Resilience
•
February 16, 2024
Engineers experience cycle time through risk and complexity trade-offs.
Aiming for small PRs should always be the goal but we should also embrace the realities of development where we occasionally have to make larger changes to get work done in high time pressure environments.
Being fair and more precise
Cycle Time is actually a great metric, when paired with additional data to paint a more accurate picture of what’s happening. Used in a vacuum, it can lead you down some strange paths that waste time.
Shepherdly expresses Cycle Time through objective risk measures, in three easy to grok buckets (low, medium, high). Teams should have different expectations of velocity based on how risky something is. Longer cycle times (within reason) when accompanied with adequate resiliency should be celebrated not looked upon as a metric to arbitrarily drive down.
You might think that PR size accomplishes the same thing. Not quite. Scanning popular open source projects, the size of a change is can be directionality predictive, however, the importance & thresholds are wildly different project to project. In some repositories, it barely mattered at all relative to other predictors. This is why bug prediction is an untapped and undervalued resource in our field. Developers are missing a metric that captures the essence of complexity and resilience.
Codify your risk tolerance
Shepherdly allows teams to configure their desired resilience based on the risk score. With objective risk measurements, teams can focus their velocity efforts on very low risk PRs and their resiliency and reliability efforts on high risk changes. The results in delivering most changes faster and dramatically reducing the blast radius of the most complex PRs.
Here are some examples scenarios that Shepherdly can enable:
My team needs to go fast, we can tolerate some turbulence
💡Low-risk PRs increasing test coverage can be merged without review. Moderate-risk PRs require a review on top of that, and high-risk PRs need a feature flag in addition to all previous requirements, with at least one reviewer.
This recipe minimizes context switching on a large amount of PR activity which is generally low risk. It focuses the valuable review capacity on collaborating on how to best mitigate risky changes.
My team is optimizing for rigor and resilience
💡Low-risk PRs must increase test coverage & require one review from a member of the team. Moderate-risk changes require specific steps unique to our team and a review by a senior member. High-risk changes additionally require integration tests, observability, feature flags, and multiple reviewers.
In this scenario, the team justifiably maximizes their resiliency effort by incorporating best practices and custom processes unique to their team.
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES |
| B. Personal information categories listed in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | NO |
| C. Protected classification characteristics under California or federal law | Gender and date of birth | NO |
| D. Commercial information | Transaction information, purchase history, financial details, and payment information | NO |
| E. Biometric information | Fingerprints and voiceprints | NO |
| F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | NO |
| G. Geolocation data | Device location | |
| H. Audio, electronic, visual, thermal, olfactory, or similar information | Images and audio, video or call recordings created in connection with our business activities | NO |
| I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO |
| J. Education Information | Student records and directory information | NO |
| K. Inferences drawn from other personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics | NO |
| L. Sensitive Personal Information | NO |
Resilience
•
March 14, 2024
Inside the prediction of a bug that led to a CVE in Redis
Our predictive model highlighted the risks leading to a CVE in Redis, showing the importance of objective risk assessment over traditional methods. This blog delves into the misconceptions about small pull requests and conventional mitigation's limitations
Read More
Resilience
•
February 16, 2024
Go deeper on Cycle Time with Risk & Resilience
Engineers experience cycle time through risk and complexity trade-offs. Shepherdly helps teams measure this and codify their risk tolerance.
Read More
Resilience
•
August 7, 2023
Benchmarking Risk & Quality KPIs in Popular Open Source Projects
Analyzing six popular open-source repositories, Shepherdly examined how various established and novel quality KPIs are reflected in some of the most extensively used software tools.
Read More
