Driving Guidelines

Shift-left security

  • By designing applications with security in mind from the outset (i.e. earlier in the development process, not as a pre-launch audit), organizations save over 50% on security-related fixes after launch.
  • We build applications around a standalone OpenID Connect Identity Provider (e.g. Okta, Auth0, Keycloak). This standardizes Identity and Access Management, keeps user credentials and profile data out of the application's own database, and lets new applications be built alongside the old ones against the same identity provider with relative ease.

Best-practice security

  • We stay ahead of the average developer on security and Identity and Access Management by engaging with other security leaders on standards and best practice.
  • We use the authorization code flow for all user authentication. The user signs in at the identity provider and the application only ever receives an authorization code, which it exchanges for tokens on the back channel, so user credentials never pass through the application itself.
  • We avoid OAuth2 public clients (those that cannot keep a client secret confidential, such as single-page and mobile apps) whenever a confidential client is reasonably possible. Where a public client is unavoidable, we use PKCE on the authorization code flow and take extra precautions with how tokens are stored and how long they live.

Open-source community participation

  • We use and contribute to open source technologies, specializing in:

      Java, Spring Boot, Spring Security, JPA
      React/Redux
      PostgreSQL
      OpenID Connect/OAuth2
      Docker
      JHipster
      Kubernetes, GKE, etc.
      CI/CD (including Jenkins X)

Evidence-based approach to accelerating software delivery performance

“high IT performance correlates with strong business performance” ~ Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations

  • We follow an evidence-based approach to software delivery performance that has been shown to correlate with strong business performance regardless of organizational size or industry. Research shows that certain capabilities drive improvements in software delivery performance, so we help organizations accelerate their business by focusing on these categories of capabilities:
    • Continuous Delivery
    • Architecture
    • Product and process
    • Lean management and monitoring
    • Cultural
  • We use GitOps, so that everything that is deployed (application code and infrastructure) is declared in version control and the running state is reconciled from that declaration.
  • We do Continuous Integration and Continuous Deployment, deploying and releasing even the first commit if all tests pass.