February CINNUG - I *Feel* Dumber
February 21, 2008
You ever work someplace that blocks access to Yahoo! or Google? Please, allow me to repeat this. It’s important. This is an IT blog. You, as an IT professional, have you ever had to do your job in an environment that blocks access to Yahoo! or Google. Uh…yeah. It’s happened to me. It’s happened to a lot of us. I generally see this happening to consultants because of the security risk. Okay, good argument, “I’ll hire you, Mr. Consultant, and I’ll give you access to the tools you need to do your job so that you can rob us blind, ruin your own reputation, and never find work in this town again.” Besides, consultants are the experts and they shouldn’t need “tools.” Never mind that [F1] takes you to a website anymore.
I’ll stop. And restart. Tuesday’s CINNUG (.NET User Group) took information exchange to a new level. We’ll get into that in a minute. But first, I wanted to tell you about Susan Papert, a local KForce senior developer. What a great person! This was her first meeting, and she walked away with a really nice VisualStudio-branded laptop backpack during the swag give-aways. No, I’m not bitter that I’ve been attending for months and have only ever received a t-shirt. Okay, that and a Microsoft FLASK, yep, a Microsoft-branded alcohol flask, but that’s another story. Susan was quick to chime in and made herself right at home. In fact, she described the meeting as a much more positive experience than she expected. The evening’s subject matter had three experts comparing and contrasting, say, seven-ish version control platforms, and the discussion could have easily degenerated into a bash-fest with 43 people in the room. It didn’t. Anyway, Susan reminded me of my experiences not having internet access at a client site [shudder...]. As Susan’s co-workers stood around discussing “the situation,” the conversation went something like this:
“Hey, why do you think they’re blocking internet access?”
“To keep us dumb.”
“Is it working?” [pregnant, ponderous pause]
“I FEEL dumber.”
After I wiped the Pepsi off my nose and sleeve, I thanked Susan for a great conversation and adding some life to the party. Susan, it was a pleasure meeting you.
Hmmm…I have a feeling this one’s going to be a long one, so you may want to go get yourself a cup of coffee before continuing. I’m sure you’re not reading this at work, right?
So, I also ran into one of LÛCRUM’s software architects, Rich Rayburn, and Clarence Klopfstein (Clarence’s blog), a web developer at Quality Gold. Rich was in my wedding almost 15 years ago, and Clarence and I attended the same church for a while. We still keep in touch off and on to this day. I run the children’s ministry at our church and got to know Clarence’s bazillion children pretty well. I also said hello to Tim Apke, who runs S.S.T. Solutions. Tim and I got to know each other some time ago through Aaron Aude, a mutual friend and senior manager at Centric Consulting. Aaron is a friend and colleague who will soon be leaving the Cincinnati market for the warmer fields of Florida. Good luck, Aaron.
I don’t know how he does it, but Mike Wood continues to one-up himself in terms of the quality of content each month in the .NET User Group. This month he tried something new and put together a panel discussion that reviewed a number of version control products. Justin Kohnen (Justin’s blog), senior software engineer at Triune Software and MCTS in .NET 2.0 Web Applications; Mike Sheilds, Resurgent Capital’s TFS administrator and software developer; and Microsoft MVP and Avanade principal software developer, Nino Benvenuti, composed the panel with Mike moderating. The platforms discussed were CVS, TFS, Vault, Subversion, ClearCase, and VSS. This list was not a formal list. The participants discussed the platforms based on their experience with their use. And that is where Mike has been most valuable in his leadership of CINNUG - he puts experienced people in front of the group that can talk about real-world situations.
We dove right into a Q&A session with the panel, with the first question addressing file locking and checkout processes, i.e. optimistic vs. exclusive. In the context of checkout, VSS employed a lock-the-file model where most other products give the developer a copy of the file. So semantics becomes an issue because “checkout” means different things to different products. One note, especially for new TFS users, is that get-latest in TFS is not the expected get-latest behavior. Apparently in TFS when you do a get-latest you check out the file you were using and not the latest version that other developers may have since modified. You’ll need to ensure you ask for the copy of the file you intend to use.
The conversation meandered a bit as we learned that check-in in TFS will display a conflict resolution window if you had, indeed, made modifications to an unintended target file and try to check them in. And the merge function in TFS works pretty well. The merge process happens locally, and you’ll merge and build before committing back to the repository.
Mike got us back on track and a question was asked about the benefits of merging and how the different platforms handle merging. The panel explained that merging, an option that some teams never need to exercise, allows multiple developers to modify the same file and then synchronize their changes in a merge process. For example, in larger classes with many methods, multiple developers could be modifying different methods at the same time. Things get interesting when multiple developers simultaneously work on the same method.
The obvious next topic became best practices around branching and merging. The Branching and Merging Primer was cited as an excellent resource. Also CodePlex’s TFS Server Branching Guidance documentation. From the experts’ perspective, configuring source control and development team processes to take advantage of branch and merge functionality requires a tremendous planning effort. Without planning, a development team can easily get burned by the process.
What is a branch was a question from someone new to the concept. A branch is a copy of X number of items from the repository, or trunk, at a point in time. A snapshot. Subversion and Vault handle branches at the folder level. TFS at the file level. Don’t try this with VSS. Most of the platforms required manual processes when branching a code-base. Changes in a branch, say, for critical bug fixes, get difficult to merge back into the trunk if any sizable refactoring effort has been applied to the trunk.
From an experienced VSS user: why is it bashed so often? What’s wrong with it? Most issues experienced with VSS surface with large repositories that don’t get regular maintenance. If you’re using VSS, make sure your administration processes include regular maintenance. 4GB repositories are said to be unstable. That said, experience with 3GB VSS repositories shows that weekly maintenance keeps the repository functioning fine. Other comments: the branch process is not pure, the raw functionality is not as robust as other platforms, the platform does not scale well when the number of users approaches 100, and VSS will move items around after check-in. One major issue that really affects a development team is the network and bandwidth issues, especially over VPN, that VSS users experience. You’ll waste a lot of time dealing with VSS in a remote environment. Apparently the latency and timezone issues are fixed in VS’08. Finally, VSS does not implement a transactional commit, so if your check-in fails at the half-way point you’ll have to manually bring your repository back to a previous state. TFS, Vault, and Subversion use a transactional commit.
Next, data stores were addressed. Subversion can use the file system or Berkeley DB. TFS uses SQL Server. VSS, a proprietary file system. ClearCase, a database. And CVS, a file system.
Cost? CVS and Subversion are free. VSS is free with VS’08. TFS retails for $3,000, but no one pays that price. TFS comes with a 5-user license with an MSDN subscription. You can leave the rest up to MS licensing details that, I believe, take up a wing in the Library of Congress. Vault is free for 1 user and then something like $300 after that.
How much time does setup take? Vault, 30 minutes. TFS single server takes the better part of a day. Subversion could take 5 minutes to 3 hours. Include Apache integration and you may be looking at a day. Although there is a one-click Windows installer for Subversion that does all of the above in just minutes.
What are the pros and cons of File System vs. Database Storage? File system formats don’t require database licensing costs but are also not transactional. Database storage allows transactional commits and provides flexibility in backup and restore options.
What are the client-side features? Tortoise is available for CVS and Subversion, but you’ll need to be aware that you don’t want to use the OS rename feature. Make sure you use the Tortoise rename function. Team Explorer integrates as a window in VisualStudio and is an easy install. Vault integrates with VisualStudio.
So which products integrate with VisualStudio? VSS, TFS, Vault all work nearly identically and fairly seamlessly. ClearCase integration is a nightmare and is also an expensive option.
Can these products automate builds? Essentially all the products implement command-line interfaces and allow scripting automated builds.
What’s in your repository? The short answer - Everything. That way any developer can do a get-latest and be ready to go. Even include tools, like the build of NUnit you were using, so that you can recreate the environment to replicate any build at any point in time. This includes your database objects. If you have a production level bug you’ll be glad you included everything as you won’t need to hunt any items down. Output of the build process is not included in the repository because that’s what the code-base is for. Documentation *could* be included, but that is what platforms like MOSS are for.
An interesting discussion took place around the concept of building FOO against a constantly changing BAR where FOO is your code-base and BAR could be something like a dll built by another team. Consensus is that there is no right answer here and it depends on the organization. If FOO and BAR simply *have* to live in separate repositories, then include the binary BAR in each build of FOO. Another option is to wrap the component and write personal test cases to prove the expected functionality for your use.
How do you handle backup and restore? Hmmm…isn’t that what version control is for?
In VSS you kick everyone out, make a copy, and then open the repository again. TFS requires administration of 7 databases along with any necessary config files. Vault requires a couple of databases and a web config. If your repository is on a VM, just take a snapshot of the VM. Subversion you dump and load to a text file. VSS has an archive facility, but it is not really meant as an option to restore from.
Some notes on restore: test your restore process. You can backup to your heart’s content and all your effort and resources would be wasted if you can’t actually restore any of your backups.
Practices for dealing with code common across a number of projects. Consensus here is to manage your code-base, as well as the common code-base, in the same repository. If you need multiple repositories then include the binary releases of the common tools in your repository.
That was essentially it for the panel discussion.
Along with high-quality content, Mike Wood also brings a ton of swag to the table each meeting. This month was no different with a number of timely and relevant books, t-shirts, fleece VisualStudio-branded vests, a laptop backpack, button down shirt, one re-sharper license, and a 2GB thumb drive. No, it wasn’t the XBox or the Zune given away at the December meeting, but it does make for a lot of fun watching Mike give all this stuff away. I think 15 or so items in all were given away. I didn’t get a thing. I’m not bitter.
After the meeting we gathered around some pizza for good conversation. Matt Brewer, technical analyst in Western Southern Life’s Enterprise Architecture division, introduced himself. Well, reintroduced himself. We had been in a meeting together probably 15 months ago at WSL and he remembered me. He got me at my own game. I have fun trying to remember people I had only met once a long time ago. Matt beat me to it this time. He then said, “Do you want to know why we didn’t go ahead with your project?” Cringing inside, suspecting a you-guys-really-screwed-up-x kind of response, I put on a smile and enthusiastically said, “YES!” Phewww, I breathed a sigh of relief when the real answer was that Microsoft extended runtime support for VB6. So, if you’re looking for a good job in VB6, try the financial services firms. WSL isn’t the only one looking to extend the platform’s life as the real ROI for migrating simply isn’t there. And if it is, it’s usually a wizard-based migration. Ugh.
I got a minute with Leon Gersing (Leon’s latest SharePoint musings) who recently moved from Cardinal Solutions to Telligent Systems. If you know Leon, the guy’s brilliant, and this seems like a good fit for him. Congratulations Leon.
Next month at CINNUG, INETA speaker Miguel Castro (scroll down the page a bit) will present on Sexy Extensibility Patterns…whatever that is. Note the meeting will NOT be held on its regularly scheduled day. Instead, the March CINNUG meeting will take place on Wednesday, March 12th. There will be no meeting on the 18th.
April 15th will be the [VisualStudio|SQL Server|WinServer]‘08 Community Launch event featuring Telligent’s Dan Hounshell (Dan’s blog) and Stefen Kyntchev.
Saturday, April 19th is the Central Ohio Day of .NET. The Central Ohio Day of .NET is a joint venture between the Dayton .NET Developers Group, Central Ohio .NET Developers Group and the Cincinnati .NET Users Group. The event originally was called the Cincinnati-Dayton Area Code camp and ran in 2006 and 2007 under that name. With the inclusion of the Columbus group the event has been renamed to the Central Ohio Day of .NET. The event is a FREE day of technology discussions devoted to helping the local development community grow.
I’ll be attending the Columbus regional VS’08, et al. launch event on March 20th. Apparently, those who attend will get a license of VS08, SQL Server 08, and WinServer08. You can sign up here.
Check out the calendar of other CINNUG related events.
- Andy
Mobile applications and a glass of wine
February 20, 2008
I read the Wall Street Journal every day. Well, almost every day. The delivery service has been outsourced to the Cincinnati Enquirer paper delivery service and so that guy in my neighborhood throws both papers at about 6:30 in the morning. Being a former paperboy (I had 4 different papers I delivered in my youth: Albany Sun Times, NY Daily, New York Times ….the liberals will be proud of me, and the Evansville Courier), I appreciate an on-time delivery. The guy misses my WSJ about 1-2 times per week. I call the Enquirer Delivery customer service and they can’t get another WSJ to me; in fact, they always give me another Murder Paper (Enquirer)! Why???
Ok, so, there was a really interesting article in the WSJ last week about a mobile application that allows a farmer out in the field to analyze his grapes on the vine and figure out what nutrients or fertilizers are needed without leaving the field! Here’s an excerpt of the story courtesy of the WSJ (Cris Prystay) and my mouse.
One day in mid December, Subhash Arve stood in his grape field, just outside the village of Boregaon in the Western Indian state of Maharashtra, fretting over whether it was time to spray the first crop of the season with a growth hormone. So he whipped out his mobile phone.
The phone’s software prompted him to click various icons and answer some simply worded questions to indicate what variety of grapes he was growing, when he had pruned his vines and what type grafts he had used. It also instructed him to take four or five photos with the phone’s camera. He then keyed in a code, and, minutes later, the details of his crop and photos of the grapes popped up on a computer screen at the Maharashtra Grape Growers Association in Pune, 220 kilometers away.
A reading from a soil-analysis sensor planted in the village and a local weather forecast also appeared on the screen. A scientist at the association then sent Mr. Arve the answer he sought, via brief text message: Spray now, and use gibberellic acid, a plant hormone that regulates growth and is tricky to apply. Too little or too much can damage the crop. The scientist recommended an exact amount.
But this project is about far more: The mobile phone is now one of the hottest development tools world-wide. Nongovernmental organizations see cellphones as a way to bolster incomes of the world’s poor, while corporations eyeing untapped rural markets hope new mobile-phone services can boost rural incomes and corporate revenue at the same time. South Asia, where mobile-phone use is rapidly growing, has become a test bed.
“Mobile phones are a pretty important tool for development. I’d put it up there, just behind education and public heath, in the importance to economic growth,” says Leonard Waverman, a professor of economics at London Business School who has studied the impact of telecommunications on economic growth and productivity.
Here is a link to the full article for subscribers to the online WSJ.
So, I really believe that our software development and consulting industry will morph one more time in Corporate America with new applications that bring customers more intrinsic value to their business processes and services just like the example cited. In fact, LUCRUM is working on a project (confidential) that involves leveraging mobile devices in ways that their industry has never been able to do. These kind of projects are in LUCRUM’s sweet spot with enabling users to increase their productivity and allow for business processes to be faster and more adept at leveraging business opportunities. I’ll write some more about the mobile application marketplace in the future.
About that glass of wine…here’s one tip: Sonoma Cutrer Chardonnay is a great year-over-year bottle that is priced about 23 bucks a bottle. I love Russian River Chards and this one is always a winner!
That’s it for now, JB
More Birthday Fun
February 18, 2008
More birthday fun, courtesy of LUCRUM recruiter / amateur videographer Andy Erickson. Here is a clip from our birthday lunch last week. Note that the most popular response to “what do you love about LUCRUM?” was the people - with Andy’s mom coming in a distant second. All in good fun. It is a great place to work. I just surpassed 15 days (business days) with the company, and it is already clear to me why the company has been around for that same number of years. Great people. Thanks for the footage Andy.
Chief Cook or Manager?
February 18, 2008
When I was 16, I worked at The Beach Waterpark. By the end of my first summer, I was promoted to a “Lead Sales” position. This was one step below “Supervisor” and I really wanted to be a Supervisor. In order to move up, I took on any assignment that I was given. I moved around a lot and I learned from my Supervisor all the necessary tasks (like timesheets, money management, scheduling, etc.) and by the end of the second summer, I was promoted. Once I made it to Supervisor, it became my job to start identifying the next person that should become the next Lead Sales.
I worked in the largest food stand in the park. Things that were important in that stand were efficiency, cleanliness and timeliness. Essentially, we needed to serve the customers quickly, get them the right order, and keep the place clean. So, who to promote? Which of those qualities were most important and which would get you promoted quickly? The truth? None! What I learned when I was 17 was that just because you were great at your job did not mean that you would be great at managing people. By promoting our fastest, cleanest, most efficient cook, we had to teach someone (who wasn’t interested) how to do timesheets, balance a cash drawer and order inventory. Now I had 2 problems:
1. I was 1 cook short and
2. My cook had no interest in cash drawers, inventory and timesheets.
I have found that the IT industry has similar challenges. We want to recognize and reward our best employees with advancement, but the only track available is typically to advance into management. For most technologists, this is not interesting or rewarding and we lose the best architect or developer in the process. Seems to me that we need to recognize that the advancement path for a technical person is not into management (most of the time). So what is the right path? It seems to me that a truly technical person wants to be recognized for their accomplishments and wants to take on bigger technology challenges. How can we make these fit together? Seems to me that there should be a track for that. A track that allows a person to grow into a leadership role that is more creative, challenging and innovative. The trick is to still give them a voice on the senior team, and remove the management responsibility. Is that possible? I’d love to hear your thoughts…
LUCRUM: 15 Years and Counting…
February 16, 2008
Today’s the 15th anniversary of the founding of LUCRUM. Wow, that seems like a long time ago! At the same time, it also feels like yesterday! Our industry is a great industry because it never gets boring. The idea that we can problem solve in our customers’ business using some of the latest technology and techniques is still as rich in opportunity as the first day we were in business. I still remember that first day. I called about 20 different customers/prospects that I knew in the regional marketplace with the announcement that I had formed a new consulting company called “Client Server Associates.” We were going to focus on the new paradigm of developing business software outside of the mainframe on PCs and their network servers. It was a very “bleeding edge” concept at the time, and as you know, the rest is history.
It was also very “new” to think of business cycles lasting only a few years instead of the normal 7 year cycles. In fact, I was brash enough at the age of 33 to tell customers that the cycles were going to be “months-long” instead of years long. Boy, was I ever disruptive! In today’s economy, the switch from “build product and the market will come” to “mass customization of all products and services” has created such a huge market in business consulting and developing software solutions. I’ve skied out in Utah this season a few times and the ski “ticket” is now an RFID card that “swipes you” when you go through the turnstiles onto the ski lift! No more checking your ski tag! They also allow for you to go to their website and see how many ski runs you made and what the vertical feet added up to! Another benefit for the avid skier! Our whole world is going to change over the next five years in leveraging the RFID technology, mobile computing with Blackberries and other platforms, as well as the whole concept of “predicting” what the customer wants and suggestively selling or recommending your services in a way that you think they “really know you.” The fact is, they really do know you! “Predicting” needs and requirements is a big portion of the “data management” strategy of any company. They won’t be able to do this themselves in most situations since most companies don’t have an “inventive and build” culture. This is where LUCRUM is going to leverage our strengths and brain-power to provide these kind of services for the market. It’s going to be a very interesting “next 5 years!”
Happy Anniversary! JB
Going Global
February 15, 2008
It looks like Mahendra Vora, the prolific Cincinnati-based entrepreneur and venture capitalist, is strengthening his offerings in the local and global sourcing and IT project market. Vora Ventures announced today through VTech Holdings the acquisition of Cincinnati’s own Professional Data Resources, or PDR, and Bangalore’s Electronic-City-based Ascendum Systems. The combined entity, Ascendum Solutions, will operate out of Blue Ash.
This one really hits home for me. I am friends with Mahendra, and very good friends with both Viral Vora, President, and Parminder Saini, Sr. Director and Head of Global Delivery of Ascendum Systems. I’ve been to their facilities in Bangalore on two separate occasions. They have some great people there. I have also had the opportunity to meet with PDR’s VP of Business Development, Walt McLaren. The leadership style of the two organizations should complement each other very well.
Congratulations! And good luck.
- Andy
Okay To Be Jealous?
February 15, 2008
I had lunch today with Joni Burton, who recently moved from CIBER to Trasys. Joni took the president role at Trasys and has the opportunity to guide and work with that organization unencumbered by delivery responsibility for organizations that had no reporting responsibility to her.
We talked about the current market and the need for offshore options. I’ve had my opportunity to work on three offshore projects over the last couple of years, and I don’t see offshore ever going away. Offshore will probably become more diverse as sourcing takes place in new markets and third-world countries, as the world becomes smaller. I believe we’ll have to learn, and grow, and take the time to understand our world cultures to make offshore options work. 10 years from now these won’t be offshore anymore, they’ll simply be one more sourcing option. And we’ll accept it as much as we accept Toyota and have helped make it arguably the world’s largest auto maker.
My conversation with Joni left me somewhat jealous of the folks she joined at Trasys. Her leadership style reminds me of Jim Collins‘ estimation of Wells Fargo in Good To Great. Collins compared Wells Fargo to Bank of America. Bank of America instituted a stoic, top-down management structure where even the high-level executives were afraid to speak up and have a voice in the company. Wells, on the other hand, put a confident CEO at the top of its leadership structure who was not afraid to surround himself with strong and talented people who were not afraid to debate and make difficult decisions together. Wells outperformed BofA, and the market, many-fold through the Good-To-Great years. Joni’s leadership is similar, and I think the folks in her organization will grow tremendously as they work with her as a team to make Trasys great.
Have you had any offshore experience? I’d love to hear about it, although I’m sure I’ll get a string of highly negative comments
How about Good To Great. Any readers that have had the experience of working under a Level 5 leader? Tell us. We all deserve the opportunity to know where those organizations are in our community.
- Andy
Locks Are to Keep the Honest People Out
February 15, 2008

The latest DevCares, from my perspective, was an appropriate deep dive after Tuesday’s MSDN Event covering application security. The MSDN Event was a little less than stellar, and we found out why at DevCares. Uber presenter (and ex-LÛCRUM-ite) Bill Steele had a family emergency, so the MSDN presenter was probably working off of one-day’s notice. It’s forgivable. Mike Wood picked up the ball and handled DevCares. Given the circumstances, Wood handled the ball with the heart of the bat. Get it? Wood? Bat? Oh, never mind.
Before things began, I had an interesting conversation with Joe Wirtley, a fairly well-known, independent .NET developer in the Cincinnati community. We talked about the benefits of presenting at events like this when you are an SME on the material. We also talked about the pitfalls of having the presentation material given to you from a third party. In the second case, everything works well until it doesn’t. As long as no one has a question about the materials (uh…yeah), you’re good to go. Then Joe verbally lamented the continual pounding on SQL injection that pervades almost any application security talk. You know, you’d think with all the coverage, SQL injection simply would not be an issue anymore. I suppose it’s the laziness of experienced developers because they have not been caught with their hands-down yet, the inexperience of younger developers who are many times handed the more mundane SQL tasks, and the pressure of GET IT DONE NOW that keeps developers from following through on disciplined security practices. These things are not too difficult to design into an architecture or framework in the first place, still they get missed. What do you think?
I got a chance to meet and talk with Xavier CompSci grad and Sogeti Senior Consultant Kevin Arand. I was somewhat surprised to hear that Xavier had a CompSci program. We had an interesting discussion about different training strategies and the ever-present requirement to balance billable hours with training time. Given all the consultants I talk to in Cincinnati, this is a fairly common theme. The company is in business to make a profit while at the same time needing to address employee retention strategies. Training seems to be a central retention topic. I hear from most that training hours need to be made up, so training is not a foremost pursuit in the consultant’s mind. And that is generally at odds with the annual review process which inevitably has the “what did you learn this year” question in some form or another. How does this work at your company? The consulting firm that creates a training model that allows the company to make a profit while really benefiting their employees may find themselves in an enviable and strategic front-runner position when folks are looking to move.
Tim Adams, the Microsoft Developer Solutions Specialist (this week), attended DevCares bearing VisualStudio branded hoodie-vests. Nice touch.
Congratulations are also in order for Kavitha Allam. I had a few moments to speak with her. She let me know she’s moving from First Data Government Solutions to Cintas in a couple weeks. Good luck, Kavitha. Although, I gotta say the ties and name badges are a formality I could live without.
USBank’s .NET Framework Architect, Brad Butts, was also in attendance. We talked a bit about application security and how he leads efforts to implement best practices in their enterprise framework. If I remember correctly, Brad is an experienced consultant having spent a number of years at EDS. He’s been able to settle into a role at USBank that has kept him off the road and nearer to his family. Brad is definitely a talented architect, and he currently serves in a hands-on consultative role to the enterprise.
Okay, so Mike dove into the application security presentations, and to his credit, given the short notice, most of the demos succeeded. We didn’t have much experimenting in this talk. Microsoft provided most of the slide deck, and I thought it was interesting to see the material built around the OWASP top ten vulnerabilities. It’s good to see MS leaning on the efforts of an Open project from time to time.
The material covered the topics of:
- Information Leaking - revealing too many system internal details to the user. Symptoms include returning developer level error messages to the user which can reveal sensitive and detailed infrastructure and configuration information. I saw one of these plastered on the Macy’s Fountain Square big screen once. You can thwart this with consistent exception handling approaches - no one-offs. Update 2/13/08: I was at Brueggers and logged onto their free WiFi in Firefox (did not work in IE). On their submit page I submitted a form with all blank fields and got this Bruegger’s Exception response.
- Broken Authentication and Sessions - generally a condition where you let the browser, and not the server, do too much of the session and authentication management. You’ll find this when you rely on cookies and “remember me” functionality. See the next issue, Failure to Restrict URL Access, for more detail. Manage these issues by authenticating your user at every access to secure functionality, and let the server, not the browser, manage the session.
- Failure to Restrict URL Access - security through obscurity and poor authentication.
- Cross Site Scripting (XSS) - usually iframe tags that hijack information stored in user cookies due to “remember me” functionality. Suffice it to say that you probably never want to check that box. Let your browser remember your passwords, don’t let the sites you visit remember them, unless you enjoy fixing thousands of dollars worth of unauthorized charges to your credit card. Use Captcha as just one of many ways to short-circuit XSS.
- SQL Injection - see conversation with Joe Wirtley. Allowing free-form user data to pass through your application unvalidated and unscrubbed. Remember “Little Bobby Tables.” Two words: Parameterized Queries.
- Injection Flaw - similar to SQL Injection, an Injection Flaw is when unscrubbed and unvalidated data is injected into any process, e.g. XML processing. For this one, constrain and sanitize all user input. User input is Evil.
- Malicious File Execution - allowing arbitrary file uploads and then execution of those files or commands. Since these exploits will many times try to connect to networks outside your own, don’t allow outbound traffic through your firewall from your app and database servers. Don’t allow functions to take filenames as parameters. And run your applications in unprivileged states.
- Insecure Direct Object References - referencing files and other objects by name rather than by some mapping or reference to those objects, e.g. http://someurl.com/locations?store=cincinnati.txt rather than store=18, where 18 is an arbitrary key mapped to the referenced object.
- Insecure Cryptographic Storage - coming up with your own encryption algorithm. You are not that smart. Use existing, proven algorithms and implementations. Or create your own and send me the URL.
- Insecure Communications - not using SSL at appropriate certificate encryption levels. And pay attention to your URLs, as SSL, obviously, does not encrypt the URL. What do you have hanging off the end of your query string?
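The SQL Injection item above is the one people keep getting wrong, so here is the “Little Bobby Tables” point as an added example (mine, not from the DevCares deck, and written against Python’s sqlite3 rather than ADO.NET): the same lookup built by string concatenation and then with a parameterized query, run against a constructed in-memory table.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", "A"), ("Bob", "B"), ("Robert", "C")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Free-form user data pasted straight into the SQL text."""
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The driver binds the value separately; it can never become SQL."""
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an honest name and a hostile one."""
    conn = make_db()
    honest = "Alice"
    hostile = "x' OR '1'='1"          # turns the WHERE clause into a tautology
    bobby = "Robert'); DROP TABLE students;--"
    results = {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "param_honest": lookup_parameterized(conn, honest),
        "param_hostile": lookup_parameterized(conn, hostile),    # no such name
        "param_bobby": lookup_parameterized(conn, bobby),        # just a string
    }
    # The table survives Bobby because his name was only ever data.
    results["table_intact"] = conn.execute(
        "SELECT count(*) FROM students").fetchone()[0] == 3
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```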
Remember, locks are to keep the honest people out. You really have to ramp up and be diligent to handle the pounding that hackers will try on your applications. Put up the barriers necessary to frustrate attempts to exploit your apps. I hate to say this, but you really just want the hacker to go somewhere else in the spirit of, “I don’t have to outrun the bear, I just have to outrun you.”
Part two of DevCares focused on building Office apps in Visual Studio ‘08. The nicest learning here is that VSTO comes with VS ‘08 and implements document-level code-behind. We were running out of time, and some of the demos in this section were going slow. That, coupled with the sheer amount of information in the first three hours, and my attention span started fading.
Mike provided some nice give-aways at this event. In addition to the hoodies, a couple of books about secure code, a nice laptop backpack, and a copy of Office Pro ‘07 were given away. Doughnuts and danishes were provided in the morning.
Check out these links for more valuable information:
- Fiddler web debugging proxy
- Wireshark network protocol analyzer
- We were given a DVD with the iBuySpy reference implementation for all these exploits at the MSDN Event earlier this week. I don’t see it online, but you might be able to get more information at some point at the Event website. I do have the DVD if someone would like to borrow it.
- MSDN threat modeling
- MS anti-XSS library
- The PCI Security Standards site for working with credit card information
- The NSA Security Configuration Guides
- Captcha
- The MS Hello Secure World site - a Silverlight implementation
- MS Ramp Up to access TONS of .NET training materials
- Central Ohio Day of .NET to be held April 19th
Holy cow. Wordpress is telling me I’m at 1600 words. Thanks for reading this far. It’s been a packed week with the MSDN Event and DevCares. I’m glad these only happen quarterly. I’d be interested in your thoughts about how your organization handles training and your personal response to training policies. I’d also like your understanding of why some of the basic exploits still make it into our apps. Take care, and I’ll see some of you soon.
- Andy
Some Meanderings and Project Management
February 15, 2008
This week I had the opportunity to spend some time with Ciber’s Global Program Manager, Tom Kent. Tom has been a mentor to me for the last seven years or so. We discussed the different dynamics in the corporate world in comparison to the consulting world, over french toast and oatmeal at the Kenwood First Watch. Many of you probably understand this, still I cannot stress enough the positive effect a mentor can have on one’s life and career. I know that my father struggled when his best friend and confidant moved away, and my dad stressed to me over the years the importance of having someone to talk to. If you don’t have a mentor, look around. Look for someone whose life you respect and approach them. Ask them if you could get their advice. Most folks are flattered by this question. Use it to begin a valuable relationship that will serve both of you well.
I also bumped into PDR’s Natasha Allie again at the Panera across the street. We chatted for a moment.
Tom Trame, Haverstick’s ace program manager, and I shared some time at the Blue Ash Ruby Tuesday for lunch. We discussed some of the endemic issues in project management and focused on the problem that many, if not most, project managers don’t create an environment conducive to straightforward discussion about schedule, scope, and cost, and the give and take between the three when inevitable project changes happen or more information is learned. Tom is the man to manage your portfolio of projects, and, if on the off chance one of your projects begins to go sideways (cough…wouldn’t happen to you…cough), he knows how to step in, recalibrate communications and expectations with project sponsors, mentoring the PM to get the thing back on track.
Our conversation served as a segue for some time I spent with Xavier Professor Tim Kloppenborg, Ph.D. Tim recently published Contemporary Project Management with CENGAGE, where I’ve done work in the past. Tim and I talked in his Schott tower office about project management, his new book, and how we might be able to collaborate in ways that would help his students. Tim had some good perspective on today’s project management not being the project management based on the fundamentals created 40 years ago, the main differences being how communication has changed over time, and the array of communication tools at our disposal today. As usual, when you throw people and the passing of time at disciplined processes, you generally have an easier time tweaking the processes than the people to fit new paradigms.
In any case, I came out of our meeting with a few to-dos, including presenting to one of his undergraduate classes, working with one of his star students who graduates this semester, and perhaps serving on an IS or Management program advisory board. The advisory board role may dovetail nicely with a similar role that I serve in at UC. I look forward to continually working with Professor Kloppenborg.
- Andy
A Little Uncomfortable
February 15, 2008
I’ve known Mark Windholtz, currently of ObjectWind, for a number of years. In fact, while I led LÛCRUM’s custom application group and was considering a different role within LÛCRUM, I contacted Mark to see if he would be interested in taking over in my place. I led a team of about 20 incredibly talented developers and architects. My leadership and management philosophy required my giving my full attention to my guys. They came first. I practiced servant leadership, I trusted fully in my team, and they gave me their full respect in return. Not that I’m anything special, but I didn’t want just anyone taking over this team. Now it’s not that Mark and I are best friends - our families don’t hang out together on weekends or anything like that - still, I considered a very short list of folks to take the reins, and Mark was on that list. Although flattered, Mark declined the offer, and he and I are still friends.
A couple years ago Mark started the Cincinnati Agile Round Table (ART). Before then it may have been called the XP User Group, then something OO before that. In any case, Mark’s value to the community has been his ability to bring proponents of cutting-edge, productivity-boosting development philosophies, processes, and frameworks together to discuss and debate, and compare and contrast the characteristics of them all. That, alone, is a fantastic reason to participate in the ART. But do you know why I attend? Because the group makes me very uncomfortable. It challenges me. I walk into this forum and I know I am out of my league. This group is SMART. And Experienced. And I can only strengthen my game by participating. This isn’t your mother’s user group.
This week’s event had Mark and Ed Summerfield comparing and contrasting XP and Scrum. As usual, they both did a great job. Ed and Mark were both recently certified as ScrumMasters, which, despite the title, apparently only means they’ve been presented the Scrum material in a formal setting, paid a good amount of money to sit there, and then, I presume, get some certificate of completion. So the ScrumMaster is the beginning, and not the end. With some practice, they can become Certified Scrum Practitioners.
Ed described the phenomenon of emergent teams and decision making, which sparked a spirited debate. The idea, from my understanding of the discussion, is that, although facilitated to some small extent by the ScrumMaster, the ScrumMaster has no authority, and the team collectively chooses its own path. The team is therefore fully and entirely accountable for any success or failure. The team stands or falls together. All the aspects and practices of Scrum align with this philosophy, from sprint planning, to the daily stand-up meetings, to the sprint review where the team proves it completed the work it committed to.
Some excellent resources about Scrum are:
- Mountain Goat Software’s Scrum site
- Scrum Alliance
- Advanced Development Methods
- Mike Cohn’s Agile Estimating and Planning
Mark then took his turn at the reins. Well, I can’t really say “reins” because once the “presenter” begins the discussion, this group degenerates into what every user group dreams of - a hotly contested debate and respectful consideration of every aspect of the point at hand. And that’s what I LOVE about this group. Many of the other groups I attend begin with the presenter explaining that “this is a dialog, and if you have thoughts or questions, please just speak up.” Well, in this group they do! It’s understood. There is so much mutual respect in this room that the issues that make all of us more productive as software practitioners get their due consideration. I don’t doubt that folks leave this room with clear ideas of how they will change their personal if not organizational processes to become more productive. I’d even bet you’ve become a better developer because of their influence in the community, and you don’t even know it.
Okay, Mark started into the talk about XP, and, unfortunately, as I do every Tuesday evening, I had to leave at 8:30 to pick up my daughter from dance. About the only real point I took away with me is that XP is very granularly defined, and that is in contrast to the more coarsely grained Scrum processes.
Now don’t let my description of this group scare you. While everyone here is at the top of their game I am amazed at the humility with which they approach their discussion. Everyone gets their say, they understand “the system” and know how to work within its constraints, they don’t get too bent out of shape when “corporate” doesn’t get it, and they don’t take themselves too seriously. Comments I heard this week:
- about XP - “Everything’s set in sand”
- “We’re agile, so we moved the deadline”
You’ll meet some great people, too. EdgeCase’s Chief Scientist, Jim Weirich, regularly attends. I love his presentation style. When you have an opportunity, you owe it to yourself to listen to him speak.
There were also discussions based on experience on the use of Objective C for better performance from OS X and then a comparison of the learning curve to write high performing software in Windows in .NET. Yep. And this is because someone used it, not because someone read about it in a blog somewhere and brought empty, theoretical knowledge to the table. This is the group that you’ll hear some comment about Erlang, references to emacs, a stray sarcastic comment on vi, and meet developers that regularly work in Ruby on Rails or PHP. And somehow they ALL know the most low-level details about OS X. This group is different. That is why I come.
- Andy