So I'm starting to get the impression that I no longer tender for brand new projects competing with time and cost in order to win the bids. Recently, more and more people have been asking if I can take over a project that has been abandoned by its developer.
I've started writing this article because I find myself forgetting to ask something that could have saved an infinite number of man-hours (I exaggerate a little); but seriously, I needed a checklist that works for me.
Most Difficult?
My hardest project was (still is) one created by a PhD student who graduated and left the institution. It was a custom-built site written from scratch, and its purpose was to manage Staff and Students within the Additional Learning Needs group. These are staff who take lecture notes for people of all disabilities and assist the students for the duration of their course. It had to allow for synchronizing with the official student record system and timetabling system (done via file upload). It included its own timesheet / session management / invoicing system.
The website was held on a virtual host running PHP and MySQL. There was no documentation, logs, notes, and any code comments were in Hungarian (later found out it was slang or a dialect not understood by most Hungarians). Fellow students and system administrators could not accurately describe what the system was for and what it does. The developer had created the system to only last during one academic year, and the system itself only just about understood academic years (required tweaking twice a year). Then there were the error logs... some 20000 errors per use of a feature over 4 seconds. Do some developers never check the errors log?
By the time I started maintaining the project, a revamp had been agreed with another web team. This has been delayed somewhat and still after 2 years there is no new site (blamed on the customer for not knowing what their application did in the first place... tut tut. How long have you been a developer? And this is new?).
Can the developer be contacted? Yes!
- Questions to ask the developer
  - The original client's brief for the project? (project mandate/charter/initiation document - the spec)
  - Details on the Development Environment (is there a TEST system and deployment procedure in place?)
  - Known Issues/Bugs (is there an "Issues Log"? Anything that still needs addressing?)
  - System Requirements (in case you need to transfer/move to another server)
  - Critical functions used in the system? (do this yourself anyway and use theirs as a guide only)
  - Site Authentication Method(s) (will this need to be rewritten? e.g. clear-text passwords)
  - Level of Security Testing (XSS and SQL-Injection at least?)
  - Referenced common files / global assets (especially those used in every page)
  - Expert/Testing/Resistant users (contact details and informally their technical knowledge/skills)
  - Availability via Phone/Email/In person? (not relying on this but it can save time... sometimes)
- Service Transition
  - Security rights/roles in the system (reasons for different accesses)
  - Get all known logins (database, ftp, sftp, ssl, site logins: test & admins)
  - List all files, their purpose (consider a spreadsheet of all active/legacy files)
  - Get new brief from the Client (agree on maintenance & development costs/time -> custom timesheets!)
  - Check domain name is registered/transferred to the client (quite a biggy - gives the client an exit strategy)
Can the developer be contacted? No!
- Security Check
  - Usernames/Passwords (formats, defaults and vulnerability)
- Technical Review
  - Examine all functions: what goes in, what comes out? (accepts/returns, data types specifically, test by running each function separately)
  - Examine databases (data types, constraints, primary/foreign keys, autoincrements, schema diagram, scheduled jobs)
  - Examine content integrity (what is available front-end and back-end? can it be circumvented?)
- Website Revamp?
  - Signed Off Specification (describing clearly the agreed work to do and expected results)
  - Realistic Cost & Time (obviously agreed with client)
  - Additional Documentation (timesheets, agreements, technical specifications, issue logs, product documentation)
- Check ALL server-side errors
  - EventViewer (if Windows)
  - errors.log (if Linux)
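For the Usernames/Passwords check (formats, defaults and vulnerability), here is an added example that is not part of the original article: a Python audit over (username, stored value) pairs exported from the inherited site's users table. The label names, the `DEFAULTS` list and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Ordered (label, pattern) pairs, first match wins. Labels are this example's own.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("crypt(3) $1$/$5$/$6$", re.compile(r"^\$[156]\$")),
    ("bare hex digest", re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")),
]
CLEAR = "unrecognised (possibly clear text)"
# Short illustrative list of defaults; extend it with the application's own.
DEFAULTS = {"password", "admin", "changeme", "letmein", "123456"}

def classify(stored):
    """Label the storage format of one password column value."""
    if not stored:
        return "empty"
    for label, pattern in FORMATS:
        if pattern.match(stored):
            return label
    return CLEAR

def audit(rows):
    """rows: iterable of (username, stored_value) pairs. Returns a findings dict."""
    formats, by_value, weak = Counter(), defaultdict(list), []
    for user, stored in rows:
        label = classify(stored)
        formats[label] += 1
        if stored:
            by_value[stored].append(user)
        # Only clear-text values can be compared directly with defaults.
        if label == CLEAR and stored.lower() in DEFAULTS | {user.lower()}:
            weak.append(user)
    # Identical stored values across accounts: no per-user salt, or clear text.
    shared = sorted(sorted(users) for users in by_value.values() if len(users) > 1)
    return {"formats": dict(formats), "weak_cleartext": weak, "shared_values": shared}

# Constructed sample rows, not taken from any real system.
SAMPLE = [
    ("alice", "0123456789abcdef" * 2),
    ("bob", "0123456789abcdef" * 2),
    ("carol", "$2y$10$" + "a" * 53),
    ("dave", "dave"),
    ("erin", "Changeme"),
    ("frank", ""),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any count under "bare hex digest", the unrecognised label or "empty" answers the earlier question of whether the site's authentication needs rewriting.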
Above and beyond
- Product Handover (branded pack with contact details - make it simple and friendly!!!)
- Warranty / Grace Period (agreed support period post production - fees and estimates)
- Behind the scenes (code comments, user-defined function headers - incl. author, name, purpose, receives/returns)
I welcome any suggestions/improvements to the above. Just add a comment to this page. Also if you want to share your nightmare project takeovers, they're always fun to hear about.