The XP conference is a conference focused on agile software development. The XP conference has always been one of the main European agile conferences going back to 2000. Prior to 2018, this conference was a small independent conference, but now it is sponsored by Agile Alliance (the organization that also runs the much larger annual Agile conference in the US). The conference usually draws 200 or 300 people, from a cross-section of academia and industry. Many agile experts from North America, Asia, and Australia also attend the conference, so it has a worldwide flavor.
XP2018 was held May 21-25 in Porto, Portugal. I attended this conference as a panelist in the Agile Education and Training panel.
There were three main keynote talks, but only one talk had any real technical and process content -- the talk "Continuously Deploying Security" by Laurie Williams from North Carolina State.
The video of Laurie's talk is available online: https://vimeo.com/298472126.
Laurie opened her talk by pointing out how we are living in a world where data security and network security are constantly being challenged. Political parties are having emails stolen, health data is at risk of being used inappropriately, some websites aimed at children have serious security issues that might compromise personal information, and the security of credit card information continues to be a big financial problem.
Laurie cited studies from 2017 that claim there is $600 billion of cyber damage per year.
When we focus on "getting functionality out," security is often a secondary concern. Laurie insists that everyone should embrace cybersecurity and privacy as part of their work.
Unfortunately, the level of cybersecurity knowledge is low across the software development community. Most security people are in "silos," separated from the rest of the development community rather than being team members in an agile team. This often creates an adversarial relationship -- the job of a security person is to "stop" a project from being shipped, to police the security standards. But some companies are having success at putting security experts into development teams -- Laurie cited Microsoft and Slack.
How can we make things better? One idea is to make developers more accountable for security issues. For example, we might force developers to be responsible for fixing their own security defects -- if they run the risk of getting a midnight call to fix a problem, they may be more careful during development.
Retrospectives can be a good way to increase awareness of security issues. Laurie advocates a "shameless retrospective" culture -- where developers can admit mistakes and share information about security problems without being blamed personally for the failures. The participants in the retrospectives may be able to find ways to prevent these issues from happening again.
Laurie mentioned some ideas from the BSIMM model (Building Security In Maturity Model - https://www.bsimm.com). This model contains practices to look for security vulnerabilities: how to prevent, detect, and respond to security attacks.
Laurie also talked about a process for estimating the effort and value of addressing security issues -- Protection Poker. It is a technique for prioritizing which security issues to focus on in the short term. The participants need to do two rounds of relative estimation for each of the security risks, to determine how easily the system can be attacked and the value of preventing that security risk.
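The two estimation rounds can be tallied as in the following added example, which is not from the talk or this report. It assumes a planning-poker style card deck, the median card as the round's estimate, and a score equal to the product of the two estimates; the risk names and votes are constructed.

```python
# Assumed planning-poker style deck; the report does not list card values.
DECK = (1, 2, 3, 5, 8, 13, 20, 40, 100)

def settle(votes, max_gap=2):
    """Return (estimate, needs_discussion) for one round of votes.

    Votes more than max_gap deck positions apart mean the team disagrees
    and should discuss before voting again (hypothetical threshold).
    """
    if not votes or any(v not in DECK for v in votes):
        raise ValueError("votes must be non-empty cards from DECK")
    positions = sorted(DECK.index(v) for v in votes)
    spread = positions[-1] - positions[0]
    # Median card; the upper median on even counts errs toward caution.
    estimate = DECK[positions[len(positions) // 2]]
    return estimate, spread > max_gap

def prioritize(rounds):
    """rounds: {risk: {"ease": [...], "value": [...]}} -> list, highest first."""
    ranked = []
    for risk, r in rounds.items():
        ease, ease_flag = settle(r["ease"])      # round 1: ease of attack
        value, value_flag = settle(r["value"])   # round 2: value of prevention
        ranked.append({
            "risk": risk, "ease": ease, "value": value,
            "score": ease * value,               # assumed scoring rule
            "revote": ease_flag or value_flag,   # estimate not yet trustworthy
        })
    return sorted(ranked, key=lambda x: (-x["score"], x["risk"]))

# Constructed sample votes from a four-person team.
SAMPLE = {
    "password reset flow": {"ease": [8, 13, 8, 13], "value": [20, 20, 40, 20]},
    "admin export endpoint": {"ease": [3, 5, 3, 40], "value": [40, 40, 100, 40]},
    "public status page": {"ease": [13, 13, 20, 13], "value": [1, 2, 1, 2]},
}

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

The "revote" flag matters as much as the ranking: a single outlier vote usually means one participant knows about an exposure the others have not considered.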
Crista Lopes (Univ. of California-Irvine) spoke about "On Software and Buildings" -- this talk was an interesting discourse on her experience with a "building refactoring" problem. She owns an apartment in an older building with 10 apartments in Lisbon, and the building has had some structural problems. She tells the story of the interactions with structural engineers and construction contractors to design and execute repairs to the building. The video of Crista's talk is available online: https://vimeo.com/298451071.
Kent Beck gave a rambling talk about some of the challenges to agile methods and culture -- especially the problem of how to be more "inclusive" of women, minorities, and disabled people. He pointed out that it is a terrible idea to define our agile practices in a way that makes people feel unwelcome. I have extracted some notes from the first part of Kent's presentation. -- Kent shares some stories of how he discovered how badly women are treated by many developers. The entire video can be found online: https://vimeo.com/298440446.
I participated in an interesting panel on education and training issues, but we didn't really come to any new and interesting conclusions.
On the other hand, there were two very good panels during the rest of the week: one on mission critical systems and the other on using agile in the development of IoT systems.
The mission critical systems panel had some good discussion about security and safety issues, how to incorporate agile practices even if there is an audit of your development processes, and whether Facebook is a mission critical system. Here are some notes from that panel: Notes from the Mission Critical Systems panel.
The IoT panelists talked about the wide variety of IoT products, the cross-functional skills agile teams will need, and the value of thinking about the enterprise as a whole rather than just a single isolated IoT device. Here are some notes from that panel: Notes from the IoT panel.
XP2019 will be held May 19-24, 2019 in Montreal, at École de Technologie Supérieure. This conference will be held the week before the ICSE 2019 conference (which is also in Montreal next year). See https://www.agilealliance.org/xp2019 for more details.