Application Lifecycle Management / World-Class DevOps

9 min read

Development process

Scrum team, planning work in 2 week increments, reacting fast to change, following best practices in research, planning, architecture and writing software. The team’s focus is on building great software, so we want them focused on what’s important.

  • As a developer, I take on a new feature or bug that’s in the sprint and ready for development, and marks it as development in progress.
  • Then I create a new branch off of develop, and do the work.
  • Then commit one or more times, and mention #[Work Item Number] in the commit message, along with a description of what changed
  • Once I consider the work complete and “tested” locally on my computer, I’ll push the branch, go into TFS and click the shortcut to create a PR

* develop is locked, so all changes have to enter via Pull Requests
  • On the next page I’ll make sure everything looks good, by doing one more check of the changes in the code, and click Create
  • Done and move on to greater things …

Code Quality using SonarQube

4 min read Code quality, best practices and standards are often the distinction between projects that are maintainable, secure and scale well, and projects that need to be rewritten every year. We were in the latter category unfortunately for quite a long time, despite everyone preaching best practices and within a group of quite smart individuals. The problem is we all had our own idea of what best practices to apply, what standards to follow and how we defined quality. We had to find a way to track and improve, then we discovered SonarQube.

SonarQube is a static code analysis tool.

It uses language-specific analyzers and rules to scan code for mistakes, some patterns that are known to introduce security vulnerabilities, and code smells [According to Wikipedia and Robert C. Martin “Code smell, also known as bad smell, in computer programming code, refers to any symptom in the source code of a program that possibly indicates a deeper problem.] …

Securing a new web server

< 1 min read Ideally you already have a snapshot you maintain and have hardened, and just have to clone it when you need new servers deployed. If you have to build a clean image to use for your future VMs:
it’s usually easier to start with an existing VM you’ve configured, because it already has everything you need installed, but it might also have other stuff installed that you don’t necessarily want on every new VM, so here’s a way I quickly set up a new server image:

1. Install a clean version of Windows on a new VM

2. Set up your networking stack, and run Windows Update and install all the updates available…

Security Headers

3 min read


This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header are 0, which disables the protection, 1 which enables the protection and 1; mode=block which tells the browser to block the response if it detects an attack rather than sanitising the script.

app.UseXXssProtection(options => options.EnabledWithBlockMode());