Monday, December 8, 2008

IT as a Profession

Should the concept of IT be considered a profession? I think most of us would like to say, "yes it should." A lot of training and experience is required in order to design, create and run large systems efficiently with high levels of service. People cannot just walk in off the street and accomplish this. Even though vendors are making certain tasks easier to do, all that means is that workers are expected to be able to manage complexity at a higher level. As an example, we don't *necessarily* need to know how to build a computer, but we do need to know how to spin up virtual machines on the fly and balance the load correctly, quickly and securely.

Should everyone that works in IT be considered a professional? Probably not, but where does one draw the line exactly? I can think of many ways to try and measure professionalism: customer satisfaction, specification fulfillment, information security, conduct, etc. In the end it probably needs to be a balance of all of these. Customer satisfaction on its own is not good enough because stakeholders may not know that you are not supposed to store credit card CVV/CVC numbers, but I would expect a professional to know that.

I think the reason why we don't have such a definition at this point is that the IT industry changes so fast. In contrast, the fundamental knowledge required to successfully build a physical structure such as a bridge or building, while by no means trivial, hasn't changed in a long time. Those rules also tend to have fewer layers of abstraction between them and the finished product. New building materials may change the way in which you meet the parameters, but a building must remain standing and you can use physics to determine if it will. But due to new types of hardware and software constantly being developed, even the basic requirement that an information system must remain secure causes us as professionals to investigate new ways of implementing security rather frequently.

At times I am tempted to think that maybe the computer sciences just haven't been around as long as other professions. Maybe once we have enough systems existing out in the world, we will identify common requirements and basic rules that all IT professionals will need to follow. And then I remember that the only reason to write new software is to solve new problems. The new software is usually written on new platforms that were created for new hardware. It's hard to imagine finding hard physics-like rules that will continue to be valid for so many shifting purposes and layers.

Thursday, December 4, 2008

Sell Solutions To Your Own Problems

"Create tools to solve your own problems because other people are probably looking for a solution as well." Better words of advice have rarely been spoken about identifying new products. As is the theme of this site, I am stealing other people's wisdom and... well... merely passing it along.

I used to think that I never had any problems that needed solving. Professionally, either I thought my problems were so trivial that I just wrote the code, or I was solving a domain problem for my current employer so I just wrote the code. There are so many tools out there for developers that there always seems to be a solution for any chore I come up against. In the not so professional parts of my life, problems just didn't seem big enough that anyone would need a better tool. I felt that I must be the only person that couldn't find a better way or one would already exist. I'd either tough it out, or go read some web comics.

The funny thing is, I kept running into an issue when trying to find new web comics to read. The problem was that for various reasons, I couldn't get Google to find new strips. The results I got were sites that have all sorts of cluttered lists that are hard to sort through and browse. And who knows if you have the same tastes as the people that created the lists.

Enter Is It Funny Today. While at first it looked like another one of those lists that has always disappointed me, the site is different. It is easy to read and allows users to vote for and comment on comics. It also has an excellent browsing feature that can show random comics which is the perfect way to sample what the internet has to offer in the way of humor. This problem may not be as important as the recent need to monitor the housing and banking industries, but maybe if those bankers and general contractors had been able to find just one more funny comic to read, they wouldn't have grown into such greedy people and screwed up our economy.

The point is that the Is It Funny Today guys said the exact same thing I did. "Finding webcomics is just so hard." But they had the presence of mind to do something about it. I feel like I got beat to the punch in a way. But that is not giving them enough credit because they were also the ones paying attention to their own problems in the first place. Maybe they didn't find a way to implement world peace, but I thought it was a darn good solution to an everyday problem us web comic fans have.

I guess the lesson I have learned here is that I have to think more critically when a task seems too difficult. Any time I say something along the lines of "I hate [some task]," or "this job is too [hard, tedious, etc.]," I need to try looking for a way to make that chore easier. And I need to remember that I am not so uniquely special OR especially unique that someone else isn't having the same issue.

Tuesday, December 2, 2008

Why Developers Should Write

Every developer that takes to blogging eventually has something to say on this topic. Come to think of it, the ground we tend to cover isn't that original even if some of the insights and details are from time to time. Regardless, I figured it was my turn to offer what I hope will be some nugget of inspiration to someone. Chances are it will turn out to just be an anecdote about myself allowing others to see some of my insecurities, but here it goes anyway.

The reason you always hear as to why developers should start writing is that it will improve communication skills. I always knew this was true, but I didn't understand how it happened. After writing this blog on and off for a year, I finally figured out what is probably the biggest problem in the way I communicate. And that is the most important step in improving just about any skill: identify an aspect small enough and well defined enough that you can do something about it. If you can't plan out a path to get better, your goal probably isn't well enough defined. Keep refining until you can come up with a solution.

And now it's anecdote time. I was always upset that I couldn't convince others of the merits of my designs as often as I liked. Sure, my concepts are not always the best and even if they are, they are still not chosen from time to time. But I still felt that I could do better. That is the main reason why I started writing this blog. I just wanted to practice being convincing.

That's too big. I just didn't realize it. I kept writing trying to determine if I was making any headway. I didn't feel that I was, but you can be the judge. There are just too many ways to be convincing. Sincerity, passion and reasoning can all affect how convincing you are. Being convincing is just too broad a concept to tackle.

I kept writing. It took me a year, but I just noticed a couple things. First, I'm slow at self improvement. That's a topic for another post. More germane to this piece is that I realized that when I am writing or speaking about topics that I am excited or passionate about, I tend to jump around and try to cover twenty points all at the same time. Yes, they are all important ideas that have bearing on the discussion. But unless my audience was sitting over my shoulder for weeks on end sharing all of my experiences, they were likely getting left behind or just outright confused.

Now that I have a well defined deficiency I can do something about it. (I have many deficiencies I'm sure, I just haven't tried to define many of them.) Armed with this little piece of knowledge I have thought of several ways to improve my writing. I will try to focus more on the point that I am making. I can bite off smaller topics to talk about. I don't need to cram all twenty ideas into a single post or conversation. If I absolutely need to write that much, I need to be more aware of the organization of my thoughts. These are just some of the several guidelines for writing you learn throughout school. My problem was that without a significant amount of my own writing to study, I didn't know which out of all those best practices I was ignoring the most.

So the story is just the long way of illustrating my initial advice. If you are trying to improve your communication skills, you need to identify an issue and come up with a solution. Coming up with solutions to well defined problems is the easy part. If you are having a hard time with the solution, you probably haven't defined the problem well enough. It turns out this is the hard part. You just need to keep writing and narrow down your scope until you can easily think of solutions.

Getting Developers Interested in Security

I find it amazing in this day and age that there are still so many common software security issues released to the wild. I'm not even talking about flaws in OS code or database or other server platforms. I'm only focusing on the common, run of the mill issues in the software written day in day out.

There is little excuse for SQL injection to work anymore. Parametrize your queries, people. It only takes a couple of seconds longer if you have any competency typing.

Cross site scripting attacks should be a thing of the past. HTML Encode all the content that you receive from users before showing it on a page at the very least. It's just an extra function call here and there.

Even cross site request forgery, while not much is heard about it, is very dangerous. Yet it has a simple solution. Double submit a unique value in a cookie and form field with every post you make.
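The three habits named above (parametrized queries, HTML encoding of user content, and double-submitting a unique value in a cookie and form field) can be sketched together in one small comment handler. This is an added example, not code from the original post; the function names, the `comments` table and the sample inputs are assumptions made for illustration.

```python
import hmac
import html
import secrets
import sqlite3

def new_csrf_token():
    """Unguessable value the server sets in a cookie and embeds in each form."""
    return secrets.token_urlsafe(32)

def csrf_ok(cookie_token, form_token):
    """Double submit check: the form field must match the cookie value."""
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())

def init_db():
    """In-memory database with a hypothetical comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db

def post_comment(db, cookie_token, form_token, author, body):
    """Handle a POST: reject forged requests, then store with bound parameters."""
    if not csrf_ok(cookie_token, form_token):
        return 403
    # Placeholders keep user input as data; it is never spliced into the SQL text.
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return 200

def comments_by(db, author):
    """Look up comments; the author value is bound, not concatenated."""
    rows = db.execute("SELECT body FROM comments WHERE author = ?", (author,))
    return [r[0] for r in rows]

def render_comments(db, author):
    """HTML-encode every user-supplied value where it is written into the page."""
    items = "".join(f"<li>{html.escape(b)}</li>" for b in comments_by(db, author))
    return f"<h2>{html.escape(author)}</h2><ul>{items}</ul>"

if __name__ == "__main__":
    db = init_db()
    token = new_csrf_token()
    # Constructed sample inputs.
    print(post_comment(db, token, token, "alice", "<b>hi</b>"))  # accepted
    print(post_comment(db, token, "", "alice", "forged"))        # rejected
    print(comments_by(db, "x' OR '1'='1"))                       # no rows
    print(render_comments(db, "alice"))
```
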

The list goes on, but many developers don't take the time to make these small habitual changes in the way they code. And it's these small changes that would prevent most of the security issues in today's internet applications. Why do these vulnerabilities keep making it into production software?

One reason is that security is not usually seen as a glamorous part of the application. Yes, it's vitally important. But few others in most companies pay it much attention. They expect it, but they don't come back with stories of customers raving about security.

Another reason is that at companies writing products, most of the security work goes in (or should go in) up front. Once it is done, there is not much else to do when compared with adding new features. I'm not saying the work can stop. Good security is an ongoing task. But like any interest, if time is only sporadically allocated, becoming an expert is difficult and the interest will fade.

Furthermore, security is rarely of constant interest to the managers and directors of companies. Again they expect it, but they can forget that it takes time to secure software. Time to learn and time to act on the information. If they will not make the time in their never ending road maps and milestones of new features, the developers will follow their lead and only make it an afterthought.

The task of getting other developers to take enough of an interest to change their habits can be challenging though.

The first step that I see is to get the directors and managers interested. Without their support and attention, security is just another nice to have. Take the time to have your software audited by a third party and spend the resources fixing the issues. Create a position in your team that has the authority and resources to address these issues. Educate entire teams on vulnerabilities so that designers design correctly, QA tests for known problems and developers develop code to specification in order to pass the tests.

That's fine within an individual company. The next step is to get developers at large to take an interest. I don't even know how to go about that. Everyone would need to help. Software security might be a good required course in college. Bloggers need to keep on blogging to raise awareness. Make security a selling point on web sites and sales catalogs. When hiring new employees, insist that they know about basic issues and the appropriate solutions. Provide material when new employees enter the company that helps indoctrinate them into a culture that takes security seriously.

In the end, getting developers to write more secure code is not just a job requirement for programmers, it's a wider change in mind set that needs to happen. It's not only the coders' responsibility to see that the applications are written securely. It's a right of clients to demand better software. It's the duty of the directors and managers to allocate appropriate resources. And effort must be made by all employees to understand the issues and help make software more secure in whatever way they can; plan, design, write, test and buy with security in mind.

Monday, December 1, 2008

Predictions of Microsoft's Demise

I'm tired of reading blog posts by people that don't do their research. It seems like anyone that talks about Microsoft's downfall or the coming obsolescence of a piece of Microsoft software due to competition falls into one of the two following patterns, or both.

First, they compare the up-and-coming software of their favorite Microsoft competitor to the last piece of Microsoft software that they are familiar with. Most often this is a past release. Of course an old piece of software won't stack up against something new and shiny. Try picking on the current crop.

Second, even when they do pick the comparable piece of Microsoft software to talk about, they forget that Microsoft writes much of their software to work for both home users and enterprises. There are features and integration points that the average user just doesn't see.

If you're going to do product comparisons, please do a fair amount of research on all of the products you are talking about. Don't skimp or provide misleading information on Microsoft just because it's not your choice. Unless you are a shill in which case it's OK because that's your job.

Now, I will be the first person to admit that there are plenty of other options besides Microsoft software out there. And in many situations, other solutions will even provide a better value.

For instance, the movement of home, school and even small business users towards Open Office makes a lot of sense under the right circumstances. Despite that, Open Office has a ways to go before its feature set makes it a viable replacement for enterprises using the more advanced capabilities of Microsoft Office. Open Office is not going to kill Microsoft Office any time soon.

People have been predicting the demise of Microsoft or its products at the hands of competitors for a while now. At this point it all sounds like Rasputin and his prognostications. Sure people kind of sort of get close to guessing correctly once in a while. They should if they make countless vague predictions on different topics nonstop.

But even if the pundits get one right now and then, Microsoft can afford the occasional mistake. That's not a luxury that many companies have. Microsoft has proven that they can recover from large blunders even in their core market. ME was considered quite the unsuccessful stab at an operating system but it was followed up by XP which is generally thought of as a decent platform.