Who’s On Phirst

Official blog of Phurnace Software.

Archive >> January 2009

Posted by: Robert Reeves on

If you ever watch “Pimp My Ride” you can relate to this statement: "We heard you liked frameworks so we put a scripting framework on top of your application server so you can write code while you write code." During every episode of “Pimp My Ride”, Xzibit will install something into the now pimped ride that is relevant to something the owner enjoys doing. The one episode I saw had him installing turntables and a mixer in a hatchback because the car owner was an aspiring DJ. It made me think about those of you that want a scripting framework. It seems just as ridiculous.

In my last blog posting, I said that scripting was bad and you should just stop. The most common reasons why most Java EE admins still script include job security, hacking scripts for hacking’s sake, and inability to effect change in your organization.

Frankly, these are absolutely horrible reasons to script. But, I’ve seen something worse than scripting: script frameworks.

First, I want to point out how absolutely ridiculous it is to purchase or build a scripting framework in the first place. First, the entire reason you are using a Java Application Server is because it cuts down on the code you have to write. For example, back in the day, you had to create your own security, persistence, messaging, you-name-it framework. With Java EE, you don’t need to do that. It’s built into the API and Application Server for you. But, because of the configuration headaches, you are simply reintroducing any costs that were saved by writing less code. Shame on you for trading one headache for another.

Second, the idea of writing code that does not generate revenue or cut costs is just bad business. Think of it like this: why do construction companies rent scaffolding and not just buy it? Because it’s not their core competency. Managing, constructing and breaking down scaffolding will never make money for a construction company. But, it’s necessary for other revenue-generating tasks, like brick laying or façade work. So, there is no reason to have scaffolding techs on duty when an outside company can provide better resources than the construction company can. So, construction companies use an outside scaffolding company not only to deliver the scaffolding to the job site, but also to provide support for maintenance, reconfiguration or final pickup.

Look, times are rough. The tech industry is getting hit hard by layoffs. However, if you think that you will be the last one laid off because of your position as the Script Guru, you are mistaken. I would argue that you might be the first; here’s why. Companies that are exposed to Phurnace for the first time immediately start doing calculations on how they become more effective and efficient with Phurnace. Typically, that will mean utilizing the existing resources to perform more tasks with fewer resources. We see new customers begin tasking their resources with larger levels of responsibility. This could include the updated disaster recovery plan that has been languishing, or the upgrade to WAS 7 everyone wants because WAS 5.1 support is now costing so much more than in the past. But, if you have been simply the “Script Monkey” for the past several years, your kung-fu is rusty.

If you really want to stand out, offer your manager an alternative to scripting. Provide an ROI model that shows how adopting Phurnace Deliver can save your company hundreds of thousands of dollars yearly. Show how the time to value is in days, not months.

Of course, that does sound like more work. But, don’t worry; we have account managers that can do that for you. Heck, you can even say it was you that put it together. We promise not to tell.

So, save your company money and save yourself some headaches. Don’t buy into a scripting framework.

In Scripts


Posted by: Pete Pickerill on

In my previous post, “Automatically generate XPath Expressions in Java,” I showed you how you could use Java to automatically generate XPath expressions from a single XML document or a group of XML. So now you have your XML files and the XPath expressions to validate them…but how do you do it?

Below is a sample Java class for verifying your XML using XPath expressions. Enjoy!

In Xpath Expressions, XML


Posted by: Larry Warnock on

Data center automation and transformation are in the news again as CIOs look for ways to cut spending in their companies. A survey recently published reveals that 84% of technology organizations have this on their list to control costs and reduce business risks. From the report: “Today’s CIOs are challenged more than ever to control costs and quickly achieve returns on technology investments. According to the study, respondents named reducing operational costs (31%) as their top driver for 2009 DCT spending. Enhancing security (29%) followed as a close second.”

The survey reports the type of projects companies would implement independently to achieve specific technology goals are:

  • Automation – 64%
  • Green IT – 60%
  • Operations management – 59%
  • Virtualization – 59%
  • Business continuity – 58%

An important point on automation that I need to make: Automation of tasks or individual projects can be addressed without embarking on a major IT re-architecture campaign. This is why, I believe, automation is ranked so high. Small and manageable steps may be taken in this area even while IT staffs are stretched or even reduced.

Deployment automation is the most likely place to start. Customer-facing applications are even more important during these tough economic times and they must be maintained and updated. Automating this process and getting customer applications moved out into production quicker and with fewer errors makes so much sense, and it will be a driver for reduced costs.

Please read the survey results; your peers have identified the cost savings opportunities. Consider it friendly advice; advice worth taking.

In Data Center Automation


Posted by: Larry Warnock on

I am including a copy of a recent InformationWeek article in my blog this time. The article talks about errors in programming that can lead to security breaches in applications. Apparently a government-sponsored software assurance initiative has been formed. This is positive news in our fight for cyber security. I personally believe that the threat of a coordinated cyber attack is as likely as another 9-11 type physical attack. A large scale cyber attack could cause serious disruption of business and worsen this already stagnant economy. I urge all IT organizations to look into their development practices and at their applications to assure that they are secure. The IW article points out common areas that are vulnerable. This must be a priority for IT executives today.

Although it may not be politically correct in some circles to openly declare that our civilization is under attack, I will say that it is. There are organized and often state-sponsored enemies of western civilization that have made it their mission to disrupt or destroy our way of life. The battlefront is varied and it is dynamic. Cyber security should be of concern to all of us. Think of it as a vulnerable and exposed “supply line” that is analogous to the supply lines that stretched far behind battlefields of old. Those supply lines could be attacked and cut off, therefore limiting a force’s ability to function. The analogy holds true for cyber lines today. We are exposed.

It is not just about firewalls and filters, but it is about HOW code is written and HOW it is deployed. Errors can be dangerous. Not just frustrating, but downright dangerous. You should remove as many errors from your processes as possible. My advice to IT managers is to spend time and resources eliminating errors. Not only will it save your company money, but it could be an active defense for ALL of us.

InformationWeek Article:
By Thomas Claburn
Jan. 12, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=212701491

25 Most Dangerous Programming Errors Exposed

By publicizing these common programming errors, the participating organizations hope to make software code, and by extension the nation's cyberinfrastructure, more secure.

Experts from more than 30 U.S. and international cybersecurity organizations plan to disclose the 25 most dangerous programming errors on Monday, at a media event in Washington, D.C.

The CWE/SANS Top 25 List was compiled with help from organizations and individuals including Apple, CERT, Microsoft, Oracle, Red Hat, and Symantec, to name a few. It is managed by The SANS Institute and Mitre, and funded by U.S. Department of Homeland Security's National Cyber Security Division and the U.S. National Security Agency, both of which also contributed to the development of the list.

CWE stands for Common Weakness Enumeration, a government-sponsored software assurance initiative.

By publicizing these common programming errors, the participating organizations hope to make software code, and by extension the nation's cyberinfrastructure, more secure. Just two of these errors led to more than 1.5 million security breaches in 2008, according to the groups.

"This activity is an important first step in managing the vulnerability of our networks and technology," said Tony Sager, director of the Vulnerability Analysis Office at the National Security Agency, in a statement. "We need to move away from reacting to thousands of individual vulnerabilities, and focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. This allows us to then target improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where we can solve them at large scale and cost-effectively."

The hope is that the errors list will serve four major purposes: To make software more secure for buyers by requiring that vendors certify their software is free of these top 25 errors; to incorporate awareness of these errors into software testing tools; to provide information necessary for educators to teach more secure programming techniques; and to provide a guide for employers to determine the abilities of programmers to write code free of these errors.

"The first two errors on the Top 25 are improper input validation and improper output encoding, and they earned the top rating for good reason," said project editor Steven Christey of Mitre in a statement.

"In 2008, hundreds of thousands of innocent, and generally trusted, Web pages were modified to serve malware by automated programs that burrowed into databases using SQL injection," he said. "The attack worked because countless programmers made the exact same mistake in their software. In a 2005 incident exploiting these same two errors, a teenager used a cross-site scripting attack to create a worm that hit the profiles of over 1 million MySpace users in less than a day, causing a temporary outage for the entire site."

The Top 25 List consists of three categories of programming errors: Insecure Interaction Between Components (nine errors), Risky Resource Management (nine errors), and Porous Defenses (seven errors). Examples of errors in the respective categories include: CWE-20: Improper Input Validation; CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer; and CWE-285: Improper Access Control.

For the complete list and explanatory information, visit sans.org/top25 or cwe.mitre.org/top25.



Posted by: Wesley Willard on

My family and I took a last-minute New Year's vacation this year to Angel Fire Resort, in New Mexico for a few days of skiing. We drove from Austin to Angel Fire, stopping in Clovis, New Mexico, both going out and coming back. On the way back to Austin, we stopped for a delicious family-style meal at Allen Family Style Meals, in Sweetwater, Texas. If you ever get near this place, you have to stop and try it out, if you like an incredible Southern-style home-cooked meal.

Angel Fire is a great place to ski for both beginners and intermediates, with lots of green and blue runs, most of which are nice and wide. The area had received snowfall during Christmas, and still had a significant base of 40+ inches. The skiing was great, although we did experience wind gusts on the last day of up to 50 MPH. The wind was so strong, in fact, that my daughter was stopped in her tracks while skiing straight downhill! Skiing is something that we enjoy a lot, as it is an activity that all four of us can do together. My kids can handle almost all the greens and blues, and my wife and I can ski all the greens, along with some of the blues. This gives us a wide enough range of courses to try, to avoid boredom of doing the same runs over and over.

We have been skiing to New Mexico at least once a year since 2003, but the last couple of times have been particularly enjoyable, as my wife and I have discovered the joy of parallel turn skiing. Previously, we sort of muddled through by using the "wedge", or snowplow turn technique, which is effective for easy runs, but less effective for steeper courses. Wedging down a hill is also hard on the inside of the knees, as they are under almost constant strain. Skiing parallel greatly reduces strain on the knees, since the turn is effected by rolling the skis, and shifting your weight from one side to the other. When skiing with the parallel turn, the moment of truth for me is when you come out of the turn, pointing your skis downhill in order to begin setting up for the next turn. To me, it is basically a controlled fall down the hill for a couple of seconds, and it doesn't take long to build up speed. While this is a bit frightening for a low-level intermediate skier like myself, it is also exhilarating for that couple of seconds. This process of falling and turning allows you to really control your speed, which is the best way to prevent nasty falls.

This same sort of thing happens in an Agile, iterative software development environment that we practice at Phurnace. The turn is akin to the period of planning that takes place before the iteration, where you control your speed and recover, while the fall downhill is the iteration itself, where you use your speed to make progress in getting down the mountain. Without proper execution of both of these segments, you will most likely end up in an Epic Fail, which can cause injury to both your physical and emotional well-being. On the other hand, non-iterative development is like trying to do that wedge down a steep hill. Since you are in a constant attempt to control your speed, you can't get down the mountain as fast, and inevitably you wear out, unless of course, you have the knees of my ten-year-old daughter.

So, in skiing, or software development, remember, you have to try to fall down the hill, if you are going to make the most efficient effort to achieve your goal.



Posted by: Jessica Gass on

Hello readers, sorry for the lack of new content over the holiday break. We decided to give all of our contributors some time off from writing. We are back now and will have some great content throughout the new year.

On another note, we have a webinar coming up in 2 weeks. I know cost cutting is on everyone's mind so this presentation will discuss how Phurnace can help you find immediate savings in your IT budget.

1/22/09 Webinar - Stop the Scripting and Cut Your IT Spending - Deployment Automation with Phurnace

Date: Thursday, January 22, 2009
Time: 11:00CST
Presenters: Daniel Nelson, Vice President of Products, Phurnace Software

Worried about your IT Budget? You should be. Budgets are being slashed. But there IS a place to find immediate savings. This is the time to learn about Phurnace and deployment automation. Stop the scripting and reduce costs instantly. This webinar will provide an overview of why automation should be used to fill the gap between development and IT operations. We will present Phurnace Deliver™, an innovative software tool that speeds app deployments and automates the configuration of IBM WebSphere®, Oracle WebLogic®, and RedHat JBoss®.

We will also discuss several examples of how customers are putting Phurnace Deliver™ to use. We will explain how companies have implemented a uniform, fully automated build and deployment process without the use of scripts or manual intervention:
  • Preview configuration changes
  • Keep logs of configuration and code deltas
  • Compare configurations across servers
  • Manage the often chaotic process of deploying complex enterprise applications.

Please click here to register.
