December 2005 - Posts

John Morales is blogging!
Wednesday, December 28, 2005 9:17 AM

John Morales joined thycotic back in October and has been impressing us since the start with his knowledge of keyboard shortcuts (how often do you see *your* fellow developers writing their own macros in VS.NET?), Regular Expressions, ReSharper, DotLucene and his ability to solve problems.  After a little prodding, we now have him blogging with a few gems already on Regular Expressions, a great CruiseControl.NET fix and at least one enjoyable rant.

Now if we can just get him in front of a .NET User Group! :-)

John is also the person who has written the most code in Secret Server - our exciting new product!


Jonathan Cogley is the CEO and founder of thycotic, a .NET consulting company and ISV in Washington DC.  thycotic has just released Thycotic Secret Server which is a secure web-based solution to both "Where is my Hotmail password?" and "Who has the password for our domain name?".  Secret Server is the leader in secret management and sharing within companies and teams.

thycotic becomes a Custom Development Microsoft Certified Partner
Wednesday, December 21, 2005 9:38 PM

Our company, thycotic, has become a Microsoft Certified Partner in the new Custom Development competency that was launched in November 2005.  This is the result of hard work on the part of our development team in completing Microsoft Certification exams, and of many successful projects delivered for our clients.

We have also been working towards the Independent Software Vendor (ISV) competency for the last few months.  On October 15th 2005, we launched our first "off the shelf" product, Secret Server, which was built as our software product for the Microsoft Empower Program for ISVs.  Completing the ISV competency will require having the product officially tested by VeriTest and will require customer references ...

Please contact me if you are willing to provide a customer reference for Secret Server.


Interview with FusionAuthority on TDD to a ColdFusion audience
Saturday, December 17, 2005 2:01 PM

I was recently interviewed by Judith Dinowitz in this article from FusionAuthority.  The interview came about after I blogged about my experiences presenting TDD at our local Maryland Cold Fusion User Group.

Keep the numbers meaningful in Security Reviews
Tuesday, December 13, 2005 12:42 AM

I just came across an older post by Robert Hurlbut titled "DREAD is dead" and it reminded me of our experiences with these same ratings today.  We are in the middle of a Security Review for a client and have been working through our threat model to assess the risk associated with each item.  DREAD is a technique for assessing such risk using five factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.  As Robert mentions, the idea is to rate the threat on each of these factors using a scale from 1 to 10.  Then add up the numbers for each threat (or average them if you wish) and you can list the threats in DREAD priority.

The obvious problem ... what is the real difference between a 7 and an 8?  That is a tough call, especially when you have 50 or more threats to evaluate (keeping your evaluation consistent across that many items gets challenging!).  We decided to settle on a simple system of low (1), medium (2) or high (3).  We also simplified our analysis to just the traditional Criticality/Severity and Likelihood of Occurrence - interestingly, this is very similar to the Microsoft Solutions Framework (MSF) approach to categorizing and managing risk on a software development project.

Why all this effort to rate the risk?  Most projects (yes, even Security Reviews!) have limited budget.  This makes it important to use your resources on the most risky areas of your system.  This becomes even more necessary when you have to trade off against items you will never have time to investigate.

Our risk analysis yielded a nice list of threats in the 4-6 point category which we can now investigate starting with the most risky threats.

(P.S.  The authors of Writing Secure Code, 2nd Edition, mention always giving a 10 for Discoverability as things will always be discovered at some point ... this again shows how DREAD is too detailed and is not a meaningful measurement.)
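As an added example (not from the original post), the two rating schemes side by side over a constructed threat list: full DREAD with Discoverability fixed at 10, which as the P.S. notes only adds a constant to every threat, and the low/medium/high Severity + Likelihood scheme the post settles on. The threat names, their scores and the coarse() mapping from the 1-10 scale onto 1-3 are assumptions made up for the illustration.

```javascript
// Constructed threat list; names and factor scores are invented for this example.
const THREATS = [
  { name: 'Password reset token guessable',   D: 9, R: 8,  E: 6, A: 7 },
  { name: 'Verbose stack trace on error page', D: 3, R: 10, E: 9, A: 10 },
  { name: 'Session fixation on login',        D: 7, R: 6,  E: 5, A: 8 },
  { name: 'Missing rate limit on login',      D: 5, R: 10, E: 8, A: 8 },
  { name: 'Internal hostname in HTML comment', D: 2, R: 10, E: 2, A: 10 },
];

// Full DREAD sum; Discoverability defaults to the constant 10 recommended in
// Writing Secure Code, so it never changes the relative order of threats.
function dreadScore(t, discoverability = 10) {
  return t.D + t.R + t.E + t.A + discoverability;
}

// Rank threats by any scoring function, highest score first; returns the names.
function rank(threats, score) {
  return [...threats].sort((a, b) => score(b) - score(a)).map((t) => t.name);
}

// Assumed mapping of a 1-10 factor onto the post's low (1) / medium (2) / high (3) scale.
function coarse(v) {
  return v <= 3 ? 1 : v <= 7 ? 2 : 3;
}

// The post's simplified scheme: Severity (taken here from Damage potential)
// plus Likelihood of Occurrence (taken here from Exploitability), giving 2 to 6.
function simpleScore(t) {
  return coarse(t.D) + coarse(t.E);
}

// The 4-6 point band the post says gets investigated first, most risky first.
function worthInvestigating(threats) {
  return rank(threats.filter((t) => simpleScore(t) >= 4), simpleScore);
}
```

Comparing rank(THREATS, dreadScore) with rank(THREATS, simpleScore) shows how the two schemes can order the same threats differently, which is the kind of judgment call the post is trying to keep meaningful.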


Automatic reporting of client-side script exceptions
Wednesday, December 07, 2005 1:26 PM

Error reporting is enormously powerful.  Knowing when your customers are seeing errors is the first step to improving the quality of your application.

In my previous post, I mentioned capturing client-side script exceptions while discussing a dreaded hot fix that had to be made.  You may have been wondering exactly what I was talking about and whether it might be useful for your applications.

Hopefully you have already tapped into the Application_Error method in global.asax.cs to publish exceptions (maybe to a log file or as email).  We tend to prefer getting exceptions in email because it is a strong incentive to the development team to fix the problem. :-)  However, Application_Error only catches server-side exceptions, which means that many of the different browsers hitting your application may be choking on your client-side script and you wouldn't even know!  You may be thinking that you can stop reading now because your application is intranet-based and everyone is using Internet Explorer ... not so! - different versions of Internet Explorer can behave very differently with the same Javascript.

Our solution is to tap into the onerror event on the window.  You can have your own custom Javascript function fire anytime an error occurs in client-side script.  Now you need to call back to the server and cause an Application_Error call by throwing an exception on the server side - this then allows your regular exception publishing to kick in.  We do this in the function below by calling back to the ASPX page using a temporary Image with specific values in the QueryString (onerror_message) - our base page class (you really should have your own PageBase derived from System.Web.UI.Page, but that is another discussion) then checks for these messages and throws an exception if they are present.

<script language="javascript">
// <!--
// Report any unhandled client-side script error back to the server.
window.onerror = window_onerror;
function window_onerror(message, url, lineNumber) {
	// Build the onerror_* QueryString that PageBase checks for on the server.
	// encodeURIComponent (rather than the deprecated escape) handles '+', '&' and non-ASCII correctly.
	var queryString = '?onerror_message=' + encodeURIComponent(message)
		+ '&onerror_url=' + encodeURIComponent(url)
		+ '&onerror_lineNumber=' + lineNumber;
	// Requesting the current page with that QueryString via an Image makes the
	// callback without navigating away; the response is ignored.
	var onerrorImage = new Image();
	onerrorImage.src = queryString;
	// Returning true suppresses the browser's own script error dialog.
	return true;
}
// -->
</script>

Please note that the user never sees the exception message, so it silently reports the errors without disrupting the user experience.

Tip:  You can test your page for client-side script exceptions by going to your page and then replacing the URL (in the browser window location textbox) with javascript:CallABogusFunction().  This will make it call back to the server but nothing will be apparent on the screen.  You can also test your page directly by adding ?onerror_message=xyz in the QueryString.

Long live reporting *ALL* your exceptions!
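As an added example (not code from the original post or from thycotic), here is the same onerror reporter with the checks a practitioner would want around it: proper encoding, a cap on how many distinct errors one page load may report so a looping error does not become thousands of callbacks and emails (the flood described in the "Working around global.asax at runtime" post), and the server-side parse of the onerror_* values treated as untrusted input. The function names, the MAX_* limits and the parse-before-throw step are assumptions of this example, not part of the post's PageBase.

```javascript
const MAX_FIELD_LENGTH = 500;      // cap on each reported value (assumed limit)
const MAX_REPORTS_PER_PAGE = 5;    // distinct errors reported per page load (assumed limit)

// Build the onerror_* query string the post's Image trick requests, percent-encoded
// and clipped so a huge message cannot be pushed into the server's exception email.
function buildErrorReportQuery(message, url, lineNumber) {
  const clip = (s) => String(s).slice(0, MAX_FIELD_LENGTH);
  const line = Number.isInteger(Number(lineNumber)) ? Number(lineNumber) : 0;
  return '?onerror_message=' + encodeURIComponent(clip(message)) +
         '&onerror_url=' + encodeURIComponent(clip(url)) +
         '&onerror_lineNumber=' + line;
}

// Remembers which errors have already been reported in this page load, so an error
// firing from a timer or event handler in a loop produces one callback, not thousands.
class ErrorReportThrottle {
  constructor(limit = MAX_REPORTS_PER_PAGE) {
    this.limit = limit;
    this.seen = new Set();
  }
  shouldReport(message, url, lineNumber) {
    if (this.seen.size >= this.limit) return false;
    const key = url + ':' + lineNumber + ':' + message;
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    return true;
  }
}

// The server's view of the same data (written in JavaScript here so the whole round trip
// runs in one file): parse and validate the query string before anything is thrown or emailed.
// Returns null when no report is present; values are clipped and lineNumber must be numeric.
function parseErrorReport(queryString) {
  const params = new URLSearchParams(queryString);
  if (!params.has('onerror_message')) return null;
  const line = Number(params.get('onerror_lineNumber'));
  return {
    message: params.get('onerror_message').slice(0, MAX_FIELD_LENGTH),
    url: (params.get('onerror_url') || '').slice(0, MAX_FIELD_LENGTH),
    lineNumber: Number.isInteger(line) && line >= 0 ? line : 0,
  };
}

// Browser hook-up, the same shape as the post's window.onerror handler.
if (typeof window !== 'undefined') {
  const throttle = new ErrorReportThrottle();
  window.onerror = function (message, url, lineNumber) {
    if (throttle.shouldReport(message, url, lineNumber)) {
      new Image().src = buildErrorReportQuery(message, url, lineNumber);
    }
    return true; // suppress the browser's own error dialog, as in the original
  };
}
```

Because anyone can request the page with onerror_message set, the server should treat the parsed values as data to log, never as something to render or trust, and should rate-limit what it emails.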

Working around global.asax at runtime
Tuesday, December 06, 2005 1:15 AM

While this doesn't qualify as great development practice, sometimes a well tested hotfix to a production site is just the right thing to solve a client's problem quickly.  In our case, the problem was too many emails being sent due to ClientScriptExceptions (our own custom Exception that is thrown when a Javascript onerror event fires in the browser ... yes, we do some tricky stuff with an Image in Javascript to get the message back to the server).  Anyway, the exception is caught in global.asax.cs in the Application_Error method.

So, how do we override this behavior at runtime?  Change the global.asax to the following:

<%@ Application Codebehind="Global.asax.cs" Inherits="Thycotic.xxx.Web.Global" %>
<script runat="server" language="C#">
// Hides the compiled Application_Error in Global.asax.cs; ASP.NET binds the
// handler by name, so this version runs instead of the one in the assembly.
protected new void Application_Error(Object sender, EventArgs e)
{
	if (System.Web.HttpContext.Current != null)
	{
		// ASP.NET wraps the real exception (e.g. in HttpUnhandledException), so unwrap one level.
		Exception outer = HttpContext.Current.Server.GetLastError();
		Exception inner = outer.InnerException;
		Exception actualException = (inner == null) ? outer : inner;
		// Skip publishing (and the resulting email) for client-side script exceptions only.
		if (!(actualException is Thycotic.Foundation.WebControls.ClientScriptException))
		{
			Thycotic.Foundation.ExceptionManager.HandleApplicationErrorEvent();
		}
	}
}
</script>
Voila!  Problem fixed without a recompile or binary redeployment!  Unfortunately, we hadn't marked the original method as virtual so we had to use "new" on the method signature - something we very seldom use.

Hope you find this trick useful and never have to use it! :-)


Refactoring is not free (so defer it)
Sunday, December 04, 2005 11:13 AM

Paul Gielens has an interesting post discussing the cost of refactoring and deciding when to do so.  I agree with Paul that refactoring is certainly not free and is in fact a very expensive process since it lacks one of the central benefits of Test Driven Development - knowing when you are done!  The process of refactoring is very subjective and it is easy for a pair to spend extra time tweaking things with "Introduce Base Class", "Extract method" and "Introduce explaining variable" until it is just right.

Refactoring doesn't provide any direct business value to the customer and as Paul hints you only get the payback for refactoring when that area is revisited.  It seems to make sense to defer the refactoring until that change is necessary.  I have talked about this before as WhenRefactoringIsYAGNI.  You get to push on with further features instead of the refactoring and that may be OK because you may never need to visit that code again.  Hurrah!  You have saved your customer time and implemented new features.  If you ever do revisit that code then:

  1. You have the same (and potentially more) unit tests to help you refactor it.
  2. You will be looking at it with more knowledge of the system (the best time to do something is the last possible minute it can be done, since you will have the most information possible about the situation - this is usually applied to business decisions but is still relevant here).
  3. You will also be looking at the problem with fresh eyes having not just spent a long time developing the functionality.  (this could be a plus or minus depending on your perspective)

Our practice is to typically defer large refactorings until that area of code is revisited and will just put in a TODO tag in the meantime.


When should ports go native?
Friday, December 02, 2005 1:35 PM

Our product, Secret Server, uses the DotLucene API for searching items ("secrets") in the application.  DotLucene is an impressive API which creates index files on disk based on the data you feed to it.  It then allows for some very powerful text searches to find data, such as "amazon.com~" which will find all secrets containing various spellings of amazon.com.  (More info here).

The DotLucene API is, as you might have guessed, a port of the Java Lucene search API and herein lies the problem.  Lucene is written in Java and therefore the API has a Java flavor to it.  This makes it harder and less intuitive for a native .NET developer to use. 

To index a secret, we use:

// false = open the existing index on disk rather than creating a new one
IndexWriter writer = new IndexWriter(_indexLocation, new StandardAnalyzer(), false);
Document document = new Document();
// Text fields are tokenized and searchable; a Keyword field is stored as one untokenized term
document.Add(Field.Text("Name", secret.Name));
document.Add(Field.Text("Created", secret.Created.ToShortDateString()));
document.Add(Field.Keyword("Id", secret.Id.ToString()));
writer.AddDocument(document);
writer.Optimize();
writer.Close();  // nothing closes the index files if an exception is thrown above this line

A typical .NET developer would probably expect IndexWriter to implement IDisposable but it doesn't.  How do we ensure the file is closed should an error occur while indexing?

Our problem was figuring out how to reindex a "secret", since simply adding it again creates duplicates in the index.

IndexReader reader = null;
try
{
	reader = IndexReader.Open(_indexLocation);
	// Remove every document whose Id keyword matches; the secret is then re-added with IndexWriter
	reader.Delete(new Term("Id", secret.Id.ToString()));
}
finally
{
	// IndexReader isn't IDisposable either, so close it by hand even if Delete throws
	if (reader != null)
	{
		reader.Close();
	}
}

The solution is to use the IndexReader (?!).  Yes, not very intuitive.  This can't really be attributed to a "language style" issue since a Java developer probably wouldn't expect this either!

I have talked about language style before, but porting an API has even more issues.  NUnit broke away from its Java porting heritage in 2.1 by rewriting it to use custom attributes instead of JUnit's naming conventions for test fixtures and tests.  This had many benefits since they could produce a more elegant design that would harness the power of the .NET platform and would be more in the style of typical .NET APIs.  These benefits come at a cost, however, since anyone familiar with JUnit can no longer easily transfer their knowledge to NUnit.

It also means that many other areas of knowledge from the original API are not always useful for the native port:

  • Newsgroup posts
  • Online documentation
  • Tutorials

When does it make sense to go native with a port?  Is going native a sign of maturity for an API?


Summer Internship in Software Development with TDD and .NET
Thursday, December 01, 2005 12:59 PM

This is an opportunity to get incredible work experience with hardcore .NET consultants defining the current state of the art in Agile .NET development.  A Thycotic Summer Internship in Software Development will allow you to work on interesting projects (such as Secret Server) and develop your own solutions working with security protocols, open source software and sophisticated encryption.  You will work with highly experienced developers and learn to master the necessary skills to excel in today's competitive programming environment.

This internship is based in the Washington DC Metro Area which means you will have opportunities to visit the nation's capital and explore the nightlife, restaurants, theatre and endless events happening every day.

Requirements for this position include:

  • You have excellent grades and/or provable skills
  • You have an intense desire to write code and solve problems (preferably of the C# flavor)
  • You want to develop using Test Driven Development (yes, that is *ALL* we do!)
  • You enjoy or are prepared to try Pair Programming
  • You have a good understanding of Object Oriented principles, relational databases and web application development
  • You have the permanent legal right to work in the United States
  • You have excellent written and spoken English
  • You are willing to work in the Washington DC Metro Area (no telecommuting)

Preferred but not absolutely required:

  • You are familiar with the .NET framework and ASP.NET
  • You are familiar with Microsoft SQL Server - stored procedures, triggers, functions and general SQL
  • You are in your final year of a Computer Science degree or post graduate degree

Intangible criteria:

  • Work with others in an environment that encourages new ideas and improvement
  • Able to discuss and learn while solving problems with our highly experienced software development consultants

About Thycotic:

Thycotic is a developer-minded consulting company operating in the Washington DC area.  The company is a leader in agile techniques on the Microsoft .NET platform including Test Driven Development and Extreme Programming.  We continually deliver successful projects that are on time and on budget to happy customers while developers maintain sensible hours, vacation schedules and drink lots of FREE soda.  Thycotic also offers opportunities to perform training and work on our own software products.  Stop reading about TDD and come join Thycotic to practice it!

If your internship with our developer team is very successful then we might just want to hire you after the internship!  Our employees receive an annual incentive bonus based on mutual goals.  The benefits include full healthcare, retirement and generous vacation and conference time.  Thycotic always looks to provide the optimal working experience (however possible) to retain and stimulate the most talented developers.

Please send your resume and a brief summary explaining your interest in TDD and Thycotic to tdd_me_now@thycotic.com

Applications must be received by February 1, 2006.

(Sorry, no visas or sponsorship available)

