About me

• Software Engineer
  • Programmer
  • Developer
  • Whatever
• Contributed some open source code here and there
• KISS is a great way to think about software
• Just ask questions along the way

Using Drupal in unconventional ways

• Building apps
  • 100k+ custom lines of code
  • Connects with number of external APIs
  • Uses a number of AWS technologies
    • Well past the traditional LAMP stack
    • Follow OWASP S-SDLC

Technology is empowering

Drupal is empowering

Drupal is also software

We should treat Drupal as such

Drupal and the SDLC

Here I am violating the Don't Repeat Yourself (DRY) principle

Phases of building/development

Planning

• Get a rough idea of how difficult a given request is
  • Possibly split it off into multiple parts
  • Get rough time cost

Analysis

• Gather all requirements (Functional, Technical)
  • Possibly filter back to Planning if scope is too big and needs to be split up.
  • Get better timeline and see how it fits into project
  • Create tickets

Design

• Figure out how feature will be built
  • Use modules
  • Use theme
  • External js library
  • Custom work
  • etc

Implementation

• Run through plan of attack in Design phase
• Write code
  • Go through code review
  • Ensure it matches requirements

Testing

• Automated
• Manual
• Ensure nothing else broke
• Ensure requirements are met by stakeholders
  • Sign off

Release / Maintenance

• Deploy to servers
• Keep it maintained
  • Stable
  • Secure

Hardest parts of software

• Planning
  • Where do you start?
• Analysis
  • Making sure you're headed in the right direction
• Maintenance
  • Buildup of everything that happened in the last steps
  • Making sure your software continues to remain stable, secure

Drupal's Strengths

• Design
  • Drupal is not too shabby on this front.
• Build
  • Drupal's biggest strength due to number of modules
  • Custom development can be tricky
    • Decoupled apps, removing jquery, etc
    • But that is most software

Not so great

• Testing
  • Check out Shawn's session on Practical CI and Testing
  • Learn PHPUnit and Behat/Codeception
    • Will go a long way

Weakness

• Maintenance
  • Lots of external dependencies
  • Lots of tracking
  • Different people manage software differently
• Not taking away from wholly custom development
  • Security holes
  • Everyone writes shitty code

How do I make planning easier?

Use a planning document

• Lullabot has a great article on estimation
  • Also includes a planning document
    • Run estimates on next set of steps
    • Rough plan of attack (before analysis stage)
  • Google Docs, Excel are excellent at this
    • Basecamp, Unfuddle can do some of this as well

How do I make analysis easier?

Very collaborative

• Lullabot document again goes over some of this
  • Involve the developers
    • Get their estimates, preliminary research, hours
    • Compare what they say
      • Huge deviation = requires clarification

How do I make design easier?

Planning

• Come up with a plan of what needs to be done
  • Do any modules solve this? Hours to enable/configure?
  • Do any vendors solve this? Cost?
  • Custom work? Hours needed?
  • Infrastructure? Is anything custom necessary?
• This may get separated into multiple tickets
• Use a ticketing system
  • Jira, Basecamp, Unfuddle are all good options

Use the right tool

• Don't use Drupal all the time
  • Wordpress
  • Laravel
  • Python/Ruby/Go
  • Squarespace/Wix
• Try not to self-host
  • Platform, Acquia, Pantheon, etc

Story from hell #1

• Client uses Drupal 7
  • Does not update core or contrib for over 4 years
  • Gets hacked
  • Has to spend $500 to get things sane again
• Recommended move to Squarespace

How do I make implementation easier?

Lots of ways

• Become an expert, for one!
• Contrib versus custom work
• Automated testing
• Peer review to ensure code
  • Works
  • Is not too shitty

Custom code will carry you

• A custom module or snippet might be just fine for your needs
  • Trying to contribute to complex module
    • Beneficial for others but you may not have time, budget constraints
  • Roll your own
    • Blog about it?

How do I make testing easier?

Learn to write tests

• Could be as simple as visiting pages in your site/app
• Could involve logging in and writing a lot of custom steps
• https://www.drupal.org/project/drupalextension is great for that

Use external services to help you get started

• Learn jenkins, set it up, etc
• Or use something like Probo, codeship, bitbucket pipelines, etc
  • Fire on every pull request
• https://slides.com/btmash/easy-testing-drupal-with-behat

How do we make maintenance easier?

Story from hell #2

• Client uses Drupal Lightning
  • Does not stay up to date over course of year
• Lightning requirements weren't pinned
• Required spending over 30 hours to get back up to date
• Functionality used from Lightning
  • < 30%

Story from hell #3

• Client uses Drupal 7
  • Does not stay up to date over course of year
  • Requires over 50 hours over span of 2 weeks to get site to be compatible with PHP7

Story from hell #4

• Client was upgrading Drupal 8.x to 8.(x+1)
• Workflow stuffs had changed
• A robust notifications module was being used
  • Broke
  • Over 1k lines of code
• Analyzed old code and what was being used
  • Rewrote in under 80 lines of code

Use fewer modules

• Bring down your list of dependencies
  • Do you really want a Lego bucket if you just need a 2x5 (rules module versus minor custom module)?
  • Do you really need Fontyourface when its a two line snippet to add to your theme library file?
• Audit the modules as much as you can
  • Some are obviously more difficult than others
    • Maybe pay somebody to do that for you

Know Drupal's weak points

• Versioning means different things to different people
• Drupal Schema updates are pretty awesome
  • Entity updates are the exact opposite
    • Drupal tries to guess their schema change
    • Sometimes fails if there is content
  • Might have to go through Drupal module versions one by one
    • Might still not work

Keep custom code up to date

• Know of the changes coming to Drupal
  • or even PHP (such as moving from PHP5 to PHP7(1,2,3,etc)

Key takeaways

• Plan, plan, plan
• Introduce automated testing where possible
• Drupal is amazing
  • A tool in your toolbox
  • Learn some new tools!
• Vet your dependencies as much as possible
• Writing code is a lot of fun
  • Don't be afraid

Other key takeaways

• Follow security groups
  • Drupal
  • CVE
• Mitigate hosting related issues
  • Acquia
  • Pantheon
  • Platform.sh
  • Wordpress.com

Resources

• Lullabot and art of estimation
  • Spreadsheet and how to use it
• OWASP Secure-SDLC
• OWASP Top 10 security issues
  • OWASP Mobile Top 10 security issues
• Drupal site problems

(Possibly) Related camp sessions

• Beginners Guide (Rick Pine)
• Easily Accessible (Rain Breaw Michaels)
• Intro to performance analysis (Oliver Seldman)
• Getting Ready for Drupal 9 (Chris Charlton)
• Configuration Management (Rick Pine)
• Keeping a Drupal App Simple will make your life easy (Isaac Garcia)
• Practical CI and Automated Testing (Shawn DeArmond)
• A world without Features (Jen Lampton)