J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness


    Reference Models, Reference Architectures, and Reference Implementations


    "All models are wrong, but some are useful." -- George Box

    I often see confusion over reference models, reference architectures, and reference implementations.  In this post, I’ll share my experience, learnings, and observations:

    • Reference Model - A reference model is a model of something that embodies the basic goals or ideas, and you can use it as a reference for various purposes.  It’s like holding up a diamond and looking at the different facets.  It basically serves as a backdrop or canvas, or a foundation and springboard for deeper dives.  Reference models are also useful for pulling together a bird’s-eye view of a domain or problem space.  A well-known example is the OSI model.  Key attributes include: abstract, entities and relationships, technology agnostic, and they clarify things within a context.  By using a model, you can focus on higher-level concepts, ideas, and decisions.
    • Reference Architecture - A reference architecture provides a proven template solution for an architecture for a particular domain.  It’s the high-level “blueprint” for putting the pieces of the puzzle together.
    • Reference Implementation - A reference implementation goes beyond a reference architecture and is an actual implementation.  This is where the rubber meets the road, and it serves as an exemplar down at the implementation level.

    I think the confusion usually arises because the argument hinges on whether a reference architecture or reference implementation needs to be in code, when that’s really just a form factor decision.  The distinction is actually the focus and concern, independent of how you share it, although code can help illuminate both a reference implementation and a reference architecture.  The other confusion is often around how big or small it needs to be to qualify as a reference architecture or reference implementation, but that’s also a red herring.  Again, it goes back to what the focus of the example is.  If it’s an exemplar of the architecture, it’s a reference architecture.  If it’s an exemplar of the implementation, then it’s a reference implementation.  Each serves a different purpose and requires a different level of detail or abstraction.

    Reference Model Examples
    Reference models give us a quick way to see and talk about a given problem space.  Here is an example of a simple reference model that does nothing more than frame out some cornerstone concepts for cloud computing.  In this case, it’s a visual model for cloud computing:

    [image: visual reference model for cloud computing]

    This is another of my favorite reference models.  In this case, it is a continuum of moving up the stack through the types of cloud services, from IaaS to PaaS to SaaS:

    [image: continuum of cloud service types from IaaS to PaaS to SaaS]

    I also like a few of the cloud reference models, especially how they can be used for overlaying security concerns.

    Reference Architecture Examples
    The beauty of the reference architecture is that you can shape the application before you implement it.  One of the simplest ways to achieve this is to whiteboard it.  When you put it on the whiteboard, you can focus on key engineering decisions and avoid getting lost in the details.  You can focus on a conceptual, physical, or logical view, … you can focus on the business perspective, user perspective, or technical perspective … and you can move up and down the stack to zoom in or zoom out … but the main point is to show how the bits and pieces should fit together.  The power of a reference architecture is that it creates a shared mental model for the architecture and design and it can help you identify the key decisions and key risks early on.  This helps you both shape a skeleton solution as well as identify what you need to prototype, especially in terms of cross-cutting concerns, or tracer-bullets.  From an agile perspective, the Reference Architecture complements the system metaphor and it helps you identify potential areas to spike on.  Here are a few examples …

    One of my favorite reference architecture examples is the reference architecture from the ESB Toolkit.

    [image: ESB Toolkit reference architecture]

    Another of my favorite reference architectures is the reference architecture for the PetShop Sample Application:

    [image: PetShop Sample Application reference architecture]

    One approach I like to use for sharing reference architectures is what I call Application Scenarios or Scenarios and Solutions.  It’s a whiteboard sketch of the end-to-end solution.  Here is an example:

    [image: Application Scenario whiteboard sketch of an end-to-end solution]

    Another of my favorite approaches is to use what I refer to as Application Patterns.  It’s like the Application Scenarios, but I overlay patterns on top.  Here is an example:

    [image: Application Pattern examples (three images)]

    The real key of reference architectures is that they help you explore the thinking and design at a higher-level before getting lost in the weeds.  Getting lost in the weeds is a common problem with reference implementations.  That’s why it’s helpful when they include a reference to their corresponding reference architecture.

    The best combinations I find for nailing a problem space include a reference model + reference architecture + reference implementation.


    My Personal Approach for Daily Results


    I'm dedicating this post to anybody who's faced with task saturation, or needs some new ideas on managing their days or weeks... 

    One of the most important techniques I share with those I mentor is how to manage To Dos.  It's too easy to experience churn or task saturation.  It's also too easy to confuse activities with outcomes.  At Microsoft, I have to get a lot done, I have to know what's important vs. what's urgent, and I have to get results.

    My approach is effective and efficient for me.  I think it's effective because it's simple and it's a system, rather than a silver bullet.  Here's my approach in a nutshell:

    1. Monday Vision.
    2. Daily Outcomes.
    3. Friday Reflection.

    Monday Vision
    Monday Vision is simply a practice where each Monday, I identify the most important outcomes for the week.  This lets me work backwards from the end in mind.  I focus on outcomes, not activities.  I ask questions such as, "if this were Friday, what would I feel good about having accomplished?" ... "if this were Friday, what would suck most if it wasn't done?" ... etc.  I also use some questions from Flawless Execution.

    Daily Outcomes
    Daily Outcomes is where each day, I make a short To Do list.  I title it by date (e.g., 02-03-07).  I start by listing my MUST items.  Next, I list my SHOULD or COULD items.  I use this list throughout the day, as I fish my various streams for action.  My streams include meetings, email, conversations, or bursts of brilliance throughout the day.  Since I do this at the start of my day, I have a good sense of priorities.  This also helps me deal with potentially randomizing scenarios.  This also helps batch my work.  For example, if I know there's a bunch of folks I need to talk to in my building, I can walk the halls efficiently rather than have email dialogues with them.  On the other hand, if there's a lot of folks I need to email, I can batch that as well.

    Friday Reflection
    Friday Reflection is a practice where I evaluate what I got done or didn't and why.  Because I have a flat list of chunked up To Do lists by day, it's very easy to review a week's worth and see patterns for improvement.  It's actually easy for me to do this for months as well.  Trends stand out.  Analyzing is easy, particularly with continuous weekly practice.  My learnings feed into Monday's Vision.

    It Works for Teams Too
    Well, that's my personal results framework, but it works for my teams too.  On Mondays I ask my teams what they'd like to get done, as well as what MUST get done.  I try to make sure my team enjoys the rhythm of their results.  Then each day, in our daily 10-minute calls, we reset MUSTs, SHOULDs, and COULDs.  On Fridays, I do a team-based Lessons Learned exercise (I send an email where we reply all with lessons we each personally learned).

    Why This Approach Works for Me ...

    • It's self-correcting and I can course correct throughout the week.
    • I don't keep noise in my head (the buzz of all the little MUSTs, SHOULDs, COULDs that could float around)
    • Unimportant items slough off (I just don't carry them forward -- if they're important, I'll rehydrate them when needed)
    • I manage small and simple lists -- never a big bloated list.
    • It's not technology bound.  When I'm not at my desk, pen and paper work fine.
    • Keeping my working set small lets me prioritize faster or course correct as needed.
    • It's a system with simple habits and practices.  It's a system of constantly checkpointing course, allowing for course correction, and integrating lessons learned.
    • My next actions are immediate and obvious, in relation to SHOULDs and COULDs. 

    Why Some Approaches I've Tried Don't ....

    • They were too complex or too weird
    • They ended up in monolithic lists or complicated slicing and dicing to get simple views for next actions.
    • I got lost in activity instead of driving by outcome.
    • They didn't account for the human side.
    • Keeping the list or lists up to date and managing status was often more work than some of the actual items.
    • Stuff that should slough off wouldn't, and would have a snowball effect, ultimately making the approach unwieldy.

    I've been using this approach now for many months.  I've simplified it as I've shown others over time.  While I learn everyday, I particularly enjoy my Friday Reflections.  I also found a new enjoyment in Mondays because I'm designing my days and driving my weeks.



    New Prescriptive Guidance for Visual Studio Team System


    Our patterns and practices team has just released new prescriptive guidance for Visual Studio Team System!

    Since my previous post we've made significant updates with the addition of the following content:

    This puts us on course to deliver on the main outcomes we have in mind for our Visual Studio Team System Guidance Project:

    • The single best repository of Visual Studio Team System guidance
    • Practical and insightful scenario-based guidance for roles (PMs, developers, architects, testers ... etc.)
    • Thoroughly engineered and tested set of recommendations
    • Great entry point through videos, roadmaps, and task-based How Tos
    • Breadth and depth coverage

    Project Overview
    While Visual Studio Team System provides powerful new tools, customers are asking "where's the guidance?" ... "where do I start?" ... "how do I make the most of the tools?"  In response, our team is building a definitive Body of Guidance (BOG) for Team System. This includes How Tos, Guidelines, Practices, Q&A, video-based guidance, and more.

    We’re helping customers walk before they run, so we’re starting with the foundation.  On the code side (for developers) – this includes source control, building your dev and test environments and setting up a build process.  On the project side (for PMs) – this includes work items and reporting.  Once we have the foundation in place, we can move up the stack to making the most out of Team System for the various roles (tester, architect, developer … etc.)
     
    We're framing out the tough problems using Scenario Frames (for an example see Source Control Scenario Frame).  We then identify where we need guidance and perform solution engineering.  This involves building out reproducible customer scenarios, vetting potential solutions, and sharing the ones we can generalize enough to be broadly useful, yet still specific enough to be actionable.
     
    We're partnering with customers, product teams, support, field, MVPs, and subject matter experts.  We’re working closely with Jeff Beehler to synchronize efforts with the VSTS Rangers, such as the Branching Guidance.



    Application Architecture Videos


    As part of our patterns & practices Application Architecture Guide 2.0 project, we created sets of videos to help get you up to speed fast.  We have a train the trainer video, step-by-step How To videos, Explained videos, and some videos About the Guide.

    Index of Videos

    Train the Trainer

    About the Guide

    How Tos

    Explained


    ASP.NET Developer Guidance Map


    [image: ASP.NET Developer Guidance Map]

    If you’re an ASP.NET developer or you need to learn ASP.NET, this map is for you.   Microsoft has an extensive collection of developer guidance available in the form of Code Samples, How Tos, Videos, and Training.  The challenge is -- how do you find all of the various content collections? … and part of that challenge is knowing *exactly* where to look.  This is where the map comes in.  It helps you find your way around the online jungle and gives you short-cuts to the treasure troves of available content. 

    The ASP.NET Developer Guidance Map helps you kill two birds with one stone:

    1. It shows you the key sources of ASP.NET content and where to look (“teach you how to fish”)
    2. It gives you an index of the main content collections (Code Samples, How Tos, Videos, and Training)

    You can also use the map as a model for creating your own map of developer guidance.

    Download the ASP.NET Developer Guidance Map

    Contents at a Glance

    • Introduction
    • Sources of ASP.NET Developer Guidance
    • Topics and Features Map (a “Lens” for Finding ASP.NET Content)
    • Summary Table of Topics
    • How The Map is Organized (Organizing the “Content Collections”)
    • Getting Started
    • Architecture and Design
    • Code Samples
    • How Tos
    • Videos
    • Training

    Mental Model of the Map
    The map is a simple collection of content types from multiple sources, organized by common tasks, common topics, and ASP.NET features:

    [image: mental model of the map - content types from multiple sources, organized by tasks, topics, and ASP.NET features]

    Special Thanks …
    Special thanks to Joe Stagner, Paul Enfield, Rick Anderson, Scott Hanselman, Tim Teebken, and Wade Pickett for helping me find and round up our various content collections.

    Enjoy.  Share the map with a friend.


    Stephen Covey Speaks at Microsoft


    Dr. Stephen Covey presented at Microsoft today.  It’s one thing to know the information; it’s another to experience the delivery live. 

    [image: Stephen Covey]

    This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house.  Here are some of my highlights from today’s session.

    The Lighthouse Story
    Covey opened with a story of Captain Horatio Hornblower.  As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move.  Horatio commands the other ship to move starboard, 20 degrees at once.  The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once.  Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battleship.  The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.

    The takeaway from the story is that there are lighthouse principles.  You don’t break them.  You only break yourself against them.  Don’t break yourself against lighthouse principles.

    Values and Principles
    Covey distinguished values from principles:

    • Values drive behavior.
    • Principles drive the consequences of behavior.

    The key takeaways are:

    • If you take the short cuts in life, you pay the price of confidence and trust.
    • Build your personal value system on principles.

    Personal Mission Statement
    Covey asked us whether we had personal mission statements.  Some folks raised their hands.  He then asked us how many have them written down.  A lot less kept their hands raised.  I kept my hand raised because I happen to have my personal mission statement written down.  My personal mission statement is, “To find the best way for any person to succeed in any situation.”  I tie this back to work, where I try to help customers be as effective as possible, building on the Microsoft platform.

    Family Mission Statement
    Covey then challenged the audience on whether we had mission statements for our families.  That one made me think.  He then challenged, if you asked your loved ones, would they know it?  Now there’s a good test!

    He challenged us to go home and ask, “What’s the purpose of our family?”  He warned us though, that our families will know that we’ve been seminar’ed!

    Write and Visualize to Imprint on Your Subconscious
    Covey reminded us that writing down your mission imprints it in the subconscious mind.  He added that visualizing also imprints on the subconscious mind.

    The takeaway is that you should write and visualize your mission statements.

    Keys to a Mission Statement
    Covey put it succinctly that a good mission statement is:

    • Memorizable.
    • Short.
    • Follows the natural laws of principles.

    Why a Mission Statement
    Covey told us that the power of a mission statement is that it governs every other decision.

    Sean Covey
    Covey introduced his son, Sean Covey.  Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make.  When Covey introduced Sean, he also mentioned a 49th grandchild on the way.  49 … WOW!  That’s quite the impressive team.

    Point to True North
    Covey had us close our eyes and point to true North.  When we opened our eyes, it was obvious there was little consistency.  He said he gets similar results when he asks any department, group, or team – “what’s your purpose?”

    Urgent But Not Important
    Covey asked us how many struggle with work/life balance.  Many hands went up.  He then asked us what we think is the percentage of time we spend on things that are urgent, but not important. 

    He said people often report they feel they spend 50% of their time on urgent, but not important tasks.  Why is that?  Covey stated it’s because everybody defines purpose differently.

    Office Politics and Dysfunctional Activities
    Covey asked us how much time people spend in office politics.  By office politics, he meant reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, … etc.  The data says that 75% of people claim they spend 25% of their time on these things.  25% say that 50% of their time is spent in dysfunctional activities.  Urgency replaces important activities.

    The key takeaway is that people feel they spend a lot of time on dysfunctional activities.

    Six Metastasizing Cancers (Victimism)
    Covey showed us a slide that listed what he called the Six Metastasizing Cancers:

    • Criticizing
    • Complaining
    • Comparing
    • Competing
    • Contending
    • Cynicism

    The takeaway here is that these are ineffective behaviors, and you end up acting like a victim.

    Are You Utilized to Your Full Potential
    Covey asked us whether we can use our full talent and capacity in our organization.   He then asked us whether we feel the pressure to produce more for less.   The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.

    It’s Not Behavior, It’s Not Attitude … It’s a Bad Map
    Covey gave us a scenario where somebody gets a map of Seattle.  The problem is, the map maker made a mistake.  It’s not really a map of Seattle.  It’s a map of Oregon.  With this map, you can’t even make it out of the airport.  There isn’t one corresponding point.

    Trying harder isn’t the answer.  If you double your speed, now you’re lost twice as fast.  Thinking negatively isn’t the problem.  Covey said some people might try to use a PMA (Positive Mental Attitude.)  Well, that doesn’t help either.  Now you’re all psyched up, but really you are just happy and contented in a lost state.

    The takeaway here is that it’s not behavior and it’s not attitude.  It’s a bad map.

    Self-Educating
    Covey told us that we need to be self-educating.  School taught us how to learn, but we need to continue to learn.  He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.

    Industrial Age vs. Knowledge Worker Age
    Covey points out that 20 years ago, it was about goods and services.  Today, it’s about knowledge workers.

    Area                  Industrial Age                             Knowledge Worker Age
    Overall Philosophy    Kind Control                               Unleash Talent
    Leadership            Position (Formal Authority)                Choice (Moral Authority)
    Culture               Boss Centered                              Complementary Team, Servant Leadership
    People                Expense                                    Asset
    Motivation            External                                   Internal (Inspiration)
    Management            The Boss owns responsibility for           The culture owns responsibility for
                          results, therefore manages and             results, therefore self manages.
                          motivates.

     

    Expenses and Assets
    Covey asked us what we are called in spreadsheets.   He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets.  He said this is left-over from the industrial age.

    Finding Your Voice
    Covey asked how you help people find their voice.  You ask them: What are you good at?  What do you love doing?  What is your greatest unique contribution?

    The key is finding a voice that meets a human need.

    Inspiration Over Jackass Theory
    The Jackass Theory refers to the carrot and the stick.  Covey asked us what kind of supervisor you need when you have a job that you are passionate about, that uses your talents, and in which you feel appreciated.

    People are volunteers.  You want them to contribute their greatest, unique contribution.

    Keys to Effective Large Team
    Covey outlined the keys for effective large teams:

    • Psychologically committed.
    • Accountable to the team / everybody.
    • Culture of results.

    One person may represent the group, but accountability is to the team versus the boss.  Accountability to the team versus an individual is a knowledge worker concept.

    How To Find the Win / Win Performance Agreement
    Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:

    1. Help them find their voice.
    2. Find out what individuals are good at and like doing and serves the needs of the business.

    When you have that, you have a win-win.  The key is to have a win/win performance agreement that is mutually beneficial for the individual and the organization.  The individual should be able to use their full talent and passion (their voice).

    Information is the Knowledge Worker's Disinfectant
    Covey mentioned that light is the greatest disinfectant in nature.  For the knowledge worker, it’s information.  For a knowledge worker to be effective in a team, they need information, they need the criteria for success and they need to be accountable to the group.

    The Whole Person
    According to Covey, the whole person includes four parts:

    • Body
    • Mind
    • Heart
    • Spirit

    Control-Paradigm to a Whole Person Paradigm
    Covey reminded us that today’s workforce is about directed autonomy.  You manage (things) that can’t choose.  You lead people.  People have the ability to choose.

    The key takeaways are:

    • Today’s world is about breaking away from a control paradigm and shifting to one of directed autonomy.  
    • Help people find their voice.
    • You can’t buy the mind, body, heart, and spirit – they are volunteered. 
    • Use all four parts of your nature.  If you take one away, then you’re treating a person as a “thing” that you control and manage.

    Keeping Top Talent
    Covey told us about how Admirals in the Pacific were losing people to better paying jobs.  There was an exception.  Covey got to meet the group that kept their top talent.  The keys to a committed group included:

    • The culture was committed in hearts and minds.
    • The job was fulfilling and meaningful.

    Indian Talking Stick Communication
    Covey shared a technique for improving empathic listening.  It’s the Indian Talking Stick:

    • You give the stick to the other person first. 
    • You don’t get the stick back until the other person feels they are understood.
    • The purpose is not to agree, or disagree, but only to understand the speaker.

    You don’t need to use an Indian talking stick.  You can use any object.  The value of the object is that you don’t get it back until the other person feels understood.

    Industrial Age Concepts
    Throughout the session, Covey made reference to some "industrial age concepts":

    • People are an expense, tools and machines are assets.
    • Supervision is an industrial age concept.
    • One-on-one accountability to a boss.
    • Comparison systems for the basis of collaboration.

    Lighthouse Principles
    Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:

    • Cultivate an abundance mentality.
    • There are four parts to our nature: body, mind, heart, and spirit
    • The whole is greater than the parts
    • Develop integrity; avoid duplicity (Don’t say one thing, but do another and if you make a promise, keep it.)

    Continuum of Communication
    Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:

    1. Hostility
    2. Defensive Communication (Transaction)
    3. Respectful Communication (Transaction)
    4. Synergy, Third Alternative (Transformation)

    Empathic Listening is the No. 1 Communication Skill
    Covey stated that communication is the number one skill in life.  He went on to say that empathic listening is the number one communication skill.  Covey explained that empathic listening is listening within the other person’s frame of reference.  The key is to listen until the other person feels heard and understood.

    Empathic Listening Over Telling and Selling
    A satisfied need no longer motivates.  Covey used the example of air – it’s a satisfied need.  When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution that’s mutually beneficial.  You are no longer telling and selling.

    Our Experience is the Lens We Use to Interpret Life
    Covey showed the audience three pictures.  One half of the audience looked at the first picture.  Next, the other half of the audience looked at the second picture.  Then the full audience looked at a third slide, which was a composite of the first two slides.  Which picture you saw first influenced what you saw in the third picture.

    The key takeaway here was that what you saw was influenced by your experience, and that rather than impose your view, first understand the other person’s perspective – there’s a good chance you’re both right!  (This is a good case where the Indian Talking Stick could come in handy.)

    Resolving Conflict By Finding the Third Alternative
    Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world.  Here are the key steps:

    1. Put up the two points.
    2. Ask the question, “would you be willing to search for a solution that would be better than what either of us has proposed?”

    The key here is to listen to the other person first and listen empathically.  The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood.)

    Listening to Loved Ones
    One of the audience members asked for advice on counseling a loved one.  Covey responded with the following solution:

    1. Start by saying, “Honey, I have not spent the time to listen to you, all I’ve done is tell you and evaluate.”
    2. Listen in depth; restate to their satisfaction. (Empathic listening)
    3. After they feel understood, you ask, “Have I listened to you?  Are you willing to listen to me, as I have listened to you?”
    4. Find a 3rd alternative.

    The key here that Covey mentioned is that most people will not pay the price of listening empathically.

    7 Habits of Highly Effective People
    Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.

    1. Be proactive.
    2. Begin with the end in mind.
    3. Put first things first.
    4. Think win-win.
    5. Seek first to understand, then to be understood.
    6. Synergize.
    7. Sharpen the saw.

    Habits 1, 2, and 3 are the foundation for private victories and integrity.  Habits 4, 5, and 6 are the keys to public victories.

    Peace of Conscience Over Peace of Mind
    Covey made a distinction between peace of mind and peace of conscience.  He explained that integrity is more than honesty.  Integrity means that if you make a promise, you keep it.  If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience.  You have peace of conscience by avoiding duplicity.

    Loyalty to the Absent
    Covey made his point very simply – only talk about people as if they are there.  You can be critical, but speak as if they were there in front of you.  Don’t bad mouth them behind their back and then sweet talk them to their face.  This is a lack of integrity and creates deep duplicity inside you.  This inhibits your ability to have peace of conscience.

    Use I Messages Over You Messages
    Meet with the people you have a problem with directly.  Practice the following:

    1. Let me listen to you first.
    2. Use “I” messages vs. “you” messages.  I messages are “It’s my perception,” “in my experience,” … etc.  You messages are “you are …”

    Genuine Happiness
    Covey said the key to genuine happiness is to develop integrity.  The key to developing integrity is the first three habits (your Private Victories):

    1. Be proactive
    2. Begin with the end in mind
    3. Put first things first.

    Greek Philosophy of Influence
    Covey shared the three parts of the Greek philosophy of influence:

    1. Ethos – credibility, model trust.
    2. Pathos – restate the point of view.  (Seek first to understand …)
    3. Logos – Make your presentation. (… Then to be understood.)

    You Are the Creative Force of Your Life
    Covey challenged us to be a creative force:
    1. Get out of victimism – You’re not a victim of your circumstances.
    2. You are the creative force of your life.

    Empathize first.  Grow your circle of influence.  Make tremendous impact.

    The Most Important Thing You’ll Ever Do
    Covey closed with a powerful message we could take away:

    The most important thing you’ll ever do is in the four walls of your own home.

    My Favorite Part of the Session
    While I enjoyed the entire session, my favorite part was getting to meet Dr. Covey.  I shook his hand, I thanked him for helping people find their voice, and he signed my Post-it note (sadly, I didn’t think to bring my Covey books, and all I had was my Post-it notes).

    Key Actions
    After the session, I met with Srinath.  We learned a lot so we tried to turn our insights into a small set of key actions.  Here’s what we came up with:
    1. Develop personal / family mission statements and help others to do the same.
    2. Develop empathic listening and help others to do the same.
    3. Find our voices and help others find theirs. 

    Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.


    Clearing Your Inbox

    • 9 Comments

    Today I helped a colleague clear their inbox.  I've kept a zero mail inbox for a few years.  I forgot this wasn't common practice until a colleague said to me, "wow, your inbox doesn't scroll."

    I didn't learn the zen of the zero mail inbox overnight.  As pathetic as this sounds, I've actually compared email practices over the years with several people to find some of the best practices that work over time.  The last thing I wanted to do was waste time in email, if there were better ways.  Some of my early managers also instilled in me that to be effective, I needed to master the basics.  Put another way, don't let administration get in the way of results.

    Key Steps for a Clear Inbox
    My overall approach is to turn actions into next steps, and keep stuff I've seen out of the way of my incoming mail.  Here are the key steps:

    1. Filter out everything that's not directly to you.  To do so, create an inbox rule to remove everything that's not directly To or CC you.  As an exception, I do let my immediate team aliases fall through.
    2. Create a folder for everything that's read.  I have a folder to move everything I read and act on.  This is how I make way for incoming.
    3. Create a list for your actions.  Having a separate list means you can list the actions in the sequence that makes sense for you, versus let the sequence in your inbox drive you.

    Part of the key is acting on mail versus shuffling it.  For a given mail, if I can act on it immediately, I do.  If now's not the time, I add it to my list of actions.  If it will take a bit of time, then I drag it to my calendar and schedule the time.

    Anti-Patterns
    I think it's important to note the anti-patterns:

    1. Using your inbox as a large collection of action and semi-action items with varying priorities
    2. Using your inbox as a pool of interspersed action and reference items
    3. Adopting complicated mail and task management systems

    My Related Posts

    1. Scannable Outcome Lists
    2. Using Scannable Outcomes with My Results Approach

    Timebox Your Day

    • 5 Comments

    Grigori Melnik joined our team recently.  He's new to Microsoft so I shared some tips for effectiveness.  Potentially, the most important advice I gave him was to timebox his day.  If you keep time a constant (by ending your day at a certain time), it helps with a lot of things:

    • Work-life balance (days can chew into nights can chew into weekends)
    • Figuring out where to optimize your day
    • Prioritizing (time is a great forcing function)

    To start, I think it helps to carve up your day into big buckets (e.g. administration, work time, think time, connect time), and then figure out how much time you're willing to give them.  If you're not getting the throughput you want, you can ask yourself:

    • are you working on the right things?
    • are you spending too much time on lesser things?
    • are there some things you can do more efficiently or effectively?

    To make the point hit home, I pointed out that without a timebox, you can easily spend all day reading mails, blogs, aliases, doing self-training, ... etc. and then wonder where your day went.  Microsoft is a technical playground with lots of potential distractions for curious minds that want to grow.  Using timeboxes helps strike balance.  Timeboxes also help with pacing.  If I only have so many hours to produce results, I'm very careful to spend my high energy hours on the right things.


    Kanban: The Secret of High-Performing Teams at Microsoft

    • 4 Comments

    If you are a project manager or a program manager, or aspiring to be, one of the best project management tools you can add to your toolbox is the Kanban. In fact, if somebody were to ask me, what’s the single best way to exponentially improve project execution, I would probably say, the answer is Kanban. (Well, I might first say, get my book, Getting Results the Agile Way, and adopt Agile Results.)

    A Kanban is a simple project management tool. It enables you to visualize your workflow, limit your work in progress, and optimize your “cycle time” (the time it takes to complete one item.) For software development projects, this is a big deal. It helps you find bottlenecks and push quality upstream. Ultimately, you shape your process to flow more value as efficiently and effectively as possible, “just in time.” Another way to think of it is, your users “pull” value through your development chain, while you streamline your process.

    I first got introduced to Kanbans, several years ago, by one of the best and brightest in software engineering, Corey Ladas (author of Scrumban.) My introduction was a “learn by doing” exercise.

    Identify State Changes in Your Workflow

    We went to the whiteboard and Corey had me identify the main states of my project workflow. While it was iterative, and a lot of work was done in parallel, the main stages were:

    Analysis, Design, Development, Test, and Release. It looked something like this:

    image

    Identify Work Items

    Next, Corey asked me to identify the “things” or “items” that I would show on my Kanban. I had a hard time breaking things down into useful units until I used a simple test. What’s the smallest, most useful thing I could demo to users? For simplicity, let’s just say I broke things down into features and user stories. In this case, a user story was simply a persona-based scenario with a goal. In my case, I also needed some “system” stories. The bottom line was that each of these was a “chunk” of value that I would ship to users. Corey had me name some of these items and write them down on stickies. He then had me place them wherever they were currently at on my Kanban. It looked something like this:

    image

    What surprised me was that he didn’t ask me to change our team’s process. The goal was simply to reflect whatever process we were already using. The most important thing was really to identify the most meaningful state changes in our workflow, and to identify the work items that flow through it. He said the power of the Kanban is that we would tune our process over time, with real data and real results. It’s a living thing. And it’s a visual thing.

    Set Limits for Work in Progress

    The next thing Corey had me do was to set a limit for how many items should be actively in development at any given time. I struggled here at first because I was used to having a lot of work in flight. He pointed out the problem with a lot of work in flight is that there’s thrashing, and more time spent context switching than actually finishing the work. Worse, if we’re not closing things down, then we aren’t flowing value. He said, to keep it simple, as an experiment, set the limit at 3. Find out what your team can do. For example, with focus, how quickly can we close down an item? Where does the bottleneck happen? Which resources are idle? Could idle developers pair up with testers and unblock test, for example? He got me thinking.

    image

    Push Quality Upstream

    This is where the magic happened. Corey asked me to identify some of the most common issues found during Test. I rattled off a few common problems. He then asked me what I could check for before entering test. We then repeated this process a few times until we had a few simple checks before we leave Analysis, and before we leave Design, and before we leave Development.

    It sounds so simple, and it is.  But the big deal was having it all at a glance, on the whiteboard.  We could now easily get the right people at the board, having the right conversations.

    A Living Process

    The beauty is that we ended up with a unique process for our team -- built by us, built for us, and optimized by us. As a team, we could now all visualize our process. We could easily see our bottlenecks. We could easily add quality checks. We could easily add more states to our Kanban if we needed more fine-grained visibility. We basically achieved a highly-flexible, highly relevant process that struck a balance between self-organization and workflow specialization.

    Kanban for Execution Excellence

    That was the start of my Kanban adventures, long ago. In the years since, I’ve experimented with Kanbans, personal kanbans, Kanban tools, and various approaches. The Kanban has proven itself time and again for me as one of my most effective project management tools. It really is “just enough process” combined with a focus on flowing value and improving quality. It’s one of the best tools I’ve used for driving execution excellence across people and teams in an empowering and self-directed way.

    When the question is, “How do we improve our execution?” … even if Kanban is not the answer, it’s very often a good place to start. After all, if you can show somebody your Kanban with current activity, chances are you can find the bottlenecks and optimization opportunities. At the minimum, you’ll have a shared frame of reference, the visualization of your process, which is a great way to dive deeper to troubleshoot any execution issues.


    Web Application Architecture Pocket Guide

    • 12 Comments
    Web Architecture Pocket Guide
    We posted our Web Application Architecture Pocket Guide to our Application Architecture Guidance KB.  This is in response to customers who expressed interest in more modular guides as a supplement to our Application Architecture Guide 2.0.

    Chapters At a Glance
    Here are the chapters at a glance:

    • Ch 01 - Web Application Architecture
    • Ch 02 - Design Guidelines
    • Ch 03 - Presentation Layer Guidelines
    • Ch 04 - Business Layer Guidelines
    • Ch 05 - Data Access Layer Guidelines
    • Ch 06 - Service Layer Guidelines
    • Ch 07 - Communication Guidelines
    • Ch 08 - Deployment Patterns


    Tags vs. Categories

    • 5 Comments

    What's the difference between tags vs. categories in your blog?  A lot.  Knowing the difference between tags and categories can help you better structure your blog for browsing and SEO.  Personally, I hadn't noticed the issue before because I only have tags on my MSDN blog.  As part of my research on effective blogging practices, I hit the issue.  Now that I've experimented with a few blogging platforms, the difference between tags and categories is more obvious.  For example, WordPress 2.3 supports tags in addition to categories.

    Categories, Internal Tags and External Tags

    • Categories. Categories are your high-level buckets.  You should be able to chunk up your blog by a small, mutually exclusive set of categories.  Imagine a user trying to browse the broad themes of your blog.  Categories can also become part of your URL.
    • Internal tags.  Internal tags are for finer-grained slicing and dicing and hopping across your categories.
    • External tags.  External tags, such as Technorati and del.icio.us tags, are for showing your content in the relevant topics and niches at Technorati and del.icio.us.

    Tag Clouds
    I think the big benefit of tags is creating browsable tag clouds where you can discover related content.  Whereas categories are just one topic, you can use tags to find related content.  For example, you might browse a "security" tag and then browse a "performance" tag to find the intersection of content tagged both "security" and "performance".

    Notes from Lorelle
    In Categories versus Tags - What’s the Difference and Which One?, Lorelle makes the following points:

    • "Categories help visitors find related information on your site. Tags help visitors find related information on your site and on other sites."
    • "Categories generate a page of posts on your site. Tags can, too, but often generate a page of off-site posts on an off-site website".
    • "Tagging gives you topical search capabilities for your site that are a middle ground between categories and all-out search, but it shouldn’t replace categories entirely."
    • "Should tags replace categories? Absolutely not."
    • "I use categories as broad groups of posts and tags as micro-groups of posts, helping narrow down the interest."
    • "Tags shouldn’t replace categories, but they can help the user and search engines and directories find and catalog related information on your site."

    Notes from Problogger
    In Using Categories and Tags Effectively on Your Blog, Michael Martin makes the following points:

    • "The number of categories should be small."
    • "Each post goes into one category."
    • "Use the same tags over and over again."
    • "The tag cloud is easy to scan."

    The End in Mind
    In the ideal scenario, to use tags and categories more effectively (assuming your blogging platform supports it), you would have the following in place:

    • A small set of categories for browsing the key themes of your site and for helping SEO (by having relevant category names in the full URL.)
    • A nice tag cloud that helps users browse your site more like a topical search -- using words that your users would know and be looking for.
    • Posts tagged with Technorati and del.icio.us tags that match the most relevant niches.

    Turning It Into Action

    • Use categories to divide your blog into a small set of mutually exclusive buckets.
    • Use internal tags for slicing your content in more granular ways and to create tag clouds for your users.
    • Tag your posts with external tags for Technorati and del.icio.us to reach the relevant social circles.


    Layers and Tiers

    • 2 Comments

    As part of the patterns & practices App Arch Guide 2.0 project, we needed to nail down layers and tiers.   

    Layers vs. Tiers
    The original App Arch Guide distinguished between layers and tiers:

    "This guide uses the term layer to refer to a component type and uses the term tier to refer to physical distribution patterns."

    In other words, layers are logical and tiers are physical (two-tier, three-tier, N-tier).  This distinction is helpful, particularly when you want to talk about where you run your layers (which tier).

    Presentation Layer, Business Layer and Data Layer
    While there are some variations in layer terms, many people who build applications will identify with presentation, business, and data layers.  Here's an example:

    Layers 

    • Presentation Layer - provides interactive access to the application.  (You could argue that user interaction layer might be more appropriate.)
    • Business Layer - the logical grouping of components and services that provide the business functionality in your application.
    • Data Layer - the logical grouping of the components and services that provide data access functionality in your application.  (You could argue to call it your resource access layer.)

    Two-Tier, Three-Tier, and N-Tier
    As mentioned earlier, you can think of tiers as physical distribution patterns.   Here are some visual examples:

    Two-Tier

    2Tier

    Three-Tier

    3Tier 

    N-Tier

    NTier


    Why Do You Do What You Do?

    • 1 Comments

    One of the keys to making impact is knowing "why" you do what you do.  Chasing the "what" can be a red herring.  It's living your "why" and "how" that helps you be your best, and it's where your inner strength comes from.  Most importantly, it's where you give your best where you have your best to give.  One of the tools for figuring out why you do what you do is the Golden Circle.  You can watch this video interview with Simon Sinek on the Golden Circle for an overview.   I also shared my Golden Circle results in my post, Why Do You Do What You Do? on Sources of Insight as both a reminder and inspiration.  Enjoy!


    Security Principles

    • 5 Comments

    If you know the underlying principles for security, you can be more effective in your security design.  While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles.  The challenge was to make the principles more useful.  It's one thing to know the principles, but another to turn them into action.

    Turning Insights Into Action

    To make the principles more useful, we organized them using our Security Frame.  Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions.  With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc. 

    Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques.  For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input.  For constraining input, we focused on checking for length, range, format and type.  Using these strategies both shortened our learning curve and improved our results.
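    The constrain / reject / sanitize approach described above, as an added example (not code from the guide or from the team): each field is constrained by type, length, range and format against an allow-list, unexpected fields are rejected outright, and sanitizing is done as output encoding for display rather than as the first line of defense. The field names, limits and regular expressions are constructed for the illustration.

```python
import html
import re
from dataclasses import dataclass

# Allow-list formats (constructed for this example): a customer name and a
# five-digit postal code. Constraining to what is known-good is the primary check.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")
ZIP_RE = re.compile(r"^\d{5}$")

ALLOWED_FIELDS = {"name", "zip_code", "quantity"}


class ValidationError(ValueError):
    """Raised when input fails a constrain or reject check."""


@dataclass(frozen=True)
class Order:
    name: str
    zip_code: str
    quantity: int


def constrain_name(raw: object) -> str:
    # Type, then length, then format: each check narrows what reaches the next.
    if not isinstance(raw, str):
        raise ValidationError("name: wrong type")
    if not 1 <= len(raw) <= 64:
        raise ValidationError("name: length out of range")
    if not NAME_RE.fullmatch(raw):
        raise ValidationError("name: invalid characters")
    return raw.strip()


def constrain_zip(raw: object) -> str:
    if not isinstance(raw, str):
        raise ValidationError("zip_code: wrong type")
    if not ZIP_RE.fullmatch(raw):
        raise ValidationError("zip_code: must be exactly five digits")
    return raw


def constrain_quantity(raw: object) -> int:
    # Type conversion is itself a check: only ASCII digits are accepted, then range.
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValidationError("quantity: not a non-negative integer")
    quantity = int(raw)
    if not 1 <= quantity <= 100:
        raise ValidationError("quantity: out of range")
    return quantity


def validate_order(form: dict) -> Order:
    """Constrain every field; reject submissions with unknown or missing fields."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        # Reject: unexpected fields are refused rather than silently ignored.
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    return Order(
        name=constrain_name(form["name"]),
        zip_code=constrain_zip(form["zip_code"]),
        quantity=constrain_quantity(form["quantity"]),
    )


def is_valid_order(form: dict) -> bool:
    """Convenience predicate used by callers that only need accept/refuse."""
    try:
        validate_order(form)
        return True
    except ValidationError:
        return False


def sanitize_for_html(text: str) -> str:
    # Sanitize: encode for the output context so validated data is still
    # rendered safely; this complements constraining, it does not replace it.
    return html.escape(text, quote=True)


if __name__ == "__main__":
    good = {"name": "Ann O'Neil", "zip_code": "98052", "quantity": "3"}
    print(validate_order(good))
    print(sanitize_for_html("<b>Ann</b>"))
```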

    Core Security Principles

    We started with a firm foundation of core security principles.  These influenced the rest of our security design principles.  Here are the core security principles we started with:

    • Adopt the principle of least privilege.  Processes that run script or execute code should run under a least privileged account to limit the potential damage that can be done if the process is compromised.
    • Use defense in depth.   Place check points within each of the layers and subsystems within your application. The check points are the gatekeepers that ensure that only authenticated and authorized users are able to access the next downstream layer.
    • Don't trust user input.  Applications should thoroughly validate all user input before performing operations with that input. The validation may include filtering out special characters.
    • Use secure defaults.   If your application demands features that force you to reduce or change default security settings, test the effects and understand the implications before making the change.
    • Don't rely on security by obscurity.   Trying to hide secrets by using misleading variable names or storing them in odd file locations does not provide security. In a game of hide-and-seek, it's better to use platform features or proven techniques for securing your data.
    • Check at the gate.   Checking the client at the gate refers to authorizing the user at the first point of authentication (for example, within the Web application on the Web server), and determining which resources and operations (potentially provided by downstream services) the user should be allowed to access.
    • Assume external systems are insecure.  If you don't own it, don't assume security is taken care of for you.
    • Reduce surface area.   Avoid exposing information that is not required. Exposing it potentially opens doors that can lead to additional vulnerabilities. Also, handle errors gracefully; don't expose any more information than is required when returning an error message to the end user.
    • Fail to a secure mode.   If your application fails, make sure it does not leave sensitive data unprotected. Also, do not provide too much detail in error messages; meaning don't include details that could help an attacker exploit a vulnerability in your application. Write detailed error information to the Windows event log.
    • Security is a concern across all of your application layers and tiers.   Remember you are only as secure as your weakest link.
    • If you don't use it, disable it.   You can remove potential points of attack by disabling modules and components that your application does not require. For example, if your application doesn't use output caching, then you should disable the ASP.NET output cache module. If a future security vulnerability is found in the module, your application is not threatened.

    Frame for Organizing Security Design Principles

    Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:

    • Auditing and Logging
    • Authentication
    • Authorization
    • Configuration Management
    • Cryptography
    • Exception Management
    • Input / Data Validation
    • Sensitive Data
    • Session Management

    Auditing and Logging

    Here are our security design principles for auditing and logging:

    • Audit and log access across application tiers.   Audit and log access across the tiers of your application for non-repudiation. Use a combination of application-level logging and platform auditing features, such as Windows, IIS, and SQL Server auditing.
    • Consider identity flow.   You have two basic choices. You can flow the caller's identity at the operating system level or you can flow the caller's identity at the application level and use trusted identities to access back-end resources.
    • Log key events.   The types of events that should be logged include successful and failed logon attempts, modification of data, retrieval of data, network communications, and administrative functions such as the enabling or disabling of logging. Logs should include the time of the event, the location of the event including the machine name, the identity of the current user, the identity of the process initiating the event, and a detailed description of the event.
    • Protect log files.   Protect log files using access control lists and restrict access to the log files. This makes it more difficult for attackers to tamper with log files to cover their tracks. Minimize the number of individuals who can manipulate the log files. Authorize access only to highly trusted accounts such as administrators.
    • Back up and analyze log files regularly.   There's no point in logging activity if the log files are never analyzed. Log files should be removed from production servers on a regular basis. The frequency of removal is dependent upon your application's level of activity. Your design should consider the way that log files will be retrieved and moved to offline servers for analysis. Any additional protocols and ports opened on the Web server for this purpose must be securely locked down.

    Authentication

    Here are our security design principles for authentication:

    • Separate public and restricted areas.   A public area of your site can be accessed by any user anonymously. Restricted areas can be accessed only by specific individuals and the users must authenticate with the site.  By partitioning your site into public and restricted access areas, you can apply separate authentication and authorization rules across the site.
    • Use account lockout policies for end-user accounts.   Disable end-user accounts or write events to a log after a set number of failed logon attempts. With Forms authentication, these policies are the responsibility of the application and must be incorporated into the application design. Be careful that account lockout policies cannot be abused in denial of service attacks.
    • Support password expiration periods. Passwords should not be static and should be changed as part of routine password maintenance through password expiration periods. Consider providing this type of facility during application design.
    • Be able to disable accounts.  If the system is compromised, being able to deliberately invalidate credentials or disable accounts can prevent additional attacks.
    • Do not store passwords in user stores.  If you must verify passwords, it is not necessary to actually store the passwords. Instead, store a one way hash value and then re-compute the hash using the user-supplied passwords. To mitigate the threat of dictionary attacks against the user store, use strong passwords and incorporate a random salt value with the password.
    • Require strong passwords.   Do not make it easy for attackers to crack passwords. There are many guidelines available, but a general practice is to require a minimum of eight characters and a mixture of uppercase and lowercase characters, numbers, and special characters. Whether you are using the platform to enforce these for you, or you are developing your own validation, this step is necessary to counter brute-force attacks where an attacker tries to crack a password through systematic trial and error. Use regular expressions to help with strong password validation.
    • Do not send passwords over the wire in plaintext.   Plaintext passwords sent over a network are vulnerable to eavesdropping. To address this threat, secure the communication channel, for example, by using SSL to encrypt the traffic.
    • Protect authentication cookies.   A stolen authentication cookie is a stolen logon. Protect authentication tickets using encryption and secure communication channels. Also limit the time interval in which an authentication ticket remains valid, to counter the spoofing threat that can result from replay attacks, where an attacker captures the cookie and uses it to gain illicit access to your site. Reducing the cookie timeout does not prevent replay attacks but it does limit the amount of time the attacker has to access the site using the stolen cookie.

    Authorization

    Here are our security design principles for authorization:

    • Use multiple gatekeepers.   By combining multiple gatekeepers across layers and tiers, you can develop an effective authorization strategy.
    • Restrict user access to system-level resources.   System level resources include files, folders, registry keys, Active Directory objects, database objects, event logs, and so on. Use access control lists to restrict which users can access what resources and the types of operations that they can perform. Pay particular attention to anonymous Internet user accounts; lock these down on resources that explicitly deny access to anonymous users.
    • Consider authorization granularity.   There are three common authorization models, each with varying degrees of granularity and scalability: (1.) the impersonation model providing per end user authorization granularity, (2.) the trusted subsystem model uses the application's process identity for resource access, and (3.) the hybrid model uses multiple trusted service identities for downstream resource access. The most granular approach relies on impersonation. The impersonation model provides per end user authorization granularity.

    Configuration Management

    Here are our security design principles for configuration management:

    • Protect your administration interfaces.   It is important that configuration management functionality is accessible only by authorized operators and administrators. A key part is to enforce strong authentication over your administration interfaces, for example, by using certificates. If possible, limit or avoid the use of remote administration and require administrators to log on locally. If you need to support remote administration, use encrypted channels, for example, with SSL or VPN technology, because of the sensitive nature of the data passed over administrative interfaces.
    • Protect your configuration store. Text-based configuration files, the registry, and databases are common options for storing application configuration data. If possible, avoid using configuration files in the application's Web space to prevent possible server configuration vulnerabilities resulting in the download of configuration files. Whatever approach you use, secure access to the configuration store, for example, by using access control lists or database permissions. Also avoid storing plaintext secrets such as database connection strings or account credentials. Secure these items using encryption and then restrict access to the registry key, file, or table that contains the encrypted data.
    • Maintain separate administration privileges.   If the functionality supported by the features of your application's configuration management varies based on the role of the administrator, consider authorizing each role separately by using role-based authorization. For example, the person responsible for updating a site's static content should not necessarily be allowed to change a customer's credit limit.
    • Use least privileged process and service accounts.  An important aspect of your application's configuration is the process accounts used to run the Web server process and the service accounts used to access downstream resources and systems. Make sure these accounts are set up as least privileged. If an attacker manages to take control of a process, the process identity should have very restricted access to the file system and other system resources to limit the damage that can be done.

    Cryptography

    Here are our security design principles for cryptography:

    • Do not develop your own cryptography.   Cryptographic algorithms and routines are notoriously difficult to develop successfully. As a result, you should use the tried and tested cryptographic services provided by the platform.
    • Keep unencrypted data close to the algorithm.   When passing plaintext to an algorithm, do not obtain the data until you are ready to use it, and store it in as few variables as possible.
    • Use the correct algorithm and correct key size.   It is important to make sure you choose the right algorithm for the right job and to make sure you use a key size that provides a sufficient degree of security. Larger key sizes generally increase security. The following list summarizes the major algorithms together with the key sizes that each uses: Data Encryption Standard (DES) 64-bit key (8 bytes) , TripleDES 128-bit key or 192-bit key (16 or 24 bytes) , Rijndael 128–256 bit keys (16–32 bytes) , RSA 384–16,384 bit keys (48–2,048 bytes) .  For large data encryption, use the TripleDES symmetric encryption algorithm. For slower and stronger encryption of large data, use Rijndael. To encrypt data that is to be stored for short periods of time, you can consider using a faster but weaker algorithm such as DES. For digital signatures, use Rivest, Shamir, and Adleman (RSA) or Digital Signature Algorithm (DSA). For hashing, use the Secure Hash Algorithm (SHA)1.0. For keyed hashes, use the Hash-based Message Authentication Code (HMAC) SHA1.0.
    • Protect your encryption keys.   An encryption key is a secret number used as input to the encryption and decryption processes. For encrypted data to remain secure, the key must be protected. If an attacker compromises the decryption key, your encrypted data is no longer secure.  Avoid key management when you can, and when you do need to store encryption keys, cycle your keys periodically.

    Exception Management

    Here are our security design principles for exception management:

    • Do not leak information to the client.   In the event of a failure, do not expose information that could lead to information disclosure. For example, do not expose stack trace details that include function names and line numbers in the case of debug builds (which should not be used on production servers). Instead, return generic error messages to the client.
    • Log detailed error messages.   Send detailed error messages to the error log. Send minimal information to the consumer of your service or application, such as a generic error message and a custom error log ID that can subsequently be mapped to the detailed message in the event logs. Make sure that you do not log passwords or other sensitive data.
    • Catch exceptions.  Use structured exception handling and catch exception conditions. Doing so avoids leaving your application in an inconsistent state that may lead to information disclosure. It also helps protect your application from denial of service attacks. Decide how to propagate exceptions internally in your application and give special consideration to what occurs at the application boundary.
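    As an added example (not code from the post), here is a boundary handler in Python that applies the three principles above: it catches the exception, logs type, message and trace with password-style values scrubbed, and returns only a generic message plus an error log ID that support can map back to the detailed entry.  The handler, the log store and the scrub pattern are assumptions.

```python
"""Boundary exception handling: generic message to the client, detailed
record (secrets scrubbed) to the server-side log, linked by an error ID.
Added example, not code from the post; the handler, log store and the
key=value scrubbing pattern are assumptions."""
import logging
import re
import traceback
import uuid
from typing import Any, Callable, Dict, List, Optional

# Stand-in for the server-side event log (constructed for this example).
ERROR_LOG: List[Dict[str, str]] = []

# Values of these keys must never reach the log (constructed pattern).
_SENSITIVE = re.compile(r"(?i)\b(password|pwd|secret|token)\s*=\s*[^\s;&]+")


def scrub(text: str) -> str:
    """Replace sensitive values so the detailed log never records them."""
    return _SENSITIVE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def handle_request(operation: Callable[..., Any], *args: Any) -> Dict[str, Any]:
    """Run `operation` at the application boundary.

    On success return its result.  On failure, log exception type, message
    and stack trace under a fresh error ID and hand the caller only a
    generic message plus that ID, never the trace or the message itself.
    """
    try:
        return {"ok": True, "result": operation(*args)}
    except Exception as exc:  # structured handling: nothing escapes unhandled
        error_id = uuid.uuid4().hex
        ERROR_LOG.append({
            "error_id": error_id,
            "type": type(exc).__name__,
            "message": scrub(str(exc)),
            "trace": scrub(traceback.format_exc()),
        })
        logging.getLogger("app").error("request failed, error_id=%s", error_id)
        return {
            "ok": False,
            "message": "An error occurred. Quote this ID to support.",
            "error_id": error_id,
        }


def lookup_error(error_id: str) -> Optional[Dict[str, str]]:
    """Map an error ID reported by a client back to the detailed log entry."""
    return next((e for e in ERROR_LOG if e["error_id"] == error_id), None)


def connect_db(conn_string: str) -> None:
    """Constructed operation whose failure message would leak a secret."""
    raise ConnectionError(f"cannot connect using {conn_string}")


if __name__ == "__main__":
    response = handle_request(connect_db, "server=db1;uid=app;password=Hunter2")
    print(response)                             # generic message and ID only
    print(lookup_error(response["error_id"]))   # full detail, password redacted
```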

    Input / Data Validation

    Here are our security design principles for input and data validation:

    • Assume all input is malicious.  Input validation starts with a fundamental supposition that all input is malicious until proven otherwise. Whether input comes from a service, a file share, a user, or a database, validate your input if the source is outside your trust boundary.
    • Centralize your approach.  Make your input validation strategy a core element of your application design. Consider a centralized approach to validation, for example, by using common validation and filtering code in shared libraries. This ensures that validation rules are applied consistently. It also reduces development effort and helps with future maintenance.  In many cases, individual fields require specific validation, for example, with specifically developed regular expressions. However, you can frequently factor out common routines to validate regularly used fields such as e-mail addresses, titles, names, postal addresses including ZIP or postal codes, and so on.
    • Do not rely on client-side validation.   Server-side code should perform its own validation. What if an attacker bypasses your client, or shuts off your client-side script routines, for example, by disabling JavaScript? Use client-side validation to help reduce the number of round trips to the server but do not rely on it for security. This is an example of defense in depth.
    • Be careful with canonicalization issues.   Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.  You should generally try to avoid designing applications that accept input file names from the user to avoid canonicalization issues.
    • Constrain, reject, and sanitize your input.   The preferred approach to validating input is to constrain what you allow from the beginning. It is much easier to validate data for known valid types, patterns, and ranges than it is to validate data by looking for known bad characters. When you design your application, you know what your application expects. The range of valid data is generally a more finite set than potentially malicious input. However, for defense in depth you may also want to reject known bad input and then sanitize the input.
    • Encrypt sensitive cookie state.  Cookies may contain sensitive data such as session identifiers or data that is used as part of the server-side authorization process. To protect this type of data from unauthorized manipulation, use cryptography to encrypt the contents of the cookie.
    • Make sure that users do not bypass your checks.   Make sure that users do not bypass your checks by manipulating parameters. URL parameters can be manipulated by end users through the browser address text box. For example, the URL http://www.<YourSite>/<YourApp>/sessionId=10 has a value of 10 that can be changed to some random number to receive different output. Make sure that you check this in server-side code, not in client-side JavaScript, which can be disabled in the browser.
    • Validate all values sent from the client.   Restrict the fields that the user can enter and modify and validate all values coming from the client. If you have predefined values in your form fields, users can change them and post them back to receive different results. Permit only known good values wherever possible. For example, if the input field is for a state, only inputs matching a state postal code should be permitted.
    • Do not trust HTTP header information.   HTTP headers are sent at the start of HTTP requests and HTTP responses. Your Web application should make sure it does not base any security decision on information in the HTTP headers because it is easy for an attacker to manipulate the header. For example, the referrer field in the header contains the URL of the Web page from where the request originated. Do not make any security decisions based on the value of the referrer field, for example, to check whether the request originated from a page generated by the Web application, because the field is easily falsified.
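    The following added Python example (not the post's own code) applies the constrain, reject, sanitize and canonicalization points above: allow-list checks for a state code and a sessionId parameter, and a file name validator that decodes once, rejects known bad sequences, constrains to a strict pattern, and then checks that the canonical path stays inside the upload directory.  The validators, patterns and base directory are assumptions.

```python
"""Constrain-first input validation with path canonicalization.
Added example, not code from the post; the validators, patterns, the
allow-list and the base directory are assumptions."""
import os
import re
from urllib.parse import unquote

# Allow-list of known good values (constructed subset of state postal codes).
VALID_STATES = frozenset({"CA", "NY", "TX", "WA"})

# Constrain by type, pattern and range before looking for anything bad.
_SESSION_ID = re.compile(r"[0-9]{1,9}")
_FILE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|pdf|png)")


class ValidationError(ValueError):
    """Raised for any input that is not known good."""


def validate_state(value: str) -> str:
    """Sanitize (trim, upper-case), then accept only an allow-listed value."""
    cleaned = value.strip().upper()
    if cleaned not in VALID_STATES:
        raise ValidationError(f"state {value!r} is not a known value")
    return cleaned


def validate_session_id(value: str) -> int:
    """A URL parameter such as sessionId=10: digits only, bounded length.

    Checked on the server; a client-side check alone would be bypassable."""
    if not _SESSION_ID.fullmatch(value):
        raise ValidationError("sessionId must be 1 to 9 digits")
    return int(value)


def canonical_within(base_dir: str, user_path: str) -> bool:
    """Canonicalize base_dir/user_path and report whether it stays inside.

    realpath collapses '.', '..' and symlinks, so the comparison is made on
    the canonical form rather than on the string the user supplied."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        return False


def resolve_upload(base_dir: str, user_file: str) -> str:
    """Turn a user-supplied file name into a canonical path inside base_dir.

    Order: decode once, reject known bad, constrain to a strict pattern,
    then check the canonical form (defense in depth; the last check stands
    on its own even if the pattern is later relaxed)."""
    name = unquote(user_file)
    if "\x00" in name or ".." in name:
        raise ValidationError("known bad sequence in file name")
    if not _FILE_NAME.fullmatch(name):
        raise ValidationError(f"file name {user_file!r} rejected by pattern")
    if not canonical_within(base_dir, name):
        raise ValidationError("path escapes the base directory")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), name))
```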

    Sensitive Data

    Here are our security design principles for sensitive data:

    • Do not store secrets if you can avoid it.   Storing secrets in software in a completely secure fashion is not possible. An administrator, who has physical access to the server, can access the data. For example, it is not necessary to store a secret when all you need to do is verify whether a user knows the secret. In this case, you can store a hash value that represents the secret and compute the hash using the user-supplied value to verify whether the user knows the secret.
    • Do not store secrets in code.  Do not hard code secrets in code. Even if the source code is not exposed on the Web server, it is possible to extract string constants from compiled executable files. A configuration vulnerability may allow an attacker to retrieve the executable.
    • Do not store database connections, passwords, or keys in plaintext.   Avoid storing secrets such as database connection strings, passwords, and keys in plaintext. Use encryption and store encrypted strings.
    • Avoid storing secrets in the Local Security Authority (LSA).   Avoid the LSA because your application requires administration privileges to access it. This violates the core security principle of running with least privilege. Also, the LSA can store secrets in only a restricted number of slots. A better approach is to use DPAPI.
    • Use Data Protection API (DPAPI) for encrypting secrets.   To store secrets such as database connection strings or service account credentials, use DPAPI. The main advantage to using DPAPI is that the platform system manages the encryption/decryption key and it is not an issue for the application. The key is either tied to a Windows user account or to a specific computer, depending on flags passed to the DPAPI functions.   DPAPI is best suited for encrypting information that can be manually recreated when the master keys are lost, for example, because a damaged server requires an operating system re-install. Data that cannot be recovered because you do not know the plaintext value, for example, customer credit card details, requires an alternate approach that uses traditional symmetric key-based cryptography such as the use of triple-DES.
    • Retrieve sensitive data on demand.   The preferred approach is to retrieve sensitive data on demand when it is needed instead of persisting or caching it in memory. For example, retrieve the encrypted secret when it is needed, decrypt it, use it, and then clear the memory (variable) used to hold the plaintext secret. If performance becomes an issue, consider caching along with potential security implications.
    • Encrypt the data or secure the communication channel.   If you are sending sensitive data over the network to the client, encrypt the data or secure the channel. A common practice is to use SSL between the client and Web server. Between servers, an increasingly common approach is to use IPSec. For securing sensitive data that flows through several intermediaries, for example, Web service Simple Object Access Protocol (SOAP) messages, use message level encryption.
    • Do not store sensitive data in persistent cookies.  Avoid storing sensitive data in persistent cookies. If you store plaintext data, the end user is able to see and modify the data. If you encrypt the data, key management can be a problem. For example, if the key used to encrypt the data in the cookie has expired and been recycled, the new key cannot decrypt the persistent cookie passed by the browser from the client.
    • Do not pass sensitive data using the HTTP-GET protocol.   You should avoid passing sensitive data using the HTTP-GET protocol because the protocol uses query strings to pass data. Sensitive data cannot be secured using query strings, and query strings are often logged by the server.
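    For the first principle above (verify that a user knows a secret without storing it), here is an added Python example, not from the post.  It goes beyond the plain hash the text describes by adding a random per-user salt and PBKDF2 key stretching, which is how a stored verifier is normally built; the record format, helper names and iteration count are assumptions.

```python
"""Verify that a user knows a secret without storing the secret.
Added example, not code from the post; the record format, helper names and
iteration count are assumptions.  It goes beyond the plain hash the post
describes: a random per-user salt and PBKDF2-HMAC-SHA256 key stretching,
which is how a stored verifier is normally built."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # constructed default; tune to the deployment's hardware
ALGORITHM = "pbkdf2_sha256"


def make_verifier(secret: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record safe to store; the secret itself is never persisted."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_secret(supplied: str, verifier: str) -> bool:
    """Recompute the hash from the user-supplied value and compare it in
    constant time with the stored digest."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = verifier.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = make_verifier("correct horse battery")
    print(record)                                           # no plaintext inside
    print(verify_secret("correct horse battery", record))   # True
    print(verify_secret("wrong", record))                   # False
```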

    Session Management

    Here are our security design principles for session management:

    • Use SSL to protect session authentication cookies.   Do not pass authentication cookies over HTTP connections. Set the secure cookie property within authentication cookies, which instructs browsers to send cookies back to the server only over HTTPS connections.
    • Encrypt the contents of the authentication cookies.   Encrypt the cookie contents even if you are using SSL. This prevents an attacker from viewing or modifying the cookie if he manages to steal it through an XSS attack. In this event, the attacker could still use the cookie to access your application, but only while the cookie remains valid.
    • Limit session lifetime.   Reduce the lifetime of sessions to mitigate the risk of session hijacking and replay attacks. The shorter the session, the less time an attacker has to capture a session cookie and use it to access your application.
    • Protect session state from unauthorized access.   Consider how session state is to be stored. For optimum performance, you can store session state in the Web application's process address space. However, this approach has limited scalability and implications in Web farm scenarios, where requests from the same user cannot be guaranteed to be handled by the same server. You should secure the network link from the Web application to the state store using IPSec or SSL to mitigate the risk of eavesdropping. Also consider how the Web application is to be authenticated by the state store. Use Windows authentication where possible to avoid passing plaintext authentication credentials across the network and to benefit from secure Windows account policies.
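    Added Python example (not from the post) for the cookie points above: a session token with a 15-minute lifetime, an HMAC tag so that modification or expiry is detected, and a Set-Cookie value carrying the Secure attribute.  The post asks for encryption; with only the standard library this example provides tamper detection, not confidentiality, and says so in the block.  The token format, key and lifetime are assumptions.

```python
"""Session cookie with a bounded lifetime and the Secure attribute.
Added example, not code from the post; the token format, key and the
15-minute lifetime are assumptions.  The post calls for encrypting the
cookie contents; with the standard library alone this example protects the
contents with an HMAC tag, which detects any modification and enforces
expiry but does not hide the session ID.  Swap the payload encoding for an
AEAD from a cryptography library when confidentiality is required."""
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_LIFETIME = 15 * 60  # seconds; a short lifetime limits the replay window


def _b64e(raw: bytes) -> str:
    # unpadded URL-safe base64 keeps the cookie value free of quoting
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id: str, key: bytes, now: Optional[float] = None) -> str:
    """Bind the session ID to an expiry time and tag both with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"sid": session_id, "exp": int(now) + SESSION_LIFETIME},
        separators=(",", ":"),
    ).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the session ID if the tag is valid and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed: fail closed
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # modified or forged
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if now >= data.get("exp", 0):
        return None  # expired: the cookie can no longer be replayed
    return data.get("sid")


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value: Secure so it travels only over HTTPS."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True  # not in the post; keeps page script from reading it
    cookie["session"]["max-age"] = SESSION_LIFETIME  # browser lifetime matches the token
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()
```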

    Using the Security Design Principles

    This is simply a baseline set of principles so that you don't have to start from scratch.  You can build on this set and tailor it for your specific context.  I find that while having a set of principles helps, you can't stop there.  To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers.  Personally, I've found Wikis to be the most effective way to share and manage the information.

    Code Sharing in Team Foundation Server

    How do you share code in Team Foundation Server?  That's what our team is working through at the moment.  We're looking at what's working, what's not working, and what should customers be doing.

    Here's how we're basically thinking about it so far:

    • There are two main code sharing paths: source and binary.
    • Within source code sharing, there are two approaches: workspace mapping on the client and branching on the server.
    • The key issues are how to deal with parallel development and how to share across projects.

    Here's what seems to be our emerging guidance:

    • If you're coding in parallel, and you need real-time updates, start with workspace mapping.
    • If you need periodic snapshots, or if you need isolation from the changes, then consider a branching approach.
    • If the source you need to reference is relatively stable, then consider using the binary.

    The problem with workspace mappings is that they're developer specific.  Each developer will need their own mapping.  You'll also need to lock down permissions to avoid accidental changes.  Branching has the advantage that you can be explicit about taking changes, so you have stable builds but with the overhead of merging.  You can branch within the same project or cross-project.  A separate project might make sense if you have multiple projects consuming the code.

    I need to still look across more customer sets, but so far I mostly see binary reuse.

    I'm particularly curious about any lessons or insights those of you would like to share.  I think this is an important area for effective source control practices.

    MSDN Developer Centers at a Glance

    I created a simple map of the MSDN Developer Centers.  I’m doing a quick assessment and evaluation of the Information Architecture across the various Dev Centers.  I exposed the URLs so I could see at a glance, where the Dev Center actually lives.  Before I give my feedback on the Dev Centers, I like to do my homework and walk all of them and compare the site designs, the patterns, the antipatterns, and the user experiences.  

    All I really care about is how well they help me know what’s going on with the given technology, and find the most relevant resources, including the product documentation, code samples, how tos, videos, training, etc. as well as what’s going on in the community.  Ideally, a Dev Center helps me understand the story for the technology, how it fits in with other technologies, and what the roadmap is.

    Here are the MSDN Developer Centers at a glance …

    MSDN Developer Centers at a Glance

    Categories: .NET Framework, Cloud, Desktop, Data, Developer Languages, Developer Tools, Games, Mobile, Networking, Office, Phone, Server, Web, Architecture, Performance, Process, Security, Testing, General

    A-Z List of MSDN Developer Center

    The Power of Blue Books for Platform Impact

    Why invest in prescriptive guidance or “Blue Books” for Microsoft platform impact?  While the answer is obvious to many, it’s not as obvious to others, so I’ll attempt to paint the picture here.

    Building Secure ASP.NET Applications was the first “blue book” at Microsoft, but it was Improving Web Application Security that really made people take notice (it was downloaded more than 800,000 times in its first six months, it changed how many people in the industry thought about security, and it changed their approach; it’s also the guide that helped many customers switch from Java to .NET).  An interesting note about Building Secure is that the Forms Authentication approach was baked into the Whidbey platform (ASP.NET 2.0).

    Blue Books Shape Platform Success
    Blue Books have played a strategic role in both shaping the platform and driving exponential customer success on the platform.   They’ve helped us find and share platform best practices, create mental models and conceptual frameworks, and create systems and approaches that scale success and create powerful ecosystems.  They’ve also helped us spring up offerings for our field, reduce support costs, and win competitive assessments.

    Ultimately, Blue Books give us a strategic look at platform pain points as well as competitive analysis, and a consolidated set of success patterns to run with.

    From patents to methodologies to better ways for better days, “Blue Books” have been the definitive way for improving platform success in a sustainable way – a durable backdrop that provides continuity of the platform over time.

    Benefits at a Glance
    Here is a quick rundown of some of the key ways that Blue Books have helped Microsoft and customers win time and again:

    • Platform Playbooks - Serve as platform playbooks for Microsoft, field, support, customers, and partners
    • Shaping the Platform and Tools – Shape the platform and tools by testing out patterns and practices as well as methodologies and methods with the broad community before baking into the platform and tools.
    • Scaling Success Patterns - Broadly scale proven practices and success patterns for predictable results
    • Roadmaps for Platform Adoption - Lay out roadmaps for technology adoption as well as success patterns
    • Competitive Wins - Win competitive assessments (the Blue Books have played a critical role in influencing industry analysts and in winning competitive assessments time and again)
    • Innovation for Exponential Success - Innovate in methodologies and methods for exponentially improving customer success on the platform
    • Frame and Name the Problem Domains – Frame out and name the problem spaces and domains (when you frame out and name a space, whether through patterns or pattern languages, you create a shared vocabulary and model that empowers people to make forward progress at a faster pace and more deliberate way.)

    The list goes on, but the essence is that these playbooks help customers make the most of the platform by sharing the know-how through prescriptive architectural guidance.

    Example Blue Books
    I won’t speak for all the Blue Books at Microsoft, but since I created the bulk of the Blue Books, it’s easy for me to speak from the ones I created.   Here is a summary of the impact that can help you better understand the value of Blue Books from a broader perspective.

    Blue Book – Results
    Application Architecture Guide, Second Edition
    • The platform playbook for Microsoft’s application platform
    • Canonical application types for Web app, RIA, Rich Client, Mobile, and Web Services
    • Baseline best practices for application architecture and design
    • Templates baked into Visual Studio
    • Praise from Ray Ozzie
    • Praise from Grady Booch
    • Conceptual Framework for Application Architecture
    Building Secure ASP.NET Applications
    (aka The first official Microsoft “Blue Book”)
    • End-to-End Application Scenarios for Web Apps
    • Created a highly reusable set of Application Patterns
    • Baseline architectures and success patterns shared broadly inside and outside Microsoft
    Improving .NET Application Performance and Scalability
    (aka “Perf and Scale”)
    • Repeatable performance model
    • Created a highly-effective method for performance modeling
    • Performance Engineering approach baked into Visual Studio
    • 4 patents filed for performance engineering
    • Performance Engineering approach widely adopted inside and outside Microsoft
    • Used for offerings in Microsoft Consulting Services
    • Rules baked into Microsoft Best Practices Analyzer Wizard (MBPA)
    Improving Web Application Security
    (aka “Threats and Countermeasures”)
    • Repeatable security model for Web applications
    • Created a highly-effective method for threat modeling
    • Created a knowledge base of threats, attacks, vulnerabilities, and countermeasures
    • Security model for network, host, and application security
    • Security Engineering approach baked into Visual Studio
    • 4 patents filed for application security
    • Used for offering in Microsoft Consulting Services
    • Rules baked into Microsoft Best Practices Analyzer Wizard (MBPA)
    Improving Web Services Security
    • Security model for Web Services
    • End-to-End Application Scenarios for Web Services
    • Created a highly reusable set of Application Patterns
    • Baseline architectures and common success patterns shared broadly inside and outside Microsoft
    Performance Testing Guidance for Web Applications
    • Created a highly-effective method for performance testing Web applications
    • Performance Testing approach widely adopted inside and outside Microsoft
    • Used for offerings in Microsoft Consulting Services
    Security Engineering Explained
    • Created a model for baking security into the life cycle
    • Helped shift thinking from security "reviews" to "inspections"
    • Overlays security-specific activities on product development life cycles
    Team Development and Visual Studio Team Foundation Server
    • Created a glide-path for TFS adoption (source control, build, task tracking / reporting, process)

    End-to-End Application Scenarios and Solutions
    Here’s an example of an application scenario.  We use application scenarios to show how to solve end-to-end problems.  It’s effectively a baseline architecture based on successful solutions.   Here is an example from our WCF Security Guide:

    Scenario

    Solution

    We share them as sketches like on a whiteboard so they are easy to follow.

    Methodologies and Methods
    Methodologies, frameworks and approaches are nice ways to wrap up and package a set of related activities that you can use as a baseline for your process or overlay on what you already do.  Methods are step-by-step techniques for producing effective results and they are a powerful way to share expertise.   Methodologies and methods are how we create exponential results and amplify our impact.

    Example Methodology – Agile Security Engineering

    Example Method – Threat Modeling Technique

    Conceptual Frameworks and Mental Models
    We use mental models, conceptual frameworks, and information models to learn and share the problem space.

    Example Conceptual Framework for Web Security

    Example Mental Model for Application Architecture

    Hot Spots
    Hot Spots are basically heat maps of pain points and opportunities.  We use them as a lens to help us see customer pain points and opportunities, and to prioritize our investments.  They also help us identify, organize, and share scenarios.  Hot Spots also help us organize and share principles, patterns, practices, and anti-patterns for key engineering decisions.   Hot Spots are a powerful tool for product planning and for building prescriptive guidance, platform, and tools.

    Example of Security Hot Spots

    Example of Architecture Hot Spots

    Scenarios Organized by Architecture Hot Spots

    Competitive Wins
    Our Blue Books have consistently been used for winning competitive assessments or at least making significant impact in key areas.  Whether there’s a gap in the tools or a gap in the platform, prescriptive guidance can smooth it out by creating a success path for customers.

    Example of beating IBM in Every Category Around Guidance

    You can find a deeper rundown on the competitive assessments in my previous posts. 

    The Bottom Line on Blue Books
    The bottom line for me is that Blue Books have helped shape platforms and tools and to create glide-paths for customers through mental models, methodologies, and methods.  They’ve been a powerful way to share success patterns, help paint the bigger picture, and connect the dots across platform, tools, and guidance. 

    The adoption and usage has accelerated over the years to the point where just about any customer in the application development space that works with the Microsoft platform is familiar with either patterns & practices or the Microsoft Blue Books.

    Blue Books have been the freemium offering from Microsoft that have paved the way for premium experiences.

    10 Success Patterns for PMs

    Here's a brief set of success patterns I've shared with a few colleagues.  These are the patterns I see that make a difference in getting results.

    10 Success Patterns

    1. Empathic listening
    2. Rapport before influence
    3. Character trumps emotion trumps logic
    4. Match their style
    5. Ask WIIFY
    6. Distinguish between responsibility and authority
    7. Turn chickens into pigs
    8. Adapt, adjust, or avoid situations
    9. Know the system
    10. Analyze it over time

    Success Patterns Explained
    Here's the essence of each:

    • Empathic listening.  Listen until the other person "feels" they've been heard.  Once they feel heard, they're more likely to listen to you.  You can do this 1:1 or in a large meeting.  Covey uses an "Indian Talking Stick."  The person with the stick talks until they feel heard.  A former Softie told me his team used an eraser as "the mutex."   See Stephen Covey Speaks at Microsoft.
    • Rapport before influence.  This is true whether it’s a presentation, an interview, etc.  For example, go to a comedy club and see how the comedian gets the crowd laughing only after they have rapport.  See How Might That Be True?
    • Character trumps emotion trumps logic.  If you base all your arguments on logic, but fail to persuade, now you know.  See Win the Heart, the Mind Follows.
    • Match their style.  You don't have to go overboard, but a little bridge can go a long way.  If somebody is visual, could you whiteboard it for them?  If somebody's detail oriented, can you provide the details?  If somebody needs to hear action, can you turn your ideas into action?
    • Ask WIIFY.  Ask the question What's In It For You?  If you're a marketer, this might come natural for you.  If you're an engineer, this might feel weird.  It's about shifting the focus from the thing to the person. If nobody shows up to your meetings, tailor the invite to be explicit about what's in it for the attendees.
    • Distinguish between responsibility and authority.  Know whether you influence a decision or own it.  When you don't have authority, but you need to get results, leverage the model in Influencing Without Authority.
    • Turn chickens into pigs.  A pig's committed while a chicken's involved.  Don't let a chicken have a controlling vote, without turning them into a pig.  See Turning Chickens into Pigs.
    • Adapt, adjust, or avoid situations.  Learn how to read situations. Some situations you should just avoid.  Some situations you should adapt yourself, as long as you play to your strengths.  Some situations you should adjust the situation to set yourself up for success.
    • Know the system.   Analyze the problem from a system standpoint.  What are the components and subsystems?  What are the inputs and outputs?  Who are the players?   What levers can you pull that make the most impact?  If you don't know, who does?
    • Analyze it over time.  Look at the problem or solution over time. Build your temporal skills.  The more you play "what ifs" in the future, the easier it gets to anticipate.

    Do you have any favorite success patterns to share?

    New Release: patterns & practices Performance Testing Guidance for Web Applications

    We released the final version of our patterns & practices Performance Testing Guidance for Web Applications.  This guide provides an end-to-end approach for implementing performance testing. Whether you're new to performance testing or looking for ways to improve your current performance-testing approach, you will gain insights that you can tailor to your specific scenarios.  The main purpose of the guide is to be a relatively stable backdrop to capture, consolidate and share a methodology for performance testing.  Even though the topics addressed apply to other types of applications, we focused on explaining from a Web application perspective to maintain consistency and to be relevant to the majority of our anticipated readers.

    Key Changes Since Beta 1

    • Added forewords by Alberto Savoia and Rico Mariani.
    • Integrated more feedback and insights from customer reviews (particularly chapters 1-4, 9, 14, 18)
    • Integrated learnings from our Engineering Excellence team.
    • Refactored and revamped the performance testing types.
    • Revamped and improved the test execution chapter.
    • Revamped and improved the reporting chapter.
    • Revamped the stress testing chapter.
    • Released the guide in HTML pages on our CodePlex Wiki.

    Highlights

    • Learn the core activities of performance testing.
    • Learn the values and benefits associated with each type of performance testing.
    • Learn how to map performance testing to agile
    • Learn how to map performance testing to CMMI
    • Learn how to identify and capture performance requirements and testing objectives based on the perspectives of system users, business owners of the system, and the project team, in addition to compliance expectations and technological considerations.
    • Learn how to apply principles of effective reporting to performance test data.
    • Learn how to construct realistic workload models for Web applications based on expectations, documentation, observation, log files, and other data available prior to the release of the application to production.

    Why We Wrote the Guide

    • To consolidate real-world lessons learned around performance testing.
    • To present a roadmap for end-to-end performance testing.
    • To narrow the gap between state of the art and state of the practice.

    Scope

    • Managing and conducting performance testing in both dynamic (e.g., Agile) and structured (e.g., CMMI) environments.
    • Performance testing, including load testing, stress testing, and other types of performance related testing.
    • Core activities of performance testing: identifying objectives, designing tests, executing tests, analyzing results, and reporting.

    Features of the Guide

    • Approach for performance testing.  The guide provides an approach that organizes performance testing into logical units to help you incrementally adopt performance testing throughout your application life cycle.
    • Principles and practices.  These serve as the foundation for the guide and provide a stable basis for recommendations. They also reflect successful approaches used in the field.
    • Processes and methodologies.  These provide steps for managing and conducting performance testing. For simplification and tangible results, they are broken down into activities with inputs, outputs, and steps. You can use the steps as a baseline or to help you evolve your own process.
    • Life cycle approach.  The guide provides end-to-end guidance on managing performance testing throughout your application life cycle, to reduce risk and lower total cost of ownership (TCO).
    • Modular.  Each chapter within the guide is designed to be read independently. You do not need to read the guide from beginning to end to benefit from it. Use the parts you need.
    • Holistic.  The guide is designed with the end in mind. If you do read the guide from beginning to end, it is organized to fit together in a comprehensive way. The guide, in its entirety, is better than the sum of its parts.
    • Subject matter expertise.  The guide exposes insight from various experts throughout Microsoft and from customers in the field.

    Parts

    • Part I, Introduction to Performance Testing
    • Part II, Exemplar Performance Testing Approaches
    • Part III, Identify the Test Environment
    • Part IV, Identify Performance Acceptance Criteria
    • Part V, Plan and Design Tests
    • Part VI, Execute Tests
    • Part VII, Analyze Results and Report
    • Part VIII, Performance-Testing Techniques

    Chapters

    • Chapter 1 – Fundamentals of Web Application Performance Testing
    • Chapter 2 – Types of Performance Testing
    • Chapter 3 – Risks Addressed Through Performance Testing
    • Chapter 4 – Web Application Performance Testing Core Activities
    • Chapter 5 – Coordinating Performance Testing with an Iteration-Based Process
    • Chapter 6 – Managing an Agile Performance Test Cycle
    • Chapter 7 – Managing the Performance Test Cycle in a Regulated (CMMI) Environment
    • Chapter 8 – Evaluating Systems to Increase Performance-Testing Effectiveness
    • Chapter 9 – Determining Performance Testing Objectives
    • Chapter 10 – Quantifying End-User Response Time Goals
    • Chapter 11 – Consolidating Various Types of Performance Acceptance Criteria
    • Chapter 12 – Modeling Application Usage
    • Chapter 13 – Determining Individual User Data and Variances
    • Chapter 14 – Test Execution
    • Chapter 15 – Key Mathematic Principles for Performance Testers
    • Chapter 16 – Performance Test Reporting Fundamentals
    • Chapter 17 – Load-Testing Web Applications
    • Chapter 18 – Stress-Testing Web Applications

    Our Team

    Contributors and Reviewers

    • External Contributors and Reviewers: Alberto Savoia; Ben Simo; Cem Kaner; Chris Loosley; Corey Goldberg; Dawn Haynes; Derek Mead; Karen N. Johnson; Mike Bonar; Pradeep Soundararajan; Richard Leeke; Roland Stens; Ross Collard; Steven Woody
    • Microsoft Contributors / Reviewers: Alan Ridlehoover; Clint Huffman; Edmund Wong; Ken Perilman; Larry Brader; Mark Tomlinson; Paul Williams; Pete Coupland; Rico Mariani


    Agile Results in Evernote with One Notebook

    • 4 Comments

    Agile Results helps you achieve “Agile for Life”, which means flowing value while you learn and adapt to change.

    I’ve written about how to use Agile Results with Evernote before, but some of you wanted a simplified version.  In this post, I’ll share an approach for using Agile Results with Evernote, using just one Notebook and six simple notes.   With this approach, you’ll have your vision, mission, and values, your daily and weekly goals, your list of work and personal projects, and all your ideas at a glance.

    And you can set it all up in under three minutes.

    All of the information you need to master motivation, time management, and productivity will be at your fingertips, with one place to look.

    I’ll also share some new insights that I’ve learned around dealing with lists to help you manage them more effectively.  And I’ll also share some insights on how you can get a much better performance review, and compete in today’s world more effectively by focusing on higher-value things.

    What is Agile Results

    But first, let’s take a step back and recap what Agile Results is all about.  Agile Results is a simple system for meaningful results.  It helps you do less, but achieve more by combining proven practices for motivation, productivity, and time management.   It works by helping you focus your time, energy, and skills, using a few key concepts.  The big ideas are:  1) it’s outcomes, not activities, 2) it’s value, not volume, and 3) it’s energy, not time.  (Tip – Value is the short-cut in life.  If you know what’s valued, you can target your efforts.  Here is another tip – Value is in the eye of the beholder.)

    Agile Results helps you flow value to yourself and others, while responding to change, and taking the balcony view.  It helps you thrive in change.  It helps you learn new things.  It helps you adapt to our ever-changing world, and come out on top.  It helps you win, and it helps you go for the epic wins in life.

    Agile Results is not just a personal productivity system.  It works for teams, too (I’ve used it to lead high-performing, distributed teams around the world for more than ten years.)  That said, if you want to use it as your personal time management system, it does help you get the edge.  Part of the power is that it synthesizes many principles, patterns, and practices for high-performance, down into a small set of proven practices.

    The simplicity of the system is important.  It helps you spend more time doing, and less time planning.  The simplicity also helps you adapt the system to you and to any situation.  It also makes it easy to get started with Agile Results (you can use it right now: simply write down three wins that you want to achieve today).

    You can find out more about Agile Results (and everything you need to know about mastering personal productivity, motivation, and time management) in my book, Getting Results the Agile Way.  It’s been an Amazon best seller for Time Management (it was #1 in Germany several times, and in the U.S. it’s been in the top 5, but floats around within the top 100.)

    Now, let’s see how to use Agile Results with Evernote in a simple, but highly effective way …

    Agile Results Notebook in Evernote

    Here is a look at Agile Results in Evernote:

    [Screenshot: the Agile Results Notebook in Evernote]

    As you can see, it’s one Notebook called “Agile Results”, and it contains six Notes.  The six notes are:

    1. Note #1 – Firm Foundation
    2. Note #2 – Monday Vision
    3. Note #3 – Daily Wins
    4. Note #4 – Friday Reflection
    5. Note #5 – Projects
    6. Note #6 – Ideas

    I’ll walk through each Note below, but first I’ll summarize the big ideas behind the notes.  The Firm Foundation is meant to give you a quick reminder of your vision, mission, and values at a glance, as well as your strengths.   It’s a way to help you get “on path” and stay on path.

    The Monday Vision, Daily Wins, and Friday Reflection will look familiar if you know Agile Results.   This is the little weekly rhythm of results.  The beauty is that this little combo helps you flow value on a daily and weekly basis, as well as continuously adapt and improve.  On Monday, you identify the three wins you want to achieve for the week (notice that I said “win”, not “tasks.”   A task might be “call a customer”, but the win would be “win a raving fan.”   Rather than just doing tasks, you focus on value and making a difference.  This is the secret to getting better performance reviews, flowing more value, moving up in the world, and getting off the treadmill of life.)

    Daily Wins is where you list your three wins that you want to accomplish for the day, and then all of your tasks or top of mind things.  While Monday Vision helped you set three priorities for the week, your Daily Wins helps you set three priorities for your day.  By keeping these three priorities front and center, you define your success for the day.  It also helps you focus and prioritize throughout the day.  If you have to keep changing these, then you will start to notice whether you are trading up, or just getting randomized.   You will also start to notice whether the tasks you do actually support meaningful goals.  You will also get better at defining three wins for your day.

    See the pattern so far?   Identify three wins for the week and identify three wins for the day.   By having two levels of wins, you can zoom out or zoom in.  Your little wins will add up each day, and your wins for the week will help you stay on track.  As you can imagine, by the end of the month, you have created significant momentum and impact.  Oh, and by the way, you will rapidly improve your personal productivity along the way.  How? … with Friday Reflection.

    Friday Reflection is just like how it sounds.  On Fridays, you reflect.  You review your results.  To do so, you simply ask yourself, “What are three things going well?”, and “What are three things to improve?”   Both questions are important.  The one helps you identify your personal habits and practices that are working.  The other helps you identify specific areas you can improve.  For example, if you are not achieving your wins, are you biting off the right things?   Are you biting off too much?  Are you trading up for things or getting randomized?  You will see patterns and opportunities for improvement.  And the beauty is that you can take what you learn and apply it next week.  And you get to practice each day.  That’s the big idea in Agile Results … little wins with continuous improvement add up to big, bold changes in work and life.

    The Projects Note is simply a list of your work projects and your personal projects.  This is an important list.  If you can’t name the things you are working on, then you really can’t prioritize.  Worse, you can’t really focus.  Even worse, you won’t be very effective at telling or selling your work to others, whether that is your manager or your team or more.  When you have a list of what’s on your plate, you instantly have the bird’s-eye view.  You can now see whether you are splitting your time across too many things, or whether too many unimportant things are getting in the way.   As a sanity check, how would you rate the value on a scale of 1-10 of each of the items on your plate, where 10 is most awesome, and 1 is the pits?  This can be a real wake-up call.  If all of the things on your plate are low-value items, your next win is to get high-value things on your plate, and squeeze out the low-value stuff with more high-value stuff.

    The Ideas Note is actually your Backlog, from an Agile Results perspective.  I’ve found that more people tend to prefer thinking in terms of “ideas” than “backlog”, although the reality is many people actually have a Backlog of ideas.  That said, this is Agile Results, and it’s flexible, so whatever you want to call it is fine, as long as it works for you.  What’s important is getting the concept right.  In the Ideas Note, you simply list your ideas for work, and your ideas for personal projects.  By getting things out of your head and down on to “paper”, you free up your mind to do better things, and you can better analyze your list of ideas when you can see it right in front of you, versus swirling around in your mind.

    The big difference between the Ideas Note and the Projects Note is that the Projects Note is a list of your active projects.  It’s stuff that’s really on your plate.  The Ideas Note, on the other hand, is your list of things that are not yet active (That’s why I often refer to it as a Backlog.)

    One thing worth calling out is that it’s a good idea to make a list for each of your projects so that you have one place to look for all the work associated with each project.  What I’m showing here is the “master” list of your projects.  An additional step would be to have a list for each project, which contains the details.  I’m focusing on this master list of projects here because it’s where many people get lost among the sea of tasks, and lose sight of their bigger map.  If you can keep clarity of what’s on your plate, then this has a ripple effect that helps you better manage your time, energy, and focus to make things happen.

    All this might seem like a lot of work, but it’s actually pretty light-weight.  These are simple lists to help you focus, prioritize, and organize your work.   Each week, you simply refresh your Monday Vision.  Each day, you refresh your three wins.  Each Friday, you refresh your three things going well, and three things to improve.   It’s a simple habit, and if you fall off, simply pick up from wherever you are.   On any given day, simply ask yourself, “What are three things I want to accomplish today?”   Getting back on track is easy, and friction-free by design.

    Now, let’s take a quick, visual tour of each of the notes to help really make things concrete …


    Step 1. Firm Foundation

    In the Firm Foundation Note, I simply write down my Vision, Mission, and Values, and my key strengths that help me differentiate and flow unique value.

    [Screenshot: the Firm Foundation Note]

    It’s a simple list, but it helps me stay on path, and it helps remind and inspire me in all that I do.  Whenever I get off track, I simply go back to my Firm Foundation.  The process of thinking through my vision, mission, and values, also helps me take the balcony view of my life, and helps me head in a direction, even if I don’t know the exact target.  It gets me paving a path forward with skill.


    Step 2. Monday Vision

    In Monday Vision, I simply list my three wins for the week.  Below that, I create some whitespace, and then I list anything else that’s top of mind or pressing for the week.  The three wins are my most important.  After that is bonus. 

    [Screenshot: the Monday Vision Note]

    It’s my minimum list that helps carve out maximum value.   One thing to note is that I keep the list very simple and flat.  Also note that when I list things beyond my three wins, I list them in alphabetical order (thus the A-Z heading).  I do this for a few reasons.  First, it forces me to name things better, and the better I name things, the better I can manage them, or tell my boss about them, or share them with my team or whoever.  Second, it makes it very easy to see if something is on the list, or not.   This becomes increasingly important, such as those weeks where I have 50+ items on the list.   Believe it or not, 50 items is actually very easy to deal with when it’s alphabetical and you name things in simple, friendly terms.


    Step 3. Daily Wins

    In Daily Wins, you write down the three wins you want to achieve for today.  It’s simple, but powerful.

    [Screenshot: the Daily Wins Note]

    As you can imagine, it’s easy to create an overwhelming list.  That’s the beauty of this approach, and why I actually like paper or any application that will let me create whitespace.  What I do is I list my three wins at the top, then I list all the other top of mind things or tasks or actions in an A-Z list below that.  This helps me keep my mind free and focused, while keeping my three wins front and center throughout the day.

    Here is the other beauty of this approach … It’s easy to add three wins to any existing “To Do” list.  No matter how you already track your daily “To Do” list, you don’t have to change it.  Simply add your three wins to the top.  I wanted Agile Results to be inclusive of existing systems, and to ride on top, without getting in the way, and ideally, help you make the most of any system that you already use.  It’s a way to amplify your results and help you get more out of the time you already spend.


    Step 4. Friday Reflection

    In Friday Reflection, you simply list three things going well and three things to improve.

    [Screenshot: the Friday Reflection Note]

    What I do is add a recurring 20 minute appointment to my calendar on Friday mornings.  I used to take 20 minutes, now it’s closer to 10 minutes or less (you get faster, better, and deeper with practice.)  

    The power is in the process.  By asking yourself what’s going well, you take the time to identify and actually acknowledge what’s working for you.  This will help you see some things to keep doing, or potentially do more of.   It is also good for your motivation and momentum.  If you don’t take the time to call out what’s going well, you will more than likely beat yourself up for all the stuff going wrong, and that’s  just a downward spiral if you don’t balance it out. 

    The best way to balance is to first get clear on what you are really doing well, and take the moment or two to really acknowledge and appreciate that.  Maybe it’s as simple as doing what you said you would do.  Maybe it’s that you did a good job of starting your day with a focus on three wins.  Maybe it’s that you are getting better at making time to execute.  Maybe it’s that you are doing a good job of working on high-value things.  Maybe you are getting better at finishing what you start.  It can be any number of things.  It’s personal.  It’s real.  It’s your chance to shine the spotlight on your best performance, and to highlight your personal victories.  Soak it up.

    When you identify things to improve, try and get specific.  For example, if you know that when you write down one of your wins, you aren’t going to even come close, then your “challenge” and “improvement opportunity” is to choose a more achievable win, and to hold yourself to that.  Then you can practice that each day when you write down your Daily Wins.


    Step 5. Projects

    In Projects, you simply list your work projects and your personal projects.

    [Screenshot: the Projects Note]

    In the ideal scenario, you never list more than five top-level projects.  The reason is this:  you want to use the 80/20 rule for maximum impact and minimum effort.  You can reasonably spend 20% of your time and achieve 80% of the results.  What you don’t want to do is spend less than 20% of your time on a bunch of things, where all you’re doing is administration and context switching.

    Name these things in a way that makes sense to you, and ideally to others in YOUR world.  For example, find a good name to refer to your favorite project so that your manager knows how to refer to it (and even better, have them help you name it so that it’s sticky.)   If you have a maximum of five meaningful projects on your plate, and they are all high-value, you are setting yourself up for success.

    Personally, I try to go for three meaningful projects at any point in time, as well as an experiment.  The experiment is my wild card and potential game changer.  It can often lead to a breakthrough for me, either in what I create, or how I create things.  It’s how I keep improving my ability to flow value to myself and others.  Innovation is the key to sustainability, both for businesses, and for us, as individuals.

    Step 6. Ideas

    Ideas is where you simply list the ideas you have for work and for your personal life.  If there is one list that can help you stay on track, this is the list.

    [Screenshot: the Ideas Note]

    It helps you stay on track, because it reminds you that these are “ideas.”  They are not your active projects.  This is your dumping ground for all the cool things you hope to do, and all your neat ideas on how things can be better.    By carving out all the ideas and potential projects into a separate list, you keep your other lists simple and focused.  Your Projects Note is clean and crisp.  It only lists your active projects.  That’s important.

    Your Ideas list is your romping ground.  Feel free to dream up big, bold ideas.  But don’t confuse your dreaming with doing.  Use your weekly wins and daily wins in your Monday Vision and Daily Wins notes to stay grounded, and to stay focused on flowing value.  This will help you keep your head in the clouds, but feet on the ground … which is a beautiful blend of strategy + execution.

    It’s important to note that I keep my Ideas list in alphabetical order, and I bubble up the top 10 items to the top, and then add whitespace to break it up from the longer list.   This pattern of bubbling up the vital few and then listing everything else is an important productivity pattern.  It will help you get better at focusing on value, not volume.  It will also help you deal with information overload and overwhelm by whacking lists down to size.

    You might be asking, how come you don’t put the list in just one big priority order?  Here’s the thing I’ve found.  It’s very easy to scan a list and know the priority.  But it’s very difficult to scan a list that’s not alphabetical.  Your eyes have to go up and down, again and again, checking to see if you already have it on the list.   When you have a simple, flat list of alphabetical items, you can very quickly add or remove things, and very quickly create priority lists, and quickly pluck the high-value items from it.   This was not obvious, but I learned this in having to deal with many, many extreme lists.

    That said, Agile Results is not rigid in the approach, so if alphabetical order does not work for you, then change it to find what does.  The goal with Agile Results is to shape the system to support you in a way that brings out your best.  It’s a flexible system for results, so feel free to bend it in ways that help you make the most of what you’ve got.

    Snippet View to Show Agile Results at a Glance

    It’s worth mentioning the “Snippet View” in the latest versions of Evernote.  You can find the “Snippet View” under the “View” menu.  Here is an example of the Snippet View and how it shows all of the notes under Agile Results “at a glance.”

    [Screenshot: Snippet View of the Agile Results Notebook]

    What I like about the “Snippet View” is how it very compactly creates a narrative that I can easily scan.  I can quickly see my vision, mission, and values, as well as my Daily Wins and Weekly Wins, and my top Projects and Ideas.

    It’s a very powerful way to put the big rocks in my life, front and center.  It’s like the big picture view, but with enough of the details that bring it to life and make it real.   It’s effectively, “elegance in action.”

    Test Drive Agile Results

    Take Agile Results for a test-drive and see for yourself if it helps you master motivation, time management, and personal productivity.  You can try it in three different sizes:

    1. Try it for the day.   Simply write down three wins that you want to accomplish today, and see if you improve your focus, motivation, and productivity.
    2. Try it for the week.  On Monday, write down three wins for the week.  Each day, write down three wins for the day.  On Friday, write down three things going well, and three things to improve.
    3. Try it for the month.  Use the practice of 30 Day Improvement Sprints (or Monthly Improvement Sprints) from Agile Results to test-drive Agile Results.  With this approach, you simply set a theme for the month, such as “Master time management” and then each day you do something small to help you towards this goal.  You then use the Monday Vision, Daily Wins, and Friday Reflection to support you.  (Tip – Agile Results is a powerful way to change habits or adopt new ones by using 30 Day Improvement Sprints.)

    If you want to try the 30 day challenge, I have 30 Days of Getting Results, which is a free collection of thirty little lessons that you can do at your own pace.  Each lesson includes an outcome, a lesson, and exercises.   If you commit to taking this, you will learn some of the most advanced practices for rapidly and radically improving your personal performance, your motivation, your time management, and your personal productivity skills.

    I love what you’re capable of when you know how to make the most of what you’ve got.   Dig in and really make some thunder with your knowledge, skills, and experience.   The world is ready for you to flourish.   Rise and shine.

    By the way, I should mention that even though I showcased how to use Agile Results in Evernote, it’s a platform-agnostic time management system.  I know lots of people who use pen and paper or Outlook or OneNote or you name it.   (My favorite tool of choice for a while was my whiteboard.)    I should also mention that Agile Results was originally born as a way to organize your mind so that you didn’t need any tools or applications … just your mind.   That’s why The Rule of Three was important … it was a simple way to organize the most important things, and keep them top of mind.

    Best wishes on making a difference … for yourself, for others, for the world … in your way.


    Effectiveness Post Roundup

    • 11 Comments

    At Microsoft, I regularly mentor some fellow softies.   It can be tough to navigate the waters, find your strengths, figure out worklife balance, and deal with the stresses of the job, all while making things happen.  I help my mentees learn  the most effective ways for getting results in a tough, competitive environment.  It's challenging.  It's rewarding.  I've had several great mentors throughout my life at Microsoft, so mentoring is a way that I give back, sharing my lessons learned and helping others grow.  While my 1:1 sessions are the most effective, I try to share key practices more broadly in posts.  Here's a roundup of my various posts for improving effectiveness at work and life.  I organized them by meaningful buckets and provided an A-Z list at the end.  Enjoy.

    Career
    Learn how to find your path and get more from your career.  Work with the right people on the right things making the right impact.  These posts focus on career and worklife balance:

    Communication
    Communication is among the most important skills for getting results in work and life.  Empathic listening is the most important communication skill.  Improve the quality of your communication, and improve the quality of your life.  These posts focus on communication skills:

    Email
    Don't be a slave to your mail.  With the right approach, you can spend less time in your inbox and enjoy an empty inbox on a regular basis.  These posts focus on email management:

    Intellectual Horsepower
    Thinking is asking and answering questions.  Learn ways to improve your thinking through question-driven techniques and changing perspectives:

    Leadership
    Leadership is influence.  Amplify your results by improving your sphere of influence.  Leadership starts with self-leadership.  These posts focus on leadership skills: 

    Learning
    Learning is a life-long process.  Adopt practices that help you grow.  These posts focus on improving your learning:

    Motivation
    Motivation is your energy or desire to make something happen.  It's also the energy or desire for others to make something happen.  Learn how to improve your own passion for results as well as how to influence and motivate those around you.  These posts focus on motivation:

    Personal Development
    Personal excellence is a path, not a destination.  In life you're either climbing or sliding.  One key is to find ways to climb faster than you slide.  Another key is balancing your multiple demands and growing in your mind, body, career, emotions, financial, relationships and fun.  These posts focus on personal development: 

    Personal Productivity
    Make stuff happen.  Drive or be driven.  With the right approaches, you can carve out time for what's important and prioritize more effectively.  This is the key to getting results.  These posts focus on personal productivity:

    Project Management
    If you need to get something done, make it a project.   Whether it's a small-scale, personal project or a large, team-based project, there are patterns and practices you can use to be more successful.  These posts focus on project management:

    Teamwork
    Effective teamwork is a key skill in today's workplace.  Learn how to get more done with your colleagues.  These posts focus on improving your teamwork:

    Time Management
    You can't add more hours to the day, but you can spend your time more effectively.  You can also add more power hours to your day.  These posts focus on time management:

    Questions
    Questions are a powerful way to shape your thinking and mindset.  Ask better questions and get better answers.  These posts focus on asking and answering better questions:

    A-Z
    Here are the posts organized in a flat A - Z list for easy scanning:

    Sources of Insight
    If that's not enough for you, check out my project blog: Sources of Insight.  Sources of Insight is a browsable KB of insights and actions for work and life.  It's where I share my lessons learned from books, heroes and quotes.  You can read more about the mission and vision in the About page.
