Application Due Diligence Questions
4 min read · Apr 4, 2019
I recently had to wrap my head around assessing a piece of web-app/service software developed by a third-party contractor dev shop. These are the questions that came to my mind.
Dev
- What is the high-level app architecture? Services? APIs? Layers?
- What is the backend platform tech stack in use? Java version? Frameworks? Build system?
- What is the frontend tech stack in use? Angular version? Other frameworks? Build system?
- What are the frontend performance targets?
- What other 3rd party libraries/software packages are in use?
- How is login / registration / authentication / authorization handled?
- Are responsiveness / mobile devices in scope for the frontend?
- What is the quality assurance process? Manual smoke tests? Automation? Unit, integration, functional, e2e tests?
- What is the security assurance approach? Fuzzing? 3rd party audits?
- What are the coding guidelines in use?
- What is the version control approach? Git? Where are the repositories hosted?
- What is the Continuous Integration / Continuous Delivery approach? Toolchain? Feature flags? Branching?
- How is documentation handled?
- How is GDPR compliance ensured? Data audit trails? Anonymization/deletion of data?
- Is l10n/i18n in scope? How is it handled?
- How do you handle (micro)services? Are services polyglot? How is complexity managed?
- Service Configuration: Eureka vs Kubernetes?
- Is an API gateway in use? Kong?
- What dev machine specs are recommended?
- What is the debug procedure? Logs, debugger? Monitoring? Layers?
- How can errors/states be reproduced? Environments? (Not only frontend)
Data
- What databases are in use?
- What are the main DB schemas/objects?
- Describe the general database architecture
- Do you have different databases for each app or services?
- Do you use caching in front of the database?
- How do you capture changes that are made to the database?
- Do multiple apps make changes to the same database? How does one app know that something has changed in the database?
- Are there any apps or services where you feel that a better choice of database technology can be made? Perhaps using a NoSQL database?
- Is there any data that is duplicated amongst different databases, perhaps with the same values named differently? (i.e. customer ID)
- How are database upgrades/rollbacks handled?
- How easy is it for a new joiner to understand the main database schemas?
- How easy is it to recreate the database? Is the entire database creation process scripted?
- Do you use ORMs in the code? Which ones? Do you have any performance concerns?
- How often do you tune the database? Do you have overnight jobs that do UPDATE STATISTICS or other kinds of query optimization tasks?
- Do you have dedicated DBAs who write the queries and approve schema changes? Or do the developers write the queries?
- Are stored procedures used? Or are all queries hard-coded in the front end?
- How is data handled for each (micro)service? Dedicated DB per service? Shared DB, dedicated table?
Ops
- What is the high-level system architecture? Servers, DBs, load balancer, proxies, SSL/HTTPS?
- What is the hosting plan? Cloud, colocation, VMs, bare metal? Where?
- What is the server tech stack in use? Linux, Windows? Distribution, version?
- What is the current environment landscape? Dev, test, demo, staging, prod?
- What is the process for spinning up a new environment? What is the lead time for this? What is the toolchain?
- Is an infrastructure-as-code concept in use? Terraform? CloudFormation?
- What is the deployment process? Toolchain? How often?
- What is the lead time for pushing code to prod?
- What is automated? What is not?
- How are database upgrades/rollbacks handled?
- What is the performance/scale target? Concurrent users? Response time?
- How will performance be monitored? Toolchain? Metrics? NewRelic? Datadog?
- How could the system be scaled x10 if needed?
- What is the reliability target? Uptime?
- What is the resilience approach/target? How will the system be able to recover?
- How is the system protected? Firewalls? DDoS protection?
- What is the planned backup strategy?
- How do you handle secrets? Env vars? Vault?
Process
- Which parts of $AgileMethod (Scrum, Kanban, etc) are in use? Why?
- Which parts of $AgileMethod (Scrum, Kanban, etc) are not in use? Why?
- What’s the Definition of Done / of Ready in use?
- What are the coding tactics in use by the teams? Pairing? Peer-reviews?
- How are sprint-reviews handled?
- What is the requirement tracking/visualization approach? Backlogs? Epics? Story maps?
- How is the progress/status made visible?
- What is the process tooling? Jira? Pivotal? Redmine? ProdPad?
- What is the communication protocol between stakeholders/client and team? Is there a single point of entry? Proxy PO / PM?
Team
- How is the team structured? Roles? Skills? Hierarchy?
- How are teams located? Remote? Colocation? Same room?
- What is the team stability/turnover rate? (Maybe not something for a direct question.)
- Is there a key man risk? A single point of failure?
- How is knowledge transfer handled?
- What is the current burn rate? $$$/week
Product
- What are the defined milestones? MVP?
- What is the greatest challenge? Highest unknown?
- What is the user event tracking approach? Google Analytics? Amplitude? Mixpanel?
Thoughts and comments are welcome!
Thanks to Marc Adler who gave a lot of input for the list. You can find Marc here: www.ctoasaservice.org
I live here: https://twitter.com/perelin