Software Development West 2005, March 15-19

by Howard Dyckoff

Another March, another SDWest in the SF Bay Area... this one in a persistent wet spell. Once again, leading lights in Software Development met, networked, and proclaimed their views on the direction, or diverging directions, of their craft. But this year there was more agreement on key approaches, including Agile methods. There were over 200 conference sessions in 12 tracks and 6 very interesting keynotes. The attendance was also on the upswing, with over 3000 attendees, marking the recovery in at least the developer end of the computer industry. [This in a year where Comdex got cancelled again.]

It was often hard to pick a technical session with all of these tracks, especially as key tracks like Java, Web Services, and Security often had 2 sessions per time slot in different locations:

• .NET
• C++
• Java
• Modeling & Design
• People, Process & Methods
• Requirements & Analysis
• Scripting
• Security
• System Security
• Testing & Quality
• Web Services
• XML

The number of sessions on Agility and XP in programming shows that these practices are rapidly becoming mainstream; linked with these trends was acceptance of test-driven development [TDD] methodology. Model-driven development [MDD] and UML tools were also featured in many sessions, often linked to Eclipse plugins, along with a re-emergence of Web Services.

Web Services - Redux

We were told about the brand-new Web Services standards that are still being hammered out - but this version is really much closer to what developers need. The new-new wrinkle is SOA - Service-Oriented Architecture [which may embody the other meaning of SOA]. Several sessions discussed the convergence of these two design points, and an incisive keynote by David Chappell covered how these new services relate to objects and, more importantly, why services/SOA imply the rise of business process management. WS, he predicted, will move deeper into the organization and become the infrastructure for business logic. [His weblog summary of the presentation appears here.] This was echoed in a later keynote by Chris S. Thomas, Chief Strategist at Intel, where he described a future Service-Oriented Enterprise (SOE) framework spanning from the datacenter backend to the wireless edge, a system that will provide the foundation for future business growth.

Several Web Services sessions dealt with design and security issues. Some sessions were platform agnostic, although many of the presenters were .Net consultants. A team of speakers from idesign.net anchored many of the Web Services presentations, with Michele Bustamante appearing at most of these. Her blog, dasblonde.net, summarized some of the sessions and listed many of these newer Web Services standards emerging from the standards bodies:

On the .Net side of Web Services, Microsoft's vision for Visual Studio 2005 was described in a technical keynote by Craig Symonds, General Manager of Visual Studio, in a session heavy with video testimonials. The audience participated by encouraging him to 'move on' to the technical details after many minutes of talking heads [he complied]. The session described flexibility options in the MS tools platform and new features that help software teams collaborate.

Security in software design

One of the best presentations I saw was given by Gary McGraw on "Exploiting Software: How to Break Code", about finding SW flaws in the development cycle. He started by noting that SW patching was relatively cheap to a vendor like Microsoft, but very costly in both time and $$s to SW users. Patches, he said, "are vulnerability pointers and they also create new holes."

McGraw's main point was that security personnel are not adequately trained in SW development techniques and often miss major flaws in SW design and execution. He wants skilled developers to learn cracking techniques and move into prominent security roles - to even up the growing skills gap with criminals and cracker gangs. "We have to stop pretending that attackers can't reverse engineer our code," he said.

Some of the ways in which bad coding and testing can break application software:

The proposed solution map includes using full testing suites and coding to capture and pass all errors up the stack. Gary McGraw's full presentation as a PDF will be available shortly at http://www.cigital.com/presentations.

"J2EE Secure Coding Guidelines," by Roshen Chandran of Paladion Networks, summarized many web-based attacks, including the infamous SQL injection and cross-site scripting. He also discussed the issues of using POST versus GET in Java Servlets, and favored POST since the variables are not visible in the URL, the user's history, or the web logs as they would be with GET. One of Chandran's guidelines was to set cookies and to encrypt them when they carry sensitive info:

 Cookie myCookie = new Cookie("session", sessionId); // create the cookie, then mark it HTTPS-only
 myCookie.setSecure(true); response.addCookie(myCookie);

The password in the cookie can also be salted and hashed to add additional security and authentication between browser and server.
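Here is an added, fuller version of the guideline above; it is example code written for this write-up, not code from Chandran's talk or from Paladion. It sets the Secure flag as above and adds HttpOnly (Servlet 3.0 API), accepts the login only over POST so that credentials stay out of the URL and logs, and, instead of placing a salted and hashed password in the cookie, puts a random session identifier there and authenticates it with an HMAC so the server can detect a forged or altered value. The cookie name "SESSION", the 30-minute lifetime, the HMAC key bytes passed to the constructor, and the caller-supplied checkCredentials predicate are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.BiPredicate;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the talk): a session cookie that is Secure, HttpOnly and
// tamper-evident. Its value is "<random id>.<HMAC>", so no password ever reaches the browser.
public final class SessionCookies {
    static final String COOKIE_NAME = "SESSION";                     // assumed name
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;   // server-side HMAC key; provisioning it is the caller's job

    public SessionCookies(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Login handler: accepts POST only, so credentials travel in the body rather than the URL,
    // the browser history or the access log. checkCredentials is supplied by the application.
    public void handleLogin(HttpServletRequest req, HttpServletResponse resp,
                            BiPredicate<String, String> checkCredentials) throws IOException {
        if (!"POST".equals(req.getMethod())) {
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null || !checkCredentials.test(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.addCookie(issue());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Builds the cookie with the Secure flag from the guideline, plus HttpOnly (Servlet 3.0+).
    public Cookie issue() {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        String idPart = ENC.encodeToString(id);
        Cookie c = new Cookie(COOKIE_NAME, idPart + "." + ENC.encodeToString(mac(idPart)));
        c.setSecure(true);       // sent only over HTTPS
        c.setHttpOnly(true);     // invisible to page scripts
        c.setPath("/");
        c.setMaxAge(30 * 60);    // 30 minutes (assumed)
        return c;
    }

    // Returns the session id if the cookie is present and its MAC verifies, otherwise null.
    public String sessionIdOf(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return verifyValue(c.getValue());
        }
        return null;
    }

    String verifyValue(String value) {
        int dot = value.lastIndexOf('.');
        if (dot <= 0) return null;
        byte[] given;
        try {
            given = DEC.decode(value.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                             // malformed: reject
        }
        String idPart = value.substring(0, dot);
        // Constant-time comparison: a forged MAC cannot be confirmed byte by byte via timing.
        return MessageDigest.isEqual(mac(idPart), given) ? idPart : null;
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);                      // HmacSHA256 ships with every JDK
        }
    }
}
```

The design choice worth noting: the cookie never carries the password, hashed or not, so there is nothing in it for a browser-side script or a proxy log to recover; the HMAC means a client that edits the identifier is rejected before any session lookup, and the session itself is still bound to server-side state that expires with the cookie's MaxAge.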

Chandran's presentation should be posted to the Paladion web site soon, but similar conference presentations are available at: http://www.paladion.net/papers/index.htm. He also presented a session on "Built-in Intrusion Detection: How Smart Software Stays Ahead of the Attacker."

Here are 2 sets of slides posted on the web for sessions taught by Allen Holub at SD-West:

Everything You Know is Wrong!

These slides, originally used at the 2004 Software Development conference, discuss two significant problems of OO systems: fragile base classes and the inappropriate use of accessor and mutator (getter/setter) methods. The slides describe how overuse of implementation inheritance (extends in Java) can get you into trouble, how getter/setter methods can make code unmaintainable, and solutions to both problems.
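To make both problems from those slides concrete, here is an added Java example written for this write-up; it is not code from Holub's slides. The first half shows a counting set built by extending HashSet breaking because the base class's addAll() happens to call the subclass's add(), then the same thing done safely by composition; the second half contrasts an account that leaks its balance through getCents()/setCents() with one that enforces the "never overdrawn" rule inside the object. The class and method names are invented for the illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

// Problem 1 (fragile base class): HashSet.addAll() is implemented in terms of add(),
// so this subclass counts every element of addAll() twice.
class CountingHashSet<E> extends HashSet<E> {
    private int addCount = 0;

    @Override public boolean add(E e) {
        addCount++;
        return super.add(e);
    }

    @Override public boolean addAll(Collection<? extends E> c) {
        addCount += c.size();          // super.addAll() will call add() and count again
        return super.addAll(c);
    }

    public int addCount() { return addCount; }
}

// Same behaviour by composition: HashSet's internals can change without affecting us.
class CountingSet<E> {
    private final Set<E> inner = new HashSet<>();
    private int addCount = 0;

    public boolean add(E e) {
        addCount++;
        return inner.add(e);
    }

    public boolean addAll(Collection<? extends E> c) {
        boolean changed = false;
        for (E e : c) changed |= add(e);   // counting happens in exactly one place
        return changed;
    }

    public int addCount() { return addCount; }
    public int size() { return inner.size(); }
}

// Problem 2 (getters/setters): the state is public in all but name, so every caller
// has to know and re-check the business rule, and any caller can break it.
class LeakyAccount {
    private long cents;
    public long getCents() { return cents; }
    public void setCents(long c) { cents = c; }   // nothing prevents a negative balance
}

// Ask the object to do the work instead; the invariant is enforced once, here.
class Account {
    private long cents;

    public Account(long openingCents) {
        if (openingCents < 0) throw new IllegalArgumentException("negative opening balance");
        cents = openingCents;
    }

    public void transferTo(Account other, long amount) {
        if (amount <= 0) throw new IllegalArgumentException("amount must be positive");
        if (amount > cents) throw new IllegalStateException("insufficient funds");
        cents -= amount;
        other.cents += amount;
    }

    public boolean covers(long amount) { return amount <= cents; }  // a question, not a raw accessor
}

public class HolubDemo {
    public static void main(String[] args) {
        CountingHashSet<String> fragile = new CountingHashSet<>();
        fragile.addAll(Arrays.asList("a", "b", "c"));
        System.out.println("inherited count: " + fragile.addCount());

        CountingSet<String> composed = new CountingSet<>();
        composed.addAll(Arrays.asList("a", "b", "c"));
        System.out.println("composed count: " + composed.addCount());

        LeakyAccount leaky = new LeakyAccount();
        leaky.setCents(-500);                        // compiles and runs; the rule lives nowhere
        System.out.println("leaky balance: " + leaky.getCents());

        Account from = new Account(1000), to = new Account(0);
        from.transferTo(to, 400);
        System.out.println("from still covers 700? " + from.covers(700));
    }
}
```

With the JDK's HashSet the inherited version reports twice the number of elements added through addAll(), while the composed version reports the true count; and the LeakyAccount happily holds a negative balance, whereas Account cannot be driven into that state from outside.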

Security 101

These slides are an introduction to security and cryptographic technology, from a presentation given at the Software Development conference. This version introduces some big-picture issues as well as focusing on the crypto technology.

It was refreshing that there were so many tracks on developing software with security in design. Other tracks dealt with software security and also system-level security.

TDD, code and test

Several sessions focused on testing and test-driven methods. Many of the Design seminars also endorsed TDD. Even Scott Ambler's session on "Agile Data" gave a few nods to TDD.

One of the clearest seminars showing this convergence of Design Patterns, TDD and code refactoring was a too-short seminar with a very long title: Emergent Design: evolving systems with high efficiency, by Scott Bain.

I think the best way to introduce this is to list the detailed but succinct description from the longer tutorial he gave the previous year at SDWest:

Session Title: Emergent Design: Design Patterns and Refactoring for Agile Development
Track: Modeling, Design & Quality
Format: Tutorial

Description: Many modern design practices (XP for example) suggest that code should be developed in a highly incremental way, with frequent opportunities for validation and refactoring, and that we should embrace change as an ally, rather than seeking to avoid it through heavy analysis. At the same time, the Design Patterns movement has opened up powerful new ways of thinking about Objects and their relationships, and how we can efficiently find our way to the best designs in a given context. Initially, these two points of view would seem to be at odds with one another. However, the layered architectures suggested by the proper use of patterns lead to more flexible designs, designs that tolerate change better than traditional OO would, and patterns are a great enabler for an incremental approach. Furthermore, we have found that refactoring existing code, in the light of new and/or better-defined requirements, often leads to patterns, and that an understanding of this can make for a much more efficient development process overall. The purpose of this tutorial is to introduce you to the essential tools needed to work in this way: Agility in process, Unit Testing (a la test first), Refactoring, and Design Patterns as forces in code; then we will demonstrate how they work together in an incremental process.

Here's the slide text from the conclusion of his Emergent Design talk:

Conclusions

Design comes from:

"Good Principles" are:

And an earlier slide:

TDD - When to Use it

Scott Bain's company, NetObjectives, has several books in progress online and his book on Emergent Design has this chapter on Unit Testing. NetObjectives also runs discussion groups on topics of interest to SW developers.

Scott Ambler held 5 thought-provoking presentations covering the Enterprise Unified Process [or EUP, based on Rational RUP], UML 2, UML Data Modeling, Object Relational Mappings, and Agile Data [and design]. These all reference the trinity of Design-first, TDD and Agile methods. Here are his critical observations about software development from the Agile Data session:

Modern Development

Cultural

Ambler encouraged developers to "...actively strive to find the 'sweet spot' for any issue, avoiding the black and white extremes to find the gray that works best for your overall situation."

For more info on Agile methods and database design, visit www.agiledata.org.

And Robert Martin offered a complete tour of TDD, with a little tour-de-force on how the rigid Waterfall development cycle may have been intended to be more interactive: slides of Winston Royce's original notes for Waterfall development in 1970 show feedback arrows throughout the development process, a la Agile. [It was DOD's rigid version in spec 2167 and 2167A that gave us the linear model, according to Martin, but then they had all the SW $s in the '70s.]

The final plenary session was a panel on evaluating SW Dev tools, with luminaries such as Scott Ambler and Joel Spolsky. A side discussion there focused on how to use magazine reviews. Rick Wayne, the moderator and a regular at SD, suggested avoiding the new-product type of review, most of which are slanted to be pro-vendor. In-depth reviews are better since they often list some negative points about a product. But a more telling situation is a lack of reviews: this means the reviews were bad and were pulled before appearing in various publications [Rick stated that this often happens at SD Magazine]. So no review at all is bad news.

Vendor-sponsored Expo Tracks

These were detailed and technical, for the most part, and ran in parallel with the conference tracks but were open to Expo attendees. Intel sponsored a mobile app developer seminar on the day of the SDWest tutorials, available to any Expo attendee. The majority, however, were Microsoft presentations on new developments and features in products like Visual Studio and MS-SQL Server, but some of these were interesting offerings. An Introduction to Design Patterns, by Microsoft's Ron Jacobs, was surprisingly vendor neutral and informative. There are links below [in the expo section] to the Microsoft Design Patterns web resources, but Jacobs told participants to check his own website for a link to a similar presentation: http://www.Ron.Jacobs.com/.

SPI Dynamics presented a session on "New Exploits" which focused on cross-site scripting (CSS) and the new phenomenon of 'Google hacking', in which crackers use a search engine to find systems with certain characteristics. In a minute or so, a search for URLs sensitive to an SQL injection attack pulled up over 500 sites. An alternative hack steals a website's search ranking via 302 redirects. A list of web security white papers and web security webinars at SPI Dynamics is here.

The 15th Annual Jolt Awards

There were some standard bearers here, but there were some surprises as well. Macrovision's InstallShield was inducted into Software Development Magazine's Jolt Awards Hall of Fame, after having won Jolt awards for several years running. It also won Programmer's Paradise's Best Installation and Deployment Tool for the sixth consecutive year. In addition, InstallShield was given the "Riding the Crest" award for the 2004 best-selling installation tool by Programmer's Paradise. Check out this link for the full list of winners.

Products from a small expo

This may be considered a weakness of the conference. This was the smallest expo I ever recall seeing for this conference, although there were interesting vendors and products to be found. Only IBM, Intel and Microsoft were in attendance as major vendors, and these companies had small booths. In contrast, hardware manufacturers Dell, HP, and Sun joined IBM at the MySQL user conference, and Google had a demonstration booth there.

Microsoft actually had a second small booth to discuss their software design patterns initiative where CDs with white papers were handed out. Some of this material, aimed at developers of .Net class libraries, is available at the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp

BuildForge

This build and report suite is gaining traction at major software houses. Their lead developer and CTO also appeared on a January SD webinar: "Real-World Agility Lessons: A Conversation with Peter Schuh". The PDF is available here - http://webcast.on24.com/event/10132/1/documents/slidepdf/10132.pdf

Here's what Buildforge attempts to do: Bob Setterbo, architect and development manager at Adobe, strongly supports BuildForge as an enabling tool for Agile Development. "BuildForge integrates well into existing tools, like scripts, ant, etc. You don't have to have developers retool or relearn, you are just productive from the start." He has over 20 developer product teams participating in over 70 builds each day. "One of our product builds used to take 10 hours and was deployed to 4 targets. With BuildForge, the same build now takes 4 hours and is deployed to 72 targets." Another suite user [who spoke off the record] claimed 10x-50x throughput gains. BuildForge is now in use at EMC, Electronic Arts, Symantec, and other technology companies.

Visual UML

This Hong Kong company was a finalist last year and a Jolt award winner for 2005. They provide a best-of-breed visual modeling tool at several price points. They gave expo attendees the personal copy of their tool, which is a step or two up from the web-downloadable 'community' version. Although this is worth $60 retail, this version creates but does not export UML diagrams and meta-information. Of course, you could develop a full-blown model with the CD they handed out and later purchase the full package with code-generating capabilities and model exports for a mere $300. This is truly the cheapest professional tool in its class, but should be weighed against rolling your own modeling tools with Eclipse plugins.

Bottom line: there was a lot to learn and a lot of interesting speakers. Software Development is still a good conference to find out what trends are emerging. But choose your sessions carefully.

Back to Overview