W05 Team Activity: Case Study Discussion
Overview
Meet with your team and follow this outline to discuss this week's case study.
Instructions
(Before the meeting) Prepare yourself
Before meeting with your team, you need to:
- Complete the Case Study Reading
If you have not read the case study you will not be able to participate with your team.
Begin with prayer
The lead student should ask someone to pray to begin the meeting.
Review the case study basics
Discuss the following:
- What was it about December that added complexity to Adaora's situation?
- What was the deadline for the GP project?
- What was it about the Log4Shell vulnerability that made it such a big deal?
- Who were the two key stakeholders pressuring Adaora's team, and what were they demanding?
- What was the decision that Adaora had to make at the end of the case?
Identify Christlike attributes
Disciples of Jesus Christ
As a team, discuss the following:
- Are there any people or actions in this case study that exemplify the way the Savior would act in that circumstance?
- If so, do you think acting this way was difficult for that person?
- Are there any people in this case study that behave contrary to the teachings of the Savior?
- If so, how could that person have achieved their overall goal in a different way?
Dig a little deeper
Answer the following questions:
- From the Wired article in the footnote, who was taking advantage of the exploit first? (In other words, what were the hackers using systems for?) What might the second phase of attacks involve?
- What are the strengths and weaknesses of the PAC 2000 approach compared to the CI/CD deployment approach?
After you have answered the question, expand this box.
It is important to recognize that this article was written right in the middle of the events of this case study, when the vulnerability had just been disclosed and people were unsure of the exact ways that everything would unfold.
As stated in the article, the first group to take advantage of this exploit was cryptominers. Also as mentioned in the article, during the second phase, cyber criminals would start to target systems for ransomware, espionage, and other malicious activity.
After you have answered the question, expand this box.
It is easy to think that the PAC 2000 approach was just old, outdated, and did not provide value. While it does have limitations, it certainly has value as well. PAC 2000 made deployment a significant event where it received lots of attention. In addition, it produced a great paper trail in case problems were encountered later.
The weaknesses of the PAC 2000 approach should be obvious. It makes it very difficult to deploy code very frequently. The result is that, as in the case of Globemart, the updates may not have been made recently, and when a critical deployment is needed, the process is much more difficult.
The CI/CD approach has the opposite characteristics: it makes deployment so easy that it can be done frequently and consistently. This makes updating in the future much easier. The weakness is that because deployment is not such a monumental event, each deployment may not receive the same amount of attention, and it doesn't have the same kind of paper trail explaining all the details of the update and why it was important for it to be made, or the same sign-off from other tangentially related teams.
Analyze the case
Answer the following questions:
- What are the risks of not handling the Log4Shell vulnerability (including both financial and other risks)? What are the risks of not prioritizing the feature work on the GP/EMEA projects (including both financial and other risks)?
- Considering the decision that Adaora had to make at the end of the case, what are some specific reputational risks, or the potential career impacts for her, if she makes a poor choice?
After you have answered the question, expand this box.
Not addressing the Log4Shell bug carries great risk for Globemart, both financially and otherwise. Financially, an attacker could potentially bring down the whole website for a period of time, causing the company to lose millions of dollars in revenue during this important holiday shopping season, or requiring them to pay a ransom to have it restored. Even if the main website were not compromised, other critical parts of the company's infrastructure could be compromised, such as its shipping and receiving, order tracking, or vendor relations processes. Similarly, customers' private data could be compromised, resulting in attacks on them for years to come. Needless to say, there is significant risk to the company.
On the other hand, there is also significant risk in not completing the EMEA project on time. As noted in the case study, this is a huge financial bet that the company is making for the future, and there may be penalties for missing the deadline. This could reasonably cost the company hundreds of thousands of dollars and risk their strategic position moving forward.
After you have answered the question, expand this box.
As noted in the case study, Adaora had been something of a rising star at the company. This decision puts her in a very difficult place from a reputation standpoint. She is caught between leadership on the software engineering side of the company (such as the CTO to whom she directly reports), and the business side of the company (such as the CFO who is championing the EMEA project).
If she fails to follow through for the software engineering group, she risks being disciplined and not getting future promotions. If she fails to follow through for the business group, she risks being overlooked for future prominent projects at the company that could offer bonuses, recognition, and grounds for promotion.
Conclude
As you finish your meeting, select a person to be the lead student for your next meeting.
Submission
- Return to Canvas to submit your reflection.