Retrospectives

This page contains executive summaries of retrospectives conducted by the Secure::Static Analysis group. The purpose of these summaries is to share lessons learned during the retrospective process outside the team.

Access to internal retrospective documentation is available to the team and their immediate counterparts only.

17.0

This milestone focused on deprecating functionality in various SAST analyzers and migrating it to the Semgrep-based analyzer.

During this milestone the following concerns were raised in no particular order:

  1. Lack of awareness of QA processes that failed in the final moments of the milestone caused confusion.

  2. The release process for the sast-rules/semgrep pair is cumbersome and needs streamlining.

  3. Implementation plans were not kept up to date during the milestone and caused unnecessary difficulty during the review process.

Specific remediations raised during the discussion:

  1. Undertake maintenance tasks to reduce the complexity of the Semgrep and sast-rules release process.

  2. Apply a strict review process for implementation plans, and refer to the MVC principle more frequently.

17.1

This milestone focused on SAST in the IDE and various maintenance tasks. During the retrospective discussion, the following points were raised:

  1. The format of the weekly team meetings is inefficient: the second iteration of the meeting often repeats discussions from the first. To address this, the meeting format will now include "Carry-over" items that need further discussion in the next timezone's meeting; all other items will be marked as read-only.

  2. The policy for handling vulnerabilities is unclear. To improve this, we will create a runbook detailing the required steps.