Part 2 of this series of articles described how the Business Recovery Matters leadership team quickly configured their project environment and got started in hours, not days. You saw how the team used proven patterns of success to create plans and work items. You also saw how each work item provided links to relevant and contextual guidance so that team members were able to get up to speed quickly on the team's process.
This article describes a more advanced scenario in which the Business Recovery Matters development team needs to perform security testing throughout the development lifecycle. The approach is to customize the process assets included in IBM® Rational® Method Composer and IBM® Rational Team Concert™ to accommodate that need.
In this scenario, the leadership team has been notified that the project needs to follow a security policy and make sure that their final product is free of vulnerabilities and exposures to hacker attacks. They determine that this affects the team that is developing the Dividend Deposit component.
This scenario focuses on these actors and roles:
Peter, process engineer (project leadership team)
Sally, security lead (project leadership team)
Marco, team lead (Dividend Deposit feature team)
The subsections that follow describe how they proceed.
Peter, Sally, and Marco investigate whether there are any security testing practices available to support the development team. The Rational solution for Collaborative Lifecycle Management (CLM) process assets that they are currently using do not contain a practice to deal with product security assessment. Good news: there is an Application Vulnerability Assessment practice in the practices library included with Rational Method Composer. The team agrees that this practice addresses their project needs.
Moreover, they learn there is a practice for tailoring the project process, so they decide to follow the tasks and steps in that practice for their customization. Peter also relies on tutorials available in the Rational Method Composer online help to get up to speed with process customization. The steps that follow show how he uses the tool to customize the process while Marco and Sally make the decisions about how best to incorporate the new security assessment practice in the team's process.
- Peter has a Rational Method Composer license. Rational Method Composer is installed in "shell-shared" mode with Rational Team Concert. He confirms that there are content reader licenses for the entire team.
- To prepare Rational Method Composer for the customization process, Peter performs the following actions:
  - He opens the practices library included in Rational Method Composer and exports the Application Vulnerability Assessment practice plug-ins, following the instructions in the Rational software information center under Exporting a method plug-in.
  - He downloads the CLM process library available on the IBM Rational Solution process assets page.
  - He opens a copy of the CLM process library and imports the Application Vulnerability Assessment practice plug-ins that he previously exported, following the instructions in the Rational software information center "Designing and managing process" section, under Publishing and exporting, for Importing a method plug-in.
The set of practices that come with the CLM process library and the Application Vulnerability Assessment practice are now available in the Rational Method Composer installation.
- In the Authoring perspective, Configuration Editor view, Peter makes a copy of the CLM configuration and edits it. (In simple terms, a configuration is a selection of practices to publish.) He adds the vulnerability assessment folder to the configuration (see Figure 1). That folder contains all elements that are part of the Application Vulnerability Assessment practice, such as roles, tasks, work products, and guidance.
Figure 1. The CLM configuration includes the Application Vulnerability Assessment content
- In Rational Method Composer, Peter switches to the Browsing perspective and expands the Application Vulnerability Assessment practice node to see the elements that it contains. Under the Activities node (see Figure 2), there are three suggested workflows that a team can follow:
  - Application Vulnerability Assessment - Auditor
  - Application Vulnerability - QA
  - Application Vulnerability Self-Assessment
- Marco and Sally decide to use the Self-Assessment workflow, which consists of three tasks, as shown in Figure 2:
  - Develop security test policy (performed by the security lead role)
  - Conduct security assessment (performed by the developer role)
  - Fix vulnerabilities (performed by the developer role)
Figure 2. Options and diagram of the Self-Assessment workflow
At this point, they have customized the Rational Method Composer process description as much as they need to do. As you will see later, they use these tasks to create a work item template in the Rational Team Concert project area.
- Peter publishes the modified CLM configuration as a Web archive file, clm.war. He follows the guidance under Publishing configurations as Web sites.
- When the publishing ends, Peter goes to the output folder and copies the clm.war file to this Jazz™ Team Server (JTS) folder:
The published Rational Method Composer content is now available to team members.
Now it is time to update the Rational Team Concert project area to reflect the changes made to the process description in Rational Method Composer.
Due to the addition of the Application Vulnerability Assessment practice to the CLM configuration in the previous steps, the following new roles were added to the process description:
- Security Lead
- Security Tester
- Security Developer
- Peter adds those roles from Rational Method Composer to the Rational Team Concert project area so the team lead can assign team members to perform tasks defined in the process. He follows the steps in the How to update a Jazz Project Area using Rational Method Composer technical note under the "Create a Jazz Role from a Rational Method Composer role" section.
- Marco goes to the Rational Team Concert project area where these roles are now available and associates team members with these roles, such as assigning Sally to the Security Lead role.
In the previous step, Peter added three security tasks to the Rational Method Composer content. Now he needs to make those tasks available in Rational Team Concert so Marco can assign them to team members performing security roles. He can do this by adding tasks from Rational Method Composer to work item templates in Rational Team Concert.
- Peter finds instructions in the How to update a Jazz Project Area using Rational Method Composer technical note under the "Create a Work Item Template from a Rational Method Composer Process Element" topic.
- In the Team Process perspective of Rational Method Composer, he finds the Application Vulnerability Self-Assessment workflow and selects the Create a Jazz Work Item Template menu.
Figure 3 shows Peter's actions.
Figure 3. Steps to create or update a work item template
From the previous step, the development team now has a work item template that they can instantiate to populate iteration plans in Rational Team Concert with security tasks.
Marco follows the information center instructions in the Planning an iteration topic, in the Scenarios section, under the Iterative development section.
- In Rational Team Concert, he creates an iteration plan for the first Construction iteration that the development team is about to perform.
The resulting plan has no tasks (or planned items) in it yet. To populate the plan, Marco follows the guidance for Creating work items from a template.
- Marco uses the Development Team – Construction Iteration work item template to populate the iteration plan with typical planning, development, and testing tasks.
- Then he uses the Application Vulnerability Self-Assessment work item template to add security testing tasks to the same iteration plan.
After it is populated with all of the Rational Method Composer tasks that the development team needs to run that Construction iteration, including the new security testing tasks, the plan editor in Rational Team Concert looks like the one shown in Figure 4.
Figure 4. Construction iteration plan populated with tasks
Given that the team is new to security testing, they will need help getting started. Fortunately, each of the work items created includes links to the Rational Method Composer practice guidance, so team members have all the guidance that they need at their fingertips to adopt the new practice successfully.
This article described how the team quickly updated their process to adopt a new practice. You saw how easy it is to create an iteration plan that incorporates the new practice and how team members get in-context guidance to easily adopt the new practice.
- Read the entire series Document and automate processes with Rational Method Composer and Jazz.
- Learn more about Rational Method Composer:
- Check the Rational Method Composer overview page, where you can also download it for a free trial, and find links to technical articles and other resources on the developerWorks page.
- To learn about using Rational Method Composer with Jazz, including FAQs, links to enablement materials, and tips and tricks, see the Rational Method Composer and Practices wiki on developerWorks.
- Explore the Rational Process Library, a diverse set of method content, guidance, templates, and processes with more than 100 selectable and customizable process best practices that can be applied to a variety of processes and domains.
- Find out more about Rational Team Concert:
- Find Rational Team Concert articles and links to many other resources on IBM developerWorks, and check the product overview page, features and benefits, system requirements, and the user information center.
- Check the Rational Team Concert page on Jazz.net.
- Watch the Using Rational Team Concert in a globally distributed team webcast or a demonstration of the Dashboards and reports, or listen to the podcast about IBM Rational Team Concert and Jazz.
- You can find more information about the Rational solution for Collaborative Lifecycle Management on the CLM page on Jazz.net.
- Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
- Subscribe to the developerWorks weekly email newsletter, and choose the topics to follow.
- Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Attend a free developerWorks Live! briefing to get up-to-speed quickly on IBM products and tools, as well as IT industry trends.
- Watch developerWorks on-demand demos, ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.
Get products and technologies
- Download Rational Method Composer to try it at no charge.
- Download Rational Team Concert from Jazz.net and try it free on up to 10 projects for as long as you want (requires registration). If you'd prefer, you can try it in the sandbox instead, without installing it on your own system.
- Download free trial versions of other Rational software.
- Evaluate other IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement service-oriented architecture efficiently.
- Ask and answer questions in the Methods and Practices forum and the Rational Method Composer forum on developerWorks.
- Join the Rational software forums to ask questions and participate in discussions.
- Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.
- Join the Rational community to share your Rational software expertise and get connected with your peers.
- Rate or review Rational software. It's quick and easy.
Ricardo Balduino is a senior software engineer at IBM. He leads and contributes to the development of solutions such as the Eclipse Process Framework, IBM practices, Collaborative Application Lifecycle Management, Jazz-based software, and the Rational Unified Process. His 17 years of experience in the software industry also includes developing software for industrial processes automation and financial services, as well as providing training and consulting services to help organizations adopt formal and agile software development practices. Ricardo is a certified Project Management Professional (PMP). He holds a B.S. degree in Computer Sciences from Sao Paulo State University, Brazil, and an M.S. degree in Software Engineering from San Jose State University, USA.