Low code CoE thoughts

Key areas to address for a Low Code CoE:

1. Portfolio of Products
2. People/Skills/Experts
3. Process/ALM
4. Platform/Governance/Cleanup/Architecture/NFR's (scalability, SLAs)
5. Promotion/delivery/training

Consider putting project thru a Business case validation particularly over a larger projects.  Business case is how your business visualises and communicates a proposed project, should continuously be refined.  Points to cover:

1. Business Case (Idea)
2. Customer Segment >
3. Value Proposition (what do they get) > 
4. Channels (API, website, AI Services, .. ) Customer Achievement (get and retain) >
5. Revenue (how to make money)
6. Key Resources (patches, maintenance) covers technology & data.  What tech, people needed to build and continue delivering.  Data where does it come from, quality, restrictions, relevancy.
7. Partners (dependency e.g. AWS, Azure, Mendix, Outsytems, UiPath, Microsoft, and backup options)
8. Cost breakdown

CoE needs to clearly understand is boundaries and responsibilities.  

I am a big fan of Total Ownership, clear requirements and goals, using RACI, and stand ups.  For the rest I try to be agile and malleable.  Big projects require more oversight and planning so allow teams to change and focus on delivery.  

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow but watching a master in a meeting today:

STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.  STRIDE is for Threat modelling as part of risk management.  Acronym for: 

1. Spoofing a server
2. Tampering a file
3. Interlude: Scope and timing
4. Reputing an order
5. Information Disclosure
6. Denial of Service
7. Elevation of Privilege's

DREAD Model is pretty much the same thing as STRIDE.

CIS framework or MITRE framework - Security framework for benchmarking.  Closely related to SOC (Security Operation Centre).

'RESPECT' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course, all the cross-cutting concerns have been dealt with." 

Three Amigos - Backlog review: PO, SM and Team members get together to discuss design, dev and testing.

YAGNI is an XP principle "You Ain't Gonna Need It", which is basically only create code for requirements not what you feel may be needed later on.  

Pareto Rule - roughly 80% of consequences come from 20% of the causes.  Or 80% of outputs come from 20% of inputs.  So 80% of revenue may come from 20% of your clients.  Also referred to as 80-20 rule. Same principle for 90-10 rule.  Pareto analysis 80% of a projects benefits can be achieved by doing the right 20% of the work.

Rindelmann Effect - Individual members become less effective as the size of the group grows.  I opt for small focused teams even for large programmes as more people does not equa more technology delivery. 

A hockey stick pattern is a chart pattern that shows a rapid increase after a period of relative stability.  For example pizza sales might drastically increase when a pandemic strikes as people no longer go out to eat and people tend to order more delivery pizza.

GIGO - Garbage In Garbage Out.  Same idea as FIFO or LIFO.  

WSJF (Weighted Shortest Job First) is used in Scale-able Agile Framework (SAFe) for prioritizing tasks.  It is pronounce "Wiz-jiff".  I'm not a fan of this technique.

The CIA Triad - Confidentiality, Integrity and Availability of data.

OMGA - (Owner, Member, Guest user, Application Users) is a security structure used to control access.

6 hats/ Six hat thinking - helps with creative thinking within groups making decisions.  

ProActivity Hunt - SOC tries to imaging scenarios/hypothetical situations and using data capture verify if there are security risks.  Only  ever heard this term at Microsoft

Useful Glossary:

Architecture Review Board (ARB) - functions as the governance to ensure IT projects/programs align with the businesses IT Architecture.  Ensure IT initiatives align with the companies IT goals.

Change Advisory Board (CAB) - board of members that evaluate changes and the associated risks to the business.  Has a strong technology influence but not only technical.  Some time CABs in companies are IT focused dealing with IT change requests and are more like a ARB.

ExCo (Executive Committee) - collection of decision makers mainly board members/higher ups that make strategic decisions.

MMSP (Managed Security Service Provider) - People, Process and Technology to protect your business. Outsource service that manages & monitors enterprise security.  Includes IAM, Cloud security, app security, data security, network security.  Includes MXDR - Core monitoring.

Kill Chain - the steps that trace stages of an attack from the early reconnaissance stages to the exfiltration of data.

SOC (Security Operations Centre) - normally the CoE/security team within a business. 

PAM (Privilege Access Management) - CyberArk and Azure have a PAM allows for temporary recorded privilege escalation for users pref. dedicate admin accounts.

Enterprise Architecture - 1 level up from solution architecture, main frameworks are: (TOGAF - I am 9.1 certified), there is also the Zachman framework and Federal Enterprise Architecture Framework (FEAF) also refereed to as FEA.  I have use ArchiMate for modelling within the TOGAF framework to describe the Architecture of a government department, it's okay.

Open Source Software Licencing for dummies/me: 

1. Public Domain Licence: No restrictions, go for it.

Following are Permissive licences from most open to most restricted:

2.1 MIT Licence: Is a common permissive (open too use) licence.  Simple to understand, anyone can reuse and modify code but the creator is no liable for any future use.  MIT is almost identical to a 2.2 BSD licence.  Great as you can freely use and I like to offer my code with MIT licencing.  

2.3.GNU General Public Licence (GPL): nice open source licencing that you can reuse or modify but your work must be open-source and available to all.  If you use GPL must make source code available and anyone can use yours derivative.

2.4 Apache and Apache 2: is also Permissive but more protective than MIT licences.

3. Copyleft: More restrictive, users can reuse but any derivations are bound by the copyleft licence on the originals.

4. Proprietary: Most restricted, closed source, no change or redistribution is allowed.  

Code Reviews for SharePoint

Overview:  Customisation in SharePoint takes different forms and having suitable environments to test code in before setting it free in production is essential.  This post looks at various types of customization and how to code review.  As a solutions architect and when I was running the Application Development CoE for a large multinational having standards and a code review checklist help immensely.  Improving code quality and finding issues early reduces the cost of building applications so code reviews are a good idea.

There are several automated tools for performing code review that target different application platforms (think FTC in SP2010 vs App Model in SP2013).  When automating the tools, it is good to select the templates/rules that match your organisation and maturity.  Ensure you customise the rules so they not reporting issues when in fact these are your standards (an example is naming in FxCop differs from the SharePoint code naming conventions used by different businesses).

Note: The code review requires depends on CSOM, FTC or JavaScript.  Depending on what is being created/built will require different code review.

There are several automation tools that can help identify poor quality code early within the development process.  Like peer reviews, these tools can help developers implement their code in the correct manner.

Note:  Define your coding standards, have up to date architecture diagrams for architects and have the rules when and what features your developers can use.  It's fairly common for outsourcing companies to build a solution to find out you don't allow the technology they have built with.  I remember an InfoPath based solution coming into my app development center a few years ago and they could not understand that the organisation would not merely turn on InfoPath.

Note: A lot of the tools we previously used in SP 2010 for FTC solutions are not relevant to SP 2013, namely SPDisposeCheck.

Code Review Tooling Options:

1. Visual Studio
2. FxCop (Config in VS so it runs with the same rule set as SPCAF)
3. StyleCop (Config in VS so it runs with the same rule set as SPCAF - forces enforcement of code style at design time)
4. SPDisposeCheck (SP 2010 only, don't use in SP2013 even for FTC solutions)
5. MSOCAF
6. SPCAF (SharePoint Code Analysis Framework)
7. Black Duck - Build into CI/CD pipeline checks for open source software and identifies potential security issues and highlights licencing concerns.

The 3 areas where code reviews can be performed are:

1. Developer at run time (think Visual Studio)
2. Continuous delivery (think gated check-ins)
3. Formal Code reviews (think solutions architect and quality manager) 

Manually reviewing code is better than nothing (automate where possible) and some basic rules and guidance is provided below.

Summary:
Code reviews improve maintainability, pick up bugs, ensure efficient code, code that shall run in production, improve security, performance and reduce the total cost of ownership.  Automated tools are worth considering and the top tool for me is SPCAF.  Do code review early, often and automate.

JavaScript Code Review Checklist:

1.> Project Structure - js into script folder in the solution file (group images, css, js and file types so the projects are easy to understand and consistent in layout)

2.> use strict directive on all pages "use strict";

3.> Always use Javascript namespaces - avoid conflicts

4.> Move hard coding to constants at the top of the file, not single use meaningful info like undefined in.  Move declarations to the top.

5.> Only used approved frameworks like jquery, notify if any other frameworks are used.

6.> Commenting.  Ensure method names tell coders what the method is performing.  Add comments that explain the method.  Don't be afraid to add value by adding inline comments. 

7.> Display friendly messages to the users if something goes wrong and add error handling to tracking /logging such as console.log() or log to ULS from an app using the provide JS api or log to a common logging mechanism.

8.> Single spacing  (no flower potting)

9.> Remove commented out code/unused comment out calls etc.

10.> Always end your switch statements with a default statement.

11.> Ensure coding standard are consistent consider using http://www.jslint.com/

12.> Code adheres to your agreed coding standards and example is http://google-styleguide.googlecode.com/svn/trunk/javascriptguide.xml

C# Coding Standards for SharePoint

This is a checklist, the recommendations need to be matched to your business and some scenarios such as complied C# for PowerShell plugin won’t use all the items in this checklist.

1. Have you followed the Enterprise design guidelines, branding guidelines and coding standards.
2. Have you used the Commenting standards e.g. http://msdn.microsoft.com/en-us/library/b2s063f7.aspx
3. Avoid declaring inline literal strings
4. Check empty string using length e.g. if (email.Length()=0) don't use if (email.Empty || email = "")
5. Use StringBuilder for concatenation don’t keep appending strings
6. Return Empty array rather than null
7. Methods must be short and focused.  Method names must be meaningful
8. Use method Overloading, not different names for the same method.  Try keep Classes small i..e under 500 lines.  If larger use #Regions to split up the code.  Pass objects into Methods rather than multiple variables if more than 6 parameters.
9. Enumerators should be used where possible, code is more understandable and options are easy to reuse.
10. Only import namespaces you need and dlls.  Split code into separate assemblies and use company standard naming with appropriate namespaces naming.
11. Make helper functions i.e. don't rewrite code several times - refactor
12. Open connections (SQL and SharePoint) as late as possible and ensure you wrap in error handling and dispose of connections in the finally statement
13. Reuse core code libraries (ensure commonly re-used functionality is add into core libraries cross-cutting concerns/logging/ email)
14. Use exception Management/Try catch.  Try catch must try catch specific errors and lastly catch all errors.  No business logic must rely on using catch statements.  Don't throw exceptions within exceptions.  Catch errors as specifically as possible, die gracefully and appropriately, log the errors using the CoE code core block that puts exceptions in the farms ULS and event viewer.   And potentiall the enterprise logging platform.
15. Dispose of SPSite and SPWeb Server site objects where appropriate. Run http://code.msdn.microsoft.com/SPDisposeCheck before deployment
16. Run stylecop and code analysis on code regularly and before deployment
17. Your code is x64 bit compiled. 

Have a common code/core code library that deals with cross cutting concerns, logging, caching etc.

using Microsoft.Practices.ServiceLocation;

using Microsoft.Practices.SharePoint.Common.ServiceLocation;

using Microsoft.Practices.SharePoint.Common.Logging;

ILogger _logger = SharePointServiceLocator.GetCurrent().GetInstance<ILogger>();

Exception ex = new ApplicationException("This is my test exception");

_logger.LogToOperations(ex); 

Security in C# and SP

1. Plain text passwords are not in stored Web.config, Machine.config, or any files that contain configuration settings. 
2. Input surfaces such as application pages, site pages, web parts and other customizations perform client and server side validation to protect from cross-site scripting (XSS) and SQL injection. 
3. Minimal use of elevated privileges to interact with SharePoint objects. 
4. Sensitive data is not stored in URLs, unencrypted cookies in hidden form fields, query strings or with code. 

HTML/CSS

Section 508 US Standard to ensure federal agencies 

WCAG 2.1 compliant standard should be adhered to and will cover: Jaws/Browser testing, screen zooms and brail readers.  WCAG 2.2 is due out in 2021.

RWD testing e.g. Mobile/Phone testing

SEO

SQL Standards (Establish SQL standards), a small example is:

1. No spacing in naming objects
2. Do not use reserves words in SQL
3. Name tables in sigular e.g. "Patient" not "Patients"
4. No Underscore in table naming and use Camel case e.g. "PatientResult", underscores are fine in column and Store proc naming.  
5. Do not prefix tables e.g. "tbl_Patient" or "tblPatient" 
6. Prefix view with "vw" e.g. vwPatientHistory
7. Boolean columns prefixed with "Is" e.g. IsActive
8. Stored Procs prefix with "usp" not "sp".  E.g. uspDeletePatient, use the format usp_Verb_Noun
9. Prefix functions with ufn 
10. label foreign key using the prefix fk and follow the format fkTableColumn e.g. fkPatientId 
11. Make your -SQL readable not on 1 line.  Use line-breaks, no empty lines and indent spacing to make the code readable.
12. How to comment must be standardised

This list goes on but as a starting point...  Pls post if you feel anything else is relevant.

SharePoint CoE & Estimating SharePoint Projects

Overview:  On Tuesday 21st of February I present a real world experience of a method of estimating and providing a high level design for SharePoint projects as done in our CoE at the SharePoint User Group UK (SUGUK) meeting in Nottingham.

Here is the slide deck (pptx) 1.1MB

Also see:
http://blog.sharepointsite.co.uk/2011/11/sharepoint-center-or-excellence.html

SharePoint Center or Excellence

Overview: What is a SharePoint Centre of Excellence (CoE)?  I suppose that all CoE's share the maxim of "Realising the potential of SharePoint".  There are a lot of consulting firms and large organisations claiming to have CoE's.  I have come across different meaning for a SP CoE, ranging from a group of developers that are assigned out on projects; to CoE's providing guidance on development, customisations, infrastructure, processes, governance and advising on IT pro tasks/administration.  I'm far more in the advisory/governance camp for your CoE to add the most value.

Sonny Mian describes a SharePoint CoE as "In its simplest form a SharePoint CoE is a team of SharePoint experts which promotes collaboration and best practices around SharePoint in order to assist business adoption of SharePoint solutions by establishing and governing information architecture, defining platform strategy, addressing challenges and evolving SharePoint practice/development to economize delivery of SharePoint solutions while mitigating ever increasing security, privacy, regulatory and compliance risks.
The purpose of a successful SharePoint CoE is then to ensure that it remains closely aligned with business strategy by managing Cost, Risk and Adoption of SharePoint."

My Answer: I guess it all comes down to what you need for your CoE, I see it as predominately a solutions mapping advisory service that maps solutions based on your Infrastructure.  Customers bring an application in for review/suitability on SharePoint, the project/solution is verified for it's suitablility to SharePoint (on-premise or SharePoint 365), I get the high level requirements and map each of these to a Work Breakdown Structure (WBS) and lastly do solution mapping.  The solution mapping allows me to choose a suitable way to achieve the requirement.  This allows me then to estimate the time for each piece of the solution mapping.  It works well for both creating your high level design and estimating efforts/cost on a project.  An added bonus is that external agencies/consultancies don't go out and over engineer coded solutions that SharePoint can easily achieve. 

For me CoE is for guidance, making sure all development and usage fits in with the SharePoint Governance document.  This keeps the farm stable, reduces delivery time, improves service to the business ... the list goes on.

SharePoint governance should focus on the implementation of standards, roles and responsibilities, and processes to extract value from SharePoint data while managing risks, dealing with compliance requirements and keeping people and entity information secure.

CoE needs to be tied closely to your platform providers i.e. infrastructure.  You need to know what is available on your farms, capacity considerations, patches, service running, this allows me to map solutions that are appropriate given our capability while maintaining the integrity of the farms.

Another nice benefit is all code and architecture needs to be reviewed and meet our CoE development standards.  So we minimise risk as the architecture developed has to be approved, code is checked, and it is pushed through the correct environments and testing is required to move the application to the next environment. 

The CoE should also speak to infrastructure to highlight missing features, potential changes to the service and review the architecture with the Infrastructure team.  In my experience Infrastructure can get useful information from the CoE about forthcoming requirements that they need to respond to.

The CoE should also provide core coding library's for code that is shared across custom developed applications.  The best example of this is a common logging block.  In my CoE we used Microsoft's SharePoint logging block and customised it for simplicity and to ensure uniform use.  We also have a developer standards document that we require all development to adhere to.  Another core block is a configuration list that is used at a site collection level.  This is like a property bag but can be edited using SharePoint as it goes to a SharePoint list.  The list values are cached for 2 minutes to ensue optimum resource usage.

In large enterprises, the various business units benefit as the CoE provides concise advice as generally it has been seen before.  The SME working on spefic rojects are aware of similar or re-usable code.  The CoE can also assist with vendor selection and building relationships with partners.  This centralised pool of expertise also allows for providing expertise in more specific areas of SharEPoint such as search, workflows or BI are good examples.

What Does the CoE SME need to know

• Farm(s) architecture
• Governance - What service is offered and how is it offered via SharePoint
• Experience in building a wide range of technical solutions using OOTB features, SPD, InfoPath, PowerShell, Visual Studio, 3rd party software such as Ninetex and web parts.   This includes consulting, implementation
• Experience in integrating SharePoint with various technologies to build business solutions.
• Migration experience such as SP2007 upgrades, moving sites and content databases, migration tools such as Metalogix, Quest, AvePoint, the list goes on...
• Upgrading solutions - How to upgrading deployed solutions, how to install patch and service packs safely, change control in your DTAP environments.
• Good communication skills.

This list really does go on and it's hard to find the right candidates for a CoE but I think they key takeaway is you need good communicators to interact with each other, the business service divisions and the clients (projects requested).

Other opinions:
Sonny Mian - has written a series of posts on CoE for SharePoint - Part 1.

ShareFest session on Coe for Shire

Also See:

http://blog.sharepointsite.co.uk/2012/02/sharepoint-coe-estimating-sharepoint.html  - Updated 25 Feb 2012.