Software Engineering, Project Management, and Effectiveness
Each month I pick a focus or a theme for my improvement sprint. I find it's easier to start and stop a new sprint each month, rather than start in the middle of a month and try and remember when to stop. I also like the fact that each month is a fresh start. Cycling through a new improvement sprint each month, gives me 12 sprints I can allocate to whatever I want or need to focus on. This keeps me learning and growing throughout the year in a simple, but systematic way. Each month I can do another sprint on the same topic or pick a new area to explore. Periodically, I try to inject an improvement sprint that focuses on something physical. For example, last year I did a living foods improvement sprint and in another sprint I worked up to roller-blading 15+ miles a day.
Here's the improvement sprints I've done so far this year:
Sometimes I'll do more than one sprint for a month, but in general I try to stick with one theme. The power of the sprint is the focus. Its easier for me to stay focused when I remind myself I can switch focus each month.
My Related Posts
What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.
To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.
Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.
Auditing and Logging
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.
The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.
Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.
CategoriesOur WCF Security guidelines are organized using the following buckets:
Impersonation and Delegation
For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.
The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.
WCF Security Application Scenarios Intranet
Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.)
My Related Posts
If you know the underlying principles for security, you can be more effective in your security design. While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles. The challenge was to make the principles more useful. It's one thing to know the principles, but another to turn it into action.
Turning Insights Into Action
To make the principles more useful, we organized them using our Security Frame. Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions. With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc.
Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques. For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input. For constraining input, we focused on checking for length, range, format and type. Using these strategies both shortened our learning curve and improved our results.
Core Security Principles
We started with a firm foundation of core security principles. These influenced the rest of our security design principles. Here's the core security principles we started with:
Frame for Organizing Security Design Principles
Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:
Auditing and Logging
Here's our security design principles for auditing and logging:
Here's our security design principles for authentication:
Here's our security design principles for authorization:
Here's our security design principles for configuration management:
Here's our security design principles for cryptography:
Here's our security design principles for exception management:
Input / Data Validation
Here's our security design principles for input and data validation:
Here's our security design principles for sensitive data:
Here's our security design principles for session management:
Using the Security Design Principles
This is simply a baseline set of principles so that you don't have to start from scratch. You can build on this set and tailor for your specific context. I find that while having a set of principles helps, that you can't stop there. To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers. Personally, I've found Wikis to be the most effective way to share and manage the information.
Dr. Stephen Covey presented at Microsoft today. It’s one thing to know the information; it’s another to experience the delivery live.
This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house. Here are some of my highlights from today’s session.
The Lighthouse Story Covey opened with a story of Captain Horatio Hornblower. As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move. Horatio commands the other ship to move starboard, 20 degrees at once. The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once. Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battle ship. The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.
The take away from the story is, there are lighthouse principles. You don’t break them. You only break yourself against them. Don’t break yourself against lighthouse principles.
Values and Principles Covey distinguished values from principles:
The key take aways are:
Personal Mission Statement Covey asked us whether we had personal mission statements? Some folks raised their hands. He then asked us how many have them written down. A lot less kept their hands raised. I kept my hand raised because I happen to have my personal mission statement written down. My personal mission statement is, “To find the best way for any person to succeed in any situation.” I tie this back at work, where I try to help customers be as effective as possible, building on the Microsoft platform.
Family Mission Statement Covey then challenged the audience whether we had mission statements for our families? That one made me think. He then challenged, if you asked your loved ones, would they know it? Now there’s a good test!
He challenged us to go home and ask, “What’s the purpose of our family?” He warned us though, that our families will know that we’ve been seminar’ed!
Write and Visualize to Imprint on Your Subconscious Covey reminded us that writing down your mission imprints it in the subconscious mind. He added that visualizing also imprints on the sub-concsious mind.
The take away is that you should write and visualize your mission statements.
Keys to a Mission Statement Covey put it succinctly that a good mission statement is:
Why a Mission Statement Covey told us that the power of a mission statement is that it governs every other decision.
Sean Covey Covey introduced his son, Sean Covey. Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make. When Covey introduced Sean, he also mentioned a 49th grand-child on the way. 49 … WOW! That’s quite the impressive team.
Point to True North Covey had us close our eyes and point to true North. When we opened our eyes, it was obvious there was little consistency. He said he gets similar results when he asks any department, group, or team – “what’s your purpose?” Urgent But Not Important Covey asked us how many struggle with work/life balance. Many hands went up. He then asked us what we think is the percentage of time we spend on things that are urgent, but not important.
He said people often report they feel they spend 50% of their time on urgent, but not important tasks. Why is that? Covey stated it’s because everybody defines purpose differently. Office Politics and Dysfunctional Activities Covey asked us how much time people spend in office politics. By office politics, he meant, reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, … etc. The data says that 75% of people claim they spend 25% of their time on these things. 25% say that 50% of their time is spent in dysfunctional activities. Urgency replaces important activities.
The key take away is that people feel they spend a lot of time on dysfunctional activities. Six Metastasizing Cancers (Victimism) Covey showed us a slide that listed what he called the Six Metastasizing Cancers:
The take away here is that these are ineffective behaviors and you end up acting like a victim.
Are You Utilized to Your Full Potential Covey asked us whether we can use our full talent and capacity in our organization. He then asked us whether we feel the pressure to produce more for less. The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.
It’s Not Behavior, It’s Not Attitude … It’s a Bad Map Covey gave us a scenario where somebody gets a map of Seattle. The problem is, the map maker made a mistake. It’s not really a map of Seattle. It’s a map of Oregon. With this map, you can’t even make it out of the airport. There isn’t one corresponding point.
Trying harder isn’t the answer. If you double your speed, now you’re lost twice as fast. Thinking negatively isn’t the problem. Covey said some people might try to use a PMA (Positive Mental Attitude.) Well, that doesn’t help either. Now you’re all psyched up, but really you are just happy and contented in a lost state.
The take away here is that it’s not behavior and it’s not attitude. It’s a bad map.
Self-Educating Covey told us that we need to be self-educating. School taught us how to learn, but we need to continue to learn. He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.
Industrial Age vs. Knowledge Worker Age Covey points out that 20 years ago, it was about goods and services. Today, it’s about knowledge workers.
Expenses and Assets Covey asked us what we are called in spreadsheets. He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets. He said this is left-over from the industrial age.
Finding Your Voice Covey asked how do you help people find their voice? You ask them what are they good at? What do they love doing? What is your greatest unique contribution?
The key is finding a voice that meets a human need.
Inspiration Over Jackass Theory The Jackass Theory refers to the carrot and the stick. Covey asked us what kind of supervisor do you need when you have a job that you are passionate about and is using your talents and you feel you are appreciated.
People are volunteers. You want them to contribute their greatest, unique contribution.
Keys to Effective Large Team Covey outlined the keys for effective large teams::
One person may represent the group, but accountability is to the team versus the boss. Accountability to the team versus an individual is a knowledge worker concept.
How To Find the Win / Win Performance Agreement Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:
When you have that, you have a win-win. The key is to have a win/win performance agreement where it is mutually beneficial between the individual and the organization. The individual should be able to use their full talent and passion (there voice.)
Information is the Knowledge Worker's Disinfectant Covey mentioned that light is the greatest disinfectant in nature. For the knowledge worker, it’s information. For a knowledge worker to be effective in a team, they need information, they need the criteria for success and they need to be accountable to the group.
The Whole Person According to Covey, the whole person includes four parts:
Control-Paradigm to a Whole Person Paradigm Covey reminded us that today’s workforce is about directed autonomy. You manage (things) that can’t choose. You lead people. People have the ability to choose.
Keeping Top Talent Covey told us about how Admirals in the Pacific were losing people to better paying jobs. There was an exception. Covey got to meet the group that kept their top talent. The keys to a committed group included:
Indian Talking Stick Communication Covey shared a technique for improving empathic listening. It’s the Indian Talking Stick:
You don’t need to use an Indian talking stick. You can use any object. The value of the object is that you don’t get it back until the other person feels understood.
Industrial Age Concepts Throughout the session, Covey made reference to some "industrial age concepts":
Lighthouse Principles Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:
Continuum of Communication Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:
Empathic Listening is the No. 1 Communication Skill Covey stated that communication is the number one skill in life. He went on to say that empathic listening is the number one communication skill. Covey explained that empathic listening is listening within the other person’s frame of skills. Listening empathically is listening with the other person’s frame of reference. The key is to listen until the other person feels heard and understood. Empathic Listening Over Telling and Selling A satisfied need, no longer motivates. Covey used the example of air – it’s a satisfied need. When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution, that’s mutually beneficial. You are no longer telling and selling.
Our Experience is the Lens We Use to Interpret Life Covey showed the audience three pictures. One half of the audience looked at the first picture. Next, the other half of the audience looked at the second picture. Then the full audience looked at a third slide which was a composite of the first two slides. Depending on which of the pictures you saw first, influenced what you saw in this third picture.
The key take away here was that what you saw was influenced by your experience and that rather that impose your view, first understand the other person’s perspective – there’s a good chance, you’re both right! (This is a good case where the Indian Talking Stick could come in handy.) Resolving Conflict By Finding the Third Alternative Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world. Here’s the key steps:
The key here is to listen to the other person first and listen empathically. The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood.) Listening to Loved Ones One of the audience members asked for advice on counseling a loved one. Covey responded with the following solution:
The key here that Covey mentioned is that most people will not pay the price of listening empathically.
7 Habits of Highly Effective People Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.
Habits 1,2,and 3 are the foundation for private victories and integrity. Habits 4, 5, and 6 are the keys to public victories.
Peace of Conscience Over Peace of Mind Covey made a distinction between peace of mind and peace of conscience. He explained that integrity is more than honesty. Integrity means that if you make a promise, you keep it. If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience. You have peace of conscience by avoiding duplicity.
Loyalty to the Absent Covey made his point very simply – only talk about people as if they are there. You can be critical, but speak as if they were there in front of you. Don’t bad mouth them behind their back and then sweet talk them to their face. This is a lack of integrity and creates deep duplicity inside you. This inhibits your ability to have peace of conscience. Use I Messages Over You Messages Meet with the people you have a problem with directly. Practice the following:
Genuine Happiness Covey said the key to genuine happiness is to develop integrity. The key to developing integrity is the first three habits (your Private Victories):
Greek Philosophy of Influence Covey shared the three parts of the Greek philosophy of influence:
You Are the Creative Force of Your Life Covey challenged us to be a creative force: 1. Get out of victimism – You’re not a victim of your circumstances. 2. You are the creative force of your life.
Empathize first. Grow your circle of influence. Make tremendous impact.
The Most Important Thing You’ll Ever Do Covey closed with a powerful message we could take away:
The most important thing you’ll ever do is in the four walls of your own home.
The most important thing you’ll ever do is in the four walls of your own home.
Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.
We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project. Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios. Each application scenario includes a before and after look at working solutions. While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch. It's a catalog of applications scenarios that you can look through and potentially find your match.
IntranetCommon Intranet patterns:
Internet Common Internet patterns:
One Size Does Not Fit AllWe know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario. It's like a visual menu at a restaurant. The goal is to find a good fit against your parameters versus a perfect fit. It gives you a baseline to start from. They effectively let you preview solutions, before embarking on your journey.
How We Make Application ScenariosFirst, we start by gathering all the deployment scenarios we can find from customers with working solutions. We use our field, product support, product teams, subject matter experts, and customers. We also check with our internal line of business application solutions. While there's a lot of variations, we look for the common denominators. There's only so many ways to physically deploy servers, so we start there. We group potential solutions by big buckets.
In order to make the solutions meaningful, we pick a focus. For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication. These decisions span the layers and tiers. We also pay attention to factors that influence your decisions. For example, your role stores and user stores are a big factor. The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.
Next, we create prototypes and we test the end-to-end scenarios in our lab. We do a lot of whiteboarding during this stage for candidate solutions. This is where we spend the bulk of our time, testing paths, finding surprises, and making things work. It's one thing to know what's supposed to work; it's another to make it work in practice.
From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context. We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts.