Azure Boards Integration

The Azure Boards integration is now available to help you visualize sprint progress, understand the costs behind unplanned work, see how much each feature and epic costs, and more.

Learn how to integrate with Azure Boards here.

NEW - Project Costs & Resource Planning reports

We're excited to introduce our new budgeting reports. As an engineering executive, you can now see how much each feature and epic costs, understand the costs behind unplanned work, bug fixing, and visualize the progress for each of your key business initiatives. Read more about the new reports below.

Project Costs - Accelerate Innovation and Maximize Business Impact

The Project Costs report provides insight into the progress and costs of key initiatives and deliverables to help teams ship on schedule.

It enables engineering executives to effectively communicate the engineering team’s progress, results, and constraints to the business leaders to establish unified goals and success metrics.

Resource Planning - Visualize the Financial Costs of Engineering Work

The Resource Planning report helps engineering executives understand how well resources are allocated and how to optimize team dynamics to improve software delivery velocity. It helps identify how bug fixes and issues impact roadmap and delivery velocity.

Gain complete visibility into engineering teams' work and how that work aligns with the organization's key business initiatives and across the engineering department.

These reports are available for Jira users at the moment. You can access the new features in the Reports section.

Introducing Cycle Time

We're excited to introduce one of the essential metrics for engineering organizations - Cycle Time! In essence, Cycle Time indicates how fast does code go from a developer's workstation to production. Studies show that measuring and improving the Cycle Time will enable organizations to innovate at a faster pace, while also improving their teams’ morale and sense of ownership.

The Cycle Time metric is an indicator of an organization's development velocity. The Cycle Time metric is the sum of four metrics, each of these metrics corresponding to a stage in the software development process:

CODING - Time to Issue PR from First Commit. This metric corresponds to the coding time, and is the time elapsed from the first commit to creating a PR.
PICKUP - Time to First Review. This metric indicates how fast do reviewers pick up their peers' PRs for review, and is the time between when a PR is opened and the first time an engineer reviews that PR.
REVIEW - Time to Merge from First Review. This metric signifies how fast do submitters incorporate feedback from their peers in code review, and is the time from a PR's first review to that PR being merged.
DEPLOY - Time to Deploy from Merge. This metric is an indicator for how fast does code get deployed into production, and is the time between when a PR is merged to when it gets released into production.

What does each color indicate?

We've aggregated benchmark values from our platform for each stage of the cycle time. Green bars indicate leading values, yellow bars indicate average values, and red bars indicate below-average values.

For CODING:

Green: Less than 48 hours
Yellow: Between 48 and 72 hours
Red: More than 72 hours

For PICKUP:

Green: Less than 24 hours
Yellow: Between 24 and 72 hours
Red: More than 72 hours

For REVIEW:

Green: Less than 24 hours
Yellow: Between 24 and 72 hours
Red: More than 72 hours

For DEPLOY:

Green: Less than 10 hours
Yellow: Between 10 and 24 hours
Red: More than 24 hours

You can visualize your teams' cycle time in the Dashboard, Project Timeline, and Teams Stats reports. Individual cycle time can be found in the Developer Summary, and Developer Stats reports.

Introducing our new design

We're excited to announce our new design! It features a more friendly user interface and usability improvements that effectively convey our vision of engineering leadership. View more snippets of our new design below.

Developer Summary Redesigned

The new Developer Summary report is designed to help you visualize work patterns and track individual progress over time. With it, engineering managers can quickly spot and eliminate any blockers that are holding their team members down.

Gain a better understanding of what's going on before one-to-ones and add a layer of data to performance reviews with the Developer Summary.

Team Stats Overhaul

The new Team Stats report was developed to help engineering executives build customizable high-level performance reports.

Introducing our new website

We’ve brought our new brand positioning and visual identity system to life on our website with a better articulation of how Waydev can transform engineering work metrics into impactful decisions for technology organizations across the globe.

Compare Developers Improvement

We've added the option to compare engineer stats with team average stats using the Developer Compare feature. This will help you spot underperformers and identify coaching opportunities. Comparing engineer stats with team average stats can also help you discover top performers and recognize their wins.

PR Stats for Team and Developer Compare, Hide Developer Names, and Azure DevOps Server integration

We've added PR stats in the Team Compare and the Developer Compare features. Learn more about Team Compare and Developer Compare.

If you want to hide developers' names from other users in the platform, you can do it by following this guide.

We've just launched our integration with Azure DevOps Server. Learn more about integrating Azure DevOps Server here.

GitHub & GitLab OAuth - security update

-- (July 7, 2020, 5 am PST update)

July 2, 2020, 11:20 am PST

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token. The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens.

July 3, 2020, 9:45 am PST

Our Security team, along with the Bit Sentinel team (independent company), identified that between June 10, 2020, and July 03, 2020, attackers:

performed multiple attacks over an AJAX call;
performed exploratory activities;
launched automated scanners;

July 3, 2020, 12:45 pm PST

The Waydev team fixed the issues and eliminated any potential threats supposedly linked to the incident.

July 6, 2020, 11 pm PST

We learned from the GitHub Security Team that the attacker might have cloned repositories from the users who connected via GitHub OAuth. Due to GitHub's privacy policy, they will inform the affected users personally.

July 7, 2020, 1 am PST

Here are the latest updates regarding our ongoing security investigation:

The attackers managed to retrieve personal details, such as emails, first and last names, but they did not retrieve any passwords.
There is a possibility that the attackers cloned different GitHub & GitLab projects. We have no evidence that the attackers managed to clone projects from any other Git providers.
There is a possibility that the attackers gained access to our source code. At this moment, we are in the process of a full code review and we will solve any issues that we identify.
We are working closely with teams of legal, technical, and communications specialists. We are in the process of notifying law enforcement authorities regarding our investigation.

The security measures that we recommend our users to take are:

Check for any suspicious activity in your GitHub & GitLab account.
Perform a review over your codebase and change all the passwords, private keys, API secret keys, etc. We recommend using a tool like DumpsterDiver or truffleHog, which can perform high entropy search to help you discover all of these within the code.
Enable a web application firewall such as Cloudflare, mod_security, or any other WAF solution.
Perform a code review to identify any potential vulnerabilities that an attacker may exploit (static or dynamic code analysis), or a manual security code review, and fix all the critical vulnerabilities discovered during the engagement.
Check for any error logs to any of your main services (eg. web service, database service, application level logs etc).
If you have any suspicious activity or you think your database was exposed, contact a cyber security company to assist you with an incident response plan and other technical forensics capabilities. Be ready to reset user passwords.
Enable logging (including POST data). Create a benchmark of the user’s traffic, for example, total number of requests/IP and analyze any suspicious activity for high traffic users to check for potential exploitation attempts.

For example, you can run the following command to (for apache only):

Sort your most popular IP addresses based on number of logs generated in apache: awk '{ print $1 }' *access*log | sort -n | uniq -c | sort -nr | head -50
Find the most popular users based on number of POST requests and see what they are doing
Find most popular users based on unique suspicious user agents and see what they are doing: awk -F'"' '{print $6}' access.log | sort | uniq -c | sort -rg | head
Find most popular users based on number of error generated (non 200-response codes, especially 4XX or 5XX) and understand what they are doing

Our Indicator of Compromise are:
a. IP Addresses of the hacker: 193.169.245.24, 185.230.125.163, 66.249.82.0, 185.220.101.30, 84.16.224.30, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
b. User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
c. Email addresses:
i. saturndayc@protonmail.com
ii. ohoussem.bale6@sikatan.co
iii. 5abra.adrinelt@datacoeur.com
iv. 4monica.nascimene@vibupis.tk

If you need any technical assistance, please let us know and we will introduce you to our security team.

The investigation is still in progress and we will post updates whenever we have any relevant information. If you have any other questions regarding this topic, do not hesitate to contact us at security@waydev.co.

-- (July 2, 2020, 11:20 am PST)

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token.

The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens. However, no other suspicious activity was identified during our initial analysis.

Our Security Specialists are currently investigating this alongside GitHub's Security Team to understand how we can prevent events like this from happening. Even though there is no evidence of any data breach, we are working hard to strengthen our defenses.

You can now reconnect through GitHub OAuth, but for security purposes, we strongly recommend you to connect through GitHub Personal Access Token.

If you have any other questions regarding this topic, do not hesitate to contact us.

July 10, 2020, 5:50 pm PST

GitHub sent an email to all the users that connected Waydev GitHub application, which included users affected and non-affected users. Please check the GitHub logs in the last period to see if you were affected or not.

Below are Waydev's IPs from where we pull data:

142.93.239.72
167.99.223.224
134.209.196.25

If you need any technical assistance, please let us know and we will introduce you to our security team.

July 24, 2020, 1 am PST

In the last period, Waydev didn't encounter any potential threats.

What we can tell you right now is that we treat this situation very seriously, we managed to identify the vulnerability right away and applied a fix immediately. Moreover, we enabled stronger monitoring and defense mechanism and with the help of a professional third party company, we actively monitor all our assets to make sure no other issues are in place.

We decided to perform a full manual security code review with the help of a professional third-party company and fix all threats. After this initial audit, we will continue performing incremental security audits after each major change or every month on changes.

What other actions we've taken for improving our security:

Manual access - It is now impossible to create an account without approval from our security team;
Monitoring all the activity;
Tokens resetting two times a day;
Reported the incident to authorities.

We will keep a better level of security monitoring over our assets for any suspicious activity and improve our security policies and procedures based on this event to prevent situations like this from happening but also to improve our overall attack detection capabilities.

If you were affected by the attackers please contact us at security@waydev.co in order to connect you with the authorities.

June Updates

The Time Card feature now displays the time zone used for the stats.

We added Throughput, Productive Throughput, and Commits/ Active Day in Targets. Learn more about Targets.

You can now view more than 5 engineers in the Work Log, using the 'Per Page' filter.

You can now sort individual engineer stats in the Dashboard. You can do this by clicking on each metric's name.

We created a new Role Management permission - 'Assign all repos'. Providing this permission automatically assigns any newly added repos to users with this permission. Learn more about Role Management.

We’re live on Product Hunt

We’re thrilled to announce that Hiten Shah decided to hunt us on Product Hunt today! Since our last launch, we’ve managed to add Pull Request stats and Tickets stats using the integration with Jira and soon Azure.

I would be delighted to have your upvote and know your feedback. Without feedback from our community, we wouldn’t have made it to this point. Thank you, Waydev Community!

Show Previous Entries

Waydev announcements

https://app.waydev.co