Keeping out crackers (the black-hat kind, I mean, not saltines or rednecks) is like trying to seal a leaky basement: Every time you plug one hole, the water flows to another. Our firewalls sealed off everything except for port 80; naturally enough, Web services flowed in to fill it. I remember tool vendors crowing that XML-based remote procedure calls would "travel unimpeded by your firewall." I groaned, and with good reason: The crackers were only a few milliseconds behind.
Of course, Web services can be implemented securely, and the techniques for doing so are known. Then again, software can be implemented without bugs, too. Sure, I'm a development genius ... but I test anyway.
In addition to functional, client, regression and penetration testing for your SOAP apps, SOAPTest handles load testing.
If "test anyway" is your style as well, check out Parasoft's SOAPTest, now at release 4.0, which sports new ways to give your Web service security precautions a good sweaty run for their money. SOAPTest 4.0 uses your UDDI, WSDL or even HTML traffic to craft a test program that actively bangs on the security doors, using crackers' known techniques. Ever hear of an "XML bomb," for example? To create one, you carefully craft some XML that will expand infinitely when parsed (recursively defining an entity in terms of itself will do the trick), send it in to the unsuspecting Web service, and watch the pretty lights. Sometimes you'll crash the server. Sometimes you'll get interesting and enlightening error messages back that can inform your next attack. SOAPTest 4.0 knows how to do it, so your software had better be ready to defend against it, along with a host of other cunning tricks, such as our old friend SQL injection, parameter fuzzing (mucking with SOAP parameters in an effort to elicit more-interesting error messages), XPath injection, and links to external entities.
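The defensive side of the XML-bomb test described above, as an added example that is not Parasoft's code or any part of SOAPTest: a constructed three-level entity payload (kept small enough to be harmless) is parsed once naively, to show the expansion, and once through a gate that refuses any DTD or entity declaration before a single reference is expanded. It assumes Python's standard-library expat parser; the SOAP element names are made up.

```python
# Added example, not Parasoft's or any vendor's code: an entity-expansion
# ("XML bomb") gate for SOAP message parsing, Python standard library only.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample: three nested entities, 8 references each, so the 3-byte
# "&d;" expands to 8**3 = 512 copies of "lol"; a few more levels exhausts memory.
BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE Envelope [\n'
    '  <!ENTITY a "lol">\n'
    '  <!ENTITY b "' + '&a;' * 8 + '">\n'
    '  <!ENTITY c "' + '&b;' * 8 + '">\n'
    '  <!ENTITY d "' + '&c;' * 8 + '">\n'
    ']>\n'
    '<Envelope><Body><Echo>&d;</Echo></Body></Envelope>'
)
CLEAN = '<Envelope><Body><Echo>hello</Echo></Body></Envelope>'

class UnsafeXML(ValueError):
    """Document declares a DTD or entities; refused before anything expands."""

def naive_expansion(doc: str) -> int:
    """Unguarded parse: returns how many copies of 'lol' landed inside <Echo>."""
    return ET.fromstring(doc).find('.//Echo').text.count('lol')

def parse_strict(doc: str) -> ET.Element:
    """Parse with expat, but stop at the first DOCTYPE or entity declaration,
    i.e. before any entity reference in the body can be expanded."""
    parser = expat.ParserCreate()
    builder = ET.TreeBuilder()

    def reject(name, *_):
        raise UnsafeXML(f"DTD or entity declaration '{name}' not allowed in SOAP")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = lambda *_: 0  # 0 = abort, never fetch
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(doc, True)
    return builder.close()

def rejected(doc: str) -> bool:
    try:
        parse_strict(doc)
        return False
    except UnsafeXML:
        return True
```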
Parasoft, 101 E. Huntington Dr., Second Floor, Monrovia, CA 91016, Tel: (626) 256-3680, Fax: (626) 256-6884, www.parasoft.com
Effective Swingers All Ship It
When the Pragmatic Programmers started their own press, it wasn't to put out some oinker. Instead, they produced the Pragmatic Starter Kit, which lives on my easy-reach shelf. Their latest is Ship It! A Practical Guide to Successful Software Projects (Pragmatic Bookshelf, 2005), a compendium of eminently practical project tips that authors Jared Richardson and William Gwaltney Jr. have found useful throughout their combined 30 years of experience writing code and getting projects out the door.
In a way, there's not much that's new here. It's not exactly a revelation that revision control can prevent disasters, for example. And yet ... and yet! Plenty of development shops still aren't using many of these practices, and Ship It! gives good advice to help you herd your outfit toward adoption, or at least to get you off to a good start if you're new to software project management. In addition to recommendations for tools and infrastructure and pragmatic project techniques, they also talk up tracer bullet development, which advocates (among other things) stubbing out a product from end to end, then refining the stubs into working code. Consider this: I've been building software for 20 years, and I blasted through Ship It! in a single evening, learning lessons to implement immediately in our group. Ship It! is available for $29.95.
Fair or not, Java UI programming has an ugly reputation among our development team at the University of Wisconsin. Heck, just uttering the phrase within earshot of the Finn puts you in imminent peril of receiving the Look.
But it doesn't have to be that way, say Joshua Marinacci and Chris Adamson, authors of Swing Hacks (O'Reilly, 2005). The two point out that Sun's Swing UI library lets you craft user interfaces that would be impossible to achieve with Web techniques, without giving up cross-platform compatibility. Deep, rich, responsive UIs are expected (nay, demanded) by today's users, and Marinacci and Adamson show you how to achieve them in Swing, with the O'Reilly-standard 100 hacks to give your applications "the cool stuff."
These hacks cover much of UI implementation, with chapters on lists and combos, tables and trees, rendering, drag-and-drop, and eight others. The hacks themselves range from the utilitarian (Use HTML and CSS in Text Components) to the flashy (Create a Magnifying Glass Component) to the whimsical (Earthquake Dialog and Fun with Keyboard Lights) to the seemingly quixotic (Make Mac Applications Behave Normally, to which I envision 10,000 programmers roaring "YEAH!" in unison). Swing Hacks is available for $29.95.
What's new? Scott Meyers' Effective C++ (Addison-Wesley, 2005) has been revised into a third edition. What's noteworthy about that? Two things: First, Meyers has completely revamped his items format to address the changing world of C++ (Boost, TR1 and the ubiquity of templates, for example) and how it affects its users (today, he notes, one may safely assume that programmers are familiar with object-oriented programming and design patterns). Second (and this has been true since the original book hit the shelves in 1991), if you program in C++, you'd be crazy not to have this book within reach. Its 55 items will improve your programming style and spare you red-faced embarrassment (to say nothing of possible unemployment). C++ has never been a language for fools or dabblers, and harbors pitfalls aplenty even for intelligent newbies. It pays to let Meyers be your point man. For example, take item 9: Never call virtual functions during construction or destruction. Think about that for a minute. Sends a chill up your spine, doesn't it? And yet many of us would never have considered that issue.
You get the idea. Now go get Effective C++, which lists for $44.99.
Script 'Em, Load 'Em, Ship 'Em, Rawhide
You needn't be a developer to build a comprehensive suite of functional, regression and load tests with AccordSQA's SmarteScript and SmarteLoad.
To deploy, you must test. (OK, you can deploy once without testing. But by the time your ex-users are finished with the torches and pitchforks, version 2.0 is going to be a tough sell.) To test effectively, you must automate. To automate effectively? Well, that depends on the scale of your projects. If you've got more than a handful of integration or acceptance tests to run, consider SmarteScript 4.0 and SmarteLoad 1.0 from AccordSQA. These apps take test management out of the realm of "I know I put those scripts somewhere" to a place where complete, repeatable test suites become merely the elementary building blocks of your entire enterprise's test program.
SmarteScript's user interface is aimed at business analysts: those folks who know how to invoke and operate the application in question (be it a Windows executable, .NET application or Web app) but don't necessarily know what makes it tick. A "learn" function walks you through the application, while SmarteScript recognizes objects on the screen and parses values out of them. (It's not simple screen capture. Developers moving objects around on the UI won't break tests, claims the company, but they wouldn't tell me exactly how they do it.) Next, the tester is presented with a grid in which he can specify which values are the ones to look for, and voilà, a new test is born. Tests can incorporate clicks and keyboard events, and even shell out to arbitrary commands (to initialize a test database, for example). Natural-language documentation can be automatically generated for each test, sort of like Javadoc for testers. The test can be recalled, edited, lumped with others into suites, scheduled or run directly, all from a management console. One crucial advantage over "dumb" (or is that "dumbe"?) scripting is that when objects in a test change, that change is reflected over all tests using that object; you don't have to go back and edit all your regression tests.
SmarteLoad takes the abstraction one level higher, pulling in the tests you build with SmarteScript and orchestrating entire galaxies of simultaneous test runs to stress test your applications and report the results through a dashboard that gives you the skinny on your applications' health and responsiveness.
SmarteScript starts at $4,950 for a single seat; SmarteLoad starts at $9,980.
AccordSQA, 15 Doeskin Drive, Framingham, MA 01701, Tel: (508) 877-1594, Fax: (508) 877-1595, www.accordsqa.com
Fast Little Feet
Parallel computing. It's a phrase so trite, it's almost devoid of meaning, yet useful parallelism is out of reach for most projects. For example, I work with a biophysical landscape-modeling program that's a real cycle-sucker: 10-hour runs on high-end PCs are not unheard of, and they need to do a lot of runs. Sure, I could build a Beowulf cluster. But as the only Linux-savvy hacker in our tiny shop, I'd be appointing myself Sysadmin For Life. I could also write scripts to ship the data around and schedule the runs. Or, if I had the money, I could hire one of the industry big guns to come in and set it up for me. Or ... I could work on the five other high-priority projects on my desk. If it isn't as simple as plugging an appliance into the wall, why the heck do they call it "grid computing"?
Fortunately, Digipede ("Many legs make light work") has a solution for me, and maybe for you, too. Its Digipede Network runs on Windows (heavily leveraging the .NET framework) and is designed to let you get jobs running in parallel within an hour or two of breaking the shrink-wrap. The software has three parts: First, an agent runs on each compute node to handle that node's compute runs and resource management. You can configure the agent to run jobs whenever the screen saver kicks in, à la SETI@home, or run them constantly but at low priority so that a human can still use the machine, or schedule times (like nights or weekends) to just grab the CPU and run with it. A central server can also coordinate the jobs, and management consoles let you monitor and control what's going on.
I should point out that all this happens without recompiling a single module. Out of the box, Network manages the data for your existing Windows programs and runs them. No noodle-wrenching parallel programming is required. So if your thing is Monte Carlo runs, you can set a bunch of them to spinning their roulette wheels at once. Or you could take that "logic" layer in your three-tier application and farm it out to a wad of busy little Windows servers.
Digipede Network Team edition ships with five agent licenses for $1,000 each. You can add more agents (and hence, more processors) for $199 each for a total of up to 20. Digipede plans to release an unlimited-node Professional edition later this year.
If, on the other hand, your noodle likes being wrenched, and you're just itching to dive into parallel programming, your programs can exploit Digipede's .NET API to run atop the Network software, too. Sigh ... if only that model weren't written in Fortran.
Digipede Technologies, 3640 Grand Avenue, Ste. 206, Oakland, CA 94610, www.digipede.com
Software Development does not review New & Noteworthy inclusions. The features, capabilities and, in some cases, the images have been derived from the manufacturers' information. The words, however, are all ours. New product announcements may be sent to [email protected].