In the Certified ScrumMaster course, Jeff Sutherland said something that keeps running through my mind. The Agile principle is based on quick feedback cycles and quality of code (xP). A story is not finished until after a 'proxy customer' check. A 'mini acceptance' of the analist representing the customer, if you will. Later on, maybe after the sprint, the story is tested again in some form of integration environment.
To get that feedback in different phases early, he told us to treat the the proxy customers as fat boyscouts. If someone during a boyscout hiking trip can't keep up, it slows down the whole group. You should therefore walk beside them to motivate them. If they still can't follow, you take their backpack. If it's still going too fast, put them in front of the whole group. Make them determine the paste.
I think he's right. We should aid and guide our testers as much as we can. If during the daily scrum stand-up, you hear that someone is blocked from testing, this should deserve your immediate attention.
Sunday, September 25, 2011
Friday, May 6, 2011
Proposal based
A month ago I followed the ScrumMaster (CSM) course of Jeff Sutherland and I'm an official ScrumMaster now. It was interesting to hear the guy that invented SCRUM - a former Phantom fighter jet pilot in Vietnam - expressing his vision on the IT industry. A couple of things stood out in the WAY he said them. He likes to formulate things differently. In the Passionate Programmer they talk about the transistion of being technology-centric to being solution-centric. You could tell that Jeff had an infinite respect for the developer (more than for management) but made an interesting statement: 'Developers are always whining and complaining about what's not right. In stead they should offer management clear choices'. For instance in stead of complaining 'we don't get the time to write tests' we as a community should say: 'Either we test and it will save (x-amount of) money in the long run or we don't and it will us cost money'. He's right. I've seen a lot of peers whining :)
Another thing a lot of developers don't do which I always try to, is the way we report issues. Before I communicate a problem to management or the customer, I try to have a list of possible solutions in my mind to propose to them. Not everyone does this, even if the answer to the report of a problem mostly is 'ok, what can we do about it?'.
Another thing a lot of developers don't do which I always try to, is the way we report issues. Before I communicate a problem to management or the customer, I try to have a list of possible solutions in my mind to propose to them. Not everyone does this, even if the answer to the report of a problem mostly is 'ok, what can we do about it?'.
Sunday, May 1, 2011
Dual core processing
I'm reading one of the best books EVER right now (and I do mean EVER), called 'Pragmatic thinking and learning' by Andy Hunt. The reason I like it so much is because it links my interest in IT and in psychology/biology (I did one year of Psychology at the KUL but failed).
Andy talks about the brain as a dual core processor, where CPU1 is the L-mode (lineair or also called left mode, but this is less correct) of the brain and CPU2 is the R-mode (rich mode or right mode). There also is a contention at the message bus level that allows communication between the two, which implies that only 1 mode can dominate your brain at a certain moment in time. In this context he explains why in eXtreme Programming 'pairing' is so important. If you 'drive' you brain uses the L-mode to deal with the words, correct syntax. High level patterns and relations are made by the R-mode however. This is why sometimes your navigator says 'and if you refactor this bit here out, we can re-use it in that other place'. He also explains that this is the reason that when you're not pairing and you face a difficult problem it's important to step away from your desk, giving your R-mode a chance to kick in. I used to experience this in the past when I still smoked. Often the solution to a problem came during my sigarette break!
Fa-sci-na-ting stuff. To be continued no doubt...I'm off buying an Andy poster.
Andy talks about the brain as a dual core processor, where CPU1 is the L-mode (lineair or also called left mode, but this is less correct) of the brain and CPU2 is the R-mode (rich mode or right mode). There also is a contention at the message bus level that allows communication between the two, which implies that only 1 mode can dominate your brain at a certain moment in time. In this context he explains why in eXtreme Programming 'pairing' is so important. If you 'drive' you brain uses the L-mode to deal with the words, correct syntax. High level patterns and relations are made by the R-mode however. This is why sometimes your navigator says 'and if you refactor this bit here out, we can re-use it in that other place'. He also explains that this is the reason that when you're not pairing and you face a difficult problem it's important to step away from your desk, giving your R-mode a chance to kick in. I used to experience this in the past when I still smoked. Often the solution to a problem came during my sigarette break!
Fa-sci-na-ting stuff. To be continued no doubt...I'm off buying an Andy poster.
Sunday, April 3, 2011
XML escaping
Did you ever want to define a constant in your code containing an XML string? For instance in a unit test to test if you can transform a piece of XML via XSLT into some desired format? You can do this the hard or the easy way: Either you take the chunk of XML, copy it in your IDE or some text editor and replace all double quotes with \" to escape them. Then you can start adding carriage returns in the String to have a somewhat readable piece of text. In case your XML contains all streets in Belgium, you will feel very, very useful doing this.
Or, you can have your IDE doing the work for you. In eclipse simply go to 'Window>Preference>Java>Editor>Typing' and check the “Escape text when pasting into a string literal“ option. As you can see it also adds the newlines and carriage returns:
I remember thinking 'Damn, I wish I knew about this before' when I first discovered this option. That might just be the criterium for any useful IDE feature I guess.
Or, you can have your IDE doing the work for you. In eclipse simply go to 'Window>Preference>Java>Editor>Typing' and check the “Escape text when pasting into a string literal“ option. As you can see it also adds the newlines and carriage returns:
I remember thinking 'Damn, I wish I knew about this before' when I first discovered this option. That might just be the criterium for any useful IDE feature I guess.
Friday, March 4, 2011
No worries, we got SSL
Last Tuesday evening a colleague and me attended an OWASP meeting of the Belgium chapter. The topics were:
-The Thinking Person's Guide to the Cloud. HOWTO: Keep your head in the clouds and your feet on the ground (by Gunnar Peterson, Arctec Group).
-Threat modeling (by John Steven, Cigital).
Especially the presentation of Gunnar Peterson was magnificent. He was funny, to the point and also explained the basic stuff, so you didn't have to be an expert to understand everything. He especially explained that a general mistake often made by non-security people, is to think that SSL secures your entire application. SSL is great, but there is a lot more to think about than just this one aspect.
There are a lot of methodologies to make your security vulnerabilities visible. This is called 'Threat modeling'. A simple and common used methodology is 'STRIDE', which stands for Spoofing, Tampering, Repudiation,Information Disclosure, Denial of Service and Elevation of privilege. These are the things you want to counter. The following table gives possible security solutions targeted at each specific problem.
Spoofing - Authentication
Tampering - Digital Signature
Repudiation - Audit Logging
Information Disclosure - Encryption
Denial of Service - Availability
Elevation of privilege - Authorization,Input validation
For each of the 6 items we have 3 categories where we could implement a security solution. You can implement it on the data level, method level and channel level. An example of the different levels:
• Data: XML
• Method: SOAP, URI
• Channel: HTTP
This means that you have 18 possibilities for implementing security. SSL however only is a solution for information disclosure, because you encryt the data on the channel level. Mostly that's not enough and you should for example encrypt parts of the xml message too.
SSL alone is not enough to secure your application!
-The Thinking Person's Guide to the Cloud. HOWTO: Keep your head in the clouds and your feet on the ground (by Gunnar Peterson, Arctec Group).
-Threat modeling (by John Steven, Cigital).
Especially the presentation of Gunnar Peterson was magnificent. He was funny, to the point and also explained the basic stuff, so you didn't have to be an expert to understand everything. He especially explained that a general mistake often made by non-security people, is to think that SSL secures your entire application. SSL is great, but there is a lot more to think about than just this one aspect.
There are a lot of methodologies to make your security vulnerabilities visible. This is called 'Threat modeling'. A simple and common used methodology is 'STRIDE', which stands for Spoofing, Tampering, Repudiation,Information Disclosure, Denial of Service and Elevation of privilege. These are the things you want to counter. The following table gives possible security solutions targeted at each specific problem.
Spoofing - Authentication
Tampering - Digital Signature
Repudiation - Audit Logging
Information Disclosure - Encryption
Denial of Service - Availability
Elevation of privilege - Authorization,Input validation
For each of the 6 items we have 3 categories where we could implement a security solution. You can implement it on the data level, method level and channel level. An example of the different levels:
• Data: XML
• Method: SOAP, URI
• Channel: HTTP
This means that you have 18 possibilities for implementing security. SSL however only is a solution for information disclosure, because you encryt the data on the channel level. Mostly that's not enough and you should for example encrypt parts of the xml message too.
SSL alone is not enough to secure your application!
Saturday, February 19, 2011
No need to check that now, check it later...
Let's say you have an Oracle DB containing a table A with a foreign key to a table B and we want to add a foreign key constraint to ensure referential integrity. This might look something like this:
ADD CONSTRAINT "A_FK_B_CONSTRAINT_NAME" FOREIGN KEY ("COL_IN_A_REFFING_B") REFERENCES "TABLE_B" ("PK_ID")Now if your A object has a oneToMany collection of B objects and you cascade delete these B objects whenever you remove A, you might run into a problem in the way the constraint is defined now. Hibernate deletes the A and B rows in 2 steps or statements, within the same transaction. If Hibernate first updates the PK_ID to NULL, COL_IN_A_REFFING_B will reference a non-existing row, which will cause an exception from the FK constraint checker.
This is why you need to add 'DEFERRABLE INITIALLY DEFERRED' to the constraint:
ADD CONSTRAINT "A_FK_B_CONSTRAINT_NAME" FOREIGN KEY ("COL_IN_A_REFFING_B") REFERENCES "TABLE_B" ("PK_ID") DEFERRABLE INITIALLY DEFERREDThis allows the constraint checking to be deferred or postponed till commit time. A constraint that is not deferrable (or DEFERRABLE INITIALLY IMMEDIATE) will be checked immediately after the execution of every statement. Currently only FK constraints accept this clause, other constraints are not deferrable. A good 'chicken or egg' post can be found here.
Subscribe to:
Posts (Atom)