terça-feira, 27 de dezembro de 2016

Security: "Security Now", the Steve Gibson weekly podcast

Sharing an interesting resource (by Steve Gibson and Leo Laporte), that can for sure help us getting updated (for me it works in the sense that it is an asynchronous way of getting news, good for the ones who don't have either the time or the discipline to put a slot in their calendar to read on the news on a certain area) on the issue of...

If you prefer, the traditional way of getting reminded via e-mail reminder, it is also available (see the blog for details on how to subscribe).

PS: Also interesting (and apparently wildly popular in the US) is the "This Week in Tech (TWiT)":
https://twit.tv/shows/this-week-in-tech (Video and Audio subscriptions available).
PS2: Another security podcast brought to my attention was Gary McGraw's one: https://www.cigital.com/podcast/


sexta-feira, 2 de dezembro de 2016

Coding: In C#?

Coding in C#? I've found a good overview (from a Microsoft person, so careful with The bias) that looks like a good summary of where this programming language is going including parallel projects Rosylin, Xamarin, Unity and more:


https://realm.io/news/goto-mads-torgersen-why-take-another-look-at-c-sharp/

quinta-feira, 24 de novembro de 2016

Process: SW Construction Process and its main work products

SW Construction Process:

While building your software (aligned with the gathered requirements - SRS - and the software design that your high-level architecture defines - SAS, and eventually the detailed design - DDS) several additional topics are relevant.

For instance:
- Shall the team code against any coding standard (is it a coding standard belonging to the project, to the company or is it external, e.g. imposed by a safety standard or by your contractor)?
- What kind of comments shall the team be producing, and what tags for doc extraction shall the team embed in comments (e.g. Javadoc)?
- Do we have a minimum % of comments to comply with?
- Shall the team also leave traceability hints in the source code (Class - Requirement ID, Class - Component ID, other)?
- What static analysis tool will it be used (and who is responsible to run it and analyze the reports)?
- What other static analysis measures shall the team abide for (cyclomatic complexity < X)?
- What integration tasks shall be configured in the CI server and under what well defined circumstances shall the build fail (e.g. shall it fail if 1 of the 10K unit tests fails or not)?
- What is the coverage goal for Unit Testing (if any - see the unit testing plan)?
- What is the coverage goal for Code Reviews (e.g. only certain well identified critical parts of the code shall be reviewed) and who is doing it? And so on.

While programming:
- Remember to keep on checking that "your code does not smell" and try not to follow the wrong guidelines and/or practices (e.g. "how to write unmaintainable code").
- And if the code "smells" (be it yours or from other programmer) you can always refactor it now or later on, "when the fire stops burning" - just make sure to take note of the need somewhere persistently (tip: "issue tracker").

The main work products and documents resulting after the phase where this process is being more heavily used are:
- The code (that could not be a deliverable - you could be delivering binaries only); includes unit test code;
- Updated end-user documentation: Manuals (administration, installation, user, etc.), online help.

Further Information:

Further information can be found in the following links in the DIGEST (some are INTERNAL):
http://silvaonsoftware.blogspot.com/2016/11/digest-sw-construction-further-reading_49.html



segunda-feira, 21 de novembro de 2016

BOOK: The Practice of Programming - B. Kernighan | Rob Pike

By no-one else than Mr. Kernighan (from the Kernighan & Ritchie book you might have heard of), "The Practice of Programming" is a 1999 book on best practices while programming and more:

FFR here is the Amazon link with additional information on the book: https://www.amazon.com/Practice-Programming-Addison-Wesley-Professional-Computing/dp/020161586X/ref=sr_1_1?s=books&ie=UTF8&qid=1479759220&sr=1-1&keywords=the+practice+of+programming

Quoting:
"With the same insight and authority that made their book The Unix Programming Environment a classic, Brian Kernighan and Rob Pike have written The Practice of Programming to help make individual programmers more effective and productive.

The practice of programming is more than just writing code. Programmers must also assess tradeoffs, choose among design alternatives, debug and test, improve performance, and maintain software written by themselves and others. At the same time, they must be concerned with issues like compatibility, robustness, and reliability, while meeting specifications.

The Practice of Programming covers all these topics, and more. This book is full of practical advice and real-world examples in C, C++, Java, and a variety of special-purpose languages. It includes chapters on:

  • debugging: finding bugs quickly and methodically
  • testing: guaranteeing that software works correctly and reliably
  • performance: making programs faster and more compact
  • portability: ensuring that programs run everywhere without change
  • design: balancing goals and constraints to decide which algorithms and data structures are best
  • interfaces: using abstraction and information hiding to control the interactions between components
  • style: writing code that works well and is a pleasure to read
  • notation: choosing languages and tools that let the machine do more of the work

Kernighan and Pike have distilled years of experience writing programs, teaching, and working with other programmers to create this book. Anyone who writes software will profit from the principles and guidance in The Practice of Programming ."

BOOK: Forms that Work - Caroline Jarret | Gerry Gaffney

Designing web pages with usability in mind?
The book "Forms that Work - Designing Web Forms for Usability" by Caroline Jarret and Gerry Gaffney might help.

FFR: https://www.amazon.com/Forms-that-Work-Interactive-Technologies/dp/1558607102

Quoting:
"Forms are everywhere on the web – for registration and communicating, for commerce and government. Good forms make for happier customers, better data, and reduced support costs. Bad forms fill your organization’s databases with inaccuracies and duplicates and can cause loss of potential consumers.

Designing good forms is trickier than people think. Jarrett and Gaffney come to the rescue with Designing Forms that Work, clearly explaining exactly how to design great forms for the web. Liberally illustrated with full-color examples, it guides readers on how to define requirements, how to write questions that users will understand and want to answer, and how to deal with instructions, progress indicators and errors.


  • Provides proven and practical advice that will help you avoid pitfalls, and produce forms that are aesthetically pleasing, efficient and cost-effective.
  • Features invaluable design methods, tips, and tricks to help ensure accurate data and satisfied customers.
  • Includes dozens of examples -- from nitty-gritty details (label alignment, mandatory fields) to visual designs (creating good grids, use of color).
  • Foreword by Steve Krug, author of the best selling Don't Make Me Think!"


Tools: Code Reviews and Support tools

Why (NOT) Code Reviews? 

Code reviews is not the most beloved verification method for a developer (in the end of the day it makes you proof-read others code, and everyone knows that all code other than yours is not good enough - #irony). But remember that Code Reviews are one of the most cost-effective verification methods available: Fixing a bug in software while developing it is way much cheaper than fixing it after the formal testing phases begin (several studies on the subject can be found - just "google" for it).

Also, things that we should bear in mind before we start complaining about having to do code reviews are:

  • There are things that are much easier to verify looking at the code directly (e.g. correct use of RDBMS transactions) than by integration / system testing.  "White box" rules here and saves us hours (as a team - because on some cases we are saving testers' time).
  • For some critical parts of your code it might be a good idea to have them being checked (read: code reviewed) prior to any deployment to production, e.g., code involved in authentication, authorization, money transfers, etc..  

Code Reviews in your QMS/SDP

Your QMS/SDP might have a Verification Process defining a code review procedure on how to conduct code reviews (see "Further Reading"). And how metrics related to code reviews are to be collected (and when, and by whom). Examples are: code review speed, preferably per technology; number of defects detected, number of defects fixed, defect fix cost - e.g. in minutes, etc.

And What About Supporting Tools?

So in order to "reap the benefits" (read: improve SW Quality and save money), give the developer teams a help by supporting the procedure with tools. For instance: Crucible (a plugin to Atlassian JIRA). Or any other. Anything other than making people use printed code and / or word processor annotated documents.

Further Reading

Examples (permissions could apply; INTERNAL):


DIGEST: SW Construction - Further Reading

Additional Resources for SW Construction:

While building your software (aligned with the gathered requirements - SRS - and the software design that your high-level architecture defines - SAS) several additional topics are relevant. For instance: Coding standards to comply with (if any); comments to create and % of comments and eventual traceability to requirements IDs / component ID there left; static analysis to perform (and extracted KPIs to comply with - if any); continuous integration server and tasks to use; verification measures such as unit tests, code reviews. For more generic information on these topics see here.
   
For further detailed information please see the following links (some are INTERNAL).

Static Analysis
  1. http://silvaonsoftware.blogspot.pt/2016/05/tools-source-monitor-static-analysis.html
  2. http://silvaonsoftware.blogspot.pt/2016/05/tools-static-analysis-tools-listing.html
  3. http://silvaonsoftware.blogspot.pt/2016/10/sw-construction-static-analysis-tools.html

Code Reviews: 

  1. The QMS context (INTERNAL): Review Procedure here; Crucible Tool GBK hereCheckStyle (Java) tool GBK here.
  2. Code Reviews example - Crucible (Plugin to JIRA; INTERNAL): https://crucible.critical.pt/cru/ATG-5#CFR-11408

Continuous Integration (CI):

  1. About CI, a list of several servers available can be seen here: https://en.wikipedia.org/wiki/Comparison_of_continuous_integration_software
  2. Example - Jenkins (INTERNAL): http://jenkins.critical.pt/computer/(master)/ (INTERNAL; Teamcity could also be in use for some projects).

Unit Testing

  1. Think "developer tests" (and see Module 9 for now; again, INTERNAL)

Further reading - Coding Standards: 

Each company might have internally defined coding standards. Or it could be using external standards (e.g. HP, NASA, ESA, etc.). Google for "C Coding Standard" and see what it is meant by coding standards here: For instance this is 1994 NASA-SEL's style guide for C (PDF).

Further reading - BOOKS: 

There are lots of books on SW Engineering that focus on best practices for coding activities, with the objective of writing clearer code, easier to understand and maintain, easier to reuse, etc. 

Two must read examples might include: 
Many more books have full chapters on writing "good" code. 
Again, "Google" and/or "Amazon" for it.
Happy readings!

DIGEST: Additional Info on SW Design / Architecture - Further Reading

About SW Design / Architecture (and security as well as performance, quality attributes of architectures):
Security topic and the embedded link to the Check List repository:
  1. http://silvaonsoftware.blogspot.pt/2016/05/sw-design-security-as-design-quality.html
  2. http://silvaonsoftware.blogspot.pt/2016/07/resource-security-is-process.html
  3. http://silvaonsoftware.blogspot.pt/2016/08/security-magic-quadrants-for-mss-remote.html
  4. Slightly off-topic but equally interesting: http://silvaonsoftware.blogspot.pt/2016/11/security-industrial-control-systems.html
Additional info on Design Patterns, Code Smells, Refactoring (already shown but repeated here for reinforcement or whatever you would like me to call it): 
  1. Design patterns: "The index" in Wikipedia is here
  2. Several books to read, also called "bibles": The GOF book as well as Code Complete 2
  3. Another interesting resource is sourcemaking.com (Design Patterns, Anti-Patterns and Refactoring / Code Smells).
Performance (but not only) topic:  

DIGEST: Requirements Analysis - Further Reading

Additional info on Requirements Analysis (and SW Requirements):
  1. The requirements analysis "film": http://silvaonsoftware.blogspot.pt/2016/05/process-software-requirements-team.html
  2. To learn some specifics: See your QMS "requirements standard" (INTERNAL; includes best practices and conventions). 
  3. Writing good requirements paper here (PDF)
  4. Requirement types: http://silvaonsoftware.blogspot.pt/2016/11/requirements-requirements-types.html
  5. For even further info: Read books on the subject and related subjects: Requirements analysis, requirements engineering, business process analysis (a broader topic), writing good requirements. "Google" and/or "Amazon" them. 
(@2016-11-23: Fixed link of Req. Std.; 2017-06-08: fixed link)

terça-feira, 15 de novembro de 2016

TOOLS. Ditto clipboard manager (productivity tools; multi-PC)

Yest another free clipboard manager (see the ARS Clip link here)?
http://ditto-cp.sourceforge.net/

Quoting:
Ditto is an extension to the standard windows clipboard. It saves each item placed on the clipboard allowing you access to any of those items at a later time. Ditto allows you to save any type of information that can be put on the clipboard, text, images, html, custom formats, ...
Interesting features:

  • Keep multiple computer's clipboards in sync (encrypted)
  • It has a portable installer.


TBC: how does it stack against ARS Clip?


Requirements: Requirements Types (Functional, Non-Functional)

Requirement types are a useful categorization for your requirements catalog. There are several classifications and literature about the subject.
The following requirement types were identified according to European Space Agency (ESA) “Guide to the software requirements definition phase”.

FUNCTIONAL REQUIREMENTS

A function is a “defined objective or characteristic action of a system or component” and a functional
requirement “specifies a function that a system or system component must be able to perform”. Typically we will be describing functionality (features) with functional requirements at first. Then comes "the rest": Non-functional requirements.

NON-FUNCTIONAL REQUIREMENTS

  • Performance Requirements specify numerical values for measurable variables used to define a function (e.g. rate, frequency, capacity, speed and accuracy). Performance requirements may be included in the quantitative statement of each function, or included as separate requirements.
  • Interface Requirements specify hardware, software or database elements that the system, or system component, must interact or communicate with. Interface requirements should also be classified into “internal” and “external” interface requirements, depending upon whether or not the interface coincides with the system boundary.
  • Operational Requirements specify how the system will run (i.e. when it is to be operated) and how it will communicate with human operators (e.g. screen and keyboards etc.). Operational requirements may describe physical aspects of the user interface. Descriptions of the dialogue, screen layouts, command language styles are all types of operational requirements.
  • Resource Requirements specify the upper limits on physical resources such as processing power, main memory, disk space etc. They may describe any requirements that the development or operational environment place upon the software. A resource requirement should state the facts about the resources, and not constrain how they are deployed.
  • Verification Requirements constrain the design of the product. They may do this by requiring features that facilitate verification of system functions or by saying how the product is to be verified.
  • Documentation Requirements state project-specific requirements for documentation, in addition to those contained in Software Configuration Management Plan. The format and style of the Interface Control Documents may be described in the documentation requirements, for example. Documentation should be designed for the target readers (i.e. users and maintenance personnel).
  • Security Requirements specify the requirements for securing the system against threats to confidentiality, integrity and availability. They should describe the level and frequency of access allowed to authorised users of the software. If prevention against unauthorised use is required, the type of unauthorised user should be described. The level of physical protection of the computer facilities may be stated (e.g. backups are to be kept in a fire-proof safe off-site).
  • Portability Requirements specify how easy it should be to move the software from one environment to another. Possible computer and operating systems, other than those of the target system, should be stated.
  • Quality Requirements specify the attributes of the software that make it fit for its purpose. The major quality attributes of reliability, maintainability and safety should always be stated separately. Where appropriate, software quality attributes should be specified in measurable terms (i.e. with the use of metrics).
  • Reliability Requirements relate to the “the ability of a system or component to perform its required functions under stated conditions for a specified period of time”. The reliability metric, “Mean Time Between Failure” (MTBF), measures reliability according to this definition.
  • Maintainability Requirements relate to the “the ease with which a software system or component can be modified to correct faults, improve performance or other attributes, or adapt to a changed environment”. All aspects of maintainability should be covered in the specification of the maintainability requirements, and should be specified, where appropriate, in quantitative terms.
Source: Requirements Standard (INTERNAL) and ESA.

DIGEST: And the fresh LAST links are...

And the last fresh links are indeed these ones:

The productivity Dept. (send me your suggestions, please): 

Additional info on SW Requirements / Requirements Analysis:
  1. http://silvaonsoftware.blogspot.pt/2016/05/process-software-requirements-team.html
  2. See your QMS "requirements standard" (INTERNAL; includes best practices and conventions). 
  3. Read books on the subject and related subjects: Requirements analysis, requirements engineering, business process analysis (a broader topic), writing god requirements. "Google" and/or "Amazon" them.
  4. Writing good requirements paper here (PDF)
  5. Requirement types: http://silvaonsoftware.blogspot.pt/2016/11/requirements-requirements-types.html

About SW Design / Architecture (and security as well as performance, quality attributes of architectures):
Security topic and the embedded link to the Check List repository:
  1. http://silvaonsoftware.blogspot.pt/2016/05/sw-design-security-as-design-quality.html
  2. http://silvaonsoftware.blogspot.pt/2016/07/resource-security-is-process.html
  3. http://silvaonsoftware.blogspot.pt/2016/08/security-magic-quadrants-for-mss-remote.html
  4. Slightly off-topic but equally interesting: http://silvaonsoftware.blogspot.pt/2016/11/security-industrial-control-systems.html
Additional info on Design Patterns, Code Smells, Refactoring (already shown but repeated here for reinforcement or whatever you would like me to call it): 
  1. Design patterns: "The index" in Wikipedia is here
  2. Several books, also called "bibles": The GOF book as well as Code Complete 2
  3. Another interesting resource is sourcemaking.com (Design Patterns, Anti-Patterns and Refactoring / Code Smells).
Performance (but not only) topic:  

Additional resources for SW construction:
  1. Static Analysis: 
  2. http://silvaonsoftware.blogspot.pt/2016/05/tools-source-monitor-static-analysis.html
  3. http://silvaonsoftware.blogspot.pt/2016/05/tools-static-analysis-tools-listing.html
  4. http://silvaonsoftware.blogspot.pt/2016/10/sw-construction-static-analysis-tools.html

Additional resources for SW Testing:

The Agile Dept.: 
Agile additional info including the Agile state of scrum report, info on Product vision statements rationale and examples, and additional tools as well as books. You will not die without a pile of stuff to read if you follow these final links:

  1. Digest 1: http://silvaonsoftware.blogspot.pt/2016/09/starting-learning-agile.html
  2. Digest 2: http://silvaonsoftware.blogspot.pt/2016/07/index-agilescrum-index-of-useful-links.html
  3. Digest 3 (ufff): http://silvaonsoftware.blogspot.pt/2016/10/digest-agilescrum-links.html
  4. BOOK http://silvaonsoftware.blogspot.pt/2016/08/mr-scrum-wrote-yet-another-book-scrum.html
  5. The Product Vision "art": http://silvaonsoftware.blogspot.pt/2016/06/about-product-vision.html

And so on. So they say. Happy reading!

(@2017-06-06: fixed req.std.url)

SW Testing: List of 105 Software Testing Tools to Meet Your Testing Objectives - DZone Web Dev

One huge list of software testing (but not only) related tools, FFR:

List of 105 Software Testing Tools to Meet Your Testing Objectives - DZone Web Dev




Security: Industrial Control Systems (2016, PDF, Report)

Interesting report on the security of Industrial Control Systems (ICS), FFR:

Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
2016 Industrial Control Systems (ICS) Vulnerability Trend Report


TOOLS: NewFileGo (productivity tools - File watcher task runner)

From the same supplier of ARS Clip (Clipboard Manager), the NewFileGo is another important productivity enhancer, allowing you to perform a task every time a file appears on a certain location.
For repetitive tasks it's the dream of everyone.

NewFileGo can be downloaded here:
http://www.joejoesoft.com/vcms/170/

FFR

TOOLS: ARS Clip cliboard manager (productivity tools)

ARS clip is THE free, open source (mainly windows-based) clipboard manager: http://www.joejoesoft.com/vcms/97/

Quoting:
ArsClip is a freeware "clipboard manager" utility. ArsClip monitors the clipboard and keeps track of the entries. Pasting is done by using a triggered popup window. This window can be triggered by a hotkey, holding right-click, a special trigger window, and other methods.
ArsClip used to be barebones, but I think I can safely say that it has become a nicely featured and highly configurable program, due to user feedback. The program now specializes in copy-and-paste automation tasks.
Delphi XE2 source code included
Features
- Permanent Clips/Macros for copying and pasting automation 
- Picture, RichText, File Copy, Unicode, HTML support
- Highly configurable
- Win7 Jumplist support
- Optional Clipboard Bar -- clipboard viewer
- Optional Global Clipboard to shares clips with other Windows and Android devices 
Requirements
This program requires no installation, but an optional setup program is included. Supported on Windows XP through Windows 10.

Interesting features include:
- Shortcut to recent items as a context menu (Ctrl+Shift+Z)
- Permanent items
- Persistence between restarts
- Stripped down format paste (Ctrl+Shift+V)
- The global shared clipboard (not yet tested by me)

Cons:
- Some minor issues: Slight instability (Windows 8), initial error setting global keyboard hook and some minor problems with OneNote (copied values are always pasted as image in certain apps).

PS. Also from the same supplier, make sure to check a very interesting tool for automating file-based tasks. If you like it, think about making a donation.

TBC: How does is stack against Ditto?

quarta-feira, 9 de novembro de 2016

About long position / titles: Monty Python - Cosmetic Surgery sketch

Everytime I see a long job description like "Senior Security and Software Product Assurance Engineer", I reckon the Monty Python: Cosmetic Surgery sketch:

Quoting:
"(A man sitting behind a desk in a Harley Street consulting room. Close-up of the name plate on desk in front of him. Although the camera does not reveal this for a moment, this name plate, about two inches high, continues all along the desk, off the side of it at the same height and halfway round the room. We start to track along this name plate on which is written:
'Professor Sir Adrian Furrows F.R.S. F.R.C.S. F.R.C.P. M.D.M.S. (Oxon), Mall Ph.D., M. Se. (Cantab), Ph.D. (Syd), ER.G.S., F.R.C.O.G., F. FM.R.C.S., M.S. (Birm), M.S. (Liv), M.S. (Guadalahara), M.S. (Karach), M.S. (Edin), B.A. (Chic), B. Litt. (Phil), D. Litt (Phil), D. Litt (Arthur and Lucy), D. Litt (Ottawa), D. Litt (All other places in Canada except Medicine Hat, B. Sc. 9 Brussels, Liege, Antwerp, Asse, (and Cromer) '.
There is a knock on the door.)"

And this is the video (worthwhile seeing because the title won't fit in the room, so it "curves"):




Do you see what I mean?


segunda-feira, 7 de novembro de 2016

TOOLS: The #StartupStack

Interesting trend and article on the startup stack [software-related tools], i.e. the number of common tools that modern startups use to support them on the most common tasks (like: billing, electronic payments, managing technical work, hiring, etc.).
Modern startups now have these tools for a fraction of the cost it used to cost some years ago...

Details on the Startup Stack:
Happy readings! 


SW Construction: Clean Code vs Dirty Code? Good Code vs. Bad Code?

- Discussing the sex of angels.
Could it be the answer to what the question "What is clean code"? Guess not.

The "Clean Code" book author and SW Engineering guru Robert C. Martin asked some other software well-known and deeply experienced programmers what they thought about it. Who are those people?

- Bjarne Stroustrup: inventor of C++ and author of The C++ Programming Language.
- Grady Booch: author of Object Oriented Analysis and Design with Applications.
- Dave Thomas: founder of OTI, godfather of the Eclipse strategy.
- Mike Feathers: author of Working Effectively with Legacy Code.
- Ron Jeffries: author of Extreme Programming Installed and Extreme Programming in C#.
- Ward Cunningham: inventor of Wiki, Fit, coinventor of  eXtreme Programming, Motive force behind Design Patterns, Smalltalk and OO thought Leader. The godfather of those who care about code.

If you don't know them [and are interested in building better/cleaner code] maybe it's time to start following them and/or reading to whatever books or initiatives they have been involved in (some of those are listed above).

If you want to know their answers and what the Robert C. Martin "school of thought" thinks about it (to the point of writing an entire +400 pg. book on the subject) maybe you should read the book (Amazon link here).

sexta-feira, 4 de novembro de 2016

TOOLS: SQL Clients AKA DB Tools

A SQL client is, as the name indicates, a client for a SQL Relational Database Management System (RDBMS). It can help you manage (create, read, modify/update, delete) DBs.
Some kind of administration tool is available with each RDBMS (you could have it installed on your computer or only on the server). But sometimes you'll have productivity gains if you use a multi-DB client because using the same SW user interface you will be managing several different DB engines / instances.

Examples of DB Tools include: Aqua Data Studio (Windows, proprietary - this one scripts data into DML SQL statements)Squirrel SQL Client (open source, java-based).

A comparison of DB tools can be found - where else? - in Wikipedia so choose one according to your requirements (and that might be shaped by your budget): 
https://en.wikipedia.org/wiki/Comparison_of_database_tools


For SQL Server, as per 2016-11: 
SQL Server Management Studio (SSMS)
https://msdn.microsoft.com/en-us/library/mt238290.aspx 
SQL Server Management Studio Express

https://technet.microsoft.com/en-us/library/ms365247(v=sql.105).aspx
And a related download - SQL Server 2016 Express (the free DB engine):
https://www.microsoft.com/en-us/download/details.aspx?id=52679


(Updates: @2016-11-08: MS SQL Server example links)

Modelling: EA initial management tasks

Some common management tasks for EA (to be performed by the EA UML repository manager, which could be the Technical Manager of your project) include:

Activate Security - Turn on the option that allows you to define who alters what part of the model and who does not (lock, unlock):
http://www.sparxsystems.com/enterprise_architect_user_guide/8.0/projects_and_teams/usersecurity.html

Managing Users - Create profiles, users belonging to profiles and defining permissions for those:
http://www.sparxsystems.com/enterprise_architect_user_guide/8.0/projects_and_teams/managingusers.html

Import Users from Active Directory - Integrating existing (e.g. domain) users into EA 
http://www.sparxsystems.com/enterprise_architect_user_guide/8.0/projects_and_teams/import_user_ids_from_active_di.html

Initial EA Scripts - The DB schema that has to be loaded into the SQL DB initially: 
http://silvaonsoftware.blogspot.pt/2016/10/ea-initial-scripts.html


(@2017-06-23: Minor rephrases)

quinta-feira, 3 de novembro de 2016

RESOURCE: "How To Write Unmaintainable Code" (PDF)

Do you like learning while laughing? If so you'll like to read "How To Write Unmaintainable Code". Remember that this is irony and that you'll earn enemies for life if you follow this through.

quarta-feira, 2 de novembro de 2016

Stop and smell the... Code

Code Smells? Sometimes the code smells. So should we stop and smell the roses, or shall it be the code?

Quoting Martin Fowler:
"One of the nice things about smells is that it's easy for inexperienced people to spot them, even if they don't know enough to evaluate if there's a real problem or to correct them. I've heard of lead developers who will pick a "smell of the week" and ask people to look for the smell and bring it up with the senior members of the team. Doing it one smell at a time is a good way of gradually teaching people on the team to be better programmers." (Source: http://martinfowler.com/bliki/CodeSmell.html)

More info:
https://en.wikipedia.org/wiki/Code_smell
http://mikamantyla.eu/BadCodeSmellsTaxonomy.html
https://blog.codinghorror.com/code-smells/

A good reference resource (and a company providing consulting services) here: https://sourcemaking.com/refactoring/smells

segunda-feira, 31 de outubro de 2016

SW Construction | Static Analysis: Tools and more tools (FFR)


Yet another examples of static analysis tools (for source code metrics collection, understanding projec: 

quinta-feira, 27 de outubro de 2016

The importance of... writing

The importance of writing well can never be over-stressed. And I am not talking of code, I am talking of code comments, and even more importantly, of deliverable documents (proposal documents, technical baseline documents, user and / or administration manuals, meeting minutes, etc.) as well as formal communications.

We're talking of "proper" English (or whatever language you have to write on - I am not a native English speaker but I have had for several years to work in English). If you don't do it, your customers might think you're an amateur, unprofessional person and might run away from your... software (which is a curious thing).

There are good resources on how to write better, you might be interested in researching and subscribing to them (if applicable):

- One example of a quick recap you can find in the WWW:
Use of capital letters:
http://wmgroup.cmail2.com/t/ViewEmail/i/941747E3A36E00D2/5A0433250211844FC5EC08CADFFC107B

Doubled consonants:
https://en.wikipedia.org/wiki/American_and_British_English_spelling_differences#Doubled_consonants

- More and in "small doses" like the above (to learn a little bit at a time, as it typically works better): https://twitter.com/thewmgroup/status/695639693795446787?lang=bg


@2016-11-04: Added consonants topic

SW Construction: Let's do it like they do it on space? | NASA Coding Conventions

So I remembered that some (oldie but for sure goldie) coding conventions are freely available from NASA JPL, several languages available:
https://www.google.pt/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=nasa%20jpl%20coding%20standards

FFR. But meanwhile you can start applying it (and doing "IT" like they do it on - i,e. for - space)

SW Construction: MVC Design Patterns (and related patterns | .Net)

Here are some MVVM, ASP.Net MVC resources, with something for the ones liking it on a video format:

ASP.Net MVC (Model-View-Controller):



MVVM (Model-View-View-Model):



MVP (Model View Presenter):

Remember to keep on checking the Channel 9 Videos as well as the Microsoft Virtual Academy.

quinta-feira, 20 de outubro de 2016

Software Construction: Scripting with Python

Every programmer shall have in its tricks bag competencies in some kind of scripting language. Along the way you'll have to know a way of automating repetitive tasks to save you and your team time (while building, deploying, testing, etc.).

Good candidates include Python (do you agree on that?): It's said to be simple and fast to learn as well as free:

  1. https://www.python.org/
  2. http://www.astro.up.pt/~sousasag/Python_For_Astronomers/Python_qr.pdf (cheat sheet)
  3. https://perso.limsi.fr/pointal/_media/python:cours:mementopython3-english.pdf (cheat sheet)
  4. http://lifehacker.com/keep-this-python-cheat-sheet-on-hand-when-learning-to-c-1655521825 (cheat sheet)
  5. http://www.tecmint.com/the-truth-of-python-and-perl-features-pros-and-cons-discussed/ (Perl vs Python)


BOOK: Clean Code | Robert C. Martin

So, another good book on how to write good (clean) code to keep in mind is Robert C. Martin's "Clean Code: A Handbook of Agile Software Craftsmanship":

https://www.amazon.com/Clean-Code-Handbook-Software-Craftsmanship/dp/0132350882

Quoting:
"Even bad code can function. But if code isn’t clean, it can bring a development organization to its knees. Every year, countless hours and significant resources are lost because of poorly written code. But it doesn’t have to be that way.

Noted software expert Robert C. Martin presents a revolutionary paradigm with Clean Code: A Handbook of Agile Software Craftsmanship . Martin has teamed up with his colleagues from Object Mentor to distill their best agile practice of cleaning code “on the fly” into a book that will instill within you the values of a software craftsman and make you a better programmer—but only if you work at it.

What kind of work will you be doing? You’ll be reading code—lots of code. And you will be challenged to think about what’s right about that code, and what’s wrong with it. More importantly, you will be challenged to reassess your professional values and your commitment to your craft.

Clean Code is divided into three parts. The first describes the principles, patterns, and practices of writing clean code. The second part consists of several case studies of increasing complexity. Each case study is an exercise in cleaning up code—of transforming a code base that has some problems into one that is sound and efficient. The third part is the payoff: a single chapter containing a list of heuristics and “smells” gathered while creating the case studies. The result is a knowledge base that describes the way we think when we write, read, and clean code.

Readers will come away from this book understanding
How to tell the difference between good and bad code
How to write good code and how to transform bad code into good code
How to create good names, good functions, good objects, and good classes
How to format code for maximum readability
How to implement complete error handling without obscuring code logic
How to unit test and practice test-driven development
This book is a must for any developer, software engineer, project manager, team lead, or systems analyst with an interest in producing better code."

Table of Contents 

Clean code
Meaningful names
Functions
Comments
Formatting
Objects and data structures
Error handling
Boundaries
Unit tests
Classes
Systems
Emergence
Concurrency
Successive refinement
JUnit internals
Refactoring serialdate
Smells and heuristics
Appendix A: Concurrency II
Appendix B: Org.jfree.date.serialdate
Appendix C: Cross references of heuristics
Epilogue.

segunda-feira, 17 de outubro de 2016

DIGEST: Agile/Scrum links

Agile / Scrum recent relevant links include:
Additional resources related to Agile / Scrum:
The Tools Dept.: 
(Updated: 2016-10-20, PT BR link; minor rephrases; 2016-11-24: link to summary and minor rephrases; 2017-06-06: actionable book)


TOOL: Online Task Boards - Trello Tour

An online task board implementation so that we can leave those post-its/magnetic cards off the wall/board (when doing Agile / Scrum or even Kan Ban). Use a tool to support you on that such as Trello:



PS: Kudos to André Martins for pointing this out. Also make sure to check additional tools for remote teams collaboration here and here (sococo).




quinta-feira, 13 de outubro de 2016

Intermission: Git (the slang and the GBCS tool)

As per Wikipedia:
"Git is a mild pejorative with origins in British English for an unpleasant, silly, incompetent, stupid, annoying, senile, elderly or childish person. It is usually an insult, more severe than twit or idiot but less severe than wanker, arsehole or twat.
The word git first appeared in print in 1946, but is undoubtedly older. [citation needed] It is originally an alteration of the word get, dating back to the 14th century.[citation needed] A shortening of beget, get insinuates that the recipient is someone's misbegotten offspring and therefore a bastard. In parts of northern England, Northern Ireland and Scotland get is still used in preference to git; the get form is used in the Beatles song "I'm So Tired". [citation needed]
The word has been ruled by the Speaker of the House of Commons to be unparliamentary language.
The word was used self-deprecatingly by Linus Torvalds in naming the git source control package."
Source: https://en.m.wikipedia.org/wiki/Git_(slang)


I also have some (fun) words to say on Git:
The GB smart metering initiative is called Great Britain Companion Specification (GBCS) and there's a well known Portuguese company heavily involved in it (although that is not much publicized). One of the tools was called GFI (Git For Industry) and this is a quote from "Smart Metering for Dummies - CGI" that refers to it, as well as to the unfortunate choice of name.
But if Linus did it, why not other? 

Quoting:
"In an attempt to accelerate development of devices in the absence of a DCC environment, the DCC has commissioned Critical Software to modify a tool previously developed to validate GBCS (the unfortunately named GBCS Interface Testing, or GIT for short). The modified tool, GIT for Industry (GFI) will allow device manufacturers to generate ‘gold standard’ GBCS commands on a ZigBee HAN to which they can connect and test their devices. By the time you read this, the first version of this tool should have been released and we should be well into a series of seven GBCS Test Events organised by the DCC for budding device manufacturers to come along and test out their devices against GIT."

Quoting:
"Parse and Correlate Provider: The Parse and Correlate (P&C) Provider is responsible for
developing the software application used by DCC Users to convert GBCS (the protocol used by the DCC to talk to smart devices) into DUIS (the protocol used by DCC Users to talk to the DCC). P&C also checks that the DSP has done its job correctly when translating critical commands (really important ones) into GBCS (the correlate bit of Parse and Correlate).
This will all make much more sense when you’ve read Chapter 4 (trust me). Critical Software was appointed P&C Provider on 29 April 2014 under a three‐year contract with the option of two one‐year extensions."

The PDF can be found here (requires registration): https://www.cgi-group.co.uk/smart-metering-for-dummies

About GBCS: https://www.gov.uk/government/consultations/smart-metering-implementation-programme-the-process-to-finalise-the-great-britain-companion-specification

(@2016-10: additional text, quote)

INDEX: About Project Plans - The Hitchhiker's Guide to the Galaxy (of QMS / SDP Project Plans)

The Short Story


Plans, plans, plans… 

Q: What kind of initial QMS / SDP-related documentation should it be created at project start (also called Kick-off)?
A: "Some" plans. 

Plans, allow us to plan (which by the way everyone should do) and after approval, allow us to monitor and control the project execution against those same plans. PMs are responsible to approve them even though sometimes they will delegate their creation and maintenance to the TM and/or the most experienced SPAE (Software Product Assurance Engineer) in the team.

What plans are we talking about? The project Plan (and the related detailed plan), the QAP, the CMP, …
You'll hear of even more plans (depending on the standards we are being compliant with). Mainly it has to do with the fact that for some standards we have to plan even further (and deliver those plans so that the contractor knows how we plan - and later on, double check the execution of tasks in the plan, through the inspection of produced evidences). Examples of such standards are the ESA standards (ECSS, for space development), DO-178 (for airborne systems), CENELEC 50126 (for railway applications), and so on. 
Examples of those include:
  • Software Verification Plan (SVP)
  • Software Validation Plan or (the mix of both):
  • Software Verification and Validation Plan (SVVP)
Another PA-related artifact is the PA Log book (sometimes called SPAE Logbook). 
And Agile/Scrum projects use yet another log book: The sprint retro logbook.

What is the purpose of those main SDP plans? 
What are their goals , when are they created, when should they be updated?

Before starting, one important thing to remember is the fact that there should be a public list of QMS Process Owners (PO) and some backups for that role (called Process Representatives - PRs).

The (Very) Long Story


In order to know more about each artifact, the following "sequence of steps" is recommended:
  • Read one entry in the final table below; from there you get to know the QMS process to where it belongs;
  • Open the QMS Process and browse (at least) the main activities there described (typically there is only a single table/slide per process activity).
  • The plan/artifact in question should be an artifact of this process you've just opened and if not, it is because it probably is just updated by this process. It could be an AD of the process or not - you can check it at the end of the process document.
  • Open the template for the artifact (or the provided samples - if any), and scan read its contents. If some concrete examples are available also scan them. Google can also find them.
  • Read the associated guidebooks (or the instruction sheets in the spreadsheet files).
  • During this process, remember to list your questions / open issues so that in the end you can always go to the PO (or as a last resource the QD) and solve them.
  • The one million dollar final questions to answer are:
    • Am I able to create these documents from scratch?
    • Am I able to understand them and extract the needed information for the activities/tasks I will be performing for the project?
    • Do I know who to talk to in case of doubt (who is the doc owner? Who are the PO/PRs)?

INDEX: Plan / Artifact
Templates / Examples / Additional Relevant Docs
Templates
(Docs from MT)
<<master template -- Quality Assurance Plan.docx>>
<<master template -- Product Assurance Report.docx>>
<<master template -- Int. Configuration Management Plan.docx>>
<<master template -- Configuration Management Plan.docx>>

Templates
(Spreadsheets)
<<internal QAP pre-tailored -- CSW-QMS-2013-TPL-00997-rd-pre-tailored-qap.xltx>>
<<internal QAP -- PA Process -- CSW-QMS-2009-TPL-04681-quantitative-qap.xltx>>
<<CSW-QMS-2014-TPL-01088-sprint-retrospective-workbook.xltm>>
<<CSW-QMS-2007-TPL-0112-configuration-items-list.xltm>>
<<CSW-QMS-2006-TPL-1126-spae-log-book.xltm>>

GBKs
<<CSW-QMS-2014-GBK-01269-agile-guidebook.pdf>>
<<CSW-QMS-2012-GBK-04055-crucible-guidebook.pdf>>
<<CSW-QMS-2012-GBK-02170-research-development-projects-tailoring.pdf>>
<<CSW-QMS-2010-GBK-04838-review-report-macro.pdf>>
<<CSW-QMS-2009-GBK-04120-wise-project-module-guidebook.pdf>>
<<CSW-QMS-2009-GBK-03894-project-milestones-meetings.pdf>>
<<CSW-QMS-2009-GBK-03591-qap-how-to.pdf>>

Relevant Trainings
<<project-management-practices-at-csw-internal-training.pptx>>
<<CSW-QMS-2016-PRS-00605-QMSVerificationProcess2016DocumentandCodeR.pptx>>
<<CSW-2015-PRS-00614-managing-baselines-and-change-control-tracking.pptx>>
<<CSW-QMS-2015-TPL-00368-excel-project-tips-tricks.pdf>>




Artifact / Work Product (Plan)
Who is mostly involved
QMS Process / Doc. Level
Main Purpose
Artifact Doc Format / Tool
Generated by MT?
Example Doc. / Link
Associated Template and/or GBK / HOW-TO
More info (when to create, update and AOB)
AOB
Master Project Plan
PM
PM Process (MAN.1)
High-level plan (Gantt chart with the main WBS of the project (similar to the one produced for the estimation sum-up sheet if created during proposal elaboration);

Relevant topics and uses for this artifact include: high level view of ptoject activities (overall view); end project date determination;  resource balancing; critical path analysis; effort and cost estimation (use of PERT estimation techniques  -Best Case Scenario, Expected Case Sc., Worst Case Sc.)…
MS Project (.mpp, etc.)



For each project, the WISE export can be opened in MS Project: https://wise.critical.pt/wiseweb/projects/ExportProjectFile.action?id=7439
For MS Project planning tool info, tips and tricks, see training: https://my.critical.pt/humanresources/Documents/CSW-QMS-2015-TPL-00368-excel-project-tips-tricks.pdf
Should be always kept up to date (acc. To CRs/CCNs, approved changes to schedule, …); uploaded to "WISE Projects"; V1 ready at KOM (based on info from PRL, if existent)
Previously: There were ECS and ASD master plan templates as QMS artifacts.

A guide for the "WISE Project Module" (covering EVM indicators, managing baselines and more) can be found here:
Detailed Project Plan
Typically: PM/TM
PM Process (MAN.1)
Used for detailed planning (day to day tasks, concrete resource allocations, % progress…)
MS Project (.mpp)

Optional: Created if a finer planning and control is needed (by the TM): details the Master Plan (and could be used to report %s progress for each task and calculate overal % progress, etc.)
N/A
Updated weekly (with progress)

External QAP
SPAE (PM typically delegates)
Software Product Assurance Process (MAN.8)
A written statement on how we intend to perform QA activities (i.e. how will the QMS apply to the project). 
For instance: Describes the QA aspects of verification including
  • Review activities to be performed
  • Transition criteria for review activities

The external QAP is a doc; The internal QAP is a XLS (see entry in this table).
MS Word (Master template, template ID = TBD - empty at MT at the moment, reported PROCIMP-819);
Yes
See template TOC.
See template and "fill in the blanks";

Optional: If DL, it is created at KO; tailored with the QD (in case of doubt)
Note: This document could not be requested by the customer as deliverable (DL).
Internal QAP
SPAE
Software Product Assurance Process (MAN.8)
XLS that includes all process tailorings: e.g. Verification Process tailoring

Includes a record of all tailoring decisions e.g. How will verification be performed (e.g. will the project do code reviews?)? Validation? Reqs, Design and SW Construction?
Spreadsheet (see template ids at right)
No
See spreadhseet contents.
See XLS template:


Also see the QAP GBK (link above)
Same as Ext. QAP
Old Ids:
CSW-QMS-2003-TPL-2570 (EN),
CSW-QMS-2004-TPL-2755 (PT)
CMP (External Config. Mg. Plan)
Typically: CM (Project Role; PM assigns this role to a team member)
CM Process (SUP.2)
A written statement on how we intend to do  Config. Management (activities).
This document is optional but if done typically is to be delivered to the customer; this doc  consolidates info in a single document some information already stated in other internal docs such as the ICMP, QAP, CIL, …

MS Word (Master template, template ID = CSW-QMS-2004-TPL-0234)
Yes
See template contents; check list contents
See template(s) and "fill in the blanks";



Optional: If DL, it is created at KO and kept up-to-date during the project (CRs/CCNs could impact this DL);
Note: This document could not be requested by the customer as deliverable (DL).

Template Variants: External and Internal; pre-tailored for certain life cycles: See doc list.

EN
[CSW-QMS-2004-TPL-0234]
{CMP}
Configuration Management Plan (CMP)
EN
[CSW-QMS-2006-TPL-3196]
{CMP}
Internal CM Plan (ICMP)
EN
[CSW-QMS-2013-TPL-01989]
{CMP}
Internal Maintenance Pre-Tailored CM Plan (ICMP)
EN
[CSW-QMS-2013-TPL-00995]
{CMP}
Internal R&D Pre-Tailored CM Plan (ICMP)

Internal CMP (ICMP)
CM (project role)
CM Process
The ICMP is a simpler document (when compared to the CMP) that includes the CM process tailoring decisions (what activities in the CM process are to be performed and what are not and with what formality and frequence) and the CM strategies (such as check-up strategy, build, baseline, tagging and branching strategies); it specifies the conventioned text for the TAGs to be applied at certain moments to the Version Control System (VCS).
MS Word (Master template, template ID = CSW-QMS-2006-TPL-3196; pre-tailored templates: CSW-QMS-2013-TPL-01989 (Maintenance); CSW-QMS-2013-TPL-00995 (R&D)
)

Yes
See template TOC and pre-tailored templates.
See above

As seen above, there are 3 ICMP templates being generated by the MT.
CIL
Typically: CM (PM approves)
Verification Process
Contains the review strategy (usually internal). It list internal and external configuration items under configuration (built from the proposal and including CFIs received from the customer - be it software or hardware, external input docs, etc.) and for the internal, how we plan to do the reviews.
Excel Template: CSW-QMS-2007-TPL-0112
No
See spreadsheet contents; see CM check list contents;


At KO; aligned with the DLs (and outputs) indicated in the PRL;

Typically the CM check list shall be ran before the end of each phase.
Sometimes the CIL info is included in the SVP (Software Verification Plan):
The SVP might be provided by the customer or be required by regulatory standards such as ECSS with the detailed review plan (i.e. while te CIL is typically internal, we could have one additional deliverable, the SVP)
More Project Documents









SPAE Log Book
Most experienced SPAE
SPA Process (MAN.8)
A guide for the performance of Product Assurance activities, including verification check lists before milestones
Excel macro-enabled template:  CSW-QMS-2006-TPL-1226
No

See Milestone meeting prep. GBK:
Created at KO, updated during phases and at least once per milestone

PAR - External Product Assurance Report
SPAE (PM Approves)
SPA Process (MAN.8)
A report with several metrics collected regarding the project execution. Could be requested by the customer as a deliverable.

In case of milestone meetings, the detailed quality verification is performed and the software product assurance report (PAR) is produced, reporting a sum-up of the results. Actions must be created whenever problems are identified and/or when a potential problem is identified. The PAR shall be released for all interested parties (PM and project team, and other departments such as the QD).
 MS Word (Master Template, template ID = CSW-QMS-2003-TPL-1860)
No
See template TOC
See template and "fill in the blanks"
If required: Create one new PAR document per milestone (except KOM).

A guide for milestone meetings (where the PAR contents could be presented) can be found here:

Sprint Retro Log book
Scrum Master / SPAE
Agile Guidebook (to be split in Scrum/Agile Development SDP)
A book to support sprint retrospectives (which is one of the last events to take place in a Scrum/Agile sprint), with some macro integrations to speed up the collection and display of agile metrics, as well as sheets to collect lessons learned and perform action management from them...
Excel template: CSW-QMS-2014-TPL-01088
No
See spreadsheet contents
See template, namely the instructions sheet: