Software practices
The following practices are not intended to be rules, but rather a collection of best practices which aim to improve the supportability and longevity of any custom developed system.
One can summarize the objective of these practices by asking the following question:
If every expert supporting a system leaves the University, with what degree of success can a new individual continue the development, operations, and support of this system?
Development
Important
- Project maintainers are documented - at least 2 individuals responsible for the ongoing development and support of the system.
- All resources required to develop and deploy the software are accessible inside a well-known source control system.
- The project maintainers have write permissions to the source code and deploy permissions to the hosting environments.
- The source code, including source control history, does not contain passwords, keys, or secrets.
- Upstream and downstream dependencies critical to the operations of the system are documented.
- Project maintainers understand any applicable obligations under Policy 46 - Information Management and WCAG standards mandated under the Accessibility for Ontarians with Disabilities Act.
- The software includes a Statement of Long Term Support, which indicates who provides support, for how long, with details on what they will do. Often, the length of support will be dictated by major framework/system component choices.
Ex. Alice Smith will perform regular security updates and bugfixes on this application for 5 years (with review before May 2028)
Good practice
- Repository has a README.md containing at least the following information:
  - High-level system information
  - Instructions on how to run the development environment
  - Instructions on how to deploy to all environments
- Deployment procedures are easy to follow and executable from a variety of environments (Windows, Mac, Linux).
Operations
Important
- Product roadmaps, ongoing development task lists, or support requests are tracked in a centrally supported system, to which project maintainers have access.
- Data critical to the operations of the system has well-defined backup, recovery, and data retention policies. These policies are also executed and tested on a regular basis.
- A Long Term Support plan is executed.
Example LTS plan
----------------
Project maintainer will execute the following every 6 months
Perform update assessment
- Check for security vulnerabilities
- Check for component/platform updates
- Are there any deferred from last cycle?
- Assess user impact of implementing/not implementing updates
Engage stakeholders regarding system usage and update assessment
Should the updates be implemented?
- No - document and communicate any risks with stakeholders
- Yes
  - Create plan for development, testing, and deployment
  - Communicate plan with stakeholders
  - Execute plan
Good practice
- Proactive monitoring of business critical component health exists and alerts the correct individuals.
- Important dates are documented (licenses, certificates, access, component EOL, etc.)
- Additional documentation is accessible:
  - Service Level Agreement
  - Incident response and disaster recovery plans
  - Stakeholder communication plan