Jonathan Cogley's Blog

I just came across this post (older) by Robert Hurlbut titled "DREAD is dead" and it reminded me of our experiences with these same ratings today.  We are in the middle of a Security Review for a client and have been working through our threat model to assess the risk associated with each item.  DREAD is a technique for assessing such risk using the factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.  As Robert mentions, the idea is to rate the threat on each of these factors using a scale from 1 to 10.  Then add up all the numbers for each threat (average it if you wish) and you can list the threats in DREAD priority.

Error reporting is enormously powerful.  Knowing when your customers are seeing errors is the first step to improving the quality of your application.

While this doesn't classify as great development practice, sometimes a well tested hotfix to a production site is just the right thing to solve a client's problem quickly.  In our case, the problem was too many emails being sent due to ClientScriptExceptions (our own custom Exception that is thrown when a Javascript onerror event fires in the browser ... yes, we do some tricky stuff with an Image in Javascript to get the message back to the server).  Anyway, the exception is caught in global.asax.cs in the Application_Error method.

Paul Gielens has an interesting post discussing the cost of refactoring and deciding when to do so.  I agree with Paul that refactoring is certainly not free and is in fact a very expensive process since it lacks one of the central benefits of Test Driven Development - knowing when you are done!  The process of refactoring is very subjective and it is easy for a pair to spend extra time tweaking things with "Introduce Base Class", "Extract method" and "Introduce explaining variable" until it is just right.

Our product, Secret Server, uses the DotLucene API for searching of items ("secrets") in the application.  DotLucene is an impressive API which creates index files on disk based on the data you feed to it.  It then allows for some very powerful text searches to find data such as "amazon.com~" which will find all secrets containing various spellings of amazon.com.  (More info here).

This is an opportunity to get incredible work experience with hardcore .NET consultants defining the current state of the art in Agile .NET development.  A Thycotic Summer Internship in Software Development will allow you to work on interesting projects (such as Secret Server) and develop your own solutions working with security protocols, open source software and sophisticated encryption.  You will work with highly experienced developers and learn to master the necessary skills to excel in today's competitive programming environment.

One of the problems that we come across as our projects mature is that the number of tests increase and so do test suite times.  It seems inevitable ... something like the sun setting in the west and the CPU speed doubling every few years.  The obvious problem with this inevitability is that it takes LONGER to test the entire application.  Sweeping changes therefore take longer as the feedback loop increases and pairs have to begin context switching during the day ... "Did it get to green yet?  No ... where were we?"

Andrew Duthie (our local DE and organizer extraordinaire!) has published the session list for the Microsoft Mid-Atlantic Security Code Camp this Saturday (10/29/2005).  There will be a good mix of content and interesting speakers.