Before starting any work with a software development agency, it’s important to learn how the agency delivers quality and approaches security. These software attributes are critical to your project’s success. A single mistake can cost you. Say you launch an eCommerce platform but eventually find it has some performance issues. Ouch, that might cost you thousands of dollars in revenue. Or take a clinic management solution. An EHR-related error not only threatens your revenue and reputation but puts patients’ lives at risk.
This guide covers how we manage quality and security at Steelkiwi. We talk about how we meet customers’ quality requirements, deliver on our promises, and ensure our products and services are safe and reliable, comply with laws, standards, and regulations, and meet environmental policies.
We could have just highlighted a few abbreviations and ISO standards that govern important software development processes. But we aren’t here to leave you in the dark, so we’ll explain in simple terms how we ensure quality and secure software development.
Quality principles at Steelkiwi
We follow CI/CD (continuous integration and continuous delivery) practices and createbuild, staging, and production environments. This allows us to implement consistent project management practices and communicate openly. We rely on user feedback to find out users’ needs, generate feature ideas, and validate our assumptions. Once a concept is proven and functionality is regression tested, we move to production.
We never start development unless project requirements are clearly documented with user stories and acceptance criteria. By doing so, we avoid unexpected results and ensure all stakeholders and users are satisfied with what they get in the end.
User stories and acceptance criteria are important elements of software documentation. They help us:
- Properly set client expectations for a product
- Clarify expected outcomes and provide precise details about functionality
- Ensure everyone on the team has a shared understanding of the requirements
- Accurately plan and estimate tasks
- Give developers and QA specialists a clear-cut way to define if a feature is done
- Check if we built the right product and built it correctly
Apart from this, we employ certain practices to ensure we create secure and high-quality software.
#1 Create a clear definition of done (DoD)
We create a definition of done (DoD) for every task, be it research, documenting, auditing, refactoring, development, A/B testing, deployment, or any combination of these. Only once the DoD is clearly defined do we get started on a task. By doing so, we attain a shared understanding of expectations that the current increment must meet to be released to users, create a transparent threshold of quality, and deliver software on time.
#2 Use coding best practices
There’s a clear relationship between development processes and product quality. Our developers assess their code against coding standards and coding best practices to ensure everyone follows the same coding style and to improve code readability, consistency, and maintainability. Also, we refactor legacy code when necessary to reduce its complexity and clean up the codebase.
#3 Test early, test often, and test through the entire development process
It’s important to make sure we maintain product quality at each step and in each sprint. Therefore, our development team works together with quality assurance specialists to ensure software is of the highest quality throughout the entire development process.
Before rolling code out to production, we double test functionality and do regression testing (which we’ll talk about a bit later).
#4 Communication is critical
Good communication saves effort, time, and money. At Steelkiwi, we stand for open communication and encourage every team member to share their ideas and experiences, actively participate in meetings, and ask questions.
It’s also important to document bugs and issues fully and clearly as well as to rely on user feedback loops and translate them into development tasks.
#5 Identify and manage risks
Software development is a complex process that may contain risks regarding estimations, costs, scope variations, end user engagement, stakeholder expectations, and more. To mitigate threats to project success and minimize their impact on the project, we identify potential risks and define responses to be taken if those risks materialize — all by drawing on our experience and knowledge.
#6 Think long-term
Quick wins matter. But long-term perspectives are important too. Before starting a project, it’s important to discuss the product’s overall concept and expectations with developers and project stakeholders and to assign clear roles and set clear responsibilities for the entire team. Additionally, you should communicate your scaling plans with the development team to define which scaling method is right for your project and design the architecture so that scaling the solution is painless when the time comes.
Types of software testing we provide
Based on project requirements and the project scope, we decide on QA activities to undertake during development. Typically, we include manual functional testing, automation testing, and high load performance testing.
Manual functional testing
Functional testing is an essential part of the QA process. During manual functional testing, we ensure each function is working as designed, in conformance with the specified functional requirements.
To validate features effectively, we use different functional testing techniques, including:
- Unit tests to see if individual pieces of code provide the desired results
- Smoke tests to verify that basic functionality is working well when developers deliver a new build
- Regression tests to confirm that recent code changes haven’t negatively affected existing features
- Integration tests where we combine individual components or modules to test them together and see how they perform
Unlike manual testing, automation testing (also known as test automation) is performed using special software tools to execute tests and compare actual results with predicted outcomes.
This type of testing helps us:
- Reduce the feedback cycle and validate newly developed features faster
- Cut testing costs in the long run
- Improve test coverage and get better insights into an app’s internal state
- Get higher accuracy
High load performance testing
It’s also important to check how your application behaves under normal and high loads. For this, we use load, stress, scalability, and performance testing. Typically, we run tests of up to 100K concurrent users to see if your software can meet high traffic demands while providing fast and efficient performance.
What about security?
We use particular technologies, approaches, and architectural principles to provide a secure environment at different levels.
We use data protection best practices during software development as well as infrastructure configuration to make sure servers and user data are safe.
Mainly, we develop apps in the cloud using Amazon Web Services (AWS), one of the most flexible and secure cloud computing environments that’s great for complex software solutions.
Since security is AWS’s strong suit, this cloud computing platform plays a big role in highly sensitive sectors including healthcare, government, and banking. AWS provides a lot of strong security tools to prevent cybersecurity breaches, perform regular penetration testing and security auditing, and handle high traffic volumes while providing fast and efficient performance.
For software products to work well under high loads and in the event of hardware faults (what we call fault tolerance), it’s important to keep to performance optimization best practices not only at the app level but also at the infrastructure level.
At Steelkiwi, we use the following mechanisms and technologies:
- Layer 4 network load balancing to handle millions of requests each second
- Load balancing for global businesses that operate across time zones so there aren’t work interactions in any region
- AWS auto scaling to automatically adjust capacity to maintain predictable, steady performance
- Vertical database scaling to add more power to a platform by upgrading a project’s infrastructure
Horizontal scaling (when vertical scaling isn’t enough) to add more machines
As many apps deal with complex or sensitive data, we take strong security measures from the outset, including:
- Virtual private clouds (VPC) for data isolation
- Private AWS S3 buckets for confidential storage
- Private networks and network address translation (NAT) for network security
We ensure network security by using:
- HTTPS over SSL, SSH, and other security protocols to transfer data
- A firewall combined with custom rules to protect data from cybersecurity attacks such as SQL injection and cross-site scripting
- A virtual private cloud to enable advanced security features including security groups and network access control lists for inbound/outbound filtering
- Bastion hosts in each public subnet to allow inbound secure shell access to EC2 instances in public and private subnets
As for data security, we benefit from:
- S3 server-side encryption to encrypt data at the object level
- Database encryption to transform data stored in a database into cipher text that is incomprehensible without first being decrypted
- Instance store encryption to encrypt information that frequently changes but isn’t encrypted by default (for example, buffers, caches, and scratch data)
User access mechanisms
Often, applications feature user roles and permissions, with each role granting access to certain functionality. This allows us to restrict access to sensitive and financial data and expose only relevant data to specific users. Some of the access mechanisms we implement are:
- Role-based restrictions through restricted API access
- Role-based access control
- Session management techniques
- Strong user authentication processes
- Checks for weak passwords
We hope this guide has given you a better understanding of how we manage quality and security. If you have unanswered questions or would like to hire a software development team, message us.