J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

  • J.D. Meier's Blog

    Decision Making with Criteria and Weight

    • 4 Comments

    If you need to make an important decision, the following can help:

    1. Identify the criteria
    2. Identify the weighting of each criteria
    3. Rate your options against the criteria and multiply by the weightings

    For example, when I was giving input on hiring our PUM, I identified the following criteria:

    • Microsoft Experience
    • patterns & practices Experience
    • Attract the right talent
    • Execution
    • Customer-connection
    • Engineering Competence
    • Business Competence
    • Political Competence

    I then assigned a weighting.  For example:

    • Microsoft Experience - (2)
    • patterns & practices Experience - (3)
    • Attract the right talent - (3)
    • Execution - (3)
    • Customer-connection - (3)
    • Engineering Competence  - (2)
    • Business Competence - (2)
    • Political Competence - (2)

    I rated the candidate against each criteria and then multiplied by the weighting.  This gave me a quick frame to compare different candidates as well as have more meaningful dialogues with others.  The actual numbers were less important than testing and clarifying criteria.

  • J.D. Meier's Blog

    6 New patterns & practices WCF Security How Tos

    • 3 Comments

    We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.

    WCF Security How Tos

    My Related Posts

  • J.D. Meier's Blog

    Monthly Improvement Sprints

    • 4 Comments

    Each month I pick a focus or a theme for my improvement sprint.  I find it's easier to start and stop a new sprint each month, rather than start in the middle of a month and try and remember when to stop.  I also like the fact that each month is a fresh start.  Cycling through a new improvement sprint each month, gives me 12 sprints I can allocate to whatever I want or need to focus on.  This keeps me learning and growing throughout the year in a simple, but systematic way.  Each month I can do another sprint on the same topic or pick a new area to explore.  Periodically, I try to inject an improvement sprint that focuses on something physical.  For example, last year I did a living foods improvement sprint and in another sprint I worked up to roller-blading 15+ miles a day.

    Here's the improvement sprints I've done so far this year:

    • JAN - Leadership skills / Microsoft leadership skills
    • FEB - Effective blogging
    • MAR - Effective blogging (I continued researching effective blogging practices)
    • APR - SEO practices (studying blogging practices lead me down the SEO path)

    Sometimes I'll do more than one sprint for a month, but in general I try to stick with one theme.  The power of the sprint is the focus.  Its easier for me to stay focused when I remind myself I can switch focus each month.

    My Related Posts

  • J.D. Meier's Blog

    patterns & practices WCF Security Questions and Answers Now Available

    • 4 Comments

    What are your key security-related questions with WCF?  More importantly, what are the answers?  For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex. 

    To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums.  We then worked through to create precise answers.  What you get is a browsable collection of questions and answers, organized by our security frame.   The security frame maps to actionable categories of your application.

    Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.

    Design Considerations

    • How do I decide on an authentication strategy?
    • How do I decide on an authorization strategy?
    • When should I use message security vs. transport security?
    • How do I use my existing Active Directory infrastructure?
    • What bindings should I use over the Internet?
    • What bindings should I use over the Intranet?
    • When should I use resource-based authorization vs. roles-based authorization?
    • When should I impersonate the original caller?
    • When should I flow the original caller’s identity to back-end resources?
    • How do I migrate to WCF from an ASMX web service?
    • How do I migrate to WCF from a COM application?
    • How do I migrate to WCF from a DCOM application?
    • How do I migrate to WCF from a WSE application?

    Auditing and Logging

    • What WCF Service security events should be logged?
    • How do I enable logging and auditing in WCF?
    • How do I enable auditing in WCF?
    • How do I stop my service if there has been an auditing failure?
    • How do I log important business events in WCF?
    • How do I implement log throttling in WCF?
    • How do I use Health Monitoring Feature with WCF?
    • How do I protect my log files?
    • How to I pass user identity information in a message for auditing purpose?

    Authentication

    • How do I decide on an authentication strategy in WCF?
    • When should I use brokered authentication?
    • When should I use the SQL Server Membership provider?
    • How do I authenticate against Active Directory?
    • How do I authenticate against a SQL store?
    • How do I authenticate against a custom store?
    • How do I protect passwords in my user store?
    • How do I use certificate authentication with X.509 certificates?
    • What is the most common authentication scenario for intranet applications?
    • What is the most common authentication scenario for internet applications?
    • How do I support authentication for multiple client types?
    • What is federated security?
    • How do I send credentials in the message when I am using transport security?
    • How do I avoid cleartext passwords?

    Authorization

    • How do I decide on an authorization strategy in WCF?
    • What’s the difference between resource-based, roles-based and claims-based authorization?
    • How do I use Windows groups for role authorization in WCF?
    • How do I use the SQL Role provider for ASPNET role authorization in WCF?
    • How do I use the Windows Token role provider for ASPNET role authorization in WCF?
    • How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
    • What’s the difference between declarative and imperative roles authorization?
    • How do I restrict access to WCF operations to specific Windows users?
    • How do I associate roles with a certificate?
    • What is a service principle name (SPN)?
    • How do I create a service principle name (SPN)?

    Bindings

    • What is a binding?
    • What bindings are available?
    • Which bindings are best suited for the Internet?
    • Which bindings are best suited for the Intranet?
    • How do I choose an appropriate binding?
    • Configuration Management
    • How do I encrypt sensitive data in WCF configuration file?
    • How do I run a WCF Service with a particular identity?
    • How do I create a service account for running my WCF Service?
    • When should I use a configuration file versus the WCF object model?
    • What is a metadata exchange (MEX) binding?
    • How do I keep clients from referencing my service?

    Exception Management

    • How do I implement a global exception handler?
    • What is a fault contract?
    • How do I define a fault contract?
    • How do I avoid sending exception details to the client?

    Hosting

    • How do I configure a least privileged account to host my service?
    • When should I host my service in IIS?
    • When should I host my service in a Windows service?
    • When should I self-host my service?
    • Impersonation/Delegation
    • What are my impersonation options?
    • What is the difference between impersonation and delegation?
    • How do I impersonate the original caller for an operation call?
    • How do I temporarily impersonate the original caller in an operation call?
    • How do I impersonate a specific (fixed) identity?
    • What is constrained delegation?
    • What is protocol transition?
    • How do I flow original caller from ASP.NET client to WCF Service?
    • What is the difference between declarative and programmatic impersonation?
    • What is the trusted subsystem model?
    • When should I flow the original caller to back-end code?
    • How do I control access to a remote resource based on the original caller’s identity?

    Input/Data Validation

    • How do I implement input and data validation in WCF?
    • What is schema validation?
    • What is parameter validation?
    • Should I validate before or after message serialization?
    • How do I protect my service from denial of service attacks?
    • How do I protect my service from malicious input attacks?
    • How do I protect my service from malformed messages?
    • Message Protection
    • When should I use message security?
    • When should I use transport security?
    • How do I protect my message when there are intermediaries routing my message?
    • How do I protect my message when there are multiple protocols used during message
    • transit?
    • How do I implement partial message encryption?

    Proxy Considerations

    • When should I use a channel factory?
    • When do I need to expose a metadata exchange endpoint for my service?
    • How do I avoid proxy spoofing?

    Sensitive Data

    • How do I protect sensitive data in configuration files?
    • How do I protect sensitive data in memory?
    • How do I protect my metadata?
    • How do I protect sensitive data from being read on the wire?
    • How do I protect sensitive data from being tampered with on the wire?
    • How do I authenticate a message was sent by the expected sender?
    • How do I encrypt data within my message?

    X.509 Certificates

    • How do I create X.509 certificates?
    • Do I need to create a certificate signed by the root CA certificate?
    • How do I use X.509 certificate revocation?
    • How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

    Deployment Considerations

    • What are the additional considerations for using WCF in a webfarm?
    • How do I configure WCF for NATs and Firewalls?
    • How do I configure Active Directory groups and accounts for role-based authorization checks?
    • How do I create an X.509 certificate?
    • When should I use a Service Principle Name (SPN)?
    • How do I configure a least privileged account for my service?

    My Related Posts

  • J.D. Meier's Blog

    patterns & practices WCF 3.5 Security Guidelines Now Available

    • 10 Comments

    For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines.  Each guideline is a nugget of what to do, why, and how.  The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.

    The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful.  The upside is that customers find the guidelines help them cut through a lot of information and take action.  We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.

    Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.

    Categories
    Our WCF Security guidelines are organized using the following buckets:

    • Auditing and Logging
    • Authentication
    • Authorization
    • Binding
    • Configuration Management
    • Exception Management
    • Hosting
    • Impersonation and Delegation
    • Input/Data Validation
    • Proxy Considerations
    • Deployment considerations 

    Auditing and Logging

    • Use WCF auditing to audit your service
    • If non-repudiation is important, consider setting SuppressAuditFailure property to false
    • Use message logging to log operations on your service
    • Instrument for user management events
    • Instrument for significant business operations
    • Protect log files from unauthorized access
    • Do not log sensitive information

    Authentication

    • Know your authentication options
    • Use Windows Authentication when you can
    • If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
    • If your users are in AD, but you can’t use windows authentication, consider using username authentication
    • If your clients have certificates, consider using client certificate authentication
    • If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
    • If your users are in a custom store, consider using username authentication with a custom validator
    • If your users are in a SQL membership store, use the SQL Membership Provider
    • If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
    • If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
    • If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
    • If you are using username authentication, validate user login information
    • Do not store passwords directly in the user store
    • Enforce strong passwords
    • Protect access to your credential store
    • If you are using Windows Forms to connect to WCF, do not cache credentials

    Authorization

    • If you use ASP.NET roles, use the ASP.NET Role Provider
    • If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
    • If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
    • If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
    • If you need to authorize access to WCF operations, use declarative authorization
    • If you need to perform fine-grained authorization based on business logic, use imperative authorization

    Binding

    • If you need to support clients over the internet, consider using wsHttpBinding.
    • If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
    • If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
    • If you need to support local WCF clients, consider using netNamedPipeBinding.
    • If you need to support disconnected queued calls, use netMsmqBinding.
    • If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

    Configuration Management

    • Use Replay detection to protect against message replay attacks
    • If you host your service in a Windows service, expose a metadata exchange (mex) binding
    • If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
    • Manage bindings and endpoints in config not code
    • Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
    • Encrypt configuration sections that contain sensitive data

    Exception Management

    • Use structured exception handling
    • Do not divulge exception details to clients in production
    • Use a fault contract to return error information to clients
    • Use a global exception handler to catch unhandled exceptions

    Hosting

    • If you are hosting your service in a Windows Service, use a least privileged custom domain account
    • If you are hosting your service in IIS, use a least privileged service account
    • Use IIS to host your service unless you need to use a transport that IIS does not support

    Impersonation and Delegation

    • Know the impersonation options
    • If you have to flow the original caller, use constrained delegation
    • Consider LogonUser when you need to impersonate but you don’t have trusted delegation
    • Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
    • Use programmatic impersonation to impersonate based on business logic
    • When impersonating programmatically be sure to revert to original context
    • Only impersonate on operations that require it
    • Use OperationBehavior to impersonate declaratively

    Input/Data Validation

    • If you need to validate parameters, use parameter inspectors
    • If your service has operations that accept message or data contracts, use schemas to validate your messages
    • If you need to do schema validation, use message inspectors
    • Validate operation parameters for length, range, format and type
    • Validate parameter input on the server
    • Validate service responses on the client
    • Do not rely on client-side validation
    • Avoid user-supplied file name and path input
    • Do not echo untrusted input

    Proxy Considerations

    • Publish your metadata over HTTPS to protect your clients from proxy spoofing
    • If you turn off mutual authentication, be aware of service spoofing

    Deployment considerations

    • Do not use temporary certificates in production
    • If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
    • If you are using a custom service account and need to use trusted for delegation, create an SPN
    • If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
    • Use IIS to host your service unless you need to use a transport that IIS does not support
    • Use a least privileged account to run your WCF service
    • Protect sensitive data in your configuration files

    My Related Posts

  • J.D. Meier's Blog

    patterns & practices WCF Security Guidance: Updated Application Scenarios

    • 9 Comments

    For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios.  We added sections for analysis, code and configuration examples.  The analysis section explains the rationale behind some of the decisions. 

    The idea behind the application scenarios is to show you a before and after look of end-to-end solutions.  Rather than a single solution, we give you a set of solutions to pick from.  The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.

    WCF Security Application Scenarios
    Intranet

    Internet

    Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.) 

    My Related Posts

  • J.D. Meier's Blog

    Security Principles

    • 5 Comments

    If you know the underlying principles for security, you can be more effective in your security design.  While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles.  The challenge was to make the principles more useful.  It's one thing to know the principles, but another to turn it into action. 

    Turning Insights Into Action

    To make the principles more useful, we organized them using our Security Frame.  Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions.  With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc. 

    Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques.  For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input.  For constraining input, we focused on checking for length, range, format and type.  Using these strategies both shortened our learning curve and improved our results.

    Core Security Principles

    We started with a firm foundation of core security principles.  These influenced the rest of our security design principles.  Here's the core security principles we started with:

    • Adopt the principle of least privilege - Processes that run script or execute code should run under a least privileged account to limit the potential damage that can be done if the process is compromised
    • Use defense in depth.   Place check points within each of the layers and subsystems within your application. The check points are the gatekeepers that ensure that only authenticated and authorized users are able to access the next downstream layer.
    • Don't trust user input.  Applications should thoroughly validate all user input before performing operations with that input. The validation may include filtering out special characters.
    • Use secure defaults.   If your application demands features that force you to reduce or change default security settings, test the effects and understand the implications before making the change
    • Don't rely on security by obscurity.   Trying to hide secrets by using misleading variable names or storing them in odd file locations does not provide security. In a game of hide-and-seek, it's better to use platform features or proven techniques for securing your data.
    • Check at the gate.   Checking the client at the gate refers to authorizing the user at the first point of authentication (for example, within the Web application on the Web server), and determining which resources and operations (potentially provided by downstream services) the user should be allowed to access.
    • Assume external systems are insecure.  If you don't own it, don't assume security is taken care of for you.
    • Reduce Surface Area   Avoid exposing information that is not required. By doing so, you are potentially opening doors that can lead to additional vulnerabilities. Also, handle errors gracefully; don't expose any more information than is required when returning an error message to the end user.
    • Fail to a secure mode.   your application fails, make sure it does not leave sensitive data unprotected. Also, do not provide too much detail in error messages; meaning don't include details that could help an attacker exploit a vulnerability in your application. Write detailed error information to the Windows event log.
    • Security is a concern across all of your application layers and tiers.   Remember you are only as secure as your weakest link.
    • If you don't use it, disable it.   You can remove potential points of attack by disabling modules and components that your application does not require. For example, if your application doesn't use output caching, then you should disable the ASP.NET output cache module. If a future security vulnerability is found in the module, your application is not threatened.

    Frame for Organizing Security Design Principles

    Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:

    • Auditing and Logging
    • Authentication
    • Authorization
    • Configuration Management
    • Cryptography
    • Exception Management
    • Input / Data Validation
    • Sensitive Data
    • Session Management

    Auditing and Logging

    Here's our security design principles for auditing and logging:

    • Audit and log access across application tiers.   Audit and log access across the tiers of your application for non-repudiation. Use a combination of application-level logging and platform auditing features, such as Windows, IIS, and SQL Server auditing.
    • Consider identity flow.   You have two basic choices. You can flow the caller's identity at the operating system level or you can flow the caller's identity at the application level and use trusted identities to access back-end resources.
    • Log key events.   The types of events that should be logged include successful and failed logon attempts, modification of data, retrieval of data, network communications, and administrative functions such as the enabling or disabling of logging. Logs should include the time of the event, the location of the event including the machine name, the identity of the current user, the identity of the process initiating the event, and a detailed description of the event
    • Protect log files.   Protect log files using  access control lists and restrict access to the log files. This makes it more difficult for attackers to tamper with log files to cover their tracks. Minimize the number of individuals who can manipulate the log files. Authorize access only to highly trusted accounts such as administrators.
    • Back up and analyze log files regularly.   There's no point in logging activity if the log files are never analyzed. Log files should be removed from production servers on a regular basis. The frequency of removal is dependent upon your application's level of activity. Your design should consider the way that log files will be retrieved and moved to offline servers for analysis. Any additional protocols and ports opened on the Web server for this purpose must be securely locked down.

    Authentication

    Here's our security design principles for authentication:

    • Separate public and restricted areas.   A public area of your site can be accessed by any user anonymously. Restricted areas can be accessed only by specific individuals and the users must authenticate with the site.  By partitioning your site into public and restricted access areas, you can apply separate authentication and authorization rules across the site.
    • Use account lockout policies for end-user accounts.   Disable end-user accounts or write events to a log after a set number of failed logon attempts. With Forms authentication, these policies are the responsibility of the application and must be incorporated into the application design. Be careful that account lockout policies cannot be abused in denial of service attacks.
    • Support password expiration periods. Passwords should not be static and should be changed as part of routine password maintenance through password expiration periods. Consider providing this type of facility during application design.
    • Be able to disable accounts.  If the system is compromised, being able to deliberately invalidate credentials or disable accounts can prevent additional attacks.
    • Do not store passwords in user stores.  If you must verify passwords, it is not necessary to actually store the passwords. Instead, store a one way hash value and then re-compute the hash using the user-supplied passwords. To mitigate the threat of dictionary attacks against the user store, use strong passwords and incorporate a random salt value with the password.
    • Require strong passwords.   Do not make it easy for attackers to crack passwords. There are many guidelines available, but a general practice is to require a minimum of eight characters and a mixture of uppercase and lowercase characters, numbers, and special characters. Whether you are using the platform to enforce these for you, or you are developing your own validation, this step is necessary to counter brute-force attacks where an attacker tries to crack a password through systematic trial and error. Use regular expressions to help with strong password validation.
    • Do not send passwords over the wire in plaintext.   Plaintext passwords sent over a network are vulnerable to eavesdropping. To address this threat, secure the communication channel, for example, by using SSL to encrypt the traffic.
    • Protect authentication cookies.   A stolen authentication cookie is a stolen logon. Protect authentication tickets using encryption and secure communication channels. Also limit the time interval in which an authentication ticket remains valid, to counter the spoofing threat that can result from replay attacks, where an attacker captures the cookie and uses it to gain illicit access to your site. Reducing the cookie timeout does not prevent replay attacks but it does limit the amount of time the attacker has to access the site using the stolen cookie.

    Authorization

    Here's our security design principles for authorization:

    • Use multiple gatekeepers.   By combining multiple gatekeepers across layers and tiers, you can develop an effective authorization strategy.
    • Restrict user access to system-level resources.   System level resources include files, folders, registry keys, Active Directory objects, database objects, event logs, and so on. Use access control lists to restrict which users can access what resources and the types of operations that they can perform. Pay particular attention to anonymous Internet user accounts; lock these down on resources that explicitly deny access to anonymous users.
    • Consider authorization granularity.   There are three common authorization models, each with varying degrees of granularity and scalability: (1.) the impersonation model providing per end user authorization granularity, (2.) the trusted subsystem model uses the application's process identity for resource access, and (3.) the hybrid model uses multiple trusted service identities for downstream resource access. The most granular approach relies on impersonation. The impersonation model provides per end user authorization granularity.

    Configuration Management

    Here's our security design principles for configuration management:

    • Protect your administration interfaces.   It is important that configuration management functionality is accessible only by authorized operators and administrators. A key part is to enforce strong authentication over your administration interfaces, for example, by using certificates. If possible, limit or avoid the use of remote administration and require administrators to log on locally. If you need to support remote administration, use encrypted channels, for example, with SSL or VPN technology, because of the sensitive nature of the data passed over administrative interfaces.
    • Protect your configuration store. Text-based configuration files, the registry, and databases are common options for storing application configuration data. If possible, avoid using configuration files in the application's Web space to prevent possible server configuration vulnerabilities resulting in the download of configuration files. Whatever approach you use, secure access to the configuration store, for example, by using access control lists or database permissions. Also avoid storing plaintext secrets such as database connection strings or account credentials. Secure these items using encryption and then restrict access to the registry key, file, or table that contains the encrypted data.
    • Maintain separate administration privileges.   If the functionality supported by the features of your application's configuration management varies based on the role of the administrator, consider authorizing each role separately by using role-based authorization. For example, the person responsible for updating a site's static content should not necessarily be allowed to change a customer's credit limit.
    • Use least privileged process and service accounts.  An important aspect of your application's configuration is the process accounts used to run the Web server process and the service accounts used to access downstream resources and systems. Make sure these accounts are set up as least privileged. If an attacker manages to take control of a process, the process identity should have very restricted access to the file system and other system resources to limit the damage that can be done.

    Cryptography

    Here's our security design principles for cryptography:

    • Do not develop your own cryptography.   Cryptographic algorithms and routines are notoriously difficult to develop successfully. As a result, you should use the tried and tested cryptographic services provided by the platform.
    • Keep unencrypted data close to the algorithm.   When passing plaintext to an algorithm, do not obtain the data until you are ready to use it, and store it in as few variables as possible.
    • Use the correct algorithm and correct key size.   It is important to make sure you choose the right algorithm for the right job and to make sure you use a key size that provides a sufficient degree of security. Larger key sizes generally increase security. The following list summarizes the major algorithms together with the key sizes that each uses: Data Encryption Standard (DES) 64-bit key (8 bytes) , TripleDES 128-bit key or 192-bit key (16 or 24 bytes) , Rijndael 128–256 bit keys (16–32 bytes) , RSA 384–16,384 bit keys (48–2,048 bytes) .  For large data encryption, use the TripleDES symmetric encryption algorithm. For slower and stronger encryption of large data, use Rijndael. To encrypt data that is to be stored for short periods of time, you can consider using a faster but weaker algorithm such as DES. For digital signatures, use Rivest, Shamir, and Adleman (RSA) or Digital Signature Algorithm (DSA). For hashing, use the Secure Hash Algorithm (SHA)1.0. For keyed hashes, use the Hash-based Message Authentication Code (HMAC) SHA1.0.
    • Protect your encryption keys.   An encryption key is a secret number used as input to the encryption and decryption processes. For encrypted data to remain secure, the key must be protected. If an attacker compromises the decryption key, your encrypted data is no longer secure.  Avoid key management when you can, and when you do need to store encryption keys, cycle your keys periodically.

    Exception Management

    Here's our security design principles for exception management:

    • Do not leak information to the client.   In the event of a failure, do not expose information that could lead to information disclosure. For example, do not expose stack trace details that include function names and line numbers in the case of debug builds (which should not be used on production servers). Instead, return generic error messages to the client.
    • Log detailed error messages.   Send detailed error messages to the error log. Send minimal information to the consumer of your service or application, such as a generic error message and custom error log ID that can subsequently be mapped to detailed message in the event logs. Make sure that you do not log passwords or other sensitive data.
    • Catch exceptions.  Use structured exception handling and catch exception conditions. Doing so avoids leaving your application in an inconsistent state that may lead to information disclosure. It also helps protect your application from denial of service attacks. Decide how to propagate exceptions internally in your application and give special consideration to what occurs at the application boundary.

    Input / Data Validation

    Here's our security design principles for input and data validation:

    • Assume all input is malicious.  Input validation starts with a fundamental supposition that all input is malicious until proven otherwise. Whether input comes from a service, a file share, a user, or a database, validate your input if the source is outside your trust boundary.
    • Centralize your approach.  Make your input validation strategy a core element of your application design. Consider a centralized approach to validation, for example, by using common validation and filtering code in shared libraries. This ensures that validation rules are applied consistently. It also reduces development effort and helps with future maintenance.  In many cases, individual fields require specific validation, for example, with specifically developed regular expressions. However, you can frequently factor out common routines to validate regularly used fields such as e-mail addresses, titles, names, postal addresses including ZIP or postal codes, and so on.
    • Do not rely on client-side validation.   Server-side code should perform its own validation. What if an attacker bypasses your client, or shuts off your client-side script routines, for example, by disabling JavaScript? Use client-side validation to help reduce the number of round trips to the server but do not rely on it for security. This is an example of defense in depth.
    • Be careful with canonicalization issues.   Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.  You should generally try to avoid designing applications that accept input file names from the user to avoid canonicalization issues.
    • Constrain, reject, and sanitize your input.   The preferred approach to validating input is to constrain what you allow from the beginning. It is much easier to validate data for known valid types, patterns, and ranges than it is to validate data by looking for known bad characters. When you design your application, you know what your application expects. The range of valid data is generally a more finite set than potentially malicious input. However, for defense in depth you may also want to reject known bad input and then sanitize the input.
    • Encrypt sensitive cookie state.  Cookies may contain sensitive data such as session identifiers or data that is used as part of the server-side authorization process. To protect this type of data from unauthorized manipulation, use cryptography to encrypt the contents of the cookie.
    • Make sure that users do not bypass your checks.   Make sure that users do not bypass your checks by manipulating parameters. URL parameters can be manipulated by end users through the browser address text box. For example, the URL http://www.<YourSite>/<YourApp>/sessionId=10 has a value of 10 that can be changed to some random number to receive different output. Make sure that you check this in server-side code, not in client-side JavaScript, which can be disabled in the browser.
    • Validate all values sent from the client.   Restrict the fields that the user can enter and modify and validate all values coming from the client. If you have predefined values in your form fields, users can change them and post them back to receive different results. Permit only known good values wherever possible. For example, if the input field is for a state, only inputs matching a state postal code should be permitted.
    • Do not trust HTTP header information.   HTTP headers are sent at the start of HTTP requests and HTTP responses. Your Web application should make sure it does not base any security decision on information in the HTTP headers because it is easy for an attacker to manipulate the header. For example, the referrer field in the header contains the URL of the Web page from where the request originated. Do not make any security decisions based on the value of the referrer field, for example, to check whether the request originated from a page generated by the Web application, because the field is easily falsified.

    Sensitive Data

    Here's our security design principles for sensitive data:

    • Do not store secrets if you can avoid it.   Storing secrets in software in a completely secure fashion is not possible. An administrator, who has physical access to the server, can access the data. For example, it is not necessary to store a secret when all you need to do is verify whether a user knows the secret. In this case, you can store a hash value that represents the secret and compute the hash using the user-supplied value to verify whether the user knows the secret.
    • Do not store secrets in code.  Do not hard code secrets in code. Even if the source code is not exposed on the Web server, it is possible to extract string constants from compiled executable files. A configuration vulnerability may allow an attacker to retrieve the executable.
    • Do not store database connections, passwords, or keys in plaintext.   Avoid storing secrets such as database connection strings, passwords, and keys in plaintext. Use encryption and store encrypted strings.
    • Avoid storing secrets in the Local Security Authority (LSA).   Avoid the LSA because your application requires administration privileges to access it. This violates the core security principle of running with least privilege. Also, the LSA can store secrets in only a restricted number of slots. A better approach is to use DPAPI.
    • Use Data Protection API (DPAPI) for encrypting secrets.   To store secrets such as database connection strings or service account credentials, use DPAPI. The main advantage to using DPAPI is that the platform system manages the encryption/decryption key and it is not an issue for the application. The key is either tied to a Windows user account or to a specific computer, depending on flags passed to the DPAPI functions.   DPAPI is best suited for encrypting information that can be manually recreated when the master keys are lost, for example, because a damaged server requires an operating system re-install. Data that cannot be recovered because you do not know the plaintext value, for example, customer credit card details, require an alternate approach that uses traditional symmetric key-based cryptography such as the use of triple-DES.
    • Retrieve sensitive data on demand.   The preferred approach is to retrieve sensitive data on demand when it is needed instead of persisting or caching it in memory. For example, retrieve the encrypted secret when it is needed, decrypt it, use it, and then clear the memory (variable) used to hold the plaintext secret. If performance becomes an issue, consider caching along with potential security implications.
    • Encrypt the data or secure the communication channel.   If you are sending sensitive data over the network to the client, encrypt the data or secure the channel. A common practice is to use SSL between the client and Web server. Between servers, an increasingly common approach is to use IPSec. For securing sensitive data that flows through several intermediaries, for example, Web service Simple Object Access Protocol (SOAP) messages, use message level encryption.
    • Do not store sensitive data in persistent cookies.  Avoid storing sensitive data in persistent cookies. If you store plaintext data, the end user is able to see and modify the data. If you encrypt the data, key management can be a problem. For example, if the key used to encrypt the data in the cookie has expired and been recycled, the new key cannot decrypt the persistent cookie passed by the browser from the client.
    • Do not pass sensitive data using the HTTP-GET protocol.   You should avoid storing sensitive data using the HTTP-GET protocol because the protocol uses query strings to pass data. Sensitive data cannot be secured using query strings and query strings are often logged by the server

    Session Management

    Here's our security design principles for session management:

    • Use SSL to protect session authentication cookies.   Do not pass authentication cookies over HTTP connections. Set the secure cookie property within authentication cookies, which instructs browsers to send cookies back to the server only over HTTPS connections.
    • Encrypt the contents of the authentication cookies.   Encrypt the cookie contents even if you are using SSL. This prevents an attacker viewing or modifying the cookie if he manages to steal it through an XSS attack. In this event, the attacker could still use the cookie to access your application, but only while the cookie remains valid.
    • Limit session lifetime.   Reduce the lifetime of sessions to mitigate the risk of session hijacking and replay attacks. The shorter the session, the less time an attacker has to capture a session cookie and use it to access your application.
    • Protect session state from unauthorized access.   Consider how session state is to be stored. For optimum performance, you can store session state in the Web application's process address space. However, this approach has limited scalability and implications in Web farm scenarios, where requests from the same user cannot be guaranteed to be handled by the same server. You should secure the network link from the Web application to state store using IPSec or SSL to mitigate the risk of eavesdropping. Also consider how the Web application is to be authenticated by the state store. Use Windows authentication where possible to avoid passing plaintext authentication credentials across the network and to benefit from secure Windows account policies.

    Using the Security Design Principles

    This is simply a baseline set of principles so that you don't have to start from scratch.  You can build on this set and tailor for your specific context.  I find that while having a set of principles helps, that you can't stop there.  To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers.  Personally, I've found Wikis to be the most effective way to share and manage the information.

    Additional Resources

    My Related Posts

  • J.D. Meier's Blog

    Stephen Covey Speaks at Microsoft

    • 17 Comments

    Dr. Stephen Covey presented at Microsoft today.  It’s one thing to know the information; it’s another to experience the delivery live. 

    StephenCovey 

    This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house.  Here are some of my highlights from today’s session.

    The Lighthouse Story
    Covey opened with a story of Captain Horatio Hornblower.  As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move.  Horatio commands the other ship to move starboard, 20 degrees at once.  The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once.  Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battle ship.  The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.

    The take away from the story is, there are lighthouse principles.  You don’t break them.  You only break yourself against them.  Don’t break yourself against lighthouse principles.

    Values and Principles
    Covey distinguished values from principles:

    • Values drive behavior.
    • Principles drive the consequences of behavior.

    The key take aways are:

    • If you take the short cuts in life, you pay the price of confidence and trust.
    • Build your personal value system on principles.

    Personal Mission Statement
    Covey asked us whether we had personal mission statements?  Some folks raised their hands.  He then asked us how many have them written down.  A lot less kept their hands raised.  I kept my hand raised because I happen to have my personal mission statement written down.  My personal mission statement is, “To find the best way for any person to succeed in any situation.”    I tie this back at work, where I try to help customers be as effective as possible, building on the Microsoft platform.

    Family Mission Statement
    Covey then challenged the audience whether we had mission statements for our families?  That one made me think.  He then challenged, if you asked your loved ones, would they know it?  Now there’s a good test! 

    He challenged us to go home and ask, “What’s the purpose of our family?”  He warned us though, that our families will know that we’ve been seminar’ed!

    Write and Visualize to Imprint on Your Subconscious
    Covey reminded us that writing down your mission imprints it in the subconscious mind.  He added that visualizing also imprints on the sub-concsious mind. 

    The take away is that you should write and visualize your mission statements.

    Keys to a Mission Statement
    Covey put it succinctly that a good mission statement is:

    • Memorizable.
    • Short.
    • Follows the natural laws of principles.

    Why a Mission Statement
    Covey told us that the power of a mission statement is that it governs every other decision.

    Sean Covey
    Covey introduced his son, Sean Covey.  Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make.   When Covey introduced Sean, he also mentioned a 49th grand-child on the way.  49 … WOW!  That’s quite the impressive team.

    Point to True North
    Covey had us close our eyes and point to true North.  When we opened our eyes, it was obvious there was little consistency.  He said he gets similar results when he asks any department, group, or team – “what’s your purpose?”

    Urgent But Not Important
    Covey asked us how many struggle with work/life balance.  Many hands went up.  He then asked us what we think is the percentage of time we spend on things that are urgent, but not important. 

    He said people often report they feel they spend 50% of their time on urgent, but not important tasks.  Why is that?  Covey stated it’s because everybody defines purpose differently.

    Office Politics and Dysfunctional Activities
    Covey asked us how much time people spend in office politics.    By office politics, he meant, reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, … etc.  The data says that 75% of people claim they spend 25% of their time on these things.  25% say that 50% of their time is spent in dysfunctional activities.  Urgency replaces important activities.

    The key take away is that people feel they spend a lot of time on dysfunctional activities.

    Six Metastasizing Cancers (Victimism)
    Covey showed us a slide that listed what he called the Six Metastasizing Cancers:

    • Criticizing
    • Complaining
    • Comparing
    • Competing
    • Contending
    • Cynicism

    The take away here is that these are ineffective behaviors and you end up acting like a victim.

    Are You Utilized to Your Full Potential
    Covey asked us whether we can use our full talent and capacity in our organization.   He then asked us whether we feel the pressure to produce more for less.   The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.

    It’s Not Behavior, It’s Not Attitude … It’s a Bad Map
    Covey gave us a scenario where somebody gets a map of Seattle.  The problem is, the map maker made a mistake.  It’s not really a map of Seattle.  It’s a map of Oregon.  With this map, you can’t even make it out of the airport.  There isn’t one corresponding point.

    Trying harder isn’t the answer.  If you double your speed, now you’re lost twice as fast.  Thinking negatively isn’t the problem.  Covey said some people might try to use a PMA (Positive Mental Attitude.)  Well, that doesn’t help either.  Now you’re all psyched up, but really you are just happy and contented in a lost state.

    The take away here is that it’s not behavior and it’s not attitude.  It’s a bad map.

    Self-Educating
    Covey told us that we need to be self-educating.  School taught us how to learn, but we need to continue to learn.  He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.

    Industrial Age vs. Knowledge Worker Age
    Covey points out that 20 years ago, it was about goods and services.  Today, it’s about knowledge workers.

    - Industrial Age Knowledge Worker Age
    Overall Philosophy Kind Control Unleash Talent
    Leadership Position (Formal Authority) Choice (Moral Authority)
    Culture Boss Centered Complementary Team, Servant Leadership
    People Expense Asset
    Motivation External Internal (Inspiration)
    Management The Boss owns responsibility for results, therefore manages and motivates. The culture owns responsibility for results, therefore self manages.

     

    Expenses and Assets
    Covey asked us what we are called in spreadsheets.   He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets.  He said this is left-over from the industrial age.

    Finding Your Voice
    Covey asked how do you help people find their voice?  You ask them what are they good at?  What do they love doing?  What is your greatest unique contribution?

    The key is finding a voice that meets a human need.

    Inspiration Over Jackass Theory
    The Jackass Theory refers to the carrot and the stick.  Covey asked us what kind of supervisor do you need when you have a job that you are passionate about and is using your talents and you feel you are appreciated.

    People are volunteers.  You want them to contribute their greatest, unique contribution.

    Keys to Effective Large Team
    Covey outlined the keys for effective large teams::

    • Psychologically committed.
    • Accountable to the team / everybody.
    • Culture of results.

    One person may represent the group, but accountability is to the team versus the boss.  Accountability to the team versus an individual is a knowledge worker concept.

    How To Find the Win / Win Performance Agreement
    Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:

    1. Help them find their voice.
    2. Find out what individuals are good at and like doing and serves the needs of the business.

    When you have that, you have a win-win.  The key is to have a win/win performance agreement where it is mutually beneficial between the individual and the organization.  The individual should be able to use their full talent and passion (there voice.)

    Information is the Knowledge Worker's Disinfectant
    Covey mentioned that light is the greatest disinfectant in nature.  For the knowledge worker, it’s information.  For a knowledge worker to be effective in a team, they need information, they need the criteria for success and they need to be accountable to the group.

    The Whole Person
    According to Covey, the whole person includes four parts:

    • Body
    • Mind
    • Heart
    • Spirit

    Control-Paradigm to a Whole Person Paradigm
    Covey reminded us that today’s workforce is about directed autonomy.  You manage (things) that can’t choose.  You lead people.  People have the ability to choose.

    The key take aways are:

    • Today’s world is about breaking away from a control paradigm and shifting to one of directed autonomy.  
    • Help people find their voice.
    • You can’t buy the mind, body, heart, and spirit – they are volunteered. 
    • Use all four parts of your nature.  If you take one away, then you’re treating a person as a “thing” that you control and manage.

    Keeping Top Talent
    Covey told us about how Admirals in the Pacific were losing people to better paying jobs.  There was an exception.  Covey got to meet the group that kept their top talent.  The keys to a committed group included:

    • The culture was committed in hearts and minds.
    • The job was fulfilling and meaningful.

    Indian Talking Stick Communication
    Covey shared a technique for improving empathic listening.  It’s the Indian Talking Stick:

    • You give the stick to the other person first. 
    • You don’t get the stick back until the other person feels they are understood.
    • The purpose is not to agree, or disagree, but only to understand the speaker.

    You don’t need to use an Indian talking stick.  You can use any object.  The value of the object is that you don’t get it back until the other person feels understood.

    Industrial Age Concepts
    Throughout the session, Covey made reference to some "industrial age concepts":

    • People are an expense, tools and machines are assets.
    • Supervision is an industrial age concept.
    • One-on-one accountability to a boss.
    • Comparison systems for the basis of collaboration.

    Lighthouse Principles
    Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:

    • Cultivate an abundance mentality.
    • There are four parts to our nature: body, mind, heart, and spirit
    • The whole is greater than the parts
    • Develop integrity; avoid duplicity (Don’t say one thing, but do another and if you make a promise, keep it.)

    Continuum of Communication
    Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:

    1. Hostility
    2. Defensive Communication (Transaction)
    3. Respectful Communication (Transaction)
    4. Synergy, Third Alternative (Transformation)

    Empathic Listening is the No. 1 Communication Skill
    Covey stated that communication is the number one skill in life.  He went on to say that empathic listening is the number one communication skill.   Covey explained that empathic listening is listening within the other person’s frame of skills.   Listening empathically is listening with the other person’s frame of reference.  The key is to listen until the other person feels heard and understood. 

    Empathic Listening Over Telling and Selling
    A satisfied need, no longer motivates.  Covey used the example of air – it’s a satisfied need.  When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution, that’s mutually beneficial.  You are no longer telling and selling.

    Our Experience is the Lens We Use to Interpret Life
    Covey showed the audience three pictures.   One half of the audience looked at the first picture.  Next, the other half of the audience looked at the second picture.  Then the full audience looked at a third slide which was a composite of the first two slides.  Depending on which of the pictures you saw first, influenced what you saw in this third picture.

    The key take away here was that what you saw was influenced by your experience and that rather that impose your view, first understand the other person’s perspective – there’s a good chance, you’re both right! (This is a good case where the Indian Talking Stick could come in handy.)

    Resolving Conflict By Finding the Third Alternative
    Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world.  Here’s the key steps:

    1. Put up the two points.
    2. Ask the question, “would you be willing to search for a solution that would be better than what either of us has proposed?”

    The key here is to listen to the other person first and listen empathically.  The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood.)

    Listening to Loved Ones
    One of the audience members asked for advice on counseling a loved one.  Covey responded with the following solution:

    1. Start by saying, “Honey, I have not spent the time to listen to you, all I’ve done is tell you and evaluate.”
    2. Listen in depth; restate to their satisfaction. (Empathic listening)
    3. After they feel understood, you ask, “Have I listened to you?  Are you willing to listen to me, as I have listened to you?”
    4. Find a 3rd alternative.

    The key here that Covey mentioned is that most people will not pay the price of listening empathically.

    7 Habits of Highly Effective People
    Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.

    1. Be proactive.
    2. Begin with the end in mind.
    3. Put first things first.
    4. Think win-win.
    5. Seek first to understand, then to be understood.
    6. Synergize.
    7. Sharpen the saw.

    Habits 1,2,and 3 are the foundation for private victories and integrity.  Habits 4, 5, and 6 are the keys to public victories.

    Peace of Conscience Over Peace of Mind
    Covey made a distinction between peace of mind and peace of conscience.  He explained that integrity is more than honesty.  Integrity means that if you make a promise, you keep it.  If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience.  You have peace of conscience by avoiding duplicity.

    Loyalty to the Absent
    Covey made his point very simply – only talk about people as if they are there.  You can be critical, but speak as if they were there in front of you.  Don’t bad mouth them behind their back and then sweet talk them to their face.  This is a lack of integrity and creates deep duplicity inside you.  This inhibits your ability to have peace of conscience.

    Use I Messages Over You Messages
    Meet with the people you have a problem with directly.  Practice the following:

    1. Let me listen to you first.
    2. Use “I” messages vs. “you” messages.  I messages are “It’s my perception,” “in my experience,” … etc.  You messages are “you are …”

    Genuine Happiness
    Covey said the key to genuine happiness is to develop integrity.  The key to developing integrity is the first three habits (your Private Victories):

    1. Be proactive
    2. Begin with the end in mind
    3. Put first things first.

    Greek Philosophy of Influence
    Covey shared the three parts of the Greek philosophy of influence:

    1. Ethos – credibility, model trust.
    2. Pathos – restate the point of view.  (Seek first to understand …)
    3. Logos – Make your presentation. (… Then to be understood.)

    You Are the Creative Force of Your Life
    Covey challenged us to be a creative force:
    1.     Get out of victimism – You’re not a victim of your circumstances.
    2.    You are the creative force of your life.

    Empathize first.  Grow your circle of influence.  Make tremendous impact.

    The Most Important Thing You’ll Ever Do
    Covey closed with a powerful message we could take away:

    The most important thing you’ll ever do is in the four walls of your own home.

    My Favorite Part of the Session
    While I enjoyed the entire session, my favorite part was getting to meet Dr. Covey.  I shook his hand, I thanked him for helping people find their voice and he signed my post it note (sadly, I didn’t think to bring my Covey books, and all I had was my post it notes.)

    Key Actions
    After the session, I met with Srinath.  We learned a lot so we tried to turn our insights into a small set of key actions.  Here’s what we came up with:
    1. Develop personal / family mission statements and help others to do the same.
    2. Develop empathic listening and help others to do the same.
    3. Find our voices and help others find theirs. 

    Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.

    More Information

  • J.D. Meier's Blog

    patterns and practices WCF Security Application Scenarios

    • 7 Comments

    We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project.   Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios.  Each application scenario includes a before and after look at working solutions.  While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch.  It's a catalog of applications scenarios that you can look through and potentially find your match.

    Intranet
    Common Intranet patterns:

    Internet
    Common Internet patterns:

    One Size Does Not Fit All
    We know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario.  It's like a visual menu at a restaurant.  The goal is to find a good fit against your parameters versus a perfect fit.  It gives you a baseline to start from.  They effectively let you preview solutions, before embarking on your journey.

    How We Make Application Scenarios
    First, we start by gathering all the deployment scenarios we can find from customers with working solutions.  We use our field, product support, product teams, subject matter experts, and customers.  We also check with our internal line of business application solutions.  While there's a lot of variations, we look for the common denominators.  There's only so many ways to physically deploy servers, so we start there.  We group potential solutions by big buckets. 

    In order to make the solutions meaningful, we pick a focus.  For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication.  These decisions span the layers and tiers.  We also pay attention to factors that influence your decisions.  For example, your role stores and user stores are a big factor.  The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.

    Next, we create prototypes and we test the end-to-end scenarios in our lab.  We do a lot of whiteboarding during this stage for candidate solutions.  This is where we spend the bulk of our time, testing paths, finding surprises, and making things work.  It's one thing to know what's supposed to work; it's another to make it work in practice. 

    From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context.  We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts. 

  • J.D. Meier's Blog

    patterns and practices WCF Security Guidance Now Available

    • 20 Comments

    Our patterns & practices WCF Security Guidance Project is in progress on CodePlex.  This is our first release of prescriptive guidance modules for WCF Security. 

    How Tos
    Our How Tos give you step by step instructions for performing key tasks:

    Videos
    Our videos step you visually through key guidance:

    About WCF
    Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services.  It unifies the programming models for ASMX, Enterprise services and .NET Remoting.  It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ.  WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards.  With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting.   For more information, see the MSDN WCF Developer Center.

    About the Project
    WCF provides a lot of options and flexibility.  The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly.  At a high-level, you can think of the project in terms of these main buckets:

    • Application Scenarios - These are whiteboard solutions for common end-to-end application scenarios.
    • How Tos - These are step-by-step instructions for performing key end-to-end tasks.
    • Building Codes - These are our sets of rules and practices.  This includes Guidelines, Checklists, and Practices at a Glance.
    • Reference - This includes Explained, Cheat Sheets, and Q&A guidance.

    The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.

  • J.D. Meier's Blog

    Tests for Success

    • 1 Comments

    How do you identify the bull's-eye among your stakeholders?  Nothing's worse than finishing a project and missing the mark you didn't know was there. At patterns & practices, one of our effective project practices is to use "tests for success" to help avoid this scenario.

    What are Tests for Success
    "Tests for success" are the prioritized success criteria that the stakeholder's agree to.  It's basically a set of test cases, that if the project passes, the project is perceived as a success.  They help clarify outcomes and priorities.

    Example Tests for Success
    Here's an example of "tests for success" from one of my projects:

    • Single multi-dimensional information model?
    • Single unified perspective of the product model?
    • Single unified perspective of the content model?
    • Backlog is mapped to the information model?
    • Capability to do comparative analysis and produce “Consumer reports” view of the catalog and the proposed work? (e.g. What’s customer demand? ... What’s our coverage?)

    Stakeholders for the project created and prioritized this list, with prompts from the project team.  This exercise helped clarify a lot of ambiguity as well as do a level set for the team.

    How Can You Use This
    Whether it's a personal project or a project at work, you can create your own tests for success.   I think a small list of the vital few works better than a laundry list.  Phrasing the tests as one-liner questions makes them easy to create and use.  Here's some prompts to trigger your own tests for success:

    • How will the world be a different place when the project is done?
    • How will we know we did a good job?
    • What's the most valuable outcomes for the project?
    • In order for the project to be successful, we need to .... ?

    When you're in the thick of things, you'll appreciate having a small set of criteria to go back to and help keep you and everyone involved on track.

  • J.D. Meier's Blog

    Turning Chickens into Pigs

    • 3 Comments

    Have you ever been on a project where key stakeholders don't have skin in the game, but they have a controlling vote?  This is a bad situation.  It's like multiple backseat drivers, except they won't be there if the car crashes.  What's the solution?  You turn chickens into pigs!

    The Chicken and the Pig
    You may have heard the story about the chicken and the pig.  The chicken says to the pig, "We should should start a restaurant."  The pig asks, "What would we serve?"  The chicken responds, "Bacon and eggs!"  The pig says, "No thanks!"

    The point in the story is the pig's "committed" while the chicken's "involved."

    The Solution
    Recognizing the situation is more than half the battle.  When you've identified that chickens have controlling votes over pigs, your options include:

    • Avoid the situation where chickens are controlling the votes for pigs.
    • Make sure the chickens don't have controlling votes and make it explicit.
    • Turn the chickens into pigs.  You need to move them from involved to committed.  Have them take commitments or dependencies (skin in the game and committed to your success.)
  • J.D. Meier's Blog

    How To Differentiate

    • 1 Comments

    How can you differentiate what you do?  This can be particularly difficult in problem spaces that seem over-crowded.  It helps if you have a frame.  One of my mentors gave me a useful lens for differentiating that helps solve this problem.

    Problem, Approach, or Implementation
    You can differentiate based on problem, approach or implementation:

    • Problem - What problem do you address?
    • Approach - What strategy do you use to solve the problem?
    • Implementation - How do you implement your solution?

    If you differentiate at the problem you solve, it's good to be able to call that out.   If you solve the same problem, but use a different approach, unless it produces a big difference in results, it's probably not worth it.  If you differ only by implementation and the experience or results aren't valued by the customer, again, it's probably not worth it.

    Using the Frame for Differentiation
    First identify whether you differentiate at the problem, approach, or implementation.   Next, determine whether the level at which you're differentiating is worth it.  For example, consider safety among automobile makers.  Volvo's approach to safety stands out.  They work the same problem but differentiate by approach.

    By having clarity around where you differentiate, it's easier to communicate your deltas in a meaningful way to others.

    Example
    At Microsoft, when I tackle a problem that's been "solved" before, I use the frame as a lens to quickly find the useful differentiation.  For example, doing security reviews wasn't a new problem.  However, changing the approach by using inspections and building a set of reusable criteria from a team of experts changed the game.  By using criteria based on principles and patterns, and then organizing the criteria within a frame of actionable categories produced exponential results for all of our customers that adopted the approach.  Old problem, new approach, great results.

  • J.D. Meier's Blog

    Life Frame

    • 3 Comments

    What is your life frame?  What are the key buckets in your life that you need to balance across?  If you have a frame, you can balance your life through thick and through thin.  If you have a life frame, you can more thoughtfully allocate your time and energy for maximum results.  More importantly, when things aren't going well, you have a tool to help you spot where you are not investing enough.

    Life Frame
    This is a baseline of your personal portfolio of your most important assets:

    • Mind
    • Body
    • Emotions
    • Career
    • Financial
    • Relationships
    • Adventure

    Note - if those buckets don't work for you, change them.  It's a starter set.

    I've been sharing this life frame with those I coach, and some colleagues and they've found it helpful, so now I'm sharing it more broadly.  It's a great starting point when you're not getting what you want out of life.

    Spread Your Energy and Time Across Your Buckets
    Spread your energy and time across them.  If your current investment's not working, turn up the dial on some.  If your stuck in one area, then try turning up another.  For example, if you're not getting the results you want at work, then crank up your relationships dial.  Remember that with this portfolio, the sum is more than the parts.   It's the net effect.

    What Can Happen When You Don't Use the Frame
    When I first got to Microsoft years ago, I didn't have this frame.  Sure I knew about these areas of my life, but I didn't have the mental model of a portfolio.  Instead, all I knew was that I would throw all my energy and hours at my career bucket.  To put that in perspective, 80, 90, 100+ hours a week.  The problem is I consistently got rated highly and produced results.  But at what cost?  Well, if you spend 100+ hours in one bucket, guess how much energy you're spending in others?   Granted some buckets overlap, but I'm talking about when you really shine the spotlight on them.

    Improve Your Approach Over Spend More Time
    Time is a limited resources.  So is your energy.  Interestingly, while working on performance modeling, the light bulb went off.  If I carve out a minimum for some buckets and a maximum for others, it would be a forcing function.  What's the maximum I would throw at my career bucket?  60? 50? 40?   Timeboxing my career bucket forced me to identify the real value of all my work and to heavily prioritize.  It also forced me to find the most effective principles, patterns and practices for project management, personal productivity, running high-performance teams, ... etc.   Which is better ... more time at the problem? ... or better techniques, more value, and a sustainable pace?  

    Set Boundaries (Minimums and Maximums)
    The real lesson is that if you don't first set your boundaries, then you never really have a way to prioritize.  For example, if you allocate fifty hours to your career bucket weekly, now you know how much to bite off at a time.  Otherwise, you'll just work until everything's done, but there's always something more to do.  Priorities, focus, and value are your friends.

    As another example, I now continuously invest in my relationships bucket.  For example, each week I have lunch with an old friend, and lunch with someone new.  At Microsoft, and in life, it's what you know and who you know.

    How To Use This
    To get started, just put these categories on your whiteboard or a pad of paper.  Take a look across your portfolio and figure out your current investments in time and energy.  Look at your results.  How well are you balancing?  If you're on track, great.  If not, try increasing your investment is some areas and lowering another.   The goal is to improve the quality of your life.  If you want to really put some focus in an area, try a 30 Day Improvement Sprint.

    My Related Posts

  • J.D. Meier's Blog

    Success is When the Response Meets the Challenge

    • 3 Comments

    I know success means a lot of things to a lot of people.  My favorite definition is "success is when the response meets the challenge."

  • J.D. Meier's Blog

    Adapt, Adjust, or Avoid

    • 2 Comments

    How do you make the most of any situation?  Figure out whether you need to adapt, adjust or avoid.

    Adapting to the Situation
    Adapting to the situation, means changing yourself for the situation.  While flexibility is good, you need to be careful.  You can trade your less effective behaviors, but don't adapt to the situation in a way that takes away your strengths.  You'd be better off finding a situation where you can play to your strengths.  

    Adjusting the Situation
    Adjusting the situation, means changing the situation to suit you.  Sometimes this is the best option, particularly if you can set it up to play to your strength.  For example, when you take on a project, can you get the right people on board that compliment your ability?

    Avoiding the Situation
    Sometimes this is the best path.  Learn to spot the situations where you don't do well.   This is my caution.  Because I turn any situation into a learning opportunity or challenge, I need to know when it's low ROI.  Life's too short to spend energy in low ROI situations.

    Self-Awareness is the Key
    If you know your personal strengths and passions, this is your key to success.  You avoid adapting to situations that take away your strengths.  You learn to setup situations in a way that you succeed.  You learn the situations that you should avoid.

    Additional Resources

  • J.D. Meier's Blog

    Win the Heart, the Mind Follows

    • 5 Comments

    How do you get the people on your side or inspire a vision or change the world?  First win the heart.  I'm blogging on this because it's a lesson I've learned that shows up in so many ways, time and again.  I see it in thought leaders.  I see it in people leaders.  I see it in everyday, conversational exchange.  This is one of those ah-ha's that when it sinks in, you find opportunities to apply it every day to improve your effectiveness.

    Connecting at the Heart vs. Connecting at the Intellect
    If you connect at the heart, the mind follows. Interestingly,if you connect at the intellect, you may not necessarily get the heart to follow. 

    Go For the Heart
    If you have great ideas, but people aren't on board, chances are you've been ignoring the heart.  Change your approach.  One way to invoke the heart is to address core values: loyalty, commitment and contribution, individual worth and dignity, and integrity.

    Example
    One of my former leaders is known for inspiring people.  For example, whenever I would tell him about a project, he would first ask me how I was going to change the world and who the dream team would be to make it happen? 

    While he couldn't always get me the dream team, he first focused on a compelling vision and that was inspirational.  Where the heart goes, the mind follows.  In fact, in many cases I was able to get the dream team, because of the emotional commitment to make it happen.  Inspired visions trump purely intellectual ones.

    Posts with Pictures
    While studying effective blogging practices, I noticed a success pattern.  The pattern is to start your post with a picture.  Ironically, I fought this pattern because the engineer in me wants efficient, effective value in text.  So do a lot of engineers.  However, many don't. 

    Choosing the right picture can cause your readers to have an emotional reaction to your information, and draw them into your post.  If you don't believe me, take a look at Alik's post Glue Audience To Your Presentation With ZoomIt.  Tell me that picture doesn't get you curious?  While your picture should be relevant, it should also cause your readers to feel something, and have a reaction.  An extreme anti-pattern is to use pictures to trick readers into your posts.

    It Works On You
    If you know this, you can inspire yourself.  Rather than smart talk yourself into something, try winning over your heart first.  How can you get leverage on yourself?  What inspires you?  Win your heart and your mind will follow. 

    Additional Resources

  • J.D. Meier's Blog

    How To Choose an Effective Blog Template or Theme

    • 7 Comments

    How do you pick the right theme for your blog?  The challenge is that it's not a linear decision and it requires satisficing to balance content,  function, and design ("look and feel").  As part of my research on effective blogging, I've been analyzing themes.  I’ve literally evaluated more than 2,000 themes and heavily modified more than 20.  I see a lot of patterns now.  I've decided to share my lessons learned, since they might save you considerable time.

    Summary of Lessons Learned
    Here's a summary of my key lessons learned:

    • Know your purpose.  You need to know what your optimizing for.  This shapes all the rest of your decisions, so if you know this, it helps.  For me, my portfolio of blogs will be online personal knowledge bases to share my learnings.  For me, that means putting a premium on organizing, browsing, searching, and sharing posts.
    • Start with a two column theme.  If you don't know where to start, start with a two-column template for your blog.  Three column templates have more moving parts and are trickier to create a clean reading experience.
    • Your content drives your theme choice.  Will you use images?  How long is your content going to be?  What types of posts will you have?  Will they vary?  Test the variations because this can have a big impact in the look and feel in your theme.  Your posts are the wood behind the arrow.  While your theme is the initial impact, your posts should be very readable and scannable.  Test the readability of your posts for different scenarios (skimming, in depth, long, short ... etc.)
    • Test how you'll use images.  Some of the themes I tested completely changed simply by adding images in the banner or in the posts.  The two main patterns are whether to use pictures in your banner or pictures in your posts.  The benefit of the picture per post approach is that your feed readers will get them.  If you use pictures in both your banner and your posts, it's tougher to help your users know where to focus.  Using a good picture at the front of your post, helps draw your reader in, particularly if they are scanning and sick of text.
    • Test key scenarios.  This includes users reading your feed, commenting, scanning your posts, reading your posts in detail, searching your blog, and browsing your blog (using your tags and categories.)
    • Choose simplicity over complexity.  You can evaluate the complexity by walking your key scenarios.  Do your eyes know where to focus when you first pull up your blog?  How tough is it to find a particular post? ... etc.
    • Trust your gut.  If something doesn't feel right, it probably isn't.  You just might not be able to put your finger on it, so ask others who might know.  Sometimes intuitively recognizing a problem is more effective than trying to logic your way through it.
    • If it's not working, change it.  As tough as it is to let things go, it's important to cut the deadwood or change things that don't work.  Experimenting opens new doors.  Some days after a long customization session it was really tough to drop the theme entirely, but I stayed focused on making my focus group happy.  That helped me keep going and continuously throw out what didn't work and carry forward lessons learned.
    • Ask your users.   While I had built up my own internal references of what good looks like, using a personal sounding board was invaluable.  I really enjoyed the surprises the most.  They forced me to challenge my thinking and test new ideas.
    • Know you can't make everybody happy.   This was really tough in the beginning.  I couldn't believe how I couldn't get any critical mass down any particular path.   What changed was I found the common denominators and patterns.  Once I chose themes that shared these patterns, then it was easier to spiral down on agreement.
    • Beware if you have to modify a template too much.  If you have to modify a template too much, something might be off.   While you can dramatically reshape a template to your liking, I think the base theme is a reflection of the designer's style and expertise.  If you find that your changing a lot of the theme, at some point you might be adjusting the theme too much and working against the theme.  In some themes, it starts to become obvious whether the designer knows SEO very well or knows how to bullet-proof their layouts or is good with overall look and feel, including typography.  That's why I paid a lot of attention to live examples and user comments to see what sorts of changes people were making, and whether they were just personal style or represented real structural or significant changes.  Spotting the patterns saved me lots of time, once I knew what I was looking for.
    • Leverage the Internet Explorer Development Toolbar.  The Internet Explorer Development Toolbar is your friend.  I couldn't have analyzed as many themes as I did without it.   The ability to quickly point at themes and reverse engineer them was invaluable.  For Firefox users, you can try FireBug, but I haven't tried it myself.  The key is to find a tool that helps you analyze the CSS HTMl, and JavasScript.

    Vital Factors in Your Blog Theme
    It's the sum of the parts that creates your overall blog theme impact.  Part of the problem that cost me so much time is I didn't know what to look for at first.  I had to go through hundreds of themes before I started to see patterns that made some themes more effective than others.  The other thing that cost me so much time is that it's a combination of factors over any one thing.  The overall look and feel is the sum of the parts.  Here's what I found to be key factors in overall look and feel:

    • 2 Column vs. 3 Column Templates.  This is a good macro-level decision because it helps divide your theme choices.  While there's exceptions, my readers told me that in general they prefer two columns over three.  They said it's a cleaner reading area, easier to know where to focus and it's simple to scroll the full page and see posts/pages on the left and the navigation/ads on the right.  If you go with a three column theme then there's a few issues.  Overall, try to find a theme where the column for posts is around two-thirds of the page and the two sidebars add up to around one-third.  In general, for three columns, my users preferred a column on the left and a column on the right with posts in the middle, versus two columns on the right.      
    • Color Patterns.  Colors and color combinations have a big impact on your blog's look and feel.  This includes your background, banner, text and links.  Your best judge is how you and your user's feel when they see the color combinations.  They may not to explain the reaction, but they'll feel something.  One of the guys on my team knows some science behind colors so he helped me better understand different reactions.  You can check Crayola's America's 50 Favorite Colors and Kuler helps you explore, create and share color themes
    • Font combinations for titles, body, and sidebar.  According to my users fonts and typography matters a lot.  This includes font size, family and colors.  This ones tough and can vary a great deal.  You need to evaluate both Initial impact and readability over time.  Again, unless you're a designer, you'll need to compare your gut reaction to different examples and test with your users.  For the main post text, What I did find was that, in general, my users preferred a white or off-white background, with dark gray font (versus black) and Verdana font.  They also prefer the post titles to clearly stand out, at least in size and style (for example Trebuchet or Ariel.)
    • Post readability.  Width is a big factor.  My users told me that when the post column is too wide, scanning is more difficult, and that when it's too narrow, they have to scroll too much.  Overall, they expect the post column to be two-thirds of the template width.  Once the width is right, then the next issue is the          
    • Effective sidebar design.   It seems like the features my user's cared about the most on the sidebars were: subscribe to RSS, search, categories, tags, recent posts and recent comments.   There was a definite preference for search and subscribe to RSS to be at the top.   
    • User experience patterns for searching/browsing.    If you have a large collection of posts this is particularly important, and pretty easy to test.  If you know your posts, you should first test how quickly you can browse and search for specific posts.  Then test the theme with your users.  They won't have the same inside information you do, so this could be very revealing how well the patterns are working.   I think the biggest factor here is using a "Read More" feature and showing just the first part of your posts when browsing categories or in search results.  The longer your posts are, the more important this becomes.
    • Effective use of images.  Choosing images for banners and posts made a dramatic difference in how my focus group responded to some themes.       
    • Effective banner design.  This can make or break the initial impact of your theme. 
    • Comment support.  Some themes host user comments better than others.  It really helps when you find a live example with many comments.  That way you can see how well it scales while maintaining readability. 
    • Effective use of whitespace.   My users pretty consistently commented on how effective whitespace really made some themes seem cleaner than others.  I think the biggest factor here was spacing between blog sections and elements.
    • Links.  My users told me they prefer links that are easy to spot versus get lost in the text, but that don't steal the show.  They also told me they prefer underlined links in posts, but don't underline in the sidebar (for example, categories, tag cloud, recent posts, ... etc.)
    • Search Engine Optimization (SEO).   I did notice that some themes seem optimized for SEO more than others.  While my user's didn't notice this, search engines will.  I think the main thing to pay attention across templates is how they use the title, description and header tags.  You can tailor how your results will show up in search results.  For categories, you should use permanent links.  This improves your URLs for the search engine using more meaningful words.  You should put your posts in only one category to avoid duplicate content from the search engine view.  You should also only show parts of each post when browsing categories, to also avoid duplicate content (as well as make it easier for a human to quickly scan all your posts in a category.)  See The Blogger's Guide to Search Engine Optimization - by Aaron & Giovanna Wall and Search Engine Optimization for Blogs - SEO.

    Key Blog Features
    Here's a quick list of the features that my focus group seemed to care about the most:

    • Title  and purpose.   The test is - do your user's quickly know which category in their RSS reader to put your blog in?
    • About page.  Your about page can quickly help clarify the promise of your blog and setting expectations.  See Skellie on How to Write the Perfect ‘About’ Page (by Numbers).
    • Categories.   Categories help your user's browse your catalog of posts in terms of key themes, as well as help clarify what your blog is really about.  It's another visual cue.
    • Search your blog.  Even if you don't have a bunch of posts, users tend to rely on search.  Once you have a bunch of posts, your search is vital.  It's like a chicken and egg scenario though.  If your search is tough to find, user's wont use it much.  If it's easy to find and convenient, they'll use it more.  Because there's so many ways to customize your search feature, the most important thing is to make it obvious that it is a search feature (and not a subscription form) and that it is scoped to your blog.
    • Tag Cloud.  Tag clouds are  nice way to provide a topical browsing experience for your blog.  There's two types -- internal and external.  Internal tags (Wordpress 2.3 has built in support) help you slice up your body of posts in a more fine-grained way.  External tags, such as Technorati tags, help showcase your posts in those social circles.  For more information, see my post, Tags vs. Categories.
    • Recent Comments and Recent Posts.  Using Recent Posts and Recent Comments is an effective way to improve your user's experience and help user's discover your other posts, as well as show signs of life.
    • Browse your posts.  Your user's will browse your posts either by categories, tag clouds, searches, or related posts.  Another entry point is Recent Comments and Recent Posts.  Another approach is to create pages that organize your posts in alternate ways.
    • Subscribe by RSS.  If a user likes your blog, it should be easy for them to subscribe.  Most blog themes I experimented with either exposed RSS in the right place, or it was easy to add.
    • Subscribe by email.   None of the templates that I experimented with exposed this by default, so it can be easy to forget about.  Some of my users pointed this out, so I tested adding subscribe by email.  
    • Comments.  One thing that my user's pointed out to me was how they like when they can scan posts and quickly see the comment information beneath the post titles, rather than at the end of the posts.  A few users pointed this out so this seems to be a common preference.  I noticed some themes did a better job than others of showcasing the comments for each post.  The key decisions are whether to show links above the post or at the end of the post, along with what font and color.  Once you're actually looking at the comments, the quick scan test will tell you how readable the comments are.  Actually add some comments yourself so you can find any surprises.

    How I Did My Research
    My research was pretty basic, but time consuming and challenging, particularly because there's a lot of variables and not much prescriptive guidance that I found actionable.   Here's what I did:

    • Searched for patterns.   I could recognize when a template looked and felt good, but I couldn't reliably figure out why.  To fix this, I filled my head with as many patterns as I could by evaluating hundreds of blogs, then evaluating thousands of templates and then by spiraling down around the vital few variables (once I figured out what they were.)
    • Set up multiple test beds.  I setup multiple test sites for testing with users.  Each test bed was a full blown blog with theme, so that I could do fast comparisons between theme A and theme B. 
    • Tested with Wordpress.  I've done testing before with Community Server and Blogger, so this time I focused on Wordpress.
    • Evaluated free templates.  I explored multiple, free template galleries to build a foundation for recognizing effective blog theme patterns.  I tried to find templates that were actively used, so I could see live implementations.
    • Evaluated templates you buy.   I ended up buying various blog theme packages so I could explore them too, to see if I could find any clear quality differentiations.
    • Modeled from effective blogs and bloggers.  I evaluated the top 100 bogs in Technorati.  I also explored lots of blog examples that my friends sent during my research.
    • Created a focus group.   I selected a subset of my users that were able to provide multiple rounds of in-depth feedback.  This helped tons and I can't thank them enough!
    • Used the Internet Explorer Development Toolbar.   The toolbar helped me quickly analyze various blog themes on live sites and then tweak my own. See Alik on using the IE Development Toolbar.

    Key Galleries I Explored
    I explored several galleries, but here's a few of the key ones:

    Key Themes I Tested
    While I tested a lot of themes, her's a few key ones that stood out:

    • Deep Blue.  Here's a live demo of Deep Blue.  I found it very clean and functional.  Some of my users liked it too for the same reasons, but I didn't get critical mass with it.
    • Easy Wordpress.   Who is Jon Ray is a good live example.  I like the theme and I like what Jon's done.  I think the theme really optimizes both browsing and reading content, and pictures work really well.  Even though it's a three column template, it's well organized.  The majority of my focus group preferred this theme.  One user thought the post column is too wide, but they read using a feed reader, so it's not a show stopper.  The majority of my focus group really liked the width and balance of the theme across the columns, and it would scale over time.
    • Grid FocusWrite To Done, Skelliewag.org, Anywired, and Six Revisions are really good live examples.  I was very partial to this theme, particularly because it has a similar look and feel to my Guidance Share Wiki (particularly after I added baby blue bullets instead of the default dark bullets.)  However, my users told me to choose otherwise. This surprised me.  I imagined I was going to be using Grid Focus.  I still think it's a great theme, but my user feedback says it's not the right one at this time for me.   
    • NeoclassicalOpen Education and Schaefer's Blog. This theme had universal appeal across my users particularly at first glance.  In fact, for a while, I thought this would be my theme of choice.  However, after more analysis, user's eventually told me the post column was too narrow, the typography was tough for extended use, and that browsability across a large body of posts might not be as effective as they would like.  The key thing I learned from Neoclassical was that images are important.
    • MistyLook with Two Sidebars. Cheap DJ Systems and Gluten Free Cooking School are live examples of the two sidebar version, and here's a live demo of MistyLook with one sidebar.   This theme is very clean and very easy to customize.  I really like the pattern of a prominent image in the banner with clean, readable posts.  The sidebars are compact too which really helps for navigation.  While most of my focus group liked the theme, they didn't like it enough to make it the final choice.   One of my focus group members really liked this particular theme, enough that it made it tough during final eliminations.
    • My April ReloadedMe, Myself, and I and Market Associates.com are good live examples.  This theme really is spectacular.  Posts are incredibly readable and scannable.  Depending on how you structure the layout, you can make it very, very clean.  There's plenty of room in the third column to fit full post titles without scrunching.  My focus group really liked this theme, but ultimately prioritized Easy Wordpress.
    • StudioPress and GreenTech.  I found these themes very clean and functional.  However, I didn't get enough critical mass to spend a lot of time investing in them.

    How I'll Use This 
    This has definitely shaped my perspective on blog themes.   It's night and day from when I first evaluated themes.  Knowing what to look for helps me test and experiment faster.  I now have a more systematic way of figuring out why some blog themes work and why some don't.  I'll be helping some colleagues with their blog themes and I'll be using what I learned as I launch new blogs.

    Additional Resources

    My Related Posts

  • J.D. Meier's Blog

    Tags vs. Categories

    • 5 Comments

    What's the difference between tags vs. categories in your blog?  A lot.  Knowing the difference between tags and categories can help you better structure your blog for browsing and SEO.  Personally, I hadn't noticed the issue before because I only have tags on my MSDN blog.  As part of my research on effective blogging practices, I hit the issue.  Now that I've experimented with a few blogging platforms, the difference between tags and categories is more obvious.  For example, WordPress 2.3 supports tags in addition to categories.

    Categories, Internal Tags and External Tags

    • Categories. Categories are your high-level buckets.  You should be able to chunk up your blog by a small, mutually exclusive set of categories.  Imagine a user trying to browse the broad themes of your blog.  Categories can also become part of your URL.
    • Internal tags.  Internal tags are for finer-grained slicing and dicing and hopping across your categories.
    • External tags.  External tags, such as Technorati and del.icio.us are for showing your conent in the relevant topics and niches at Technorati and del.icio.us.

    Tag Clouds
    I think the big benefit of tags is creating browsable tag clouds where you can discover related content.  Whereas categories are just one topic, you can use tags to find related content.  For example, you might browse a "security" tag and then browse a "performance" tag to find the intersection of content tagged both "security" and "performance".

    Notes from Lorell
    In Categories versus Tags - What’s the Difference and Which One?, Lorelle makes the following points:

    • "Categories help visitors find related information on your site. Tags help visitors find related information on your site and on other sites."
    • "Categories generate a page of posts on your site. Tags can, too, but often generate a page of off-site posts on an off-site website".
    • "Tagging gives you topical search capabilities for your site that are a middle ground between categories and all-out search, but it shouldn’t replace categories entirely."
    • "Should tags replace categories? Absolutely not."
    • "I use categories as broad groups of posts and tags as micro-groups of posts, helping narrow down the interest."
    • "Tags shouldn’t replace categories, but they can help the user and search engines and directories find and catalog related information on your site."

    Notes from Problogger
    In Using Categories and Tags Effectively on Your Blog, Michael Martin makes the following points:

    • "The number of categories should be small."
    • "Each post goes into one category."
    • "Use the same tags over and over again."
    • "The tag cloud is easy to scan."

    The End in Mind
    In the ideal scenario, to use tags and categories more effectively (assuming your blogging platform supports it), you would have the following in place:

    • A small set of categories for browsing the key themes of your site and for helping SEO (by having relevant category names in the full URL.)
    • A nice tag cloud that helps users browser your site more like a topical search -- using words that your users would know and be looking for.
    • Posts tagged with Technorati and del.icio.us tags that match the most relevant niches.

    Turning It Into Action

    • Use categories to divide your blog into a small set of mutually exclusive buckets.
    • Use internal tags for slicing your content in more granular ways and to create tag clouds for your users.
    • Tag your posts with external tags for Technorati and del.icio.us to reach the relevant social circles.

    Additional Resources

    My Related Posts

  • J.D. Meier's Blog

    patterns and practices Complete Catalog

    • 5 Comments

    What's the full patterns & practices catalog?  I created a quick index of the patterns & practices catalog since I've needed to hunt down a few things.  I figured this might be useful to share.

    Views

    Blocks

    Enterprise Library

    Factories

    Guides

    Patterns

    Tools

  • J.D. Meier's Blog

    Patterns and Practices for Visual Studio Team System

    • 4 Comments

    I thought it might be helpful to walk through a deliverable so you can see my current approach for building prescriptive guidance in patterns & practices.

    Stage 1: Knowledge Base
    We start by building the knowledge base:

    In this stage, we do a lot of solution engineering.  This includes framing out the problem space using Scenario Frames.  After all, you can't fix a problem if you don't know what it is, and you don't know when you're done, if you don't know what good looks like.  It also includes creating repros for problems and solutions.  I think of this as Test-Driven Guidance. 

    At this stage, we create what I call "guidance modules."   These are focused nuggets.  At a high-level, we factor reference from action.  Our key types include guidelines, checklist, how-tos, and practices.  I think Weinberg's term, the Fieldstone Method, applies to what we do.  

    We also publish our modules to Guidance Explorer at this point so you can build your own guide on the fly.

    Stage 2: The Guide
    At this stage, we build the guide.

    The guide helps put the story together.  The guide is divided into roughly two parts.  The first part is a series of fast-paced chapters that paint the broad strokes and highlight key concepts.  The second part is the hard-core reference section.  This gives us a combination of top-down and bottom up.

    We share the guide in HTML and PDF.  This ways it's easy to share URLs and play in the community, or download and read the guide offline.

    Stage 3: MSDN
    At this stage, we port the guidance to MSDN:

    Stage 4: Amazon
    At this stage, we partner with Microsoft Press and we bake the printed book:

    Team Guidance
    One of the things you'll notice about the guides is the breadth of participation.  I'm a fan of integrating customer perspective, product perspective, field perspective, and expert perspective.  I think the best way is to involve key folks that represent those perspective.  Here's an example of the contributors and reviewers for the TFS guide.   For a more extreme example, see the team behind our Threats and Countermeasures Security Guide.

    Measuring Success
    At the end of the day, I measure success of the guides based on how well they improve your effectiveness.  I think our best guides improve your confidence and competence.  As much as I'd like you to enjoy reading the guides, I assume you're reading the guides to get your job done.  That's why they are dense with insight and action.

    Why Guides?
    Not everybody is a fan of the guides.  Personally, I see them as a way to share expertise.  You don't get the benefit of working alongside all the product team members, the field, our various customers, subject matter experts, ... etc.  That's what the guide is for.  It's a way to consolidate and share the expertise.  While they won't solve your every problem, you don't have to start from scratch.  I think the best guides help you bootstrap your success and avoid reinventing wheels.  Why go it alone, when you can stand on the shoulders of giants and learn from what works?

    Related Guides

    Key tips -- if you want to become a security and performance expert, learn the principles, patterns and practices for security and performance from Improving .NET Application Performance and Scalability and Improving Web Application Security.

    My Related Posts

  • J.D. Meier's Blog

    Lessons Learned from the Most Successful Innovators

    • 4 Comments

    What practices can we learn from the leaders in innovation?  How can you improve the success of your R&D efforts?  In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the key practices that the most successful innovators use.

    About the Study
    In the study, Booz Allen Hamilton set out to find which companies have been getting R&D spending right, and then to identify common attributes.  They analyzed the data for the Global Innovation 1000 using seven performance screens: sales growth, gross margin percentage, gross profit growth, operating margin percentage, operating income growth, total shareholder returns, and market capitalization growth.   They analyzed the following industries: Aerospace & Defense, Auto, Chemicals & Energy, Computing & Electronics, Consumer, Health, Industrials, Other, Software & Internet, Technology, and Telecom.

    Lessons Learned
    Jaruzelski, Dehoff, and Bordia identify some of the key practices for successful innovation:

    • Deep pockets can be dry wells.  Money simply cannot buy effective innovation.  There's no significant statistical relationships between R&D spending and the primary measures of financial or corporate success.  Gross Margin is the single measure for which a relationship between R&D expenditures and corporate performance can be statistically demonstrated.  The 500 companies  that have the highest rates of R&D spending as a percentage of sales are more likely than other companies in their industries to achieve superior gross margins.  
    • Less than 10 percent of companies are high-leverage innovators.  Only 94 of the companies in the Global Innovation 1000 produced significantly better performance per R&D dollar over a sustained period.
    • Companies are getting better at squeezing benefits from R&D spending.  Spending rose, but revenues rose more.
    • Bigger can be better, even if it doesn't boost break-throughs.  Scale provides advantages to R&D spenders.  For the largest 500 companies, ranked by revenue and indexed by industry, median R&D spending was only 3.5 percent of sales in 2005, compared with 7.6 percent for the 500 smallest firms.
    • Patents generally don't drive profits.  Boosting spending can increase the number of patents that a company controls, but there is no statistical relationship between the number of patents that a company controls, but there's no statistical relationship between the number or even the quality of patents and overall financial performance.  Very few patents are truly significant -- just as only a handful of books become bestsellers.
    • Master of the innovation chain have an edge.  The typical problems are good ideas get stuck in developmental bottlenecks and promising innovations never get to market because of flawed understanding of customer's needs, and poor marketing and investment planning.  The high-leverage innovators and the companies with best overall performance distinguish themselves not by the money they spend, but by the capabilities they demonstrate in ideation, project selection, development, or commercialization. 

    There's No Silver Bullet
    Jaruzelski, Dehoff, and Bordia dispell the idea that there's a silver bullet:

    "How did they do it?  There's no silver bullet; we found examples of many different models and approaches.  If these high achievers have one thing in common, it seems to be a focus on building multifunctional, company-wide capabilities that can provide them with sustainable competitive advantage.  They design their innovation investment for the long run, and create superior growth and profitability over time."

    Innovation in the Nonprofit Sector
    Jaruzelski, Dehoff, and Bordia shine a spotlight on St. Jude Children's Research Hospital as both a success story and to compare and contrast with corporations.  Here's a rundown of the key points:

    • Many nonprofits spend significant amounts on R&D, and although the metrics they use to measure performance are different from those of corporations, the challenges their leaders face in maximizing the benefits of innovation investments are often similar.
    • St. Jude Children's Research Hospital is widely recognized as an innovation leader in catastrophic pediatric diseases such as leukemia.  It's overall cure rate is 70% up from 20% in the 1960's and it's current goal is to raise the rate to more than 90%.
      Innovation in St. Jude is intimately linked to delivery of service.
    • Strategic decisions  on R&D are made by St. Jude's executive team and are based on an assessment of where the hospital can be most productive.
      "I think we can do things that other places can't do because of our focused mission." - Scientific Director James Downing
    • At the ideation phase, researchers are given wide latitude.  "In this business, the worst thing you can do is try to direct basic science and discovery, because you really don't know where the advances are going to come from." - William E. Evans, CEO
    • St. Jude is also an innovator in breaking down silo mentalities.  Conscious effort is made to cultivate people in cross-disciplinary collaboration.  The hospital has been designed so that employees in different disciplines -- researchers, clinicians, pharmacologists, nurses, and geneticists -- all work interactively and in close proximity.
    • One result is that St. Jude is recognized for its skill at translating medical research into effective treatment.
    • The bottom line for a nonprofit research hospital is different from that of a corporation.  Instead of gross margin, net profit, and shareholder returns, St. Jude tracks such results as the decrease in mortality rates for specific diseases, the reduction in harmful side effects of treatments, and the number of times that studies by St. Jude researchers are cited in other research.
    • "The most important thing we do every day is to provide unsurpassed care for kids who come here.  The most important thing we do for tomorrow is our research, which will change that treatment to something better.  Innovation, in and of itself, is the ultimate product of this organization." - William E. Evans, CEO

    My Related Posts

  • J.D. Meier's Blog

    Innovation Life Cycle

    • 4 Comments

    What are the key stages in the innovation life cycle?  What is the end-to-end value chain for bringing innovation to market? In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the four key stages of innovation that the 94 high-leverage innovators have in common.

    Four Stages of Innovation
    According to Jaruzelski, Dehoff, and Bordia, the four key stages of innovation are:

    • Ideation - Basic research and conception.
    • Project Selection - The decision to invest.
    • Product Development - Building the product or service.
    • Commercialization - Bringing the product or service to market and adapting it to customer demands.

    High-Leverage Innovators
    Jaruzelski, Dehoff, and Borida write:

    "Based on press coverage and interviews with executives, we conclude that each of the 94 high-leverage innovators has built sufficiently strong capabilities in all four links of the value chain, and has seamlessly integrated them, to provide a high level of performance over time."

    Key Take Aways
    Here's my key take aways:

    • Use the frame to analyze improvement opportunities.  I found this frame helpful for thinking about the end-to-end cycle for innovation.  After all, what good are ideas if you can't bring them to market.  A lot of ideas get stuck in the ideation stage. 
    • Walk your innovation cycle.  By walking your end-to-end system for bringing your ideas to end-users, you can find ways to reduce friction or find places to build synergies.  
    • Optimize your system over a stage.  Debottlenecking your end-to-end system is more effective than optimizing just a single stage.

    My Related Posts

  • J.D. Meier's Blog

    High-Leverage Strategies for Innovation

    • 6 Comments

    What are the high-leverage strategies that the leaders in innovation use?  In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the successful strategies that the 94 high-leverage innovators use.

    Example High-Leverage Strategies
    Here's a sampling of the high leverage strategies:

    • Have systematic ideation processes, including involving senior management in the conception and definition of new ideas.
    • Have competence at all stages of your value chain.
    • Involve end-users in your innovation strategy.  Spend a lot of time focusing on  where they work, where they play, where they buy, and where they learn.  This helps to increase your efficiency of your new product introductions.
    • Favor flatter and nimbler management structures that make the innovation process more transparent to your executive team.
    • Keep R&D costs down by keeping R&D focused and closely aligned with your business units.  This allows you to target your R&D efforts to meet specific customer needs versus doing a great deal of early-stage, academic research.
    • Keep an internal innovation engine running efficiently through a core engineering team that designs and developers a variety of product lines (this helps provide common engineering and design as well as actual code reuse.)
    • Place greater value on economies of speed, scope and skill rather than simply economies of scale.
    • Look outside your organization for partners, suppliers and customers for new and innovative ideas.
    • Build capabilities along the innovation value chain to generate significant improvements in return on your research and development spending.
    • Pick the elements to generate a competitive advantage based on your industry, competition and internal capabilities.
  • J.D. Meier's Blog

    Top 100 Blogs in Technorati

    • 5 Comments

    I created a snapshot of the top 100 blogs according to Technorati.   I'll be starting with these blogs to identify patterns and practices for effective blogging.   I'll be analyzing blog design, user experience patterns, key features, content, style, frequency, information management, community interaction, impact ... etc.   I think there's a lot of lessons to be learned.

    Top 100 Blogs
    This is the list I see in Technorati as of 02/23/2008.

Page 33 of 44 (1,089 items) «3132333435»