Quality, Specification by Example

I have been using Specification by Example (a.k.a BDD, ATDD) for the last couple of years. This has helped bridge the gap between technical people and business people. It has also helped ramp up new members on our team, since we have a living documentation of the system. This isn’t always easy and we’re continuously looking for ways of improving the structure of our BDD specification files. There are some questions that help us spot improvement points:

  • How easy is it to get an overview of what the product does?
  • What are the main business areas of the product?
  • How easy is it to find a specification?
  • How easy is it to find related specifications?
  • How does this feature relate to that feature?
  • If you just point a new joiner to the specifications folder, will she have a decent idea of what the system does?

In this blog post I hope to give you a few tips that might help answer some of these questions. These aren’t new ideas, but I find them pretty effective.

Quality

In a previous blog post we discussed why building the right product is hard and some tips on how to achieve a high perceived integrity. But if you’re building a strategic solution that should support your business for many years, this is not enough. With time, new requirements get added, features change and team members might leave the project. This, together with hard deadlines, means that technical debt starts to accumulate, and the price of adding new features increases until someone says it will be easier to rebuild the whole thing from scratch. This isn’t a situation you’d like to be in, so that’s why it is important to build the product right.

Building the product right

In their book, Mary and Tom Poppendieck define this dimension of quality as the conceptual integrity of a product. Conceptual (internal) integrity means that the system’s central concepts work together as a smooth, cohesive whole.

How can you maintain the conceptual integrity of a product during its lifetime? You rely on communication, short feedback loops, transparency and empowered teams. These are the same principles that can lead to a high perceived integrity. The only difference is that you apply them at an architectural and code level.

Books

Enterprise Integration Patterns by Gregor Hohpe and Bobby Woolf is a seminal book on messaging. Every developer working on messaging solutions should read it. Even though it’s more than 10 years old, the content is still relevant, because the book focuses on patterns and principles and is technology-agnostic. The authors do a good job of describing how you can combine the patterns and of presenting the trade-offs of different approaches.

Books, Security

On my current project we are using OAuth 2.0 and OpenID Connect for securing our Web APIs. I have used OAuth in the past, but OpenID Connect was something new to me, so I decided to get a deeper understanding of these two protocols. In my search for a good book on the subject, I found Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE by Prabath Siriwardena. As the title says, it’s about OAuth and OpenID Connect. But, while I was skimming the book I noticed that it’s about more than that, as it presents the evolution of different security protocols. The book looked promising so I decided to read it and I must say that I have gained a lot from it. It provides a good overview of the most important topics on API security.

Quality

If you ask a hundred developers to define software quality, you’ll probably get a hundred different answers. There are a lot of ways to categorize quality, but one that I find most useful is building the right product and building the product right.

Building the Right Product

First we have to make sure we are building the right product. The most performant and secure product, having the cleanest and most extensible architecture, covered with unit tests and acceptance tests is in vain if nobody uses it.

In their book, Lean Software Development: An Agile Toolkit, Mary and Tom Poppendieck define this dimension of quality as the perceived integrity of a product. Perceived (external) integrity means the totality of the product achieves a balance of function, usability, reliability, and economy that delights customers.

Traditionally, when customers want to build a product, they talk with business analysts and write down the requirements. These documents are then handed over to architects, who then define the high level architecture and pass the design documents down to programmers who start implementing. There’s a gap between each step and as we go through the process, we lose more and more information and our chances of building the right product get slimmer.

Books

Writing good tests is hard. Writing good specifications is even harder. On my current project we treat test code with the same care we treat production code (which should be the norm on all projects), but we could still improve the readability, reliability and maintainability of our test suite.

With this in mind, Fifty Quick Ideas to Improve Your Tests by Gojko Adzic, David Evans and Tom Roden was the perfect choice for our book reading club. I’ve previously read Gojko’s Specification by Example, which really helped me better understand BDD and how to use it in practice, so I had high hopes for this book.

Security

In the previous post we talked about delegated authorization with OAuth 2.0. After the success of OAuth 2.0, many companies tried using OAuth as an authentication method, which has known pitfalls. The main issue is that if a malicious application manages to steal an access token, it can use it to impersonate the user. Many OAuth 2.0 providers modified the OAuth protocol to implement authentication, which made them less interoperable and possibly even vulnerable to impersonation attacks. Since OpenID was an existing standard for federated identity, there was interest in combining these two protocols, so the third generation of the OpenID protocol was built as an OAuth 2.0 extension.

OpenID Connect

OpenID Connect is an identity layer built on top of OAuth 2.0. It specifies a RESTful HTTP API that is interoperable (it uses JSON as the data format), simple, mobile friendly and secure.

Since identity is an overloaded term, OpenID Connect defines identity as a set of claims (attributes) related to an entity (person, service, machine).

Security

Let’s say you’re developing a SOA application. The user interface is a website that needs to be accessible from the public internet. You are using service composition in the UI, so you have JavaScript components from each service deployed in the UI. These components talk with their corresponding Web API over HTTP. Since the Web APIs are public facing, they’re sitting in the DMZ, so you need to secure them. In this blog post series I’d like to give a high level overview about the de facto standard for authorization – OAuth 2.0 and the emerging standard for federated authentication – OpenID Connect.

Authentication & Authorization

First, let’s define what authentication and authorization mean:

Authentication is the process in which we validate that someone is who they claim to be. Usually you can authenticate by providing at least one of the following factors:

  • something you know – a password or a PIN
  • something you have – a certificate or an RSA token
  • something you are – a fingerprint

Authorization is the process through which we check the permissions that someone has. Although this can be modeled in multiple ways, it can be viewed as a matrix with subjects as rows, resources as columns and the allowed actions in the cells.

OAuth 2.0

If we’re talking about API authorization, we also need to discuss the delegated access model. The end user delegates access to their resources hosted on the web API to the client – the website. If we don’t want to pass the user’s credentials to the client and the APIs, then OAuth is a good choice. OAuth is an authorization protocol that can be used to enable limited access to private resources for third-party apps.

Uncategorized

When I first thought of blogging, it was for two reasons: having an activity log and learning more quickly (and thoroughly).

Activity Log

Like any other developer, I often face new and interesting problems. Also, like many other developers, I face the same “new” problems again and again and have to rediscover the solutions because I forgot either the solution, or the reasoning behind it. A personal blog would be a perfect place to keep track of problems and their solution. And if other people can benefit from this, hey, that’s a big plus.

Learning

The second reason (and probably the most important) is learning. In the last 6 months I have been thinking a lot about learning. The way I learn is pretty common: grab a book and read it cover-to-cover. The thing is, there’s a limited amount of books that you can read this way. Also, if I don’t exercise what I learn immediately, I forget most of the book in a couple of months.

One of the best ways to learn something is actually teaching. It makes a lot of sense: every time I had to teach something, I gained a lot out of the experience. You can do this step in multiple ways: talk with someone, do a tutorial, deliver a presentation or you could start…

Blogging

Writing a good blog post on a topic should force you to fill any knowledge gaps and find a good way of organizing the information.

I once took a blogging course. My favorite homework on this course was having to come up with 50 (yes, 50!) blog post ideas. Although it seemed quite daunting at first, after about 30 minutes, ideas really started flowing. I guess this homework really hit the nail on the head – coming up with post ideas might not be as difficult as you may think. Of course, there is a long road from post idea to blog post and it does require commitment, but coming up with ideas is half the battle.

So this is it – this blog will help me remember more, learn more, share more. Check back soon!