Security

McGraw is right.

I am so pleased to be working with people who are clued in enough so I can have conversations like this:

Me: John, I’m glad that we’ve finally got Board policy addressing data security and privacy, and we’re putting in place practices and training to address network security, wireless security, and so on, but—

Him: But Gary McGraw is right.

Me: Yes, exactly.

Here’s the thing. We have paid far too much attention to network security and not nearly enough to application security. That’s what Gary McGraw has been saying, and thankfully our security guy knows it. Software security is the new frontier. Or really, it’s been the frontier all along, we just haven’t acknowledged it.

So what do I do? I’m going to have a very busy summer, jump-starting our secure development process and trying to get policy to match what our process should be, so practice can flow from policy. This isn’t an official part of my job; it’s just something that I care a lot about and am going to do. It’s a start.


Books I’m Reading

I was in a boring meeting and killed time by jotting down a list of books that I’m either reading now or plan to read in the next couple weeks.

  • Ruby for Rails by David Black. You can’t get far in Rails development without knowing Ruby well. This is a good introductory Ruby book that goes into more detail than you’d expect and still comes off enjoyably readable. Glenn Vanderburg talks about the notion of using Rails not as a framework or domain-specific language for web applications in general, but as a DSL for your web application. If you understand Ruby well, and you understand how Rails ticks, you’re on the way to doing this.
  • A Little Ruby, A Lot of Objects. I’ve mentioned this before. A good way to grok OOP, Ruby style.
  • Programming Ruby. The PickAxe is the standard with good reason.
  • Best of Ruby Quiz. A language’s syntax is the easy part. To become proficient, I need to use a language to solve real problems, feel my way around the idioms.
  • PHP 5 Objects, Patterns, and Practice. I’ve been itching to get back into PHP programming, and I immensely enjoyed this book’s practicality and clear-headedness. I don’t think anyone does a better job writing about PHP than Matt Zandstra. If you want to understand OOP in PHP, both from a mechanical/syntactic perspective as well as design philosophy, this is a very good place to begin.
  • Facts and Fallacies of Software Engineering. My introduction to Robert Glass’s work, I return to this book periodically as a touchstone. Grounded in years of research and practice, Glass discusses what ought to be common knowledge but often isn’t. We keep making the same mistakes and we need to be reminded of that so we can do better.
  • Software Conflict 2.0, again by Robert Glass. A collection of essays from 1990, still very much relevant.
  • Rising Stars, vols. 1-3. J. Michael Straczynski wrote a comic book series? It is marvellous, as you would expect from the man who brought us Babylon 5. (Actually, he’s written more than one comic, but I really like this one.)
  • How to Break Web Software. This is aimed more at software testers than I expected, which was a foolish assumption on my part. A good book. Oh, which reminds me, I need to reread the OWASP Guide 2.0.
  • Software Security, Gary McGraw’s latest, focusing on building in security throughout the development lifecycle. I’ve come to a point where I need to start suggesting policy and practice. There aren’t many better places to start than Gary McGraw. I am also eagerly awaiting Michael Howard and Steve Lipner’s upcoming book about the Microsoft SDLC: The Security Development Lifecycle.
  • Getting Real. Nothing new if you’re familiar with 37signals and their philosophy, but an engaging and exciting read. I find myself listening to Jason Fried over and over again.
  • In the Company of the Courtesan. I heard an interview with the author and got sucked in.
  • Shooting the Thorn Tree. Kiara’s Master’s thesis. Well, one of them.
  • Designing Interfaces. Yes, I am the user interface guy on our team.
  • My Job Went to India. I’m not afraid of my job being outsourced, but I have been too complacent in driving my career. Time to take control.
  • The Career Programmer: Guerilla Tactics for an Imperfect World. Cuz man, things get nuts.
  • Beyond Code. See above.
  • Spies Among Us. The local OWASP chapter discussed this last month but I couldn’t attend the meeting.
  • Digital Identity. Phil Windley’s high-level discussion of identity management. I really, really need to wrap my head around what’s happening in this space.
  • The Great Transformation: The Beginning of Our Religious Traditions. Karen Armstrong’s latest.
  • Garth Nix’s Abhorsen trilogy. Have I mentioned that I’m a sucker for teen fiction?

Okay, got to get cracking.


Another Scene From My Life With Owen

The other day Owen sat down to a snack of crackers and cheese: a round of camembert and French raw sheep milk cheese whose name escapes me. It was the first time he had ever had either one. Owen bit into a cracker and his face lit up.

“I love camembert. Camembert is my favorite cheese in the whole world!”

We are warping the poor kid.


Rails, Ajax, and Al Essa: MnSCU IT Conference Redux

My presentations at the MnSCU IT conference a couple weeks ago were mixed.

The Ruby on Rails talk did not go well. I decided to start with a demo to give some flavor of what Rails development is like and how very little code it takes to get up and running. I had trouble with the demo so ended up behind schedule and didn’t get to talk enough about what I really think is important. I like Rails well enough, but about a month ago I realized that I wasn’t all that interested in talking about it. To my mind, it’s a bit over the top to claim that it’s the future of web development, although its release did mark the emergence of energetic activity in the web app framework space that embraces DRY and convention over configuration. Less code. Rails is interesting and downright fun, but so are the similar frameworks that came out at about the same time: Django, TurboGears, Symfony, CakePHP… I wanted to focus not on Rails but on the ideas it represents, but I didn’t leave enough time. I had hoped, too, to talk about shared-nothing architectures and spend a little more time plugging dynamic languages. But it’s over, and that’s just fine. I don’t think I’ll be doing many live demos in the near future, and I might stay away from Big Idea talks — or at least structure them differently.

The Ajax presentation, which I did in collaboration with Dave Kruse, webmaster at South Central Technical College, was much better. Planning for it, Dave and I struggled with how to address the fact that the audience would have all sorts of skill levels ranging from knowing nothing about Ajax or even JavaScript, to understanding XMLHttpRequest at a really deep level. We opted to avoid lots of technical explanation and code examples. Instead of focusing on the technical, we talked more about the ways in which Ajax is changing how people experience web apps, what they expect from them, and how to ensure that using Ajax improves the user experience. Because that’s what it’s all about.

Would like to have had more handouts, but time got the better of me and flu got the better of Dave, so that didn’t happen.

During breakfast before the session, I threw together some code examples using Prototype, which I did end up showing since we had some time left. Also at breakfast, Dave worked on some Flash animation illustrating the difference between traditional web application interaction and Ajax-style asynchronous requests. He dismissed them as hopelessly cheesy, but despite the lack of polish I think they do a better job of visually representing Ajax at work than anything else I’ve seen. I’ll try to get Dave’s permission to post them here.

MP3s will be available at some point.

The best part of the conference was the conversation, connecting with my colleagues on the campuses. Face-to-face is a Good Thing. Getting to work with the amazingly talented people at our colleges and universities is one of my favorite aspects of my job.

The next best thing was the introduction of Al Essa, who started working with us a few weeks back as Associate Vice Chancellor / Deputy CIO, and from what I saw at the conference people are impressed. As they should be. I’m downright giddy about Al joining us. This Educause interview with him should make it clear why: he’s thoughtful, articulate, and apparently values many of the same things I do: open source, Web 2.0 (yeah, yeah), dynamic languages… Even in his first weeks here, sounding out the territory, I get the sense that he has Ideas.

And he blogs. Check. I’m pretty sure I ended up at his blog via Stephen O’Grady, which is another good sign.


Smarter and Faster

I’ve been way too busy with conference preparation and family life to write much, but I’ve had a lot of things rumbling around in my head that are dying to get out. I saw this cartoon by Hugh Macleod today and thought it about sums up everything I’ve been thinking:

It's all about thriving in markets that are smarter and faster than you are. It's all about being utterly fucked if you don't know what I'm talking about

Then I decided that this is a bit closer to the mark:

Quality isn't Job One. Being totally fucking amazing is Job One.

More soon.


Upcoming events I’m missing.

A few events I won’t be able to attend but that might catch your geeky interest.

First, tomorrow at the Minneapolis/Saint Paul Java SIG, Tom Enebo and Charles Nutter, leads for the JRuby project, will be talking about JRuby. Dynamic languages that run on the JVM are becoming more and more interesting to me, so I wish I could make it to this one, especially since I missed their JRuby presentation for the local Ruby users group. (Side note: Tim Bray recently managed to get Sun to donate a couple Sun Ultra 20s to the project, which will help nicely.)

Next week on April 18, another local Object Technology User Group event: Ryan Asleson and Nathaniel T. Schutta will be talking about Ajax. Asleson and Schutta are the authors of Foundations of Ajax, which has come recommended to me. I can’t make it because I’ll be up at our MnSCU IT conference, settling in, quaffing a few and preparing my own Ajax talk.

Also on the 18th, the Twin Cities OWASP Chapter is meeting. This time they’re in Roseville, in the offices of Integral Business Solutions. I’m glad to see them a bit closer to me instead of out in the western suburbs. Unfortunately, I still can’t go since I’ll be in Brainerd. Rats! But maybe you can. I recommend it; the OWASP chapter is really taking shape.


Redmonk Radio gem

Listened to the third episode of RedMonk Radio on my way in today. My favorite bit:

Coté: There’s the evolution of, y’know, way back when the military radar system drove technology, right, and then there was NASA, and then it went into private enterprise, and now it’s kind of the consumer space that seems to drive everything.

James: Oh, Coté, you’re my man, I’m so glad you’re saying that. Let’s create games platforms to drive technology instead of war to drive technology. I am all about that. Consumer-driven innovation is the better kind. Let’s stop funding all the military stuff and fund fun that will drive technology.

Right on.


On Method Calls and Messages

Rubyists talk about method calls as sending messages to objects, a notion that I understand is inherited from Smalltalk. It always seemed a little strange, but I could accept it as an odd quirk (“Bah! I understand method calls!”) and move on to writing code. This is unusual behavior for me, since normally I try to understand a language on its own terms. Now, though, I think I finally grok all this talk of messages, thanks to A Little Ruby, A Lot of Objects, an incomplete book in the style of The Little Schemer. And as it turns out, terminology matters.

class Dog
  def speak
    "Woof!"
  end
end

fido = Dog.new

Calling the speak method on fido (fido.speak) is really sending a message to the fido object. When fido receives the “speak” message, it knows to invoke the Dog class’s speak method. It answers, or returns, with the String “Woof!”

Yeah, that doesn’t seem too special, does it?

But here’s the thing. In Ruby, everything’s an object. 2 is an object of type Integer. 2 + 5 in Ruby is really saying, “Send the message “+” to the object 2, along with the parameter 5.” That is, 2 + 5 is convenient shorthand, syntactic sugar for 2.send("+",5) (which is, by the way, valid Ruby). 2 receives the message and invokes its + method, passing 5 as a parameter. It responds with 7.

Okay, this is still not seeming very special. Doesn’t this just muck up the discussion? Sure, it’s neat that 2 is an object, but what do you gain from all this talk of sending messages?

I’ll tell you where it finally clicked for me: polymorphism. I’m not sure why, but for some reason polymorphism is often a tricky concept for beginning programmers. Couched in terms of sending messages to objects, it’s crystal clear (at least to me :). You can send the same message to different objects, each of which will invoke the appropriate method of its class.

class Cat
  def speak
    "Meow!"
  end
end

garfield = Cat.new

With both fido.speak and garfield.speak, we’re sending the message “speak” to the object. fido receives the message and invokes its speak method, and garfield invokes its own speak.

+ does different things for Strings and Integers. This is commonly called operator overloading.

2 + 5 == 7
"Abe " + "Lincoln" == "Abe Lincoln"

The message is the same: “+” — but the methods are different. Ah ha!

And now I finally understand duck typing in relation to polymorphism. It should have been obvious earlier, but I never thought of it in that way (probably because I figured that polymorphism wasn’t that tricky, so I didn’t think about it). Dave Thomas’s explanation of duck typing is fairly clear. In Ruby, types are defined by what objects can do rather than their class.

When I write

  fred

in Ruby, I don't care whether fred is a String, a File, or an Array

What matters instead is whether fred can respond to the message “A Little Ruby, A Lot of Objects, let me make it clear now: it is a fine read, highly recommended. And now I want to go read The Little Schemer.
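To make the message-sending view concrete, here is a runnable example I have added (it is not code from the post or from A Little Ruby, A Lot of Objects). It reuses the post’s Dog and Cat, and adds a hypothetical Robot class, an Echo class and a few helper functions of my own, to show three things in working code: the same message dispatched to unrelated receivers (polymorphism), a check for whether a receiver can respond to a message at all (duck typing), and one caveat that matters when message names come from outside your program: send will happily invoke private methods, while public_send refuses.

```ruby
# Added example: method calls as messages in Ruby.
# Dog and Cat are from the post; Robot, Echo and the helpers are hypothetical additions.

class Dog
  def speak
    "Woof!"
  end
end

class Cat
  def speak
    "Meow!"
  end
end

class Robot
  # Unrelated to Dog or Cat by class, but it still responds to the :speak message.
  def speak
    "Beep."
  end

  private

  # A method that should only be reachable from inside the object.
  def self_destruct
    "boom"
  end
end

# Polymorphism as message sending: one message, each receiver picks its own method.
def chorus(receivers)
  receivers.map { |r| r.send(:speak) }
end

# Duck typing: what matters is whether the receiver can respond to the message,
# not what class it is.
def speak_if_able(obj)
  obj.respond_to?(:speak) ? obj.speak : "(#{obj.class} is silent)"
end

# Operators are messages too: 2 + 5 is sugar for 2.send(:+, 5), and String
# answers the same message with its own method.
def plus_as_message(a, b)
  a.send(:+, b)
end

# Caveat for untrusted message names: send ignores visibility and will call a
# private method; public_send respects visibility and raises NoMethodError.
def dispatch(obj, name, strict: true)
  strict ? obj.public_send(name) : obj.send(name)
end

# A receiver that decides at runtime which messages it understands.
class Echo
  def method_missing(name, *args)
    if name.to_s.start_with?("say_")
      name.to_s.sub("say_", "")
    else
      super # unknown message: let Ruby raise NoMethodError as usual
    end
  end

  # Keep respond_to? honest so duck-typing checks see the dynamic messages.
  def respond_to_missing?(name, include_private = false)
    name.to_s.start_with?("say_") || super
  end
end

if __FILE__ == $0
  puts chorus([Dog.new, Cat.new, Robot.new]).inspect
  puts speak_if_able(42)
  puts plus_as_message("Abe ", "Lincoln")
  puts Echo.new.say_hello
  begin
    dispatch(Robot.new, :self_destruct)
  rescue NoMethodError => e
    puts "public_send refused: #{e.message}"
  end
end
```

The dispatch helper is the part worth remembering when a method name arrives from a request parameter or a config file: prefer public_send, and ideally check the name against a whitelist first, so that a message can only reach methods you meant to expose.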


Kiara’s MFA Reading

Kiara’s getting her Master of Fine Arts in Creative Writing from Hamline this spring, and will be reading from her theses this Friday. She blogs about that over at Wordspinning.

Yes, theses. Maybe it’s just considered one thesis, but she’s done thesis-length works in both poetry and prose. That’s Kiara for you: why do anything half-assed when you can do twice the amount of top-notch work?

It sounds like she’ll be reading “Mary’s Baby,” which is a fine, fine short story embedded in her novel. I’m excited to see how she reads that, as the narrative voices in the story are so strong and so distinct.


JavaScript interpreter in Dashboard

The JavaScript shell is nice, but if you’re using OS X there’s a better option. On a tip from Todd Ditchendorf, I’m now running both a JavaScript and a Ruby interpreter in Dashboard, just a keystroke away.

It’s easy. Todd gives directions for installing WidgetTerm, which is key to the whole thing. Then drop a jar from the Rhino project in your Java classpath, set an alias to a JavaScript shell, fire up a WidgetTerm instance, and you’re done. It sounds more complicated than it is.

I need to pay more attention to Rhino. It caught my attention when I read this discussion of choosing a Java scripting language and saw how Rhino stacked up against JRuby, Groovy, Jython, and others. Here’s an obvious application.
