Changing Development Methodology Horses

Changing Development Methodology Horses

Date: June 4, 2019
Tags: , , , ,

Transitioning Methodology In Midstream

Have you wanted to switch from the waterfall methodology to an agile and DevSecOps approach? After all, agile methods coupled with DevSecOps process automation can drive quality, performance, and security improvements while increasing program-wide productivity and controlling risk.

So, yes, you may have several reasons TO switch:

  1. Agile and DevSecOps are better, faster, and cheaper than traditional methodologies.
  2. Many developers prefer to — and are used to — working this way.
  3. It’s how to achieve DevOps benefits of continuous delivery and cloud infrastructure-as-code.
  4. You have organizational mandates.
  5. Or, you just may have the desire to modernize or be feeling external pressure to do so.

Agile methods are iterative and incremental development processes require rapid and flexible responses to change. A complete solution may not be fully defined at the beginning but quickly evolves. A team can take on the highest priority requirements, build production code, and launch within weeks.

With DevSecOps, testing for threats is constant, automated and fast—instantaneously doing what would have taken humans weeks or months to perform. Security is integrated throughout the product lifecycle and is a fundamental part of every stage of development, so there are no surprises or delays because of security reviews or issues.

But, you may also have plenty of reasons NOT TO switch:

Contractual: Your project and contract structure, published schedule, and progress payments may be tied to milestones or other project events that specify or imply waterfall.

Project state: There are BDUF (Big Design Up Front) implications — the time and capital already invested in requirements, design, documentation — and the implication that all requirements will be fulfilled at launch.

Security and quality risks: Agile methods can push new or refactored code into production every few weeks, but traditional manual security compliance and manual testing require longer timeframes, even months.

Personnel: For an agile approach to be successful, at least one experienced team, product owner, and stakeholder are needed, and coordination must be increased substantially.

Organizational: Substantial change to “business as usual” is necessary to make agile work. All of the processes that stakeholders, project managers, business analysts, users, designers, and developers work under will change to some degree. Users and stakeholders have to attend end-of-iteration demos, accept the results, and be empowered to say yes to launch and to continually improve, update, and reprioritize the requirements. So, teams need to self-contained – everyone needed to build the answer for the next iteration must be a member of the team.

How do you know if transitioning is the right move?

Making the switch may not be possible, depending on your contract, and it could be detrimental depending on your team’s experience. Is the timeline and delivery date flexible? Does the budget allow for making a change? Is the client program team familiar with the agile approach and is the project development team thoroughly experienced in working that way?

If you’ve answered no to any of these questions, you’d be advised to ride out the waterfall and possibly plan for a bug fix team after launch to be your first agile test group or define a set of version 2 features to be built and assign that task to an agile team.

If your project has some time and budget flexibility and may be hitting some barriers, it can be smart to make the transition, though maybe not entirely. For a large, multi-year project, think in terms of risk segregation. Choose a pilot that won’t impact overall success, milestones, deliverables, or budget.

If the siloed pilot is successful, the method can be expanded to other areas of the project. For a smaller project, if time and money aren’t a problem, switching to an agile approach can mean getting to a better product faster.

Remember, transitioning is not just a shift in methodology.

Transitioning requires a shift in culture, and that requires a commitment from everyone involved because they will be adopting new tools, new procedures, and maybe even new team members who are experienced at transitioning from one method to another midstream.

T-Rex employs SAFe® (Scaled Agile Framework) and a proven, proprietary process for implementing agile approaches on both new and in-process projects. We’ve used our tailored SAFe on one of the government’s largest, most secure, and most complex mission critical projects ever with the U.S. Census Bureau.

For more than a year, we have been releasing top-performing software with zero security defects, leveraging our highly successful tailored agile approach to assess, define, develop, implement, and integrate mission-critical applications. Contact us to learn more about the benefits and potential risks of transitioning your project.

Contact Kelly Ralston



recently posted
Zero Trust Lift: Network Visibility and Analytics Maturity using Zeek

Zero Trust Lift: Network Visibility and Analytics Maturity using Zeek

Zeek is a proven open-source network visibility and analytics tool that you can leverage to increase your agency’s Network Visibility and Analytics Capability maturity under CISA’s Zero Trust Maturity Model Version 2. Zeek (, formerly named Bro) is a network […]

T-Rex is Hiring at Hill Air Force Base

T-Rex is Hiring at Hill Air Force Base

Since 2016, T-Rex has been supporting large scale hybrid-cloud migrations and systems modernization, to include the successful deployment of the first-ever online U.S. Census in 2020. We are excited about expanding our IT Modernization services within the National Security market, […]

Secure by Design and Zero Trust: Integrating Supply Chain Risk Management with DevSecOps

Secure by Design and Zero Trust: Integrating Supply Chain Risk Management with DevSecOps

Agencies are seeking innovative ways to mature their Zero Trust posture. In this article, we have focused on improvements to your DevSecOps to increase maturity in two pillars: 1) Devices and Applications and 2) Workloads.

Protecting Government Apps and Workloads from Zero-Day Cyber Threats

Protecting Government Apps and Workloads from Zero-Day Cyber Threats

In April 2023, CISA released Zero Trust Maturity Model Version 2, which added a fourth security maturity level and reaffirmed application and workload cyber requirements. In this article we consider Application Threat Protections security levels within the Applications and Workloads […]