Software Engineering, Project Management, and Effectiveness
I like to learn from everyone around me. One of my most influential mentors has been my manager, Per. Here’s a highlight of some of the lessons I learned from Per over the years:
Periodically I like to revisit our project life cycle in patterns & practices. I like to see how it's shape-shifted over the years. (Note - our project life cycle wraps our product cycle)
patterns & practices Project Life Cycle Circa 2005
Here's a snapshot of our patterns & practices project life cycle circa 2005:
I used this as a baseline to reflect against. Here are the phases, stages, and milestones:
Phases
Projects cycled through the following phases:
Milestones
The milestones included:
Three Things That Worked Well
Here's three things that worked well with the original project cycle:
Additionally, the key milestones such as Vision Scope and MO were something of a ceremony and tended to include the right representation across the p&p team.
Three Things That Needed Improvement
Here's three things that needed improvement:
When people ask me my take on model-driven approaches, I think of two ends of the spectrum -- human and the machine.
Model-Driven Code
I've never experienced an effective modeling approach that turns visuals of systems into code, where the model doesn't get in the way. At some point, the model stops being useful for humans or stops being useful to the machine. As a result, I've never really been a fan of model-driven approaches that are coupled to code in practice, although they're always interesting in theory. While I'm open to the idea, I just haven't seen it. Am I missing out?
Effective Modeling for Shaping Software
While I'm not a fan of most visual modeling tools, there’s some very real modeling approaches I find to be effective (which is more about modeling for the humans to understand what matters.) I find that light-weight, human-oriented models are particularly effective for shaping software around quality attributes. For example:
When I ramp new folks on the team, I find it helpful to whiteboard how I build prescriptive guidance. Here's a rough picture of the process:
Examples
I've used the same process for Performance Testing Guidance, Team Development with Visual Studio Team Foundation Server, and WCF Security.
Here's a brief explanation of what happens along the way:
Design
The dominant focus here is identifying candidate problems, candidate solutions, and figuring out key risks, as well as testing paths to explore. The best outcome is a set of scenarios we can execute against.
Execution
The dominant focus here is product results. It's scenario-driven. Each week we pick scenarios to execute against.
Release
We produce a Knowledge Base (KB) of guidance modules and a guide. The guidance modules are modular and can be reused. The guide includes chapters in addition to the guidance modules. Here's examples from our WCF Security Guide:
Agile Publishing
We release our guidance modules along the way to test reactions, get feedback and reshape the approach as needed.
Stable Reference
Once we've tested and vetted the guidance and have made it through a few rounds of customer feedback, we push the guidance to MSDN.
I'm testing another version of the home page on Software Guidance Share. Software Guidance Share is a perpetual work in progress. I think of it as my quick-and-dirty guidance KB for developers and solution architects. I continuously refactor information into reusable nuggets. I also test ways to browse the guidance and find relationships among the nuggets.
Here's a couple of example scenarios:
I haven't fleshed out some of the areas, but the Wiki gives me a lot of flexibility and it's easy to course-correct. In other words, it's more adaptable than adapted.
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, role stores, and who needs to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers successfully design their authentication and authorization approaches.
Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.
Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
Resource Types
When you think through the resource types, I find it helpful to think in terms of:
Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:
Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.
Our guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is now available in HTML.
Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.
Download the guide
Contents at a Glance
Contributors and Reviewers
The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.
Web Services Security Frame
Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop -- in other words, you can shape it to your own purposes.) You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot on which we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures.)
Threats / Attacks Organized By the Web Services Security Frame
Vulnerabilities Organized by the Web Services Security Frame
Countermeasures Organized by the Web Services Security Frame
Thanks
Special thanks to Rudy Araujo and ACE Team members, Richard Lewis and John Steer for their contribution toward helping shape a better frame.
If you're building Web services or if you're implementing SOA on the Microsoft platform, then you're probably either working with or exploring WCF (Windows Communication Foundation.) When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team. This helped us quickly ramp up as well as see gaps. One thing that surprised me is how much is available in the product documentation, if you know where to look. Here's a preliminary look at our WCF Security resources index which we'll include in our WCF Security Guide:
Documentation (MSDN Product Documentation)
Threats and Countermeasures
patterns & practices
Product Support Services (PSS)
MSDN Support WebCasts
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance. Practices At a Glance gives you a bird's-eye view of how to perform common tasks. They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs. Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)
Categories
Here's how we grouped our WCF Security Practices at a Glance so far:
Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.
Auditing and Logging
Ken Blanchard spoke at Microsoft last week. He's all about empowering people, growing people, and helping everybody get an A. This post is my notes from the session.
Catch People Doing Something Right, Accentuate the Positive
I'm putting this right up front because Ken said if there was only one thing he could be remembered for, he would want it to be:
"Catch People Doing Something Right, Accentuate the Positive."
Random Highlights
Here's a sampling of some of the one-liners and insights from the session:
Philanthropy is the News Around the World
Ken travels the world and the big news he kept hearing about was the philanthropy. Specifically, the news was focused on Bill Gates and Warren Buffett. The fact that Buffett trusts the Bill & Melinda Gates Foundation to help the world sends a powerful message.
4 Keys to Lead at a Higher Level
Ken framed out 4 keys to lead at a higher level:
Decide, Discover and Deliver
To treat your customers right, Ken provided a decide, discover, deliver approach:
Turn the Pyramid Upside Down
Turn the pyramid upside down. Have your team bring their brains to work vs. kiss up the hierarchy. Don't have them be ducks (who just quack excuses why they can't do this or can't do that.) Empower them to be eagles who soar above the crowd.
A Fortunate 500 List According to Ken Blanchard
Ken suggested the idea of a Fortunate 500 list. A Fortunate 500 Company would have a triple bottom line and be a good citizen in the community.
Customers, Business, Employees (The Triple Bottom Line)
The triple bottom line includes:
Ken remarked that profit is the applause you get for taking care of customers and being a motivating place to work.
Organizational Vitality, Employee Passion, Customer Devotion
Ken outlined the keys to organizational vitality:
From Self-Leadership to Organizational Leadership
The journey of an effective leader starts with self-leadership (who are you) and progresses to organizational leadership:
Ken noted that one of his favorite mantras is -- none of us is as smart as all of us.
3 Skills of Situational Leader
Ken identified 3 skills of a situational leader:
The 4 D's (Development Level)
The four development levels vary by competence and motivation. If you can identify which development level somebody is in, you can use the right leadership style:
4 Leadership Styles
The four leadership styles range from directing to delegating:
Your leadership style varies by how you need to teach skills and provide motivation. You match your leadership style based on the development level.
More Supporting, Less Delegating
Ken noted that the most common style in tech is delegating (telling folks what to do), but that it only works if you have self-reliant achievers. He said that in lots of situations where somebody fails, it's because the leader didn't spend enough time supporting. For example, somebody might be great at sales, but poor at administration and could use more support.
Don't Be a Seagull
Ken described the seagull type manager:
Yuck! Don't be a seagull.
How to Manage Effectively
Ken gave us a recipe for managing effectively:
Leadership vs. Management
When a colleague asked Ken about his thoughts on the difference between leadership and management, he said he doesn't get involved in the debate. He doesn't think management should play 2nd fiddle.
Don't Rank Employees on a Bell Curve
Ken made a few key points against ranking employees on a bell curve:
Help Everybody Get A's
Ken's recipe for results is:
Share Them With Your Competition
What happens if you help people get A's but they don't get A's:
From Self-Serving Leaders to Servant Leadership
Ken gave us three ways that somebody moves from a self-serving leader to servant-leadership:
Basically it's life-changing events or by following an example.
Egos Anonymous
There's two ends of the spectrum with ego issues:
The problem with ego issues is that the world spins around you. Ken said the key is to put the focus somewhere else. When you put the focus on something else, the fear goes away.
Ken told us about "Egos Anonymous" meetings. He said at the meetings, people introduce themselves with "I'm an ego maniac, the last time my ego got in the way ..."
The irony is, everybody wants to go last to be more clever, funnier -- and that's an ego thing.
Bigger Emphasis on Results or Developing People?
Ken pointed out that it's not an either/or; it's a both/and. The keys are:
The Secret of Great Leaders
Ken told us the secret of great leaders:
You're Learning or Dying
Ken told us we're learning or dying:
SERVE - What Great Leaders Know and Do
Ken explained that SERVE is what great leaders know and do:
Leadership is Love
Ken told us leadership is love:
How To Implement the Program
Ken said he's seen remarkable impact when organizations apply the knowledge. He said there's three keys:
Wrap Up
At the end of the talk, I met Ken and he signed my copy of The 3 Keys to Empowerment. What surprised me the most was how down to earth and engaged in the moment he was. I thanked him for teaching people situational leadership. I asked him where the II part came from in Situational Leadership II and he told me the story of the split. I told him it would be great to be able to read stories like that in his blog, if he had one.
3 Actions
As a habit, I challenge myself to turn what I learn into three things I can apply. There's always more I can do, but I start with three. Here they are:
If you need to make an important decision, the following can help:
For example, when I was giving input on hiring our PUM, I identified the following criteria:
I then assigned a weighting. For example:
I rated the candidate against each criterion and then multiplied by the weighting. This gave me a quick frame to compare different candidates as well as have more meaningful dialogues with others. The actual numbers were less important than testing and clarifying criteria.
We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.
WCF Security How Tos
Each month I pick a focus or a theme for my improvement sprint. I find it's easier to start and stop a new sprint each month, rather than start in the middle of a month and try to remember when to stop. I also like the fact that each month is a fresh start. Cycling through a new improvement sprint each month gives me 12 sprints I can allocate to whatever I want or need to focus on. This keeps me learning and growing throughout the year in a simple, but systematic way. Each month I can do another sprint on the same topic or pick a new area to explore. Periodically, I try to inject an improvement sprint that focuses on something physical. For example, last year I did a living foods improvement sprint and in another sprint I worked up to roller-blading 15+ miles a day.
Here's the improvement sprints I've done so far this year:
Sometimes I'll do more than one sprint for a month, but in general I try to stick with one theme. The power of the sprint is the focus. It's easier for me to stay focused when I remind myself I can switch focus each month.
What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.
To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.
Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.
The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.
Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.
Categories
Our WCF Security guidelines are organized using the following buckets:
Impersonation and Delegation
For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.
The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.
WCF Security Application Scenarios Intranet
Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.)
If you know the underlying principles for security, you can be more effective in your security design. While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles. The challenge was to make the principles more useful. It's one thing to know the principles, but another to turn them into action.
Turning Insights Into Action
To make the principles more useful, we organized them using our Security Frame. Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions. With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc.
Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques. For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input. For constraining input, we focused on checking for length, range, format and type. Using these strategies both shortened our learning curve and improved our results.
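The constrain, reject, and sanitize approach described above, sketched in C# as an added example (not code from the guide or from patterns & practices). The OrderInput class, its three fields, and the length and range limits are assumptions made for illustration:

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration: class name, fields and limits are assumptions.
public static class OrderInput
{
    // Format: allow-list pattern anchored with \A and \z. Unlike $, \z does
    // not match before a trailing newline. The timeout bounds regex work.
    private static readonly Regex UserNameFormat = new Regex(
        @"\A[A-Za-z][A-Za-z0-9_.-]*\z",
        RegexOptions.CultureInvariant,
        TimeSpan.FromMilliseconds(100));

    private const int UserNameMinLength = 3;
    private const int UserNameMaxLength = 32;
    private const int QuantityMin = 1;
    private const int QuantityMax = 500;
    private const int CommentMaxLength = 200;

    // Constrain by length first (cheap), then by format.
    public static bool TryGetUserName(string raw, out string userName)
    {
        userName = string.Empty;
        if (raw == null) return false;
        if (raw.Length < UserNameMinLength || raw.Length > UserNameMaxLength) return false;
        try
        {
            if (!UserNameFormat.IsMatch(raw)) return false;
        }
        catch (RegexMatchTimeoutException)
        {
            return false; // fail closed if matching takes too long
        }
        userName = raw;
        return true;
    }

    // Constrain by type (digits only: no sign, whitespace or separators),
    // then by range. Overflowing values fail the parse.
    public static bool TryGetQuantity(string raw, out int quantity)
    {
        quantity = 0;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out int parsed))
            return false;
        if (parsed < QuantityMin || parsed > QuantityMax) return false;
        quantity = parsed;
        return true;
    }

    // Free text cannot be held to a strict format, so: constrain the length,
    // reject control characters, then sanitize by HTML-encoding for output.
    public static bool TryGetComment(string raw, out string htmlSafe)
    {
        htmlSafe = string.Empty;
        if (raw == null || raw.Length > CommentMaxLength) return false;
        foreach (char c in raw)
        {
            if (char.IsControl(c) && c != '\n' && c != '\r' && c != '\t') return false;
        }
        htmlSafe = WebUtility.HtmlEncode(raw);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample submissions: { userName, quantity, comment }.
        string[][] samples =
        {
            new[] { "alice_01", "3", "Leave at <front> desk" }, // accepted, comment encoded
            new[] { "al", "3", "ok" },                          // user name too short
            new[] { "alice\n", "3", "ok" },                     // newline fails the format check
            new[] { "alice_01", "+3", "ok" },                   // sign is not a digit
            new[] { "alice_01", "9999", "ok" },                 // out of range
            new[] { "alice_01", "3", "bad\u0000byte" }          // control character
        };

        foreach (string[] s in samples)
        {
            // Non-short-circuit & so every field is validated and assigned.
            bool ok = OrderInput.TryGetUserName(s[0], out string user)
                    & OrderInput.TryGetQuantity(s[1], out int qty)
                    & OrderInput.TryGetComment(s[2], out string comment);
            Console.WriteLine(ok
                ? $"ACCEPT user={user} qty={qty} comment={comment}"
                : "REJECT");
        }
    }
}
```

Each validator returns false rather than trying to repair the value, so a caller can only proceed with input that passed every constraint.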
Core Security Principles
We started with a firm foundation of core security principles. These influenced the rest of our security design principles. Here's the core security principles we started with:
Frame for Organizing Security Design Principles
Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:
Auditing and Logging
Here's our security design principles for auditing and logging:
Here's our security design principles for authentication:
Here's our security design principles for authorization:
Here's our security design principles for configuration management:
Here's our security design principles for cryptography:
Here's our security design principles for exception management:
Input / Data Validation
Here's our security design principles for input and data validation:
Here's our security design principles for sensitive data:
Here's our security design principles for session management:
Using the Security Design Principles
This is simply a baseline set of principles so that you don't have to start from scratch. You can build on this set and tailor for your specific context. I find that while having a set of principles helps, you can't stop there. To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers. Personally, I've found Wikis to be the most effective way to share and manage the information.
Dr. Stephen Covey presented at Microsoft today. It’s one thing to know the information; it’s another to experience the delivery live.
This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house. Here are some of my highlights from today’s session.
The Lighthouse Story
Covey opened with a story of Captain Horatio Hornblower. As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move. Horatio commands the other ship to move starboard, 20 degrees at once. The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once. Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battle ship. The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.
The take away from the story is, there are lighthouse principles. You don’t break them. You only break yourself against them. Don’t break yourself against lighthouse principles.
Values and Principles
Covey distinguished values from principles:
The key take aways are:
Personal Mission Statement
Covey asked us whether we had personal mission statements. Some folks raised their hands. He then asked us how many have them written down. A lot fewer kept their hands raised. I kept my hand raised because I happen to have my personal mission statement written down. My personal mission statement is, “To find the best way for any person to succeed in any situation.” I tie this back at work, where I try to help customers be as effective as possible, building on the Microsoft platform.
Family Mission Statement
Covey then challenged the audience on whether we had mission statements for our families. That one made me think. He then challenged, if you asked your loved ones, would they know it? Now there’s a good test!
He challenged us to go home and ask, “What’s the purpose of our family?” He warned us though, that our families will know that we’ve been seminar’ed!
Write and Visualize to Imprint on Your Subconscious
Covey reminded us that writing down your mission imprints it in the subconscious mind. He added that visualizing also imprints on the subconscious mind.
The take away is that you should write and visualize your mission statements.
Keys to a Mission Statement
Covey put it succinctly that a good mission statement is:
Why a Mission Statement
Covey told us that the power of a mission statement is that it governs every other decision.
Sean Covey
Covey introduced his son, Sean Covey. Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make. When Covey introduced Sean, he also mentioned a 49th grand-child on the way. 49 … WOW! That’s quite the impressive team.
Point to True North
Covey had us close our eyes and point to true North. When we opened our eyes, it was obvious there was little consistency. He said he gets similar results when he asks any department, group, or team – “what’s your purpose?”
Urgent But Not Important
Covey asked us how many struggle with work/life balance. Many hands went up. He then asked us what we think is the percentage of time we spend on things that are urgent, but not important.
He said people often report they feel they spend 50% of their time on urgent, but not important tasks. Why is that? Covey stated it’s because everybody defines purpose differently.
Office Politics and Dysfunctional Activities
Covey asked us how much time people spend in office politics. By office politics, he meant, reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, … etc. The data says that 75% of people claim they spend 25% of their time on these things. 25% say that 50% of their time is spent in dysfunctional activities. Urgency replaces important activities.
The key take away is that people feel they spend a lot of time on dysfunctional activities.
Six Metastasizing Cancers (Victimism)
Covey showed us a slide that listed what he called the Six Metastasizing Cancers:
The take away here is that these are ineffective behaviors and you end up acting like a victim.
Are You Utilized to Your Full Potential
Covey asked us whether we can use our full talent and capacity in our organization. He then asked us whether we feel the pressure to produce more for less. The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.
It’s Not Behavior, It’s Not Attitude … It’s a Bad Map
Covey gave us a scenario where somebody gets a map of Seattle. The problem is, the map maker made a mistake. It’s not really a map of Seattle. It’s a map of Oregon. With this map, you can’t even make it out of the airport. There isn’t one corresponding point.
Trying harder isn’t the answer. If you double your speed, now you’re lost twice as fast. Thinking negatively isn’t the problem. Covey said some people might try to use a PMA (Positive Mental Attitude.) Well, that doesn’t help either. Now you’re all psyched up, but really you are just happy and contented in a lost state.
The take away here is that it’s not behavior and it’s not attitude. It’s a bad map.
Self-Educating
Covey told us that we need to be self-educating. School taught us how to learn, but we need to continue to learn. He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.
Industrial Age vs. Knowledge Worker Age
Covey points out that 20 years ago, it was about goods and services. Today, it’s about knowledge workers.
Expenses and Assets
Covey asked us what we are called in spreadsheets. He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets. He said this is left-over from the industrial age.
Finding Your Voice
Covey asked how do you help people find their voice? You ask them what are they good at? What do they love doing? What is your greatest unique contribution?
The key is finding a voice that meets a human need.
Inspiration Over Jackass Theory
The Jackass Theory refers to the carrot and the stick. Covey asked us what kind of supervisor do you need when you have a job that you are passionate about and is using your talents and you feel you are appreciated.
People are volunteers. You want them to contribute their greatest, unique contribution.
Keys to Effective Large Team
Covey outlined the keys for effective large teams:
One person may represent the group, but accountability is to the team versus the boss. Accountability to the team versus an individual is a knowledge worker concept.
How To Find the Win / Win Performance Agreement
Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:
When you have that, you have a win-win. The key is to have a win/win performance agreement where it is mutually beneficial between the individual and the organization. The individual should be able to use their full talent and passion (their voice.)
Information is the Knowledge Worker's Disinfectant
Covey mentioned that light is the greatest disinfectant in nature. For the knowledge worker, it’s information. For a knowledge worker to be effective in a team, they need information, they need the criteria for success and they need to be accountable to the group.
The Whole Person
According to Covey, the whole person includes four parts:
Control-Paradigm to a Whole Person Paradigm
Covey reminded us that today’s workforce is about directed autonomy. You manage (things) that can’t choose. You lead people. People have the ability to choose.
Keeping Top Talent
Covey told us about how Admirals in the Pacific were losing people to better paying jobs. There was an exception. Covey got to meet the group that kept their top talent. The keys to a committed group included:
Indian Talking Stick Communication
Covey shared a technique for improving empathic listening. It’s the Indian Talking Stick:
You don’t need to use an Indian talking stick. You can use any object. The value of the object is that you don’t get it back until the other person feels understood.
Industrial Age Concepts
Throughout the session, Covey made reference to some "industrial age concepts":
Lighthouse Principles
Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:
Continuum of Communication
Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:
Empathic Listening is the No. 1 Communication Skill
Covey stated that communication is the number one skill in life. He went on to say that empathic listening is the number one communication skill. Covey explained that empathic listening is listening within the other person’s frame of skills. Listening empathically is listening with the other person’s frame of reference. The key is to listen until the other person feels heard and understood.
Empathic Listening Over Telling and Selling
A satisfied need no longer motivates. Covey used the example of air – it’s a satisfied need. When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution that’s mutually beneficial. You are no longer telling and selling.
Our Experience is the Lens We Use to Interpret Life
Covey showed the audience three pictures. One half of the audience looked at the first picture. Next, the other half of the audience looked at the second picture. Then the full audience looked at a third slide which was a composite of the first two slides. Which of the pictures you saw first influenced what you saw in this third picture.
The key take away here was that what you saw was influenced by your experience and that rather than impose your view, first understand the other person’s perspective – there’s a good chance, you’re both right! (This is a good case where the Indian Talking Stick could come in handy.)
Resolving Conflict By Finding the Third Alternative
Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world. Here’s the key steps:
The key here is to listen to the other person first and listen empathically. The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood.)
Listening to Loved Ones
One of the audience members asked for advice on counseling a loved one. Covey responded with the following solution:
The key here that Covey mentioned is that most people will not pay the price of listening empathically.
7 Habits of Highly Effective People Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.
Habits 1, 2, and 3 are the foundation for private victories and integrity. Habits 4, 5, and 6 are the keys to public victories.
Peace of Conscience Over Peace of Mind
Covey made a distinction between peace of mind and peace of conscience. He explained that integrity is more than honesty. Integrity means that if you make a promise, you keep it. If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience. You have peace of conscience by avoiding duplicity.
Loyalty to the Absent
Covey made his point very simply – only talk about people as if they are there. You can be critical, but speak as if they were there in front of you. Don’t bad-mouth them behind their back and then sweet-talk them to their face. This is a lack of integrity and creates deep duplicity inside you. This inhibits your ability to have peace of conscience.
Use I Messages Over You Messages
Meet with the people you have a problem with directly. Practice the following:
Genuine Happiness
Covey said the key to genuine happiness is to develop integrity. The key to developing integrity is the first three habits (your Private Victories):
Greek Philosophy of Influence
Covey shared the three parts of the Greek philosophy of influence:
You Are the Creative Force of Your Life
Covey challenged us to be a creative force:
1. Get out of victimism – You’re not a victim of your circumstances.
2. You are the creative force of your life.
Empathize first. Grow your circle of influence. Make tremendous impact.
The Most Important Thing You’ll Ever Do
Covey closed with a powerful message we could take away:
The most important thing you’ll ever do is in the four walls of your own home.
Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.
We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project. Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios. Each application scenario includes a before and after look at working solutions. While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch. It's a catalog of application scenarios that you can look through and potentially find your match.
Intranet
Common Intranet patterns:
Internet
Common Internet patterns:
One Size Does Not Fit All
We know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario. It's like a visual menu at a restaurant. The goal is to find a good fit against your parameters versus a perfect fit. It gives you a baseline to start from. They effectively let you preview solutions, before embarking on your journey.
How We Make Application Scenarios
First, we start by gathering all the deployment scenarios we can find from customers with working solutions. We use our field, product support, product teams, subject matter experts, and customers. We also check with our internal line of business application solutions. While there's a lot of variations, we look for the common denominators. There's only so many ways to physically deploy servers, so we start there. We group potential solutions by big buckets.
In order to make the solutions meaningful, we pick a focus. For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication. These decisions span the layers and tiers. We also pay attention to factors that influence your decisions. For example, your role stores and user stores are a big factor. The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.
Next, we create prototypes and we test the end-to-end scenarios in our lab. We do a lot of whiteboarding during this stage for candidate solutions. This is where we spend the bulk of our time, testing paths, finding surprises, and making things work. It's one thing to know what's supposed to work; it's another to make it work in practice.
From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context. We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts.
Our patterns & practices WCF Security Guidance Project is in progress on CodePlex. This is our first release of prescriptive guidance modules for WCF Security.
How Tos
Our How Tos give you step by step instructions for performing key tasks:
Videos
Our videos step you visually through key guidance:
About WCF
Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services. It unifies the programming models for ASMX, Enterprise Services, and .NET Remoting. It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ. WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards. With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting. For more information, see the MSDN WCF Developer Center.
About the Project
WCF provides a lot of options and flexibility. The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly. At a high-level, you can think of the project in terms of these main buckets:
The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.
How do you identify the bull's-eye among your stakeholders? Nothing's worse than finishing a project and missing the mark you didn't know was there. At patterns & practices, one of our effective project practices is to use "tests for success" to help avoid this scenario.
What are Tests for Success
"Tests for success" are the prioritized success criteria that the stakeholders agree to. It's basically a set of test cases such that, if the project passes them, the project is perceived as a success. They help clarify outcomes and priorities.
Example Tests for Success
Here's an example of "tests for success" from one of my projects:
Stakeholders for the project created and prioritized this list, with prompts from the project team. This exercise helped clarify a lot of ambiguity as well as do a level set for the team.
How Can You Use This
Whether it's a personal project or a project at work, you can create your own tests for success. I think a small list of the vital few works better than a laundry list. Phrasing the tests as one-liner questions makes them easy to create and use. Here's some prompts to trigger your own tests for success:
When you're in the thick of things, you'll appreciate having a small set of criteria to go back to and help keep you and everyone involved on track.
Have you ever been on a project where key stakeholders don't have skin in the game, but they have a controlling vote? This is a bad situation. It's like multiple backseat drivers, except they won't be there if the car crashes. What's the solution? You turn chickens into pigs!
The Chicken and the Pig
You may have heard the story about the chicken and the pig. The chicken says to the pig, "We should start a restaurant." The pig asks, "What would we serve?" The chicken responds, "Bacon and eggs!" The pig says, "No thanks!"
The point in the story is the pig's "committed" while the chicken's "involved."
The Solution
Recognizing the situation is more than half the battle. When you've identified that chickens have controlling votes over pigs, your options include:
How can you differentiate what you do? This can be particularly difficult in problem spaces that seem over-crowded. It helps if you have a frame. One of my mentors gave me a useful lens for differentiating that helps solve this problem.
Problem, Approach, or Implementation
You can differentiate based on problem, approach or implementation:
If you differentiate at the problem you solve, it's good to be able to call that out. If you solve the same problem, but use a different approach, unless it produces a big difference in results, it's probably not worth it. If you differ only by implementation and the experience or results aren't valued by the customer, again, it's probably not worth it.
Using the Frame for Differentiation
First identify whether you differentiate at the problem, approach, or implementation. Next, determine whether the level at which you're differentiating is worth it. For example, consider safety among automobile makers. Volvo's approach to safety stands out. They work the same problem but differentiate by approach.
By having clarity around where you differentiate, it's easier to communicate your deltas in a meaningful way to others.
Example
At Microsoft, when I tackle a problem that's been "solved" before, I use the frame as a lens to quickly find the useful differentiation. For example, doing security reviews wasn't a new problem. However, changing the approach by using inspections and building a set of reusable criteria from a team of experts changed the game. Using criteria based on principles and patterns, and then organizing the criteria within a frame of actionable categories, produced exponential results for all of our customers that adopted the approach. Old problem, new approach, great results.