagship software initiatives. She was highly knowledgeable, had strong working relationships with the product support team, and direct lines of communication with several of our enterprise clients. Her ability to gather customer feedback and translate it into actionable requirements made her an invaluable part of the project.

The design team appreciated how she worked with them to evolve high-level ideas into detailed specifications, facilitating the creation of high-level design documents (HLDs) that were both comprehensive and realistic. Moreover, she remained actively involved throughout the design and development phases, consistently available for clarifications, reviews, and feedback. Her dedication earned the trust of everyone on the team.

Yet, despite all these strengths, we continually ran into a frustrating issue: teams consistently found themselves rushing to meet final feature deadlines. On multiple occasions, developers worked weekends and late nights in a last-minute sprint. Remarkably, we never missed our deadlines by more than a day—and we always met the quality benchmarks. But the strain on the team was undeniable.

During project retrospectives, team members flagged this pattern, asking why it kept recurring and why we couldn't better plan for it. They pointed out that while commitment and hard work were admirable, this recurring last-minute push was unsustainable. Something needed to change.


Identifying the Root Cause of Project Pressure

To get to the bottom of the issue, we launched a structured investigation. There was always a chance that we had flawed time or effort estimation processes. Alternatively, some feared that certain developers might not have been contributing their fair share.

Two of our most experienced leads were tasked with reviewing the project documentation, HLDs, effort tracking sheets, and defect metrics. Their goal: identify where and why our estimations consistently fell short.

What we found was surprising—but also enlightening. Time spent on core tasks—requirement preparation, coding, testing, and documentation—was generally in line with projections. In a few instances, certain segments had a 20% overrun, but there was no clear pattern linked to specific individuals or phases.

The real issue? Feature creep.


Understanding Feature Creep in Project Environments

In project management, feature creep refers to the uncontrolled expansion of product features beyond the original scope. It usually happens incrementally—one small change here, one improvement there—until the cumulative impact becomes significant.

In our case, this occurred subtly. As HLDs were being prepared and development moved forward, suggested enhancements came in—some from the development team itself, and many from the Product Manager. These were almost always well-intentioned. They improved the product, addressed edge cases, or reflected late-stage customer feedback.

Because these changes seemed “minor” and “beneficial,” there was a tendency to implement them without formal impact analysis or schedule adjustment. No one wanted to push back. After all, we were building something better for the customer.

But over time, these small changes added up. They chipped away at buffers, consumed developer focus, and led to crunches near the end of each development cycle.


Changing the Process: Structuring Scope Management

Once we identified feature creep as a recurring issue, we knew we had to act. Continually burning out the team wasn’t an option. We needed to instill a discipline around how post-freeze changes were handled.

Our solution was simple but effective: after the design freeze, any new requirement—regardless of size—would be classified as a “feature enhancement.” These enhancements were treated like change requests or defects and entered into a formal review and approval process.

We set up a Feature Enhancement Review Board composed of tech leads, QA, and product representatives. They met weekly to review all proposed enhancements. Only after careful evaluation of the effort, risk, and impact on schedule would a change be approved.


Outcomes of the New Approach

This change immediately brought several benefits:

  1. Clarity and Visibility: Everyone could now see what was being added post-freeze and why.

  2. Better Decision-Making: We were able to weigh the customer benefit of a change against its impact on delivery timelines.

  3. Improved Accountability: Product suggestions weren’t automatically implemented; they were scrutinized just like technical defects.

  4. Informed Resource Planning: Teams could plan capacity with fewer surprises.

Perhaps most importantly, this new framework ensured that the final sprint before release wasn’t a chaotic, high-stress period. Developers could plan their time more predictably, and team morale improved as they regained a sense of control over their workloads.


The Role of the Product Manager: Balancing Value and Discipline

This experience also reshaped how we viewed the role of our Product Manager. Her instincts were always customer-first and value-driven—but even the best intentions can have unintended consequences.

By including her in the Feature Enhancement Review Board, we preserved her vital input while also encouraging a more strategic approach. Instead of recommending enhancements during active development, she began to note them for future releases unless the business case was strong enough to warrant immediate inclusion.

This helped her maintain her customer advocacy while contributing to better team performance and smoother deliveries.


Lessons for Project and Product Leaders

Every project faces the temptation to “just add one more thing.” But without guardrails, those additions become silent killers of time, focus, and quality. Our experience taught us:

  • Feature creep is often a process problem, not a people problem.

  • Good documentation and post-mortems are key to surfacing hidden patterns.

  • Formalizing how changes are proposed and reviewed encourages better planning.

  • Empowering the product team with structure—not restrictions—leads to stronger results.

Ultimately, the discipline of saying “not now” is just as important as the innovation of saying “what if?”


Conclusion: Managing Growth Without Losing Control

Software development is a dynamic process. Customer needs evolve, ideas improve, and developers discover better ways to build. But growth must be managed.

Feature creep may not always be obvious. It can masquerade as helpful suggestions, customer-centric improvements, or low-effort tweaks. But if not managed carefully, it erodes deadlines, impacts quality, and drains team energy.

Through formal tracking, cross-functional review, and a shared understanding of priorities, we transformed a recurring delivery issue into a point of strength. Our teams now deliver with greater confidence, and our products still evolve—with intention, not chaos.


Tuesday, August 20, 2019

Don't hard-code URL's into the software or documentation

This is something that we discovered during the initial versions. We had placed some URL's into the documentation which pointed to some external resources. Then an year later, we got a defect logged into the system, a defect logged by a customer. This was a low level defect, about some URL in a Help Page that was not working, giving a 404 error. However, when the defect got to review, it was the tip of the iceberg, We realized that this had the potential for huge problems further ahead and we needed to change how we do things. Till now, we used to put URL's inside the software and documentation and so far had not seen any problem. However, in this case, the URL was pointing to the page of an external component help file and the external organization had changed the mapping on their site and hence the exiting URL would not work.
Now, this was a minor issue, but it was a pointer to something that was far more serious. There could be numerous reasons why a hard-coded URL might not work:
- Like in the above example, there could be linkages to external sites that are not in control
- Even internal sites could be a problem. We once had a change in the way that the Help file system was working because of a change in the software that they were using (the old software was out of date, and the new one promised a lot of advantages, so there was no option).
- Sometimes there is a change in the Help, and rather than spend a lot of effort to redo the various pages, it makes sense to update the link to point to new pages (which would take far less time).
There can be other advantages once you start thinking about, primarily the increased flexibility you get. So what is the solution ? The solution is to implement a policy of using URL redirects everywhere. What are URL redirects ? These are redirects that instead point to the end URL, but you can change the final destination anytime you want (the redirect is on an internal server and can be modified anytime).
The one thing you need to do is to ensure that you map every redirect URL, where it is used and the final destination on a file along with the date, some comments about what it is for, and who had asked for the redirect. This needs to be saved along with the other components of the code on a source safe kind system, and ensure that any changes to these redirects need to be done through the process of a defect mapping so that the entire information about why the change needed to be made can be mapped.
This policy adds a layer of extra effort, but anytime you need to make a change to the URL and you find that you are not able to make one because it has been hard-coded inside released software, you will realize the advantage of such a policy. 


Thursday, August 15, 2019

Keeping up with security fixes / patches and the like

Every other day, you hear about some major security flaw letting hackers steal credit card information, steal passwords, social security numbers or something equally serious. Such news can seem remote, but not for the organization that gets impacted by such news. In such an organization, the impact of such security lapses can be shocking and dramatic, including people getting laid off and stock prices getting impacted (unless it is a mega-billion revenue earning organization which need earth shaking news to cause upheaval, small scale security scares are something that they are used to).
You might think that this is something that does not impact you too much, since nothing major has happened in the past and you are not likely to be the target of hackers. However, it is not necessary that hackers directly target you, but that there are some problems in the code that has been discovered that is not yet fixed (or fixed and not incorporated by customers) which can cause security related attacks. What is a likely scenario ?
Most large or even medium scale projects use external components for features that they need to deliver - my favorite example has been the use of decoders for handling the different image, audio and video formats, as well as the inbuilt capability within the Operating System. It is impossible for most applications to write their own software for such purposes, and they use external components for such purposes (paying a license fee or royalty or using free software for the same purpose). There are numerous other examples of the use of external components. Now, when you have incorporated an external component, it is practically a part of your own software and gets distributed with it.
If a security hole or some other such problem is there in the external component, then till the time it is patched and the patch is incorporated in your software and installed with components, there is an ongoing risk. It becomes even easier since there are numerous tools that become available which allow even non-hackers to exploit such holes or security issues.
So what is the method to reduce the risk of your customers getting impacted by such a problem? You can never entirely reduce the risk to zero, but there are a couple of strategies you can do to learn and handle the issue.
- Have a matrix of the various components you use, the critical nature of these components, is their usage such that they can be exposed for a security attack
- For each component, how would your team get informed that there is a new security flaw with the component, the severity of the flaw, when it is likely to get fixed and who is the person within your team who has the primary responsibility for evaluating any such flaw
- Detail the next step of action were such a flaw discovered. This would of course depend on the nature of the flaw, how likely it is to be exploited and other such factors, but you need to have a pre-defined strategy on how to respond (you cannot try to detail such strategies when the issue is faced, it can lead to a flawed execution)
- This one is more tricky. What should you do if the issue is found in the last released product / previous releases. This depends on the level of support you provide for previous fixes and the evaluation of the previous steps. For example, for a release that was done 2 versions back, if a small security flaw is found in an external component, and the presumed impact is minor, you may choose to not provide a fix
- Define a communication strategy for customers to let them know and to alleviate any concerns that they might have   


Facebook activity