Application Due Diligence Questions

Sebastian Patiño-Lang
4 min read · Apr 4, 2019

I recently had to wrap my head around assessing a piece of web-app/service software developed by a third-party contractor dev shop. These are the questions that came to my mind.

Dev

  • What is the high-level app architecture? Services? APIs? Layers?
  • What is the backend platform tech stack in use? Java version? Frameworks? Build system?
  • What is the frontend tech stack in use? Angular version? Other frameworks? Build system?
  • What are the frontend performance targets?
  • What other 3rd party libraries/software packages are in use?
  • How is login / registration / authentication / authorization handled?
  • Are responsiveness / mobile devices in scope for the frontend?
  • What is the quality assurance process? Manual smoke tests? Automation? Unit, integration, functional, e2e tests?
  • What is the security assurance approach? Fuzzing? 3rd party audits?
  • What are the coding guidelines in use?
  • What is the version control approach? Git? Where are the repositories hosted?
  • What is the Continuous Integration / Continuous Delivery approach? Toolchain? Feature flags? Branching?
  • How is documentation handled?
  • How is GDPR compliance ensured? Data audit trails? Anonymization/deletion of data?
  • Is l10n/i18n in scope? How is it handled?
  • How do you handle (micro)services? Are services polyglot? How is complexity managed?
  • Service Configuration: Eureka vs Kubernetes?
  • Is an API gateway in use? Kong?
  • What dev machine specs are recommended?
  • What is the debug procedure? Logs, debugger? Monitoring? Layers?
  • How can errors/states be reproduced? Environments? (Not only frontend)

Data

  • What databases are in use?
  • What are the main DB schemas/objects?
  • Describe the general database architecture
  • Do you have different databases for each app or services?
  • Do you use caching in front of the database?
  • How do you capture changes that are made to the database?
  • Do multiple apps make changes to the same database? How does one app know that something has changed in the database?
  • Are there any apps or services where you feel that a better choice of database technology can be made? Perhaps using a NoSQL database?
  • Is there any data that is duplicated amongst different databases, perhaps with the same values named differently? (i.e. customer ID)
  • How are database upgrades/rollbacks handled?
  • How easy is it for a new joiner to understand the main database schemas?
  • How easy is it to recreate the database? Is the entire database creation process scripted?
  • Do you use ORMs in the code? Which ones? Do you have any performance concerns?
  • How often do you tune the database? Do you have overnight jobs that do UPDATE STATISTICS or other kinds of query optimization tasks?
  • Do you have dedicated DBAs who write the queries and approve schema changes? Or do the developers write the queries?
  • Are stored procedures used? Or are all queries hard-coded in the front end?
  • How is data handled for each (micro)service? Dedicated DB per service? Shared DB, dedicated table?

Ops

  • What is the high-level system architecture? Servers, DBs, load balancer, proxies, SSL/HTTPS?
  • What is the hosting plan? Cloud, colocation, VMs, bare metal? Where?
  • What is the server tech stack in use? Linux, Windows? Distribution, version?
  • What is the current environment landscape? Dev, test, demo, staging, prod?
  • What is the process for spinning up a new environment? What is the lead time for this? What is the toolchain?
  • Is an infrastructure-as-code concept in use? Terraform? CloudFormation?
  • What is the deployment process? Toolchain? How often?
  • What is the lead time for pushing code to prod?
  • What is automated? What is not?
  • How are database upgrades/rollbacks handled?
  • What is the performance/scale target? Concurrent users? Response time?
  • How will performance be monitored? Toolchain? Metrics? NewRelic? Datadog?
  • How could the system be scaled x10 if needed?
  • What is the reliability target? Uptime?
  • What is the resilience approach/target? How will the system be able to recover?
  • How is the system protected? Firewalls? DDoS protection?
  • What is the planned backup strategy?
  • How do you handle secrets? Env vars? Vault?

Process

  • Which parts of $AgileMethod (Scrum, Kanban, etc) are in use? Why?
  • Which parts of $AgileMethod (Scrum, Kanban, etc) are not in use? Why?
  • What’s the Definition of Done / of Ready in use?
  • What are the coding tactics in use by the teams? Pairing? Peer-reviews?
  • How are sprint-reviews handled?
  • What is the requirement tracking/visualization approach? Backlogs? Epics? Story maps?
  • How is the progress/status made visible?
  • What is the process tooling? Jira? Pivotal? Redmine? ProdPad?
  • What is the communication protocol between stakeholders/client and team? Is there a single point of entry? Proxy PO / PM?

Team

  • How is the team structured? Roles? Skills? Hierarchy?
  • How are teams located? Remote? Colocation? Same room?
  • What is the team stability/turnover rate? (Maybe not something for a direct question.)
  • Is there a key man risk? A single point of failure?
  • How is knowledge transfer handled?
  • What is the current burn rate? $$$/week

Product

  • What are the defined milestones? MVP?
  • What is the greatest challenge? Highest unknown?
  • What is the user event tracking approach? Google Analytics? Amplitude? Mixpanel?

Thoughts and comments are welcome!

Thanks to Marc Adler who gave a lot of input for the list. You can find Marc here: www.ctoasaservice.org

I live here: https://twitter.com/perelin