ACORN Security Refactor Project Charter

Owned by Sara Rubinow
Last updated: Sept 12, 2024
7 min read


I. Problem/Value Statement

Technical Problem Statement

ACORN (A COnservation Records Network) is the Weissman Preservation Center's (WPC) primary application for documenting preservation treatments. It also supports registrarial functions, stores electronic communications, records non-treatment activities, and facilitates reporting. ACORN is convenient for staff, who access the web-based application at the location of their choice.

ACORN was built using Angular on the front end and NodeJS with Express on the back end. Over the years, ACORN’s front end has become increasingly difficult to maintain. Frequent security updates compound the challenge further and have resulted in unresolved vulnerabilities with a high security risk. ACORN’s authentication protocol also needs to be updated to align with the University’s security requirements.

Business Value

Refactoring ACORN’s front-end codebase to shift from Angular to a more easily-maintainable and popular language, like React, will facilitate sustainable maintenance and help prevent the future accrual of security risks by improving the rapidity with which Library Technology Services can respond to security updates. Updating ACORN’s authentication protocol will bring the application in line with current University security requirements.

II. Vision and Approach

The longer-term vision for ACORN is a sustainable, open-source application that supports conservation activities at Harvard and beyond. Work remains to remove references to Harvard-specific systems (e.g., DRS, HOLLIS), although some Harvard-specific dependencies have already been removed, such as Aeon integration. While work to support the move to open source is currently deprioritized within the department, updating the underlying front-end code with an eye to easier maintenance and sustainability supports this vision while also addressing immediate-term security concerns.

The ACORN security refactor aligns with the following Harvard Library multi-year goals and objectives (MYGOs) and HUIT objectives and key results (OKRs): 

    • Harvard Library MYGOsEvolve our digital infrastructure to meet our directional goals
      • Adopt a sustainable organizational approach to technology lifecycle management and preparing for the future.
      • Simplify and enhance systems that support the discovery and delivery of information resources.
    • HUIT OKRsIngrain privacy and security best practices into Harvard's culture and work

III. In Scope/Out of Scope

In Scope

    • Retire ACORN’s use of Angular for its front-end solution
    • Address security vulnerabilities and optimize sustainability for future updates
    • Ensure code is has robust integration and unit test coverage
    • Achieve 100% feature parity with refactored code
    • Update the authentication protocol to use OpenID Connect (OIDC)
    • Update documentation to support the new React front-end codebase

Out of Scope

    • New features

    • Back-end code (NodeJS with Express) changes or enhancements unrelated to the front-end refactor or authentication protocol update

    • Integration of enterprise group and access management

    • Automated QA test suite

IV. Deliverables and Work Products

  • Fully-functional ACORN application with a React front-end
  • Implementation of OIDC authentication protocol
  • Zero security vulnerabilities
  • All dependencies addressed

Definition of Done

This project will be successful once we are able to release an updated ACORN application with a React front-end and OIDC-compliant authentication that is free of security vulnerabilities and supported with clear documentation in an easily-findable location.

V. Stakeholders

StakeholderTitleParticipation
Stu SnydmanAssociate University Librarian and Managing Director, Library TechnologyExecutive Sponsor

Enrique Diaz

Manager of Library Software Engineering, LTS

LTS Discovery Portfolio Manager

Debra Cuoco

Paper Conservator for Special Collections

ACORN Service Owner

VI. Team members

Team memberRole(s)Affiliation
Enrique DiazLTS Discovery Portfolio ManagerLTS

TBD vendor

Design, development, QA testing, project management, documentationTBD vendor

Dave Mayo

Code review, documentation review

LTS

Phil Plencner

Code review, documentation review

LTS
Maura CarboneApplication deployment, automation verificationLTS

Debra Cuoco

User acceptance testing

Library Preservation

Sara Rubinow

LTS Discovery Portfolio Project Manager

LTS

VII. Estimated Schedule

Note: Schedule TBD pending vendor estimate and engagement. 

PhasePhase durationCompletion Milestone

Kickoff & onboarding


 - Project kickoff meeting
 - Developer onboarding (Harvard Sponsored Role)

Code review & analysis


 - Complete thorough review of existing Angular codebase
 - Complete review of the authentication protocol requirements
 - Create and approve code review report and requirements/features document

Design & Development & Testing & Documentation


 - Iterative QA releases:

 - Complete refactoring of the first major component/feature 

 - Test each component as it is developed to ensure functionality and security. Include regression testing.
 - Deliver new React codebase with zero security vulnerabilities
 - Deliver updated authentication protocol 
 - Complete, review, and approve documentation
 - Conduct knowledge transfer sessions with LTS team
 - Update all wiki documentation

Security & compliance review


- Complete and document security audit of new codebase and authentication protocol
- Conduct knowledge transfer sessions with LTS team

User testing & fixes, Support/Ops handoff

 - Stakeholder confirmation of 100% feature parity with no regression
 - Information session with Support and DevOps

Production release

 - Deploy app to production with no errors
 - Documentation is complete and accessible by LTS

Project close

 - Hold a project review meeting to evaluate successes and identify lessons learned for future projects.
 - Produce project delivery evaluation

VIII. Assumptions, Risks, and Constraints

Assumptions

    1. The Executive Sponsor and other stakeholders are empowered to make the decisions required for the project to be a success.

    2. Stakeholders will be available to participate in project activities and to complete tasks as requested in a timely manner.

    3. React is a suitable replacement for Angular.

    4. Existing functionality can be fully replicated in React, achieving 100% feature parity.

    5. ACORN’s back-end requires nominal or no changes to support the new front-end move to React. In the event such changes are required, they’ll have no material impact on the project schedule.

    6. All front-end security vulnerabilities can be resolved by refactoring with React.

    7. ACORN’s codebase allows for the straightforward integration of OIDC without extensive refactoring.

    8. Stakeholders are supportive of the shift from Angular to React and understand both the benefits and potential challenges of this transition.

    9. ​​The vendor is technically proficient to meet project needs. This includes proficiency in React with the ability to readily understand the current Angular codebase of ACORN as well as the OIDC authentication protocol.

    10. The vendor will continue through to project completion with no significant gaps in availability.

    11. The vendor will be available as necessary for check-in meetings.

    12. The documentation deliverable will be sufficient for LTS developers to understand, maintain, and further develop the application.

    13. The project will not require additional resources for development work beyond those identified in section VI. “Team members.”

    14. The budget is sufficient to cover all project costs.

    15. The timeline allows for the completion of all project deliverables.

Risks

DescriptionImpactPlanOwner
Integration and Compatibility Issues: The vendor may encounter compatibility issues in refactoring the front-end codebase from Angular to React, or in updating the authentication protocol. These updates may be more complex and time-consuming than initially estimated.Project delays and/or increased costs.Include sufficient time for the developer to become acquainted with the application and review extant documentation. Conduct a thorough technical assessment before starting the transition to identify and document potential compatibility issues. Conduct thorough code reviews and testing throughout the development process to catch any issues early.Portfolio Manager
Back-end Stability: Although it's assumed that the back-end does not require significant changes, unexpected issues could arise that necessitate significant changes to the back-end code, which is out of scope for this project.Project delay and added complexity. Regularly monitor and test the back end to identify any potential issues early. If back-end issues must be addressed, the selected vendor will agree to make resources available to resolve and unblock the issues in a timely fashion. The project timeline will necessarily be adjusted to accommodate the expanded project scope. Portfolio Manager
Security: The process of refactoring code and updating the authentication protocol, could inadvertently introduce new vulnerabilities. Risk to the application's security and data integrity. Resolution of new vulnerabilities could also delay the project.Implement a robust security testing and review process to identify and address vulnerabilities. Regularly update and patch the application to maintain security. Conduct regular security audits throughout the development process.Portfolio Manager
Feature Parity: Achieving 100% feature parity with the refactored code might be more challenging than anticipated. There is a risk that not all features of the existing Angular application can be replicated in React. Some might be missed. Project delays or dissatisfaction among end users.Clearly define the features that need to be replicated in the new code. Prioritize critical features during the refactoring process. Regularly review and test the application to ensure all features are functioning as expected. Perform regression testing against the old app. Portfolio Manager
Testing: The resources involved in the project might not have the availability or skillset to conduct thorough testing.Release with bugs or other issues, which would negatively impact user experience.Allocate sufficient time for user acceptance testing in the project plan. Include unit, integration, and user acceptance testing in the development and release cycle.Portfolio Manager
Knowledge Transfer: Since the development work will be done by an outside vendor, there is a risk of siloed knowledge. At the end of the project, it could be difficult for LTS developers to understand and maintain the refactored code. This would hinder the ability of LTS devs to understand, maintain, and further develop the application.Require the vendor to include detailed code comments. Hold regular check-ins between the vendor and the LTS team. Ensure the vendor’s documentation is regularly updated throughout the development process and that LTS team members review documentation to ensure it is comprehensive and up-to-date.Portfolio Manager
Stakeholder Engagement: The stakeholders might not be satisfied with the new application or the process of transition from Angular to React. There could be conflicting opinions or priorities. This could lead to project delays by adding extra time to address these concerns or lead to changes in project scope.Regularly communicate with stakeholders to understand their expectations and address any concerns. Involve stakeholders in key decisions. Manage their expectations and provide regular updates on the project's progress. Portfolio Manager
Budget: The project could go over budget due to unforeseen costs associated with the refactoring process or the need for additional resourcesThe project may require additional funds to continue. Regularly monitor and review the project's budget. Portfolio Manager
Timeline: Unforeseen challenges in coding, changes in requirements, technical approach or other external factors could render the anticipated schedule obsolete.Delayed project delivery.Develop a realistic project schedule with buffer times for unexpected delays. Regularly monitor and update the project schedule.Portfolio Manager

Constraints

    1. Time: There are constraints as to what can be accomplished within the given timeline.
    2. Scope: The project is focused on refactoring the front-end codebase, updating the authentication protocol, and addressing all security vulnerabilities. New features and changes to back-end code outside this focus are out of scope, which could potentially limit application updates or extend development time.
    3. Resources: Since the development work will be done by a vendor, the amount of work that can be done is limited by the vendor’s availability and capacity.
    4. Skillset: The project is dependent on the vendor’s proficiency in React, their understanding of the existing Angular codebase, as well as their familiarity with authentication protocols. If the vendor lacks in these areas, it could impact the project's progress.
    5. Technology: The front-end refactor is constrained by the need to shift from Angular to React. This could limit the design and functionality options for the new front-end.
    6. Quality: The project aims to achieve 100% feature parity with the refactored code. This sets a high standard for the quality of the refactored code and the documentation.
    7. Stakeholders: The project must meet the expectations of multiple stakeholders, each with their own expectations. Balancing their requirements and feedback could influence the project's direction and outcomes.
    8. Budget: The project must adhere to a budget, which could constrain development if there are unforeseen costs associated with the refactoring process or the need for additional resources.

IX. Acceptance

Accepted by Stu Snydman [8/6/2024]

Prepared by Sara Rubinow, with assistance from ChatGPT 4