Your team of developers have finished coding your new application, and now they start releasing builds of code every few hours. The best time to start the quality assurance process is as early as...

If you’re in San Francisco next week, Saucer Santi will be giving a featured talk on Selenium and best practices for writing automated functional tests for your Python Web Apps on Thursday, 5/8 at 6:15PM. The meetup will be hosted at the Yelp SF office, 706 Mission St. Yelp is also generously sponsoring pizza and beer. :)

Drop by to say hi, hear some awesome talks, and connect with other Bay Area Python lovers.

You can find more info about the meetup and RSVP here.

See you there!

Writing an article on APIs within the telecom industry could very easily turn into writing a lecture on computer science. So, for the sake of not dismissing interest, this article will be focused on...

Writing tests looks simple and every kid could write few lines of JUnit code. Writing valuable tests is more challenging. Everyone have seen (or written himself!) tests, which are hard to understand, hard to maintain, and do not verify anything really important (or maybe they do, but it is too hard to deduce)! Some tests are simply a burden. I want to present few examples of bad tests and show the ways of improving them. Along the way, I plan to discuss some general issues related to writing tests, present few ...

I’m writing several posts using my favorite quotes from the recent Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO.

In this first post, Wendy was talking about the need to integrate security in from the beginning…

• “The best place to set security standards is across the board before any projects get started. If you have the same requirements for everyone right out of the gate you’ll have less to change for each individual project.”

• “In QA, it’s almost too late, all the time and resources that were budgeted for the project will have been used up. It’s extremely hard to sell the concept of going back and changing the design. The inertia here to get management to slow the release or to fix problems is really big.”

• “In production you have the greatest inertia. It has already been rolled out, it’s running just fine and the developers have been reallocated to other projects. There is one poor guy named Mike left to support it along with 2 or 3 other applications. Good luck getting Mike to fix big security flaws.“

The interesting thing about Wendy’s recommendation is that it represents a key design principle of the Sonatype CLM. Integrating security throughout the entire lifecycle – from design, development, on through production deployment.

With the CLM, it starts by providing security, licensing and quality information in the IDE so the developer can make informed decisions about the best components to use. This prevents problems from occurring downstream, problems that become more expensive to fix.

To learn more about Sonatype CLM, check out the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

 

 

Last week I attended a class about Mobile application testing and learned a great deal about what needs to be tested and how, specifically from a mobile application point of view. In a matter of minutes, we were able to find all sorts of bugs in the applications. Overall, it was a real fun and empowering experience.  

 

Is testing mobile applications the same as testing web applications? It seems like it is, but it is so NOT!

 

Today HP is launching a time limited, bundle incentivized, mobile performance testing promotion to help you get started with this most important initiative.

 

Read the blog to learn more about mobile application testing and the discounted HP Performance Validation Suite.

 

 

On the bottom of James Bach’s recommendations of people there is a small paragraph:

That One German Guy

Germany has no excuse. There are TONS of smart people there. How is it only one intellectual software tester has emerged from the ISTQB-addled masses to demand my respect with his work? My theory is that Germany has a more command-and-control culture, which perhaps disparages independent thought of the kind required to achieve excellence in testing. This pains me, because I am descended from Germans and I would love to visit and teach there.

Anyway, the one German guy who shines in my community is Markus Gaertner. I’ll do a write-up on him, shortly.

Yeah, it’s about me. From time to time I am asked by James and other people in our community where the German testers actually are. Here are some folks I am in touch with, that have raised my attention, and I think will need some attention from the wider community. There is not only one guy testing in Germany, seriously.

Meike Mertsch

Meike Mertsch is not only my colleague, but upon joining James’ tutorial at the Swiss Testing Day last year, James got in contact with me over skype along with these lines:

I have met Meike. Now I know two testers in Germany.

Meike is more a developer-tester, but I think she has some potential. I work with her partially as a colleague, partially as a mentor.

Alexander Simic

For quite some time I have been in touch with Alexander. He is working with James as a testing coach, and besides Meike and myself was the third participants at last year’s GATE peer workshop. Alexander is working in Freiburg, eager to meet other like-minded folks.

Maik Nogens

Maik and I started this thing called GATE a while ago. Last year, he couldn’t make the date, though. That does not mean that we are not in touch with each other. In fact, he’s right now co-organizing the Software Testing user group in Hamburg.

Tobias Geyer

Oh, yeah, Tobias is the guy that made me aware of the Software Testing user group in Hamburg at the Agile Testing Days 2010. Since then some things have changed, but I think highly about Tobias, and I think he started a great community in Hamburg there. It’s a bit of a pity that Hamburg seems to be the only user community in Germany I am aware of.

Ursula Beiersdorf

Ursula Beiersdorf right now co-organizes local testing events in Hamburg, Germany together with Maik. I think she is doing a great job in networking and getting testers together.

Stephan Kämper

In 2009 I sat in the same tutorial at a conference as Stephan Kämper. Over the years, I came to value our exchanges on testing, and the greater community.

Andreas Simon

Andreas Simon is the guy that went to the very first Belgium Testing Days on his own budget to attend the Testing Dojos that I facilitated there. We had quite some fun together. Over the past two years, we came to co-organize the local Software Craftsmanship user group in Münster-Osnabrück-Bielefeld, he also organizes Coding Dojos and Code’n'Cake meet-ups in Münster as well.

More

I think there are more. For example there was this guy, Ender Ekinci, who dived deeply into the problems with Parkcalc, and found a way to produce even higher parking costs.

There also is Moritz Schoenberg who I don’t know in person (yet). I became aware of him since he won the uTest award for the tester of the year in a row. I hope to get in touch with him at the next official GATE workshop.

Oh, and of course there is Christian Baumann who attended the first GATE workshop in Hamburg in 2011. He’s been on my radar before that. That usually means I had the impression he is worthwhile to follow.

A final disclaimer: I think I might have forgotten some more people I work with in user groups, and other communities. If you miss your name on this list, drop me a line, and I will check whether to do a follow-up with your name included as well.

Last, but not least, this should be a starting point for you, German testers, to get in touch with us. I think we can excel beyond the state of our craft that we are currently working in. But we need to network better for this to happen.

Since it is hard to elaborate a response in 140 characters, I am blogging this. First, full disclosure, I am on the board of directors of the ASTQB and I am a training provider of ISTQB certification courses, as well as over 60 other courses I have written. (I make a small percentage of my income from ISTQB training.) I was also a founding author of the CSTE test certification from QAI. This is from my own perspective and does not represent the views of the ISTQB or ASTQB.

Second, I really believe as testers we have the right and responsibility to ask questions. So my issue is not with the asking of questions. We can still be friends.

I tweeted yesterday that "The open letter to the ISTQB is meaningless." Here's why.

1. The letter fails to distinguish between the ISTQB and the country examination boards (such as the ASTQB, Canadian Testing Board, UKTB, etc.) that write and administer the exams. Therefore, the ISTQB does not write exam questions. To get the answers to the questions about the validity of questions and coefficients, you would have to write such a request to each individual country exam board. The ISTQB may provide a high-level response, but it can't answer the detailed questions posed because it simply doesn't have the information.

2. There are Non-disclosure Agreements in place to protect the intellectual property of each country board and the ISTQB in general. One of the challenges with any exam (ITIL, PMP, etc.) is to keep the contents of the exam confidential as to prevent questions from being passed around. There is a sample exam available on the ASTQB website that gives a flavor of the questions being asked. Kryterion would not release results because they also have confidentiality restrictions.

3. "Have there ever been any problems with the validity of the exams?" This is like asking, "Are you still beating your wife?" Everything has shortcomings. The reason the ASTQB invested in independent exam reviews and measurement was to make the exam as valid as possible.

I agree that the questions on the exam must be a valid reflection of the learning objectives in the syllabus.  As a training provider, I don't know what is on the exam. There is a firm line of separation. I focus on the methods and application as opposed to the brain cram approach.

That's it for now. Gotta get back to the test lab.

Thanks,

Randy

The tide is turning. OWASP A9 is more recognition that modern applications are constructed primarily of components. In our recent survey of 3500 developers, managers and architects that use open source, 86% of participants noted applications built today are at least 80% open source. OWASP A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Jeff Williams, CEO of Aspect Security and founding member of OWASP puts a fine point on the challenge…

• “The performance, time and cost advantages of agile, open-source development comes at a price – you have to ensure the components you use are up-to-date and secure.”
• “Unfortunately, it’s not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components.”
• “The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”

So why should managing and securing components be a priority? Simply put, components have become a rich attack vector because of their pervasive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and organizations.

OWASP provides a set of best practice recommendations, including:

1. Identify the components and their versions you are using, including all dependencies.
2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable license.

Sonatype CLM goes beyond these recommendations and is designed to manage the entire component lifecycle. The CLM integrates security, licensing and quality information about the components directly in the tools that developers use (repository manager, IDE, build/CI environment), provides early and quick remediation capabilities, and continuously monitors your production applications.

For more information on recommended best practices, check out the 7 steps to Good Component Practice section (it’s at the end) of the 2013 Sonatype Survey results.

You can also check out the press release announcing OWASP A9.  

If you’re involved with development or testing for all things internet or mobile, you’re sitting in a sweet spot in the economy, according to IBIS World. While the economy as a whole is starting to do better then it was five years ago, the industry research company says that many web-based industries are thriving and growing at an impressive rate. Not surprisingly, mobile will be an increasingly important driver for these industries.

IBISWorld has compiled a list of standout industries based on their annualized revenue growth over the past 10 years, as well as performance expected through 2018. One trend stood out above all: The internet is playing an integral and deciding role among these industries. For example, IBISWorld expects the number of mobile internet connections in the United States to rise at an annualized rate of 7.9% through 2018. Thus, a rise in the number of mobile internet connections, higher internet traffic and the proliferation of smartphones, tablets and other mobile devices across the US will help these 10 industries continue a meteoric rise that will outpace the rest of the economy.

Here’s a look at the fastest growing industries, according to IBIS World:

Social Networking Sites
Over the past decade, SNS [social networking sites] has exploded, recording 74.4% annualized growth since 2003, which included the beginnings of early SNS like MySpace and Friendster. … Over the next five years, SNS will further develop new ways to monetize, tracking user data and leveraging more lucrative advertising contracts. As a result, the Social Networking Sites industry is expected to generate growth of roughly 25.0% per year on average over the five years to 2018.

Social Gaming
Companies, such as Zynga and EA (Electronic Arts), have transformed well-known, classic games like Scrabble and Battleship into social attractions where consumers can play head-to-head over the internet. This trend has been enhanced by a surge in social game applications, which are being developed at a rapid rate to cater to those consumers looking to play games on their mobile device. The industry hardly existed in 2003, but has since posted annualized revenue growth of 134.4% over the past 10 years. Moreover, the industry is expected to grow an additional 16.9% per year on average over the five years to 2018.

E-Commerce
Online sales of fashion samples, greeting cards, photo printing, shoes and household furniture have exploded in recent years and look to maintain their strong growth in the long run. … Aside from well established firms, however, many specialized websites are gaining greater traction and maintaining a robust, loyal customer base. … Moreover, these sites have been enhancing their mobile presence, as many consumers continually access mobile e-commerce content from their smartphones or tablets. Each of these sites has shown impressive, swift growth over the past decade in revenue, establishments and in their overall contribution to the economy.

Online Payment Processing
Online Payment Processing Software Developers are strongly benefiting from the ever-increasing e-commerce activity. As more brick-and-mortar retail establishments created online retail websites over the past decade, the need for online payment processing software has increased dramatically. As a result, the Online Payment Processing Software Developers industry has experienced average annual revenue growth of 43.2% over the 10 years to 2013. … Additionally, as more niche, specialized firms continue to enter the e-commerce realm, online payment processors will continue reaping the benefits, with expected growth of 17.2% per year on average over the five years to 2018.

E-Publishing
With increasing smartphone and tablet penetration in the United States, e-book publishers have flourished. … these factors have lead to strong growth for the industry over the past decade, reaching annualized growth of 88.3% since 2003. Over the next five years, e-book publishers will continue to benefit from the improvement in the prevailing economy and its effect on consumer disposable income, as well as the gradual shift toward more books formatted only for e-readers. IBISWorld expects E-Book Publishing to grow 7.5% per year on average over the five years to 2018.

Fantasy Sport Services
Fantasy Sports Services have been gaining popularity as more consumers go to the internet to compete in these social sports games. The industry develops software, and markets an online platform for multiplayer fantasy sports. … These games have been around for more than 25 years and played in tight knit social circles, but the internet really helped push the envelope for transforming Fantasy Sports Services into a full-blown industry. Over the past 10 years, fantasy sports services have experienced explosive absolute growth of 241.0%. Fantasy Sports Service firms will continue cashing in on the general move toward more mobile content, which will help bring revenue up at an annualized rate of 7.6% over the five years to 2018.

Online Recruiting
Online recruitment sites have been taking to the internet and revolutionizing the Employment Recruiting industry. … Online recruitment sites have grown an annualized 11.9% since 2003. Over the next five years, these sites will grow another 3.0% per year on average by penetrating specialized, niche job markets and catering to specific markets of job seekers.

Read the full IBIS World report >>>

If you’re involved with any of those industries, hold on for the ride – things are only going to continue to grow! Also let this be a pre-warning: As the industries continue to grow, more competition will enter the ring. You need to stay vigilant and continue to put out the best product you can, don’t rest on simply being one of the first. Listen to users and make sure you’re continuously giving them what they want. If you don’t, someone one will certainly swoop in to fill the void – and take your customers/users while they’re at it.

Also keep an eye on what’s coming. Mobile has a long way to go and it will certainly go through many changes during that process. Take leaps and adapt to new technology as it comes out, you don’t want to be left behind if some wild new gadget like Google Glass makes it big.

SmartBear Software is redefining large-scale Web optimization with WebLoadUI Pro, its new, affordable Web performance testing tool. This new commercial version, released a few weeks after strong interest in the free WebLoadUI tool, addresses the ...

Most load testing tools collect exhaustive information for each load test run. Traditionally (if we can say that about load testing), you needed to have pretty extensive knowledge in order to...

SmartBear Software is redefining large-scale Web optimization with WebLoadUI Pro, its new Web performance testing tool. This new commercial version, released a few weeks after strong interest in the free WebLoadUI tool, addresses the needs of enterprise and large website teams with advanced capabilities and support at an affordable cost. “WebLoadUI Pro marks the completion of an ambitious project to establish a freeware model for Web load testing with the same product structure as the very successful LoadUI for API load testing,” said Niclas Reimertz, Managing Director, SmartBear. “This new Pro ...

If you want to save time on a distributed team, this post is for you.

The best way to manage external teams and resources is the Space Manager Tool. Space Manager Tool is available for all Assembla Portfolios. Space Manager provides your team the ability to:

• Share Code with Limited Access
• Share Partial Ticket Lists
• Share a Prioritized Backlog
• Share Tools You Want

How does it work?

Let's start setting up a Master Space and add Child Spaces to them.

The Master Space is the container for the Child Spaces. Child Spaces are filtered spaces of the Master Space.

Say, you have an IT-outsourcing company "MasterSoft inc".

You provide services to a lot of customers. Let's take two of them: "SimpleJava" and "Soft.com".

Of course, you would like to keep customers informed. Also, Child Project members should have access to their company's content.

To achieve these goals you will setup a Master Space. All "MasterSoft" team members (PMs, Developers, Ops, etc) will become members of this space.

To add Master Space features to your Child Space use Space Manager Tool.

It can be installed from Admin->Tools:

Also, "MasterSoft" will need a Ticket Tool to post tasks for all customers.

Each customer company will have own repository in it's Child Space, so the Master Space will not require a repo tool.

At this point you will need Tags for each child project. Tags can be managed in the Ticket Tool Settings, under the "Tags" section.

Tags are also used to mark and filter tickets in the Simple Planner and Cardwall for Non-Child Spaces and Child Spaces without Filter.

In the Filtered Child Space this option is disabled, since it has already been applied.

To create a Child Space you will need to switch to the Space Manager tab:

Finally, setup a new Child Space:

As shown in the form, Tickets will be shared with SimpleJava space, but will be filtered by the Tag "SimpleJava".

This means that only tickets with this Tag will be displayed for the Child Space. Also, all the tickets, created from "SimpleJava" Child Space will be tagged with a "SimpleJava" tag. Nice, isn't it?

Now the only thing required, is to invite SimpleJava Team Members in the Child Space, and set up their role (member, watcher or owner).

Note, that all the roles from the Master Space will be delegated to the Child Space. So, all the Master Space members will be able to access all the Child Spaces with the same role, they have in Master Space.

The Child Space can be accessed directly from the Space Manager page or from the top bar dropdown navigation once you are in the Master Space.

The Workflow

It's time to talk about how the whole stuff works and what is the basic workflow, for the MasterSoft use case.

Bob is a QA specialist from "MasterSoft", who found a typo in the application, just deployed to the Google Play Market.

So Bob opens a new ticket from the Master Space, and tag it with "SimpleJava" tag.

Quite simple.

Now all the developers who work with "SimpleJava" will be able to see the new ticket in the filtered Child Space, as well as SimpleJava team will be able to track the progress.

So what are the results?

• Tech Leads and Developers are more focused on their work in Child Spaces
• PM's can still see the list of tickets for all Feature Teams, filtered by some condition (say fix-today tasks) in Master Space, alongside with filtered Backlog in the child space.
• Your customers can track the Prioritized Filtered Backlog in the child space
• A customer is prevented from accessing other customer's content
• You can add any usual tool (Wiki, Messages, Repositories, e.t.c.) to the Child Space
• You can tag a ticket for more than one team, say "SimpleJava" and "Soft.com". This introduces even more flexibility into your process.

To find out more about Scaling Teams and Resources, you may want to read Beyond the Scrum Roadmap article.

If you haven't  try Space Manager for your projects yet, you definitely should https://www.assembla.com/subscribe-portfolio.

A large number of terminal servers, which are also called serial port servers and are used to provide remote access to non-networked equipment such as point-of-sale systems and environmental controls, are at risk of becoming the targets of vulnerability exploits. Rapid7 researcher HD Moore recently presented a study and published an accompanying blog post showing that more than 114,000 serial port servers are accessible over the internet, with a significant share offering administrative access to connected systems.

Misconfiguration of and a lack of substantial built-in software security in devices from the two primary serial port server manufacturers, Digi International and Lantronix, means that attackers have an easy vector for accessing a variety of business critical systems, Rapid7 noted. Serial servers enable organizations to connect legacy systems with a networked environment, and they are often used to manage equipment and tools such as retail POS systems, HVAC and ICS equipment, vehicle fleet and cargo location trackers, traffic signals and telecom infrastructure. Among the exposed systems discovered in Rapid7′s research were a coal-mining firm’s cargo tracking tool, which attackers could use to stream train GPS coordinates, and a national dry cleaning chain’s employee terminals, on which attackers could access payment information.

Too much connectivity, too much trust
Serial servers are generally connected via Ethernet, but many also connect to the internet using wireless modems that support 3G and 4G networks. This type of mobile connectivity places devices outside of firewalls, making them difficult to secure, Moore explained. The problem is compounded by the fact that remote serial port connections are rarely encrypted. There are three common access methods: login over telnet, SSH or web interface; connection to a specific TCP port and access over a proprietary protocol using vendor-specific software. The first is more likely to be secure, but the latter two are rarely encrypted and require only a single layer of authentication – or, in many cases, devices do not need authentication because it is assumed they are physically connected to the serial port.

“Serial port servers change the authentication model in two significant ways,” Moore explained on the Rapid7 blog. “First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between a SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity. Very few systems support inactivity timers on serial consoles.”

Strengthening security
Using customized search modules and public sources such as the Shodan search engine, Rapid7 was able to identify more than 13,000 serial ports out of 114,000 accessible IP addresses that offered some level of administrative access to anyone who connects to them. Representatives from Digi and Lantronix both spoke to Computerworld, acknowledging the problem and pointing out that end users need to be more careful in configuring authentication on their products.

Given the small amount of memory in the devices, trusting in the security on the level of the embedded software is not enough, Digi CTO Joel Young told the publication. Users need to supplement security with network-level safeguards. Daryl Miller, vice president of engineering at Lantronix, urged users to implement encryption. According to Moore, however, more could be done to improve security on a device level.

“There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation,” he wrote. “A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.”

Manufacturers of networking equipment can strengthen software security by including automated safeguards. Given the vulnerability of these systems, manufacturers of connected devices also need to ensure they are addressing security in their development process with tools such as static analysis software. With more attention paid to security in all aspects of connected devices, from the terminal server level to the embedded software of devices themselves companies can reduce the threat of remote attacks. In the meantime, users can protect themselves by configuring terminal servers to only use encrypted management services, requiring authentication, setting a strong password and enabling inactivity timeouts, Moore noted.

Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.

One concern I receive quite a bit from folks new to messaging, especially those coming from SOAP and WCF land, is how to preserve the convenience of proxy classes and data contracts that can be shared amongst multiple clients. The problem comes in when looking at coupling, especially around changes in the contract and how to upgrade clients. Clemens Vasters details many of these issues in his screencast on data/contract coupling in messaging.

One thing that grounds all of this is what we consider the message as developers, and what our transport and messaging system considers to be the message. For example, the Azure REST services expose contracts as XML. XML, by itself, and JSON make for great transport formats because the underlying technology provides a fairly universally acceptable common type system. Although your language might need to bridge from your format to theirs, people standardize on ISO formats for standard primitives to maximize interoperability (and minimize serialization mistakes).

Dealing with such large XML documents from a client API can be a pain, however. XML is notoriously finicky with respect to case sensitivity, and I can’t count how many times I’ve been bitten by this when dealing with raw XML and REST APIs. We would need to assume that documentation exists, and until forms become common in REST APIs, it’s difficult to say that HATEOAS will simply solve all these problems of self-describing APIs.

Instead, we often see REST and other messaging clients, out of convenience, build DTOs as a means of representing the message. But first – what is a message? A message is just data. It’s defined by a header and body, where the header is used by the transport/messaging system and the body is ignored (picture courtesy http://www.eaipatterns.com):

However, messages aren’t types. But what about sharing something like this?

[DataContract]
public class PurchaseOrder
{
	private int poId_value;
	
	// Apply the DataMemberAttribute to the property.
	[DataMember]
	public int PurchaseOrderId
	{
	
	    get { return poId_value; }
	    set { poId_value = value; }
	}
}

That’s still not terrible, because underneath the covers our message is still just XML or JSON. We use this type as a description or blueprint of our message, because it’s simpler to describe our message in C# terms instead of a looser type like XML or JSON, which are more difficult to describe and use in C#. I’m ignoring dynamic types in .NET – those to me are a bit of a hack in this case. In WCF, proxy classes get generated on the client side, so we’re still not taking an assembly dependency. This isn’t available in REST or other messaging technologies, leaving clients reliant on documentation to “Get it right” – assuming that they don’t make mistakes translating raw XML or JSON into code building raw XML or JSON on the client side.

So what typically happens in a homogenous environment is that data contract assemblies are shared:

Both client and server share a contracts assembly, and use the contracts assembly as a description for how to construct and consume the raw messages.

We introduce coupling on the client side with a raw type shared across the server boundary, but it’s up to those building the system to determine if this sort of coupling introduces any potential risks. When we look at coupling, we must always balance risk. If coupling introduces low risk, it might be acceptable (assuming we’re more or less prescient in our future system’s design).

From my experience, as long as the messaging infrastructure doesn’t assume that the message is built from a type and therefore leak those concerns, this sort of model can be a nice compromise in ecosystems where types as blueprints for messages ensures safety in our message construction and consumption. It’s similar to building MVC applications around View Models – they’re a blueprint for building forms, and a means of accepting raw form POSTs. Side note – I found it hilarious that the Rails folks ran into that mass assignment security problem – it’s a problem I’ve never, ever had in MVC.

But that’s the real kicker – our messaging infrastructure can’t assume types, as the message is not the type. We might use a type as a convenience to build and consume, as we do in MVC, but ultimately, our messaging infrastructure can’t assume a type. MVC handles this quite well, with model metadata and its ModelState objects. The original request is always preserved in its raw form (dictionary of strings), but the model provided to the controller action is an approximation of that request.

It’s only when we assume that we’ve literally shared types that we’re going to slip into real type coupling, and everything that SOAP failed to deliver comes back again.

Post Footer automatically generated by Add Post Footer Plugin for wordpress.

We've seen it happen in many organizations at some point or another - the blissfully-unaware load tester finds out that their current approach to performance testing is not meeting the needs of the...

Tom Gilb is interviewed on why, how and who should measure value in software testing after speaking at UNICOM’s 8th Next Generation Testing Conference. Video Producer: http://www.next-generation-testing.com

This year, the West Coast Jenkins User Conference will be in Palo Alto rather than San Francisco. If you’re nearby – or even if you’re not – join Kohsuke and other fellow developers for a solid day of Jenkins.

• The Date: Wednesday, October 23, 2013
• The Venue: Palo Alto Jewish Community Center
• Details
• Register

The Call for Papers is open until June 9 (scroll to bottom of page for form). JUC will be much better with your involvement, so please submit your abstracts and share your Jenkins knowledge with the community.

A very special thanks to our JUC Palo Alto sponsors, who will make sure you are fed, caffeinated, clothed (in this year’s collectible Jenkins tshirt), and generally well cared for at the conference: CloudBees, JFrog, XebiaLabs, appvance, ZeroTurnaround, LMIT Software, Black Diamond Software, New Relic, Liferay, AppDynamics, and SOASTA.

Two other differences this year – the conference is not timed to coincide with JavaOne, and it falls on a Wednesday rather than a Sunday. We thought we’d try these changes and are interested to know if they work better for everyone.

The agenda won’t be populated until after the Call for Papers closes and talks are selected. But you can check out previous JUC agendas, slides, and video:

• 2012 JUC San Francisco
• Inaugural JUC San Francisco - 2011

If JUC Palo Alto is not convenient for you, there’s also a JUC coming up in Herzelia, Israel on June 6 and a Jenkins event planned for Copenhagen, Denmark on September 6.

Hope you can join us at JUC!