code development programming security

This is raw

This is raw chicken : 🐤

If you eat it like that, you may get hurt immediately, by its beak, or its claws. It may grab your money and run off with it.

If you want to eat it, better to kill it first. 💀

If you eat it like that, you may get hurt or die, in a few hours, or days. Washing it won’t help.

Cook it. Cook it well. If there’s any sign of pink, cook it some more. 🔥

It might still kill you, but at least you’re a lot safer than when you started.

This is raw data : 🐤

If you display it, users will get hurt immediately, whether by cross-site scripting, cookie sniffing, crypt-currency mining, or something else. If you’re lucky, it will be something your user’s see immediately and leave your site never to return. Otherwise they may get infected.

If you want to use it, better to validate it first. 💀

If you save it like that, your users are still vulnerable. It might appear on the front end in a different form. It might be a string of unicode characters that crashes your phone. It might be a link to somewhere they can’t trust.

Encapsulate it. Sandbox it. Never trust it, in or out . HTML encode, whitelist the output as well as the input.

And if you need to avoid spam, or incitement, or solicitation, maybe you need editors. Computers can’t fix all the social problems. 🔥

development leadership

Measuring the wrong thing

Process improvement requires measurements. How do you know what to improve if you can’t see where things aren’t working, and how do you know you’ve made the right change without seeing those numbers going in the right direction?

But measuring doesn’t mean you’re measuring the right thing, and measuring the wrong thing can lead to the wrong outcomes, and can be very harmful (see Liz Keogh’s talk on perverse incentives )

The key to the success of any metric is that it is owned by the team so they have complete control over the changes needed to affect it, so they feel ownership, and that improving the metric has a useful business outcome.

Metrics that I’ve found useful in the past include:

Number of bugs introduced by a release.

This is a tricky one to work with because it can easily be a perverse incentive, and the feedback cycle can be slow, especially with the usual 6-12 month release cadence. However, on one waterfall project I took over there was a strong negative perception of the quality of the code, and big count was a useful proxy as the customer had access to JIRA so the big list was already visible. Reducing this number was a combined effort where testers and developers had to approve requirements, developers and testers invested in automated testing at all levels, and testers joined the developer daily stand-up in order to catch bugs before they were released “have you checked that page in Welsh?“, “We found problems on that page last time because IE was too slow“.

Number of releases per month.

On an agile project we noticed that releases were getting held up because testing was slow and produced a lot of rework, which were then tested against more features that had been pulled from the backlog, increasing testing time. Each release also took half a day, so we had to schedule them carefully.

So we set a goal of focusing on releases for a month and measuring how many we did. There were other measures within that, such as monitoring work in progress on the testers, time taken to do a release, and cycle time from start of development to live release, but they all drove the big number, visible to the whole company, of more quality releases.

Questions answered per day.

This can be a very useful metric for research projects, especially when following a fail fast approach, when you want to prove something can’t be done before you invest in doing it. In order to do that, you need lots of questions with quick answers, to accelerate learning. Any answer, positive or negative, is progress. It means we have learned something.

“I cheerily assured him that we had learned something.
For we had learned for a certainty that the thing couldn’t be done
that way, and that we would have to try some other way.” – Thomas Edison

Age of Pull Requests

Successful agile projects rely on peer review, either via pairing, or a formal review process such as git PRs (and I won’t discuss that in this post). However, when we started working with these on one project, we discovered that we were building up a large debt of Work In Progress because the team wasn’t incentivised to review each other’s code, so one of the developers set up a nag bot for any PR older than 4 days. It lasted 2 weeks before it was no longer needed.

What about you?

What metrics have you used to incentivise the team? What problem were you trying to solve, and did the metric work?


Sense and Respond by Jeff Gothelf and Josh Seiden

Sense and Respond: How Successful Organizations Listen to Customers and Create New Products ContinuouslySense and Respond: How Successful Organizations Listen to Customers and Create New Products Continuously by Jeff Gothelf

My rating: 5 of 5 stars

Having read Lean UX, I was expecting a good book on how organisations could deliver projects. This book is about much more than that. The authors are coming from a point of frustration where agile delivery and Lean UX projects have failed to reach their potential because the organisations surrounding them were not supportive, so this book is about how to reshape an entire organisation to meet the challenged of the modern world, with lots of positive and negative examples, which is refreshing to see in this type of book. If you’ve ever had a strategy meeting, or ever found your project success limited by your organisation, go read this book.

Easily the best book about dysfunctional organisations and organisational change I’ve read since Peopleware.

View all my reviews

Buy on Amazon UK :

development lifehacks

The tech diversity blind spot



Technology makes the world better. It promises to make our lives better. It will free us from work.

Except “The best minds of my generation are thinking about how to make people click ads”. And tech lives in social bubbles as well as financial ones. Apps designed for silicon Valley don’t always travel to the rest of the USA, apps for Western countries don’t always apply in the East, Facebook and Google aren’t always trusted, VR headsets that don’t work if you wear make up, facial recognition fails if you don’t have the same skin as the webcam software developer, or the photo auto-categorising application developers.

Sometimes the solution is to write technology in another bubble. Brazil, India, China, and many other places have strong home grown technology far more popular than the “global” leaders. Sometimes you expand your bubble, diversified teams, balanced teams, who are smarter than homogeneous teams anyway.

Sometimes you look outside your bubble. I get paid to write software that I will likely never use. Line of business applications, including public interfaces, for government clients. I don’t know what their business is until I ask. I don’t know how they work, or what is important to them. And sometimes I have to ask several times, and sometimes people can never understand or articulate what they do, let alone what they want, even after asking them in several ways. So what makes you uniquely qualified to understand what you do, or what problems you have, or whether those problems are universal?

If you want to know if your intuition applies to the population as a whole, make sure your stakeholders reflect that population, or accept that you are deliberately limiting your audience, because that’s what makes sense to you.

development programming

Devweek review

DevWeek T-Shirt
I designed my own T-Shirt at DevWeek 2012

I spent 3 days last week at the DevWeek conference in London. This was the first time I have gone, and I’d recommend it. I’m going to pull everything into one post for now, but I think I’ll be returning to some of the themes in later posts, so if this is a bit TL;DR for you, please let me know in the comments if there’s anything you’d like a summary on. Visual Studio 11 and the new TFS are two things that come to mind, but there’s also some interesting things about managing software teams that I want to return to once I’ve finished reading Peopleware.

If any of these interest you, check out the slides and code available on the DevWeek website.

Day 1

Tuesday 27th March schedule

Windows 8 for application developers – Mike Taulty

Microsoft’s Mike Taulty (twitter : @mtaulty ) got the keynote slot this year to talk about Windows 8 and Visual Studio 11. I’m sure most .Net folk have heard of both by now, but I certainly hadn’t had a chance to install the previews and try them out. This talk reinforced Microsoft’s vision of a single OS for all devices, although this only seemed to be Desktop, Netbook and Tablet, there was nothing on the new versions of Windows Server 8 (which looks like it would save me a lot of time setting up and deploying to new servers) and Windows Phone 8 so I’ll just have to keep reading the blogs to keep up with those.

The main goal of Windows 8 seems to be doing what they did right in Windows 7 and making it better. For some things, that’s borrowing from Windows Phone 7 (the Metro UI being the most obvious, and controversial), but there’s also Charms, which look like Microsoft’s take on Android’s Intents (a simple, powerful channel for de-coupled cross-app communication), a settings page which looks far more like the iPad than the old Control Panel, built in Cloud Syncing that includes app data (and easily extensible – there was a nice example of selecting photos for your profile from disk, SkyDrive or PhotoBucket seamlessly), which shows what Android and iOS should be doing for cloud integration, and looks as simple as Firefox sync or Amazon’s whisper sync to set up. Given the recent changes that iOS and Android have been getting in their latest releases, it looks like the next generation of devices are converging on some standard functionality, so consumers don’t have to lose functionality when switching between platforms.

Interestingly, the new version will also be LiveCD / bootable USB compatible. An obvious decision given the lack of optical drives on the Windows 7 tablets that will likely be upgraded, but will be interesting to see if Microsoft can make the experience as smooth as the Linux/BeOS LiveCDs. Given the advances from the Windows XP to he Windows 7 installer, there’s a good chance.

WinRT is Microsoft’s push for the new platform – bring the Metro UI to C, C++, C#, VB and HTML/JS developers equally. Channelling the .Net developers through .Net 4.5. I’m not sure where this leaves Mono developers, so .net might not be the cross-platform solution that MonoTouch and MonoDroid promise. If you want to develop on a tablet, as I wondered in my last blog post, just use Visual Studio 11. Microsoft might become the leaders in developing apps for your Post-PC world 😉

I think the most telling takeaway from this talk for how you develop for Windows 8 was this:

“There are no Windows in Windows 8 – every pixel is yours”

You have a blank canvas, how are you going to fill a 7″ tablet and 2 42″ monitors with your metro app?

A tour through Visual Studio 11 – David Starr

The next major release of Visual Studio is on the way, and our favorite IDE just keeps getting better. This session shares significant additions and improvements slated for the next version of Visual Studio. The specific focus is on the tools that will make developers’ lives better, and how we’ll use them in real life.
Learning points:
• What’s coming in Visual Studio 11
• Which features add major value, and which are just a “meh”
• How these new tools will change how we work

My first impression of Visual Studio 11 was how much it reminded me of Ice Cream Sandwich (especially in the dark theme), and how many of the speakers were not fans. David Starr (twitter @elegantcode) pointed us at the Uservoice page for Visual Studio 11 where the lack of colour in the default theme was the number 1 most requested feature. Note that Visual Studio 11 is not a Metro app, so it will live on Windows 8’s desktop (legacy?) view.

According to the talk, Visual Studio 11’s main driver was about listening to the community and giving developers what they want, so Monty Hammontree listened to what folk were saying on Twitter, and sending via the “help Microsoft improve Visual Studio” feedback and designed Visual Studio to have simpler tooling, a minimal UI, and allowing Visual Studio to better handle the development tasks that aren’t coding, such as requirements. Read Monty’s blog above to understand the philosophy behind the changes. Although the SQL server team and the NuGet team haven’t got the memo as both built-in components are still using the 2010 colour scheme.

As with Windows 8, Visual Studio is borrowing a lot of ideas from the community and building in things that were previously only provided by add-ons, including their own add-ons like the productivity power pack, whose Solution Navigator is Visual Studio 11’s SOLUTION EXPLORER (yes, it’s all caps), and allows you to drill down and search through filenames, classes and methods.

Depending on which edition you use, there’s an improved code comparison tools that makes merging easier, a new code duplicate finder, a new test runner that can be set to run tests after every build (that includes nUnit and xUnit support), and an ability to fake any DLL (such as the System and HttpContext) in your tests, but I think the 2 things that will really help me out are the preview tab and the speed improvements.

The preview tab opens when you hit F12, or click on something in the solution explorer, or whenever you’re browsing rather than editing. It appears on the right hand side, and stops Visual Studio from opening multiple tabs by re-using the same window as you browse, then offering a simple button to turn it into a normal tab once you’ve found what you want.

The speed improvements come mainly from better backgrounding of tasks, so the UI is not blocked. Msbuild is now used for all builds, allowing the build to be architecture independent, and this feeds into the test runner and the built in source control tools.

The other big takeaway from this talk is that if you are running Visual Studio 10 SP1, you can load your project files in the Visual Studio 11 beta, save them, and they will still work in the old version, so no more breaking projects when 1 member of the team upgrades – so long as they don’t start using C#5 features like async (I’ll get to that on Day 3)

ASP.Net and Visual Studio 11 – Robert Boedigheimer

Robert Boedigheimer (twitter: @boedie) covered some of the same ground as David Starr, but he quickly got into the nitty gritty for us ASP.Net developers.

There a lot of improvements in the editors to make them more context aware for HTML and JavaScript, for example, renaming and IntelliSense support for HTML5 tags, the IE9 Javascript engine built in to add IntelliSense and references for Javascript, colour picker and CSS3 support in the CSS editor, as well as awareness for common hacks and vendor-specific prefixes so there’s no more warnings.

There’s a new Page Inspector, which looks like IE9 inside Visual Studio, that gives access to most of the web developer tools, with the ability to link back to the source code so that the CSS/HTML changes can be tested and fixed with a much shorter feedback loop.

There are some validation (including Anti-XSS), performance and feature improvements, as well as support for Web Sockets via IIS8. There was a lot of talk about how to improve performance of you website, making use of caching and minification, which are useful for everyone, but there are a few nice tricks in the new framework that make these easier and more powerful.

Even if you’ve had a look at Visual Studio 11, be sure to check out these slides, as you might learn a thing or two about improving performance.

High performance software development teams – David Starr

This one will definitely be of interest to my colleagues. Discussion of SMART goals and how to create teams that constantly outperform expectations (without lowering expectations 😉 ). Successful teams are ones that don’t stop learning, keep communicating, have short feedback cycles, and make decisions rather than reacting impulsively.

I’m not going to go into detail, as I’m sure David Starr can explain it better himself, but there were a couple of things he said that I’ll repeat here and let you cogitate on:

Successful teams ship software and are in a position that they can always ship software quickly.

Well-functioning organisations don’t need heroes to do lots of overtime, or need to fix things whilst ignoring the team.

If your well-maintained and performant data centre runs at 80% efficiency, shouldn’t you make sure you’re not working your staff harder than your machines?

Although on that last one, remember it’s always easier to add a new machine to your data centre than a new developer to your team.

Day 2

Asynchronous programming with C# 5 – Andrew Clymer

This is the sort of deep technical talk conferences like this need. Andrew Clymer from Rock Solid Knowledge showed plenty of code to demonstrate the pain of asynchronous programming in .Net by looking at how to spin off a background task from the UI, and update a control with the result (with an aside into other places where the technique is useful.

Fundamentally, async and await allow you to free up a thread and do asynchronous programming whilst the framework does all the dirty work to make sure the return message ends up on the calling thread and exceptions are raised in the right place, so writing a callback is as simple as:

async void OnClickGetUsers
try {
var users = await Server.GetAllUsers();
} catch (TimeoutException e) {

And all you have to do is use the Task / Task<T> as the return value from Server.GetAllUsers().

If want to run many tasks, create your own wrappers for legacy tasks, or write task-aware WCF clients, go have a look at the blogs and screencasts on his site.

Pragmatic architecture – Oliver Sturm

I was a bit disappointed with Oliver Sturm‘s talk. There was a nice concept in there, walking through the breaking down of a project into its architecture and talking through the decisions to be made at each step, but it didn’t quite work as a talk. It was listed as “The short talk”, as a pre-cursor to a workshop on the Friday, which I couldn’t go to, and I think the session was designed to interactive, so the size of the room and the expectations of the audience didn’t give the talk the dialogue it deserved. I’ve seen Oliver talk about more technical topics and those have been good, so I hope the workshop session lived up to the potential

ASP.Net MVC hidden gems, tips & tricks – Shay Friedman

Apart from a few broken demos, Shay Friedman (twitter: @ironshay ) gave a good overview of some lesser known frameworks and options in ASP.Net MVC. Most of it could be summed up by the first slide : Use NuGet, but the rest discussed all the nice extensions, frameworks, and scaffolds that you can get via NuGet, as well as a couple of simple error handling tricks, and pointing out the built-in controls from WebMatrix.

Cognitive biases and effects you should know about – Kevlin Henney

I’ve seen Kevlin Henney before, and he’s got a great, humorous style. In this very informative talk, he didn’t disappoint. His basic thesis was that everyone is biased, even about bias. If you’ve ever come across the Dunning-Kruger effect or read Kluge, you’ll have a fair idea where he was coming from. Basically, humans have a world view that is great for avoiding being eaten by a tiger, but not so great for the modern world. And Success is a better teacher than failure, because we try to forget failure. If you want to learn, mentoring is good, and practice is good, and trying to learn without either is very tough.

Day 3

The frustrated architect – Simon Brown

A great talk from Simon Brown to set up the last day.

How do you build an architecture in an Agile team? How does an agile team works with non-functional concerns like performance and scalability? What did we forget when we threw front-loaded architecture out the window and moved to Agile?

A great teardown of the problems with Agile-driven architecture, followed by some resources and ideas to help you think about how to resolve those in your own teams.

Go see the slides for yourself and understand that architecture is social and the architect needs to understand the developers and the users, and a good architect is a developer and a leader, and isn’t someone who kills trees with 400-page documents that are never read.

Storyboarding in Visual Studio 11 – Brian A Randell

I think Brian A. Randell (twitter: @brianrandell) is a Disney fan. He managed to get some Disney storyboards to demonstrate the power of storyboards. It’s prototyping from Visual Studio via a special set of templates in Powerpoint.

The interesting point of the talk for me though wasn’t the Powerpoint side, it was the additions and changes in Team Foundation Server that enable the feedback loop to send those storyboards around the development team, out to the client, gather specific feedback, and pull that back into the tasks. I wasn’t interested in TFS before, but I am now.

M-V-VM from the ground up – Dave Wheeler

I only saw the first part of this two-parter from Dave Wheeler (twitter: @finiteplane) but it was all I was looking for to understand MVVM as mainly an ASP.Net MVC developer. He had some strident views about keeping developers and designers separate, but the talk was mainly about building up a simple app and demonstrating best practice to make lives of both developers and designers as easy as possible.

To make the M-V-VM pattern work, the Model does all the back-end communication and exposes business objects, the only code in the view code-behind is the untestable UI-tied behaviour (like weird animations, and non-standard behaviours), the the ViewModel responds to ICommands like “DeleteUser” and replies with INotifyPropertyChanged events back to the UI, allowing the behaviour of the presentation layer to be tested independent of the designer’s layout preferences.

Agile Engineering Practices – Neal Ford

An Agile talk, responsive to audience demands (via a talk menu that was voted on), Neal Ford (twitter: @neal4d) gave a great journey through some interesting topics on Agile Engineering in ThoughtWorks.

In Information Radiators, he spoke about code metrics and providing information on failure and success as directly and as unobtrusively as required.

In Design Practices, he talked about the complexity of simplicity (why is it so hard to make the design simple), the importance of throwing away your experiments (but keeping the results to learn from) and how well the original design patterns from the Agile movement have aged, re-iterating the good ones, and replacing the not-so-good ones.

In Test Driven Design, he showed how TDD improved the design of a solution as well as the quality using a Kata example, as well as a series of studies from Dr. Laurie Williams that show that TDD costs a lot less than you think (which I wish I’d known about when I gave my TDD talk a few years ago), and writing more code makes you go faster.

In feature toggles, he discussed an alternative to branching and merging to allow multiple developers to work on multiple features without a merge ambush leaving developers lost and contemplating throwing away a week’s work.

In DVCS magic, he talked about how his team uses git, and how they modified things to minimise developer downtime and frustration and increase productivity.

Overall thoughts

This was a good, well-organised conference, with a heavy, but not exclusively Microsoft focus. At 90 minutes, the talks were longer than most conferences, but the speakers tended to make good use of the extra time so few of the talks felt stretched or over-long, and they all mostly ran smoothly.

The venue was good, but there was a big split between 2 of the rooms (and the exhibition area) and the other 10, heightened by lift failures on the final day, but that wouldn’t put me off going again.

The lunches were also the best I’ve had at a conference, so 3 cheers to the organisers for that.

Looking forward to coming again next year (Next DevWeek 4th – 8th March 2013). Anyone want a talk on developing across multiple offices?