Case Study: MetLife looks to BuildForge to improve its it security processes.
As one of the largest insurers in the world, MetLife works hard to ensure that its 70 million customers get what they expect. For the New York-based companys IT department, that means juggling hundreds of projects and developing and maintaining hundreds of applications simultaneously with its cadre of 1,500 application developers.
With that much activity, efficiency and accuracy are key, and to keep the company on track, executives insist on routine internal audits. In 2004, auditors discovered that the process the IT department was using to build applications lacked the discipline needed to maintain efficient operations.
The audit found that there was no centrally managed process for builds, which could result in rogue code finding its way into production. Whats more, the audit identified that the IT departments programmers were using unsecured laptops and desktops as build machinesa significant security risk.
To mitigate risk and ensure compliance with the Sarbanes-Oxley Actwhich aims to improve corporate governancethe auditors recommended that the IT department shore up and standardize its build processes by implementing a more regimented and automated system.
When researching alternatives, Tom Pierno, MetLifes enterprise version management director, first created a list of must-haves for any product or approach chosen. Not only did it have to be easily implemented and tolerated by MetLifes IT team and users, but it had to be simple to manage and track and highly scalable.
After consulting with Gartner and conducting his own research, Pierno narrowed the choices down to two: a highly touted build engine that many considered top in its category, and BuildForge, a build management framework (acquired by IBM in 2006
and now called IBM Rational Build Forge).
After comparing the two, it became clear that while the first optionwhich Pierno declined to namewould mean a major conversion effort, BuildForge would allow the framework to manage the entire build process without having to materially change languages or scripts.
Once Pierno made the choice in 2005 to use BuildForge, the real work began. He knew that once MetLife had fully switched to BuildForge, the build process would be more automated and efficient. However, getting there took some effort because more than 230 of the companys applications had no build scripts at all, while the rest had existing build scripts that needed to be retrofitted.
As a result, the switchover consisted of a two-phase implementation. The first phase involved adapting and migrating all existing build scripts, while the second phase focused on creating and implementing build scripts for the rest of the companys applications.
Pierno chose to get outside help for both phases; at the time, the IT department didnt have enough Internet competency to engineer the solution or enough programmers to write all the build scripts needed.
For the first phase, MetLife contracted with Black Diamond Software, a Ridgefield, Conn., integrator that worked with the auditing team to understand how to best map business and legal objectives with the technical implementation. Once that was worked out, Black Diamond created a BuildForge adapter based on the BuildForge adapter tool kit to ensure that all sources were derived from the source control system.
"We designed it so that before anyone begins a build, they have to run this interface, which scans the build area to see what files are new, what has changed and what has been deleted," said Richard Elberger, managing consultant for Black Diamond Software and primary project architect. "Thats where the source control comes in." For the second phase, MetLife hired an Asian developer, whom officials declined to identify. The developer was tasked with writing build scripts in a Citrix environment using the BuildForge framework, which then were tested by internal developers. From that point, the scripts were put into production, and those became the only ones used.
Pierno and his development team found BuildForge to be fast and easy to use. Not only does it provide extensibility for any command that can be executed at the command prompt, but it also offers role-based access and allows existing scripts to be used with minor adaptations, and the scheduling of builds.
The ability to scale was of particular importance to MetLife, a large company with ever-changing and increasing needs. With BuildForge, scalability is accomplished by using the Web-based interface, which allows developers around the globe to pool server capabilitiesin this case, VMware and SQL serversto increase hardware use.
"Its very dynamic," Pierno said. "You can use less coordinators to do the builds, and you can run a series of builds on the central build environment up to the capacity of the machine."
Another important feature for MetLife was the instant availability of information. BuildForge automatically collects critical information about a release, such as what code went into the release, what tests were performed and what defects were resolved. These features not only help resolve customer issues but also can make preparing for audits easier, said Cheri Bergeron, go-to-market program director for IBM Rational, in Austin, Texas.
In addition, productivity has never been higher, and satisfaction has never been greater, Pierno said. A developer in MetLifes auto and home division said that BuildForge has added another level of quality to the companys applications through a process that makes it easier to use the correct code, Pierno said.
The project, completed late last year, took about 21 months and cost approximately $200,000 less than what was budgeted. Now MetLife is running about 750 projects in BuildForge, with 7,700 to 8,000 builds between the companys two test-and-build machines per month.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.