Software Engineering, Project Management, and Effectiveness
Why invest in prescriptive guidance or “Blue Books” for Microsoft platform impact? While the answer is obvious to many, it’s not as obvious to others, so I’ll attempt to paint the picture here.
Building Secure ASP.NET Applications was the first "Blue Book" at Microsoft, but it was Improving Web Application Security that really made people take notice: it was downloaded more than 800,000 times in its first six months, and it changed how many people in the industry thought about security and how they approached it. It is also the guide that helped many customers switch from Java to .NET. An interesting note about Building Secure is that its Forms Authentication approach was baked into the Whidbey platform (ASP.NET 2.0).
Blue Books Shape Platform Success
Blue Books have played a strategic role in both shaping the platform and driving exponential customer success on the platform. They've helped us find and share platform best practices, create mental models and conceptual frameworks, and create systems and approaches that scale success and create powerful ecosystems. They've also helped us spin up offerings for our field, reduce support costs, and win competitive assessments.
Ultimately, Blue Books give us a strategic look at platform pain points as well as competitive analysis, and a consolidated set of success patterns to run with.
From patents to methodologies to better ways for better days, "Blue Books" have been the definitive way to improve platform success sustainably, a durable backdrop that provides continuity of the platform over time.
Benefits at a Glance
Here is a quick rundown of some of the key ways that Blue Books have helped Microsoft and customers win time and again:
The list goes on, but the essence is that these playbooks help customers make the most of the platform by sharing the know-how through prescriptive architectural guidance.
End-to-End Application Scenarios and Solutions
Here's an example of an application scenario. We use application scenarios to show how to solve end-to-end problems. An application scenario is effectively a baseline architecture distilled from successful solutions. Here is an example from our WCF Security Guide:
We share them as sketches like on a whiteboard so they are easy to follow.
Methodologies and Methods
Methodologies, frameworks, and approaches are nice ways to wrap up and package a set of related activities that you can use as a baseline for your process or overlay on what you already do. Methods are step-by-step techniques for producing effective results, and they are a powerful way to share expertise. Methodologies and methods are how we create exponential results and amplify our impact.
Example Methodology – Agile Security Engineering
Example Method – Threat Modeling Technique
Conceptual Frameworks and Mental Models
We use mental models, conceptual frameworks, and information models to learn and share the problem space.
Example Conceptual Framework for Web Security
Example Mental Model for Application Architecture
Hot Spots
Hot Spots are basically heat maps of pain points and opportunities. We use them as a lens to help us see customer pain points and opportunities, and to prioritize our investments. They also help us identify, organize, and share scenarios. Hot Spots also help us organize and share principles, patterns, practices, and anti-patterns for key engineering decisions. Hot Spots are a powerful tool for product planning and for building prescriptive guidance, platform, and tools.
Example of Security Hot Spots
Example of Architecture Hot Spots
Scenarios Organized by Architecture Hot Spots
Competitive Wins
Our Blue Books have consistently been used for winning competitive assessments, or at least for making a significant impact in key areas. Whether there's a gap in the tools or a gap in the platform, prescriptive guidance can smooth it out by creating a success path for customers.
Example of beating IBM in Every Category Around Guidance
You can find a deeper rundown on the competitive assessments in my previous posts.
The Bottom Line on Blue Books
The bottom line for me is that Blue Books have helped shape platforms and tools and have created glide-paths for customers through mental models, methodologies, and methods. They've been a powerful way to share success patterns, help paint the bigger picture, and connect the dots across platform, tools, and guidance.
Adoption and usage have accelerated over the years to the point where just about any customer in the application development space that works with the Microsoft platform is familiar with either patterns & practices or the Microsoft Blue Books.
Blue Books have been the freemium offering from Microsoft that have paved the way for premium experiences.
In my 60+ engagements in my role as a consultant for Microsoft, I've become keenly aware of the importance of best practices. The term is not a euphemism; they're called *best* practices for a reason.
And nobody does it better than the Patterns & Practices team. This frames it perfectly, "Blue Books have been the freemium offering from Microsoft that have paved the way for premium experiences."
When a customer needs guidance, as a blue badge I always look to the blue books first.
I have been using p&p guides very heavily since 2004. First it was the security guides, then performance, and then app arch. I can measure my success by customers' responses to my services. There is a very clear channel for evaluating my work - MCS Surveys. In the last 6 months I have participated in 7 surveys - all top box. Previous years were similar. I used the guides, customers happy. My managers too ;)
With so many ways to do the same thing using Microsoft technologies, the blue books provide a central reference point of recommended practices for customers and consultants. My first blue book was the Application Architecture for .NET guide and I always keep it dear to me.
Today, I have implemented many systems and shared my knowledge with many customers using the practices I learned and evolved from that book as well as parts from other blue books.
If I use a metaphor to describe it - MSDN is like a dictionary, the blue books are like a (spoken) language book teaching us how to assemble sentences, constructs, write and speak properly.
It's great to hear your perspective from the field.
There's definitely an art and science to sharing best practices and it sounds like sharing the *best* has made a huge impact, time and again.
You're a long time veteran and I like how you've consistently built on and extended the blue books into offerings and additional services for customers.
It's great that you get direct feedback from customers and that the blue books have served you well.
I like your metaphor and your perspective.
I've used similar metaphors. When my Aunt wanted to know what I do, I told her I write books that help customers put the Legos together.
I also think of the blue books as "driver's guides" vs. "owner's manuals."
The blue books, in particular Threats and Countermeasures, have been a standard for conducting security reviews since original publication. We've used this to harden internal Microsoft Line of Business applications with great success. The guidance, while .NET 2.0 era and "focused" on web applications, is fairly technology agnostic and we leverage it for non web apps as easily as web apps. As additional guidance has been released we've updated our methodology accordingly.
These books are completely invaluable.
For years people have complained about how Microsoft systems are slow or insecure or can't scale. These documents have shown exactly how systems designed with Microsoft products and technologies are secure, scalable and maintainable.
I've done countless consulting engagements over the past 9 years and these guides have been instrumental with:
- communication and mentoring new teams about what we're going to do, how we're going to do it, and why we're going to do it that way. The code reviews and checklists are easily baked into the SDLC process and that just improves quality and efficiency.
- reconnecting to a technical pattern as ramp-up for a new engagement. It's very difficult to remember everything about every technology. These documents are a great refresher when you haven't worked with a specific technology/pattern in a while and need to get up to speed quickly. What are the patterns, where are the hot spots, what are the scenarios?
- as a guide for architectural system reviews - the architecture hot spots and scenarios help me focus on what matters most and provide guidance on what should be changed and why.
- one-on-one mentoring and personal development. The scenarios and solutions, how-tos and 'explained's are great tools to share and walk junior and mid-level developers through.
These guides are paramount to getting developers up to speed on new technologies, architectural patterns and best practices.
Here's the real question:
==> When are we going to get a "perf and scale" or "Improving Web Application Security" style book for doing cloud applications?
Cloud applications right now are grossly misunderstood and underplayed in many corporations that could significantly benefit from them. The problem is they don't understand them and developers don't have the guidance to help them learn about it. What are the scenarios and solutions? What are the hotspots? My data is in the cloud, how can I secure it? How can I design my application for scale in the cloud?
Microsoft is spending huge amounts of time and energy on the cloud but there's no blue book.
We need a blue book on clouds.
I do work on JAVA websphere side now. We pay external consultants 100K's to deliver 'best' practice recommendations. All I can say is that it certainly is an expensive practice. None of the work attaches to any continuum so we have a constantly evolving set of meta-standards.
On the MS side it's easy. Just read P&P and deviate at your own risk. The net-net is we have a .net server farm that is a fraction of the cost and level of complication to our corresponding JAVA side. We have close to 100 people manage and direct and design the JAVA side that we simply don't need at all for the Windows side.
Can you start writing heterogeneous blue books so we can at least leverage some of these good ideas on our linux/solaris/aix mess?
As someone who used to be deeply involved in helping developers create secure apps, I can attest to the importance and impact of these books. Calling them books is a bit of a misnomer; a book is something you read and then let collect dust, but these books can act as a cover-to-cover read and as reference material to use day in and day out.
Get 'em. Promote 'em. Use 'em.
Having been involved in these projects for years, it's difficult for me to imagine what it would be like to run consulting projects without these. For years, going all the way back to the original application architecture documents, these have served as the gold standard for customers, the statement of how best to build applications on our platforms.
Selfishly, as a consultant I suppose there would be more work for me and others in my business if such guidance did not exist. People would not adequately secure their systems, or they would write systems that did not show sufficient performance, or even the potential of having such performance. In some sense, I guess it would enable us to have engagements coming in to fix them.
However, it's never fun to have an engagement just rehashing the same first 70% of territory. Just getting customers to that baseline is a benefit to the whole industry. It's critical, in my mind, that we provide this as a way to get that first step in the process.
As a former Microsoft security team member and now a business owner in the information security space it boggles my mind why these aren't required reading. These books get you straight to the goods on how to improve your security now and why, and not fluffed up like some other books with author pontification and ego stroking :)
Seriously though, when I tell people about the hidden gems that Microsoft gives away for free, these are always one of the top items I share.
Prior to joining patterns & practices (p&p), J.D. and I had authored several articles documenting proven practices, troubleshooting steps and guidance in the form of KB (Knowledge Base) articles and occasionally MSDN articles. Being on the front line solving complex developer challenges and troubleshooting mission-critical applications gave us a deep understanding of customer needs, the internals of the product stack and the gaps that existed in our guidance.
p&p gave us the freedom and opportunity to shape content guidance and take it to the next level. We spent countless iterations on 'Building Secure ASP.NET Applications', 'Threats and Countermeasures' and 'Performance and Scalability' to distill the guidance, making it extremely relevant, actionable, and easy to consume with no fluff. Many iterations were spent on fine-tuning the guide and its sections to target various reader segments (show me HOW; tell me WHAT; I don't know M$ technology, but I understand arch & design; give me the abstraction/framework to think about the problem space, not the technology that fades away in a couple of years; give me the checklist; help me navigate through the plethora of choices, etc., etc.). Though you will encounter repetition of content, you will not find fluff. Repetition was a conscious trade-off that we made, because we wanted to provide the reader with nuggets of self-contained info.
It was not an easy journey. When we started it was hard to get the feedback/data to demonstrate to our stakeholders the impact these guides had. We were constantly challenged - ...why do you need these guides when we have product documentation, ...no one will have time to read this bulky material, ...why are you wasting time writing guidance, it has to be solved using a tool, etc., etc. But we persevered, and JD is continuing to do so to date.
Is it POSSIBLE to develop quality applications WITHOUT the "Blue Books"???????
A little tongue-in-cheek, but IMHO a BIG "grain of truth". I do not know where I would be without them.