In the name of Allah, the most gracious, the most merciful

Saturday, March 07, 2009


I have moved to Process Notes, which is a forum. I may be adding content here from time to time, but the forum is a more interactive vehicle.

Tuesday, July 02, 2002


Update. I am still behind on final release of the content in our sister weblog, Postcards from the Revolution. I should have it up to date and released within the next day. I appreciate your patience.

Issues. That word has multiple meanings in this context. One meaning is that we have all been obviously busy these past six weeks, which means that we've been dealing with a plethora of issues, with more to come. Another meaning is that new issues of two of my favorite magazines are out.

The magazine that I most look forward to is CrossTalk, The Journal of Defense Software Engineering. Since we've been so far behind I failed to report on the past two issues - a situation I am going to rectify now:

  • July 2002 is devoted to Information Assurance.
  • June 2002 is focused on software estimation techniques.
Each of these issues contains other articles outside of the main themes, and both are well worth reading. The full list of back issues between 1994 and present is worth bookmarking.

The other magazine I make sure I read as soon as it comes out is The Data Administration Newsletter. In the most recent issue, Issue 21.0 - 3rd Quarter 2002, you'll find a fresh set of papers and articles, and the insightful feature columns that are written by genuine industry experts.

Also noteworthy are the following new issues of newsletters that I read:

Yes, I do a lot of reading. Until tomorrow, enjoy these resources and have a wonderful day.

Monday, July 01, 2002


Magic? Mystery? Why have five weeks' worth of entries suddenly appeared? Answer: we've been adding the content, but didn't release it until a few minutes ago. Among the reasons for this are work, my trips to Florida and Texas, and Linda's busy schedule, which includes frantic preparations for her OCP examination and a plethora of other issues.

Appreciation. One gentle voice who encouraged us to release the backlog of entries is Nikhil Joshi of Pune, India. Thank you for your support and encouragement Nikhil, and rest assured that we will try to not get so far behind again.

But ... The content for Postcards from the Revolution is going to take an additional day before we're ready to release it. Please be patient.


Quality and Testing. Rarely do I stray far from these topics, and the reason I am back in this entry is to share an excellent book titled Software Quality and Software Testing in Internet Times.

This book is a collection of papers that address the full spectrum of testing issues and challenges in rapid development/rapid deployment environments. Although the title implies that this book is about quality and testing of web applications, many of the papers go well beyond that narrow scope.

The papers are divided into five categories:

  1. Managing for Optimal Time to Market. This category contains an obligatory paper on high-speed web testing, which does address the key challenges. However, two of the papers are exceptional: Using QA for Risk Management in Web Projects drives home the relationship between QA and project risk, and Establishing Quality Procedures for Incremental Software Development is essential reading for anyone who needs to integrate testing into methodologies such as the Rational Unified Process or any other incremental/rapid development approach.
  2. Processes. This section of the book has papers covering topics ranging from how to use Extreme Programming to manage project risks to adapting test processes to web applications. In many respects the papers in this section capture the essence of the book's theme.
  3. Testing from the User's Perspective. This is my favorite section, especially the papers on business oriented testing for e-commerce and the paper titled "Strategic Testing: Focus on the Business". All of the material here reinforces my own experience and observations, and clearly shows the relationships among meeting business requirements, quality and project success.
  4. Technical Testing. Test professionals will get the most from this section because it provides techniques. My favorite is "Securing E-Business" because this important aspect of testing is usually given superficial treatment (if it's covered at all) in most testing books. Another paper I liked in this section is "The Back-End Side of Web Testing: Integration of Legacy Systems", which is applicable to enterprise application integration and e-business system testing. In addition to papers on testing techniques, other aspects of quality are covered in this section, such as performance monitoring (more aligned to capacity planning and performance management than testing, but certainly applicable to quality and service level management).
  5. Test Automation Techniques and Tools contains a single paper titled "Automated Testing of mySAP Business Processes". If you're involved in web-enabled ERP or portal quality this paper is a treasure.
Although this book is an anthology, the topics and editing make it coherent and focused. It is not a book that covers quality or testing as a unified methodology. If you're seeking such a book, read Quality Web Systems: Performance, Security, and Usability by Elfriede Dustin, Jeff Rashka and Douglas McDiarmid, which does go into details and is one of the best books on end-to-end web systems quality.

Saturday, June 29, 2002


Taking Care of Business. Schaum's Quick Guide to Business Finance: 201 Decision-Making Tools for Business, Finance, and Accounting Students is a reprint of "McGraw-Hill Pocket Guide to Business Finance: 201 Decision-Making Tools for Managers" with a single difference. The now out-of-print book came with a runtime version of MathCAD and formulas for using each of the tools, while this new version does not. Also, don't let the title fool you - this book is as useful to working professionals as it is to students.

The 201 tools contained in this small, highly useful book range from Acid Test (doing a quick ratio of financials) to Z-Scores. Each tool is listed alphabetically, its use is explained, and instructions on how to use it are provided. What I particularly liked are the worked examples that accompany each tool.

As an IT consultant who specializes in service delivery this book is not one I would normally include in my professional library. I was introduced to it when a colleague and I were writing a white paper on recovery management. We were searching for a way to link business imperatives to justification for investment in recovery strategies. We found one piece of the puzzle in this book - the Altman Z-Score. This tool predicts whether or not a company is likely to enter into bankruptcy within one or two years. This led to the development of a copyrighted model that addressed survival level objectives, and also became a key part of the Tarrani-Zarate Information Technologies Management Model. All this from a single entry in a small book!

Aside from discovering a relatively obscure, but important, tool I also found other useful tools in this book. Because I am not a business consultant or financial expert the tools were like a cram course in financial management for non-financial people. For example, I was able to apply some of the tools to personal financial matters - the real costs of a loan become quickly apparent when you compute them. I was also able to employ some of the tools to conduct realistic cost/benefit analyses, examine trade-offs supporting approaches to projects, etc. In this respect this small book has significantly improved my professional skills and has inspired me to read other books on financial management.

I strongly recommend this book - collection of tools really - to anyone who deals with finance, anyone who has P&L responsibilities, and business and IT consultants. The latter group will find this book to be invaluable for developing proposals, deliverables and project plans that add value.

Friday, June 28, 2002


Capability Maturity. Most books on the CMM assume that you're headed for Level 5 and then proceed to write a confusing and overwhelming guide for getting there from ground zero. Implementing the Capability Maturity Model is different.

The author of this excellent book gives a realistic roadmap to achieving CMM levels 2 and 3, which are major hurdles in capability maturity, especially level 2 from a culture-shock point of view.

What makes this book realistic is the way you're led through the important steps, with a complete focus on what it takes instead of theory. The book starts off with an obligatory overview of the CMM, but quickly segues into the steps needed to attain level 2 (repeatable), which are creating the structures, processes, training program and policies. While each of these is important, I especially like the inclusion of policies because they are necessary to codify goals and are frequently overlooked. This section also includes subcontractor management, which is important for aligning those whom you are using on projects with your own organizational capabilities. This makes sense because if your organization is repeatable and your subcontractor(s) aren't, then you either need to go shopping for more compatible subcontractors, or get dragged back into ad hoc approaches.

The same approach to graduating to level 3 is used, with slight changes. In the section that covers level 3 the first topic is about focusing on organizational process improvement, followed by an in-depth chapter on defining organization processes. These reflect the key changes between level 2's repeatable goals and level 3's focus on defined processes. After these are clearly and completely explained the same formula - structures, processes, training program and policies - is addressed for level 3.

Following the steps to get to levels 2 and 3, the next section is centered on implementation and assessment. This section prepares you for the assessment process itself, and offers excellent advice on how to get through it. Additional information of value is provided in appendices B (Annotated Level 2 Preassessment Questionnaire) and C (Samples of Level 2 Policies), both of which are provided in PDF format from the book's associated web site.

One key question that needs to be answered: Which is better, this book or CMM Implementation Guide: Choreographing Software Process Improvement by Kim Caputo? My opinion is that both books are equally important and both should be read because they cover two different aspects of attaining CMM levels 2 and above. This book concerns itself with the nuts and bolts of processes, where Caputo's book is more focused on organizational change. I recommend both books, and think that they nicely complement each other.

Thursday, June 27, 2002


Production Matters. The most critical phase in a system's life cycle is the transition to production. Done wrong, all of the work performed in the requirements, design and development phases counts for very little, no matter how well the work was managed and how mature the processes. A book that specifically addresses this make-or-break event is The Unified Process Transition and Production Phases. In the Unified Process (or any systems life cycle) the milestones/phases up to transition are well documented, but these represent the tip of the iceberg with respect to determining project success and total cost of ownership. This unique book examines the transition and production support requirements, addressing some of the deficiencies in the Unified Process (production support is all but ignored), and can be applied to other development life cycle models, nearly all of which have the same blind spots.

Many of the ideas and the approach for this book were born in the author's earlier book, More Process Patterns, which examined the very transition and support requirements in a more generic manner. In fact this book, like the earlier one, is a collection of best practice patterns that cover the transition and production milestones. After an introduction that explains the rationale and approach, the book covers the workflows and patterns in the sequence in which they will occur: testing, deployment and environment, operations and support, project management and infrastructure management.

What makes this book important is that it extends the Unified Process to include the key milestones that account for cost and quality, and goes into great detail about what is required and how to avoid failure. If you work in operations and support you will find the material in this book invaluable - you should also buy copies for key members of the project team that is delivering your system so they have an understanding of and appreciation for the task of supporting their creation. While this book will obviously benefit shops that employ the Unified Process, the information and workflows are equally useful in any development approach.

Wednesday, June 26, 2002


The Important Part of PM. A friend who is an experienced PM once remarked that there are three stages to becoming an enlightened project manager:

  • learning the techniques
  • realizing that it's really about people
  • epiphany - it's about ensuring that someone else gets the blame if things go wrong and 1 & 2 are core skills in achieving this
Regardless of how true his theory is, People in Projects will certainly get you to the second stage of enlightenment, and also provide you with the knowledge and skills to manage stakeholder expectations, use effective intervention methods when things do get off track, and to maintain high project team morale.

The nine chapters in this 305 page book systematically cover all aspects of the people part of the equation. It starts with an accurate description of key management skills and duties required of a PM. It then addresses the basics of organizational planning, which focuses on roles and responsibilities. From personal experience I can attest that establishing roles and responsibilities is essential to project success.

Chapter 3, Human Resource Theory and Charts, sets the tone for the chapters on Staff Acquisition and Kickoff, and Team Development, both of which provide refined techniques for managing people and teams.

I particularly liked the chapters on resolving conflict (something that PMs deal with daily) and managing change, which is a constant. Since I work with multi-cultural teams that are international I also liked the chapter titled Worldwide Teams and Cultural Issues.

The chapter on project closeout and evaluation is a good reminder that there is a shutdown phase to projects, and this chapter provides guidance for how to perform this step in a structured manner.

Although this is a book on the PMI approach to project management, the material is also applicable to any project management methodology, including the UK standard (PRINCE2) and CompTIA's IT Project +.

Tuesday, June 25, 2002


Data Warehousing. Two books that will interest architects, developers and DBAs are:

  1. Data Warehousing Fundamentals. This is one of the best introductory books on data warehousing I've read. The authors make few assumptions of reader knowledge beyond the fact that they are IT professionals who have a technical background that doesn't necessarily include database and data warehouse knowledge. They do assume a basic knowledge of IT operations, project management skills and systems analysis and design - skills that IT professionals are expected to have.
    The book is divided into five parts: Overview and Concepts, Planning and Requirements, Architecture and Infrastructure, Data Design and Data Preparation, and Implementation and Maintenance. These follow a development life cycle, making the structure of the book easy to follow.
    What I like about this book is it doesn't just cover the theory and concepts (which it does do well), but sets data warehousing in the context of a larger architecture designed to meet specific business requirements. I also like the way the authors address real world issues such as planning and managing a data warehouse project, and the issues and factors surrounding adding a data warehouse into an existing technical architecture. This information is what IT professionals are seeking when they are faced with a technology with which they may not have strong knowledge, and it makes this book useful to the intended audience.
    Among the chapters that I most liked are: Principles of Dimensional Modeling, Data Extraction, Transformation, and Loading, and Data Quality: A Key to Success. These capture the essence of data warehousing in my opinion and are topics that IT professionals without a data background need to understand. I also thought that each of the appendices was useful. They provided a finishing touch by covering project life cycle steps and checklists, critical success factors and guidelines for evaluating vendor solutions - each of which provides practical information.
  2. Data Warehousing and Web Engineering. This is a collection of papers that cover salient issues in data warehousing with an emphasis on business intelligence, data mining and knowledge management applications. While many of the papers in this book are more useful to technical professionals, there is a lot of material that will also be useful to marketing and competitive intelligence specialists in the business domain.
    Some of the papers are more basic and introductory, such as "Justification of Data Warehousing Projects", "An Introduction to Information Technology and Business Intelligence" and "Some Issues in Design of Data Warehousing Systems". Some, however, address advanced topics such as "Data Mining Methods Databases and Statistics Point of Views" and "Incremental Data Allocation and Reallocation in Distributed Database Systems".
    My personal favorite papers were "Specification of Components Based on the WebComposition Component Model" (reflecting professional interests in component-based development), "Complementing the Data Warehouse with Information Filtered from the Web", and "Using Business Rules Within a Design Process of Active Databases" (another area of professional interest).
    In addition, the papers cover topics in data mining, data quality and knowledge management, which means that there are at least a few papers that will intersect with a reader's professional interests. The best audience for this book includes academics (the papers are citable), consultants who specialize in business intelligence and data mining, and organizations that have a solid base of experience with advanced uses of data warehousing.
Note: This book is also available as an eBook in PDF format.

Monday, June 24, 2002


Softer Side of Risk. I find much comfort in quantitative methods because numbers are unambiguous. However, numbers alone only tell part of the story. Experience is a good teacher and it is from experience that we grow as professionals. Coping With IS/IT Risk Management is probably one of the most unique books on IT project risk management in that it doesn't go into the process and techniques of risk management, but into the common risks and how to deal with them.

Don't expect qualitative or quantitative risk assessment methods, or even a risk management process that is almost an obligatory part of most project management books. Do expect the collective wisdom of real people who were interviewed, and their recommendations for dealing with the real risks.

These risks range from misaligned or unwarranted expectations to slippery requirements. If you've managed an IT project many of the risks will be familiar. How the PMs who were interviewed handled them will be illuminating.

Aside from the fact that this is a highly readable book that is packed with wisdom and advice, the appendices also add a considerable value. Appendix 1 cross references the risks (constructs) by theme making it easy to quickly find the solution to a particular issue. Appendix 2 gives 5 hypothetical project profiles that reinforce the information in the body of the book, and Appendix 3 is a collection of strategies from the body of the book.

Regardless of whether you are preparing to manage your first project or are seasoned and battle-scarred, this book provides knowledge and advice that you can use.

Sunday, June 23, 2002


More About Project Management. Mike is now going in one direction and I another with respect to our topics, and that adds balance to the material we're posting. One of the critical success factors in project management is taking the time to develop a work breakdown structure (WBS) before proceeding with planning, estimating and scheduling. In fact, it's nearly impossible to realistically estimate if you haven't decomposed the project into a WBS. Most people don't know where to begin. I've found the Project Management Institute Practice Standard for Work Breakdown Structures to be a clearly written guide and one that I recommend all project managers read.

The four chapters in this short, focused book introduce work breakdown structures, define them from a conceptual point of view, explain why they are the foundation of project planning, and show how to create one. These chapters comprise a scant 18 pages, but are thorough enough to accomplish the objective of explaining the Project Management Institute's practice standards for WBS.

The real value of the book is contained in appendices E through O, in which WBSs for common industry project types are given as examples. These 44 pages are the real reason to buy the book because they show real examples of the conceptual and brief "how to" approach compressed into the first 18 pages. The project types in these appendices are:

E - Oil, Gas, and Petrochemical (OGP)
F - Environmental Management
G - Process Improvement
H - Pharmaceutical
I - Process Plant Construction
J - Service Industry Outsourcing
K - Web Design
L - Telecom
M - Refinery Turnaround
N - Government Design-Bid-Build
O - Software Implementation
Appendices A-D are filler that describe the PMI standards process and associated information, and can be safely skipped unless you are interested in those topics.

Overall this is a much needed book because WBS are still skipped during the project planning phase in too many projects. This is unfortunate because the first thing that a professional does when called in to rescue a project is to examine the WBS, and if there isn't one, the first step towards rescuing a project is to develop one. Following this book, especially if any of the example WBS is similar to your project, will go a long way towards ensuring its success.

Saturday, June 22, 2002


Tools of the Trade. Since I've dragged a business-oriented discussion into this weblog, I'll continue until Linda jumps in and changes the direction. One of the most valuable skills an analyst can develop and build upon is decision making. Not making snap decisions based on gut feeling, but doing it the right way. The foundation for decision making is in Decision Analysis for the Professional. This book is an excellent intermediate-level text on decision analysis that deals with both uncertainty and risk. It uses realistic examples that working professionals will appreciate and to which they can relate.

It's written as a tutorial that uses two tools, Sensitivity, which is used with the chapters dealing with decisions under uncertainty, and Supertree for developing decision trees related to risk analysis. Instructions on obtaining the student versions of these programs are included in the book. Note that the student version of Supertree accommodates trees with up to 250 endpoints, and the student version of Sensitivity performs sensitivity for up to 12 variables.

My most used text on decision analysis is Making Hard Decisions by Robert T. Clemen. Where that book is more comprehensive, it's also less suitable for the working professional who needs a refresher and a desk reference. Therein lies the main value of this book - it's more aligned to real world problems that you'll find in the workplace and is written to be both a tutorial and a reference.


Consultant, Manage Thyself - Part II. In my last entry I discussed Building Professional Services. This book, in my opinion, is the best starting point for anyone who is involved in establishing and managing technical services or starting a consulting company. PSA: Professional Services Automation by Rudolf Melik, et al is the second book you should read because of the way both books complement one another. Actually, one should follow the other because PSA: Professional Services Automation is about automating the professional services organization after it has been established.

In the past I gleaned information and techniques from books about managing professional services from the perspective of law firms and other industries - good information to be sure, but it fell short of the realities of technical services.

What I like about this book is the complete look at professional service management, with an emphasis on both personnel and cost management. I especially like the way the authors show how to go beyond mere cost management to optimize revenue and profit. The information and strategies they provide reflect extensive experience and a strong focus on the business aspects of professional services. I also like the ties to customer relationship management and various types of services, and the PSA components. This first decomposes the components of professional services management (manual or automated) into the critical success factors, then reconnects them into a coherent whole.

Although this book is about automating professional services management, most of the information, especially part 2, can be used effectively without automation. Therein lies the main value of this book and the reason why I think it's simply the single most important book a professional services manager can have. In order to get the information collected between the covers of this book you'd have to purchase a pile of related books from other industries, and spend a significant amount of time reading articles and surfing the net. If you are a professional services manager you already know that you don't have time for that. If you're being placed in a professional services management position you need this book.

Friday, June 21, 2002


Something New. If you are a consultant, and particularly if you manage a services group, you'll find that Building Professional Services fills a sorely needed gap in the computer consulting industry, and is especially valuable for start-up consulting companies, established companies that want to achieve higher profitability, and for internal IT organizations that are seeking a way to move from a cost center to a profit center.

Regardless of your goals or motivations, the first two chapters help you to clarify your objectives, decide on the appropriate business model and mission statement, and introduce key concepts that will be used throughout the book. One of the most effective techniques in this section of the book is the way the authors lead you through framing your mission and goals and employing a service alignment risk factor to test the clarity of your mission and how it aligns to other business processes. This is especially important if technical services is not your core business.

Chapters 3 and 4 are, in my opinion, the heart of the book because they address revenue and profitability, and organizational structure - two areas with which many companies struggle. The information in these chapters will show you what you need to do to become and remain profitable, as well as how to best organize your resources to deliver in accordance with your chosen business model. For start-ups Chapter 3 provides an excellent framework for business plan pro formas. Chapter 5, Selling, thoroughly covers the critical success factors and metrics for selling services.

In chapters 6 through 8 services delivery, productizing and promotion are given the same thorough and insightful treatment. Of particular value is the customer engagement workflow that is provided in Chapter 11, and the four phases of professional services given in chapter 12. The phases provide a path by establishing basic implementation services as a service offering, then building upon these to provide integration services, consulting services and productized services - each phase represents an increase in what you offer customers (external or internal). For each of the phases the authors address the following factors: value proposition, profitability triangle focus, critical skills, required operational infrastructure, target mix, revenue growth rate, target gross margin and target operating profit.

I like the way that these (and all of the chapters) end with sample budgets and issues to watch, and the key financial models provided in Appendix D.

You can get more information about this book, including associated articles and PowerPoint presentations, from the author's webpage.

Wednesday, June 19, 2002


Building a Bridge. Building systems in a vacuum results in technical achievements that fail to meet business requirements. In other words, a disaster. One book, Totally Integrated Enterprises, bridges the business and IT domains. It educates business process owners on the capabilities and technologies that provide tools to support operations, and gives IT insights into how to best develop and deploy systems that meet business requirements.

Integration is assumed to be within the context of ERP systems, which are enterprise-wide in scope. The level of detail is kept reasonably high so that both audiences can easily grasp the key issues and understand the challenges and needs of the other. What I like about the book is the fact that it never loses sight of business requirements, and the manner in which it stays focused on quality and real world issues. I also like the way case studies are used to reinforce some of the more abstract aspects of enterprise integration.

Highlights of this book that will interest both business and IT include:

  • Totally Integrated Enterprise Goals and Agile Enterprise, which give a business framework for the technology solutions that are discussed later in the book.
  • Methodology for Understanding Enterprises, which places integration and technology into the context of meeting business requirements.
  • Business Development and Product Management, which provide insights to IT about the challenges that their business constituents face and their support requirements.
Because this book is a high level view of enterprise integration many details that support the decision to employ integrated systems and how to implement them are missing. However, the true value of this book is the way it brings together business and technical information and the way the authors have managed to address both groups that are normally widely separated.

If you are seeking a book about deciding whether or not to implement an enterprise-wide system I recommend Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk by Daniel Edmund O'Leary. If you are more interested in an implementation methodology I recommend E-Business and ERP: Rapid Implementation and Project Planning by Murrell G. Shields.

Sunday, June 16, 2002


Then There's That Stuff in the Middle. One of the biggest challenges in designing, building and implementing an enterprise-wide system is the middleware component. Enter The Complete Book of Middleware, which is a collection of papers divided among eight major topic areas, each on a specific middleware category. The main value of this book is the wide range of technologies and vendor solutions, and the fact that it's up to date.

I like the complete coverage of both transaction and queuing approaches, and the vendor-specific information that includes Microsoft's .NET and Sun's Java, as well as everything in between. The sections on database middleware and middleware performance are especially valuable because they are more generic and applicable to a wider audience than the MS- and Java-centric sections.

While individual papers have a slight vendor bias, the book as a whole is vendor neutral. This is not a book for learning about middleware as much as a good description of what's currently available and their strengths and weaknesses. If you are looking for a more general book I recommend Chris Britton's IT Architectures and Middleware: Strategies for Building Large, Integrated Systems for the fundamentals, and David Linthicum's B2B Application Integration for a detailed text on how to employ middleware in practice. However, this book will give vendor-specific details and a more up-to-date view of middleware that are missing from Britton's and Linthicum's books. If you're a system architect or consultant this book is an excellent desk reference.

Saturday, June 15, 2002


It's About the Data. The foundation of any system, standalone, single-user, or enterprise-wide, is the data. Manufacturing Data Structures is an essential reference for ERP analysts, developers and DBAs. It is unique in that it addresses data requirements for materials management within the context of manufacturing processes, with an emphasis on bills of materials.

The chapter on engineering change control stands out because this aspect of both data structures and process change management is not covered (or is only lightly touched upon) in other ERP references. This chapter and its companion on implementing change add significant value to the book and reflect mature and best practices. I also liked the chapter on new product introduction and custom manufacturing because these aspects of the manufacturing process come with a different set of challenges and requirements from steady production processes.

Regardless of whether you're using SAP, Baan or another ERP package (or are developing custom applications to automate manufacturing materials management) this book will expose the relevant details of the data structures, which are the foundation of any application.

Friday, June 14, 2002


Integrating the Enterprise. My next few entries are going to deal with some of the better books about enterprise systems. One such book is Enterprise Systems Integration. The audience for this book consists of architecture and integration group members, making this book an ideal addition to group libraries. The focus is on ERP architecture, although the range of topics overlaps into non-ERP domains, and is best used as a desk reference because it's a collection of short papers written by 70+ authors instead of a book that focuses on a specific approach or methodology. The papers comprising this desk reference are organized in logical groupings that are akin to layers in an enterprise architecture.

Each section is devoted to carefully chosen papers, some of which reflect individual authors' experience. The strength of this approach is that you benefit from a rich diversity of viewpoints and deep subject matter knowledge. The weakness is that some of the material is inconsistent with what precedes or follows in the book.

Since this is a technology-focused book the highlights are that the information is current and reflects issues, methods and technologies that are valid as of the date this review was written. The editors ensured that information that is not commonly used in ERP integration, such as web services, is not addressed. This doesn't imply that web services will not play a future key role (such as in PeopleSoft 8), but that most ERP implementations are integrated using middleware, XML and other methods. The more typical integration methods are covered in great detail, and the sections on database servers and data warehousing are especially informative.

I also like the section on Internet commerce, which covers topics ranging from web-based testing and capacity planning to XML-based B2B commerce - topics that are not commonly found in other ERP texts. The section on project and systems management also contained excellent information, such as the paper titled "Service Level Management Links IT to the Business", which touches upon a critical aspect of integration. Each of the four papers in the Component-Based Development section also included information that should be carefully considered by large enterprises, especially those that are using off-shore development or off-site contractors to develop modules. This section goes into each of the major critical issues, including economic considerations, domain engineering, server-side Java development and object library management.

Some of the information in this book is time sensitive in that it will be rendered obsolete as web services play a larger role in ERP systems (which is already happening in a sense), and XML and/or ebXML emerge as a core component of all of the major packages, such as SAP, PeopleSoft, Baan, etc. If you have a defined architecture or integration group this book will make a good investment because of the wide array of topics covered. If, however, you are seeking a book that provides a methodology or focused technology description this book may not be for you.

Thursday, June 13, 2002


Project management is a core skill that all IT professionals need to master in order to achieve increasing levels of responsibility and professional growth. There is another facet to project management in software, which is how to align project management processes and procedures to an enterprise operational model. One unique book that deals with this is Software Project Dynamics. This is not a book about project management per se, but a book about how to integrate project management processes into a large software development organization using analysis based on system dynamics.

If you are not familiar with system dynamics, it's a methodology for studying and managing complex feedback systems using time graphs and causal loops, and more formal analytical methods such as simulation and exploring alternatives in a structured manner.

This book uses those techniques to align project management processes to software development. The best way to determine if this book is right for you is to answer the following questions:

  • Is your core business software development?
  • Is your organization at approximately the same level as that described by SEI's CMM for level 3 or above?
  • Is there a commitment to implement an integrated process that is driven by the executive or board level and does this commitment have a strong sponsor?
If the answer to at least two of the above questions is yes, then this book will be valuable. Also note that some knowledge of system dynamics is assumed. If you need to become familiar with this discipline I recommend Business Dynamics: Systems Thinking and Modeling for a Complex World by John D. Sterman. This book addresses system dynamics from public policy and strategy points of view, but will provide a thorough understanding of the subject.

Those who will benefit most from this book are organizations that have found existing PM methodologies to not fully meet objectives. For example, the U.S. standard based on the Project Management Institute's Project Management Body of Knowledge (PMBOK) is too generic for software development, and the U.K. standard called PRINCE2 is not as well suited for product-line and software vendor approaches to development. While the PMBOK and PRINCE2 contain processes and procedures that can be used, the system dynamics approach defined in this book gives a method for selecting, evaluating and integrating the processes and procedures borrowed from these two standards. Moreover, while the CMM and related models identify key process areas for project management, they do not prescribe how they are to be implemented. This book will provide the tools and techniques for tailoring the techniques to PM process areas.

If your objective is to find a book that describes a complete project management maturity model you will be better served by Strategic Planning for Project Management Using a Project Management Maturity Model by Harold Kerzner; if you are looking for an off-the-shelf methodology to use with iterative processes such as the Rational Unified Process I recommend Software Project Management: A Unified Framework by Walker Royce. However, if you are seeking to develop and implement a best-in-class, tailored project management methodology that is seamlessly integrated into your software development processes this book will show you how to achieve that goal.

Tuesday, June 11, 2002


Shifting Once More. We normally cover project management in Postcards from the Revolution, but when material is also applicable to the more technical readers of this weblog we cross post here. One such book is The Project Workout, which is one of the most business-focused books on project management that you can read. Where other books go into techniques that are specific to project planning, scheduling and control, this one ensures that business issues are interwoven into each element of project management.

Parts that set this book apart from the others include an emphasis on developing a business case and the structured way in which all project stakeholder requirements are considered in project quality and reporting. I also like the way projects are managed at the enterprise level as portfolios and integrated into programs instead of standalone projects. In addition, the many forms, checklists and diagrams are highly useful and can be used with little or no modification.

This book is also completely consistent with the PMI PMBOK and UK PRINCE2 methodologies, and the author's web site that supports this book contains a wealth of up-to-date information that adds to the value of this book.

Sunday, June 09, 2002


More About Components. It appears that Linda and I are locked into some spiral, because my chosen topic before she posted was also about components. Foundations of Component-Based Systems is an excellent secondary companion to Component Based Software Engineering: Putting the Pieces Together by Heineman and Councill. It is a secondary text for practitioners and academics that will provide insights into a narrow slice of component-based software engineering issues. Organization is a collection of papers that are grouped in four sections:

  1. Frameworks and Architectures. Consists of four papers of which I particularly liked Key Concepts in Architecture Definition Languages and Acme: Architectural Description of Component-Based Systems because of professional interests in ADLs.
  2. Object-Based Specification and Verification. The three papers in this section were focused on narrow topics; however, I gained much from Modular Specification and Verification Techniques for Object-Oriented Software Components. This paper alone made the book worthwhile to me, but this is a subjective remark with which you may not agree.
  3. Formal Methods and Semantics. Each of the three papers in this section was, in my opinion, valuable. My favorite, Toward a Normative Theory for Component-Based System Design and Analysis, contained a viable framework and approach to component design, which is a topic that receives little coverage in other component-based books.
  4. Reactive and Distributed Systems. The two papers in this section are interesting in that their topics intersect nicely with the discipline of semantic web engineering. If your interests or work also include that knowledge area then the papers (Composition of Reactive System Components and Using I/O Automata for Developing Distributed Systems) will 'connect the dots' in a manner of speaking.
Much of the material in this book is academic and/or theoretical, but is backed up with results from projects and supporting project data. What I like most is that the material uses tools and technologies that are hot topics, such as UML, EJB and COM.

The second book is Component-Based Product Line Engineering with UML. Where most books on the subject cover the component-based development life cycle at a high level with an emphasis on the development, deployment and QA aspects, this one is about requirements and design. That is what sets it apart and makes it an important work. It becomes even more important if you are using or trying to adapt the Unified Process to a component-based environment. Obviously if your environment also includes product line development the value of this book increases even more.

The book contains five parts which build upon each other. Part 1 is a thorough, 60-page introduction that compares and contrasts development life cycles, and summarizes the approach the book proposes and the concepts, artifacts and process associated with "KobrA" (a German abbreviation for "Component-based application development").

Part 2 is devoted to component modeling based on the KobrA component model, and covers all aspects in 153 pages. This part ends with an excellent introduction to patterns and UML, which lays the groundwork for the next part. The information in this part drills down into requirements and specifications, which is one of the reasons I cited above that sets this book apart.

In Part 3 (Embodiment) refinement and translation, component reuse and incremental development are covered in detail. Part 4 introduces and covers product line, framework and application engineering. It is here that the KobrA foundation laid in the previous parts begins to become coherent and the viability of the approach becomes apparent.

Part 5 is my favorite because, like Part 2, it gives a view of component-based development that most books gloss over. In particular, the chapters on maintenance and QA are filled with information that reflects the realities of component-based development, and the chapter on quality modeling is among the best treatments of the topic in any book or paper I've recently read. The 60 pages of appendices are also valuable sources of information and knowledge about metamodels, maintenance and process. I found this book to be an invaluable reference and recommend it to anyone who is heavily involved in component-based software engineering in conjunction with product line development.

Thursday, June 06, 2002


Building Things. Mike introduced me to component-based development last summer. It's a subject that interests him, and also piqued my interest. However, the book he recommended at the time, titled Component Based Software Engineering: Putting the Pieces Together, was overwhelming at 800+ pages. However, I recently came across Component-Based Development: Principles and Planning for Business Systems, which at 224 pages is a more realistic introduction. This book is an excellent and clearly written introduction to component-based development from business and software engineering process perspectives.

It does not contain technical information for developing components in various environments, nor does it go into the relative merits of component-based development from the viewpoint of any vendor. What it does contain is a tutorial on component-based development as a software engineering discipline, and makes a strong business case for adopting this approach to software development.

If you're expecting an end-to-end life cycle you may be somewhat disappointed because the book only covers the design through build phases of development. However, since this book is more about showing the value of components this scope is more than sufficient. If, on the other hand, you are evaluating component-based development as a business strategy you'll like the details about the value and underlying processes, and how this approach differs from more traditional software development. In particular you'll like the way the author goes into organizational issues (who owns the process), and the unique requirements of component-based development (such as strict configuration control and reuse strategies, and cataloging and certifying components). The case study at the end of the book pulls the preceding 13 chapters together and provides a realistic view of the strengths and weaknesses of components.

Tuesday, June 04, 2002


Back to Me? Linda is absolutely correct - the foundation of any process improvement or quality initiative is measurement. There are two excellent books on the subject that are specifically for software professionals:

  1. Applied Statistics for Software Managers. If you're working in SQA or managing software development projects this book is an excellent introductory text to statistical analysis.
    What I like about this book is that it's a tutorial on the statistical skills and knowledge that you'll need, and it combines this learning goal with the basics of software metrics and how they can be employed to measure productivity, estimate projects, and manage costs and organizational quality. The core approach is data analysis, and the main tools that the book employs are multi-variate techniques, regression analysis and correlation and sensitivity tests. The author has a talent for clearly explaining a dry subject, and while it will take a good deal of effort to master the material because of its nature, the excellent writing and illustrations will make it easy to quickly grasp statistical fundamentals and put them to use.
    The lessons are taught within the framework of four case studies that are realistic and apply to the real world. The case study topics are: productivity analysis, analysis of time to market factors, development cost analysis, and maintenance cost drivers. These cover the full range of both internal development and product-line software engineering. I especially like the inclusion of maintenance costs as a topic of study because this area contributes significantly to total costs of ownership, but is often overlooked.
  2. Measuring the Software Process. This book contains the keys to meeting core CMM level 5 requirements, which define key processes for optimizing and continuous improvement, and for achieving 6-sigma processes. However, you need not be striving for either (or both) of these goals to use the techniques and approach in this book to full advantage.
    Implementing and employing statistical process controls are the basis of this book. The authors lead you through the steps and techniques necessary to implement and use SPC, starting with background information on processes and a process measurement framework, and moving through topics such as planning your measurement strategy, data collection and analysis, and developing and interpreting process behavior charts using common SPC chart types. The most common controls are x-bar (mean) and r (range) charts. Be aware that any SPC approach requires two conditions to be met:
    • defined processes
    • the processes are in statistical control (meaning that the data points being measured have settled into a normal distribution, are randomly clustered around a mean, and have defined upper and lower control limits)
    New processes, or processes that are not managed well enough to have these characteristics are not candidates for SPC.
    This book requires knowledge and skills in basic statistical analysis. If you require a refresher I recommend reading Visual Statistics before tackling this book.
Deciding which of the two books is better is a matter of assessing your needs. The key strengths of Measuring the Software Process are the tutorial nature and the wide range of case studies that are used to reinforce the learning. The key strengths of Applied Statistics for Software Managers are that it goes much deeper into analysis and also includes statistical process controls and other techniques that are present in highly mature development organizations. Regardless of which book you choose (or if you choose both), the information and knowledge to be gained is the foundation of SQA and best practices in project management.

Monday, June 03, 2002


Games People Play. Mike and I have been playing tag in our recent entries. I come in from left field with a new topic, he follows, then changes it and I follow. In this spirit I'll augment his last entry on software process improvement by discussing two books that provide foundation knowledge and skills for any process improvement initiative.

Understanding the Essentials of the Six Sigma Quality Initiative is a short book that does one thing and does it well - clearly explains what Six Sigma is and why it's important. It accomplishes this in less than 100 pages, making it a succinct guide to a highly complex topic.

Practitioners will find the material too basic, but business managers will find it sufficient to see the value of a Six Sigma initiative. It's also useful for communicating an initiative and its importance to employees who are not directly involved, but need to be on board to imbue it into the corporate culture.

It devotes the first 35 pages to explaining the what's and why's in clear, non-technical prose, and the rest of the book covers the how's by explaining each of the tools that are used to achieve Six Sigma. Each tool, ranging from Analysis of Variance to Team Development, is quickly described at a high level, with all key factors and a brief summary of what it is and how to use it.

If you are a member of the organizational implementation team I recommend that this book be used to communicate to employees the reasons for the initiative and what Six Sigma will mean to your organization. If you have a direct role in Six Sigma and your statistics are rusty I recommend augmenting this book with Visual Statistics by Jack R. Fraenkel, Enoch I. Sawin and Norman E. Wallen.

I've struggled with statistics for years, and had resigned myself to continuing that struggle until I read this wonderful book. Where most books assume that you remember lessons from high school, this one starts from scratch. It also differs from other books by teaching you how statistics work instead of force feeding you formulas that you learn by rote but that do not impart an understanding of how statistics work.

I like the way that this book uses illustrations and clearly describes the 'whys' to make statistics come alive. Shortly after I started reading this book (which is actually interesting!), I began seeing the significance of data distributions, relationships and dependencies. This not only will improve your understanding of statistics, but also gives you the confidence to tackle problems that may have intimidated you or were beyond your knowledge level.

If you need to quickly refresh your knowledge and skills, or want to understand statistics instead of crunching formulas, this book is a fast way to get there.

Sunday, June 02, 2002


On Software Process Improvement. Before we become mired down in Oracle topics I am going to take an abrupt turn back towards quality and process improvement. One excellent book on the subject that covers both process assessment and improvement, is Software Process Improvement. With exceptions that I've noted below this is an in-depth examination of standards, initiatives and methods for software process improvement (SPI) and software process assessment (SPA).

The book is divided into twelve chapters, each of which contains two or more papers written by top experts in the field, including Mark Paulk (of CMM fame), Watts S. Humphrey (creator of PSP and TSP, and prolific author of software engineering process papers), Robert B. Grady (author of three standard references on metrics), and others who are key players, but are not as widely known outside of the SPI and SPA community.

Chapter 1 covers software process assessment with an article by Paulk that surveys the more common models for SPI and SPA, and a reprint of Sarah Sheard's excellent article from CrossTalk Magazine titled "The Frameworks Quagmire". Chapter 2 contains three articles on the SW-CMM, which seems to be the centerpiece of this book. Chapter 3, "Other Approaches to Software Process Assessment" contains four articles that add balance by covering non-CMM approaches that are in common use, especially in Europe (Bootstrap). I especially liked the article by David N. Card titled "Sorting out Six Sigma and the CMM", which combines two hot topics. One of the exceptions that I cited at the beginning of this review is the article on Trillium, which in my opinion has been superseded by TL 9000 in the telecommunications industry.

The three articles in Chapter 4 (Software Process Improvement: How To Do It) address common concerns and barriers to any SPI initiative, and each adds well thought out ideas, especially Sandra McGill's "Overcoming Resistance to Standard Processes, or, Herding Cats", and William Florac's "Statistically Managing the Software Process".

Watts Humphrey's Personal and Team Software Processes, and CMMI are the key topics in Chapter 5, which covers developments inspired by the SW-CMM. All of Chapter 6's Software Product Evaluation articles were my favorites from among the collection in this book, and I particularly liked Jørgen Bøegh's "Quality Evaluation of Software Products" and Geoff Dromey's "A Model for Software Product Quality" because they go to the heart of key issues in both product line engineering challenges and user acceptance testing.

Chapter 7, ISO 9000 Series and TickIT, is the second exception that I previously noted. Much has changed in ISO 9000 with the 2000 standard, which renders this entire chapter moot in my opinion. I also thought the five articles in Chapter 8, The SPICE Project, would have been a better fit in Chapter 3. The same goes for Chapter 9, Experiences of Software Process Assessment, which is nearly an extension of Chapter 8, and is closely related to Chapter 3.

Two other favorite chapters are 10 (Software Process Improvement for Small Organizations) and 11 (Benefits of Software Process Improvement). Chapter 10's three articles dispel any notion that SPI is only feasible for large organizations, and the three articles in Chapter 11 focus on the benefits of SPI, especially Herb Krasner's article titled "Accumulating the Body of Evidence for the Payoff of Software Process Improvement". I also liked the final chapter, which covers software processes in general, including an excellent article on modeling. I felt that this chapter should have been at the beginning of the book instead of the end.

Overall, this is a book for those of us who are nearly religious about SPI, but is not a good introductory text. Its main value will be to IT consultants who specialize in either SPI or SPA (or both), and who need to be familiar with the mainstream standards and approaches.

Saturday, June 01, 2002


A Challenge. In my last entry I didn't really take Linda's spot - XML and Oracle (or any database) have a natural affinity. XML is the magic. You can stuff the results of a SQL query into a DTD, which is the stuff of application and database integration. However, there are also security challenges. The topic of this entry is XML and database security, and is based on two excellent books I recently finished reading.

The first book is Translucent Databases. This book contains an innovative and viable approach to securing databases, and one that I've not encountered anywhere else. In a nutshell the author provides techniques, based on standard SQL and Java, for securing sensitive data without restricting general access of less sensitive data to authorized users. The core of this approach is based on encryption and one-way functions, including PKI and secure hashing, and accepted authentication techniques such as digital signatures.

What makes this book unique is that while it's based on solid theoretical ground, the material is practical. As the techniques are discussed they are illustrated by 15 different scenarios, all of which contain problems faced by e-commerce, HIPAA and other high security environments, and code examples that show how to solve the problems. I like the way the author shows how to implement his solutions in common database environments (PostgreSQL, MySQL and Oracle - the approach should also work in the MS SQL Server environment). As I read this book I saw interesting possibilities for implementing role-based access controls and securing against SQL-based statistical attacks using the author's approach.

This book is essential reading for DBAs, system architects and IT security professionals, especially those in healthcare who are struggling with meeting HIPAA requirements, and in e-commerce who are challenged by protecting credit card and account information. This book shows the DBA how to secure his or her database, and the system architects and security professionals what is possible using SQL and Java. The book also has an associated web site which is supposed to have soft copies of all of the source code contained in the book. As of this entry the link to the source code is on the site, but the code itself is not yet available. When it is the value of this book will increase even more because of the time it will save by not having to manually create the code from scratch.

If you are new to the cryptographic techniques introduced in this book I recommend Cryptography Decrypted by H. X. Mel and Doris M. Baker, which is one of the best introductions to this complex subject. I also recommend reading Secrets and Lies: Digital Security in a Networked World by Bruce Schneier, which covers the technical, organizational and social aspects of security and gives a clear description of the technical underpinnings discussed in this book.

The second book is XML Security. Given the fact that XML is a key component of web services, and extensively used in e-commerce and enterprise applications integration, this book addresses a genuinely important topic. For one thing, XML is text-based and can expose proprietary information, which leaves it vulnerable to competitive intelligence specialists and corporate spying.

Before going into what the book contains it's important to know that much of the material is based on RSA's view of security. This isn't a criticism, but an up-front statement of fact because if you're looking for a book that is 100% vendor neutral you are going to have to wait until one is written - this is the only book I know of that is solely about XML security.

The book starts with primers on security and XML to set the context. It then covers, in succession, digital signatures (chapters 4, 5 and 6), and XML encryption. These chapters are consistent with work and specifications produced by the XML Signature WG (the joint IETF and W3C Working Group for digital signatures) and the W3C working group for XML Encryption.

Chapter 8 is specific to RSA products. It shows how to implement XML encryption using RSA BSAFE© Cert-J, which can be downloaded in a trial version from RSA's website. Chapter 9 covers XML key management specifications, which are consistent with the W3C working group's specifications, and how XML security relates to web services.

Despite the slight bias towards RSA this book is an invaluable reference. It provides an in-depth discussion of major security issues, as well as how they are being addressed by the W3C. It goes without saying that anyone who is responsible for system architecture, design and/or security should carefully read this book.

Friday, May 31, 2002


Reality and Sanity. I have to agree with Mike that wading through thousands of pages of technical text is not the best use of time and energy - unless you are cramming for a certification exam. For the working professional a better book, especially for mastering SQL and PL/SQL, is Database Systems Using Oracle: A Simplified Guide to SQL and PL/SQL. This book is remarkable for the clear manner in which it explains the basics of relational databases in general and Oracle in particular. I am currently in training for Oracle Certified Professional and had been using study guides and class material to learn Oracle. These are fine for passing the OCP exam, but they leave many gaps in the finer points which lead to thoroughly understanding Oracle.

Since this book's goal is to explain Oracle's SQL Plus and PL/SQL languages instead of getting you through an examination with a passing grade it goes into details that my training missed. I especially like the way that database concepts, design and modeling are covered in the first chapter, and the step-by-step approach to teaching SQL and PL/SQL by actually performing useful tasks such as creating tables and working with tables.

In addition to the basics, this book covers advanced topics such as row locking, performance and joins and set operations. PL/SQL is given the same thorough treatment as SQL Plus and as you read through the book and actually perform the tasks on a real Oracle instance your understanding and skill level increase greatly. Since PL/SQL is rich in features and programming constructs the care with which the author explains the basics and how to apply them in a real environment makes learning fun and builds your self-confidence.

I also liked the attention given to database administration tasks in the final part of the book, and found the SQL Plus and PL/SQL quick reference in the back of the book useful on many occasions.

If you don't have the luxury of attending Oracle training this book is an excellent substitute, and even if you're going through OCP training this book will fill in the gaps that will surely arise since the course is fast paced. Note that this book uses Oracle 8i as the example environment, but the material works with the newer 9i version too.


Taking Linda's Spot. The boxed set of Oracle books that Linda discussed in her last entry is a bargain for someone who is immersed in a training program. However, who really has the time to wade through thousands of pages and a stack of CD ROMs? (Unless you're facing a certification exam). What if you merely want to gain basic Oracle skills and are overwhelmed by the six inch thick books out there? A refreshingly slender book is So You Want to Be an Oracle DBA?. First, you need to know that this book is based on version 9i and is focused on the UNIX environment. If you're using Oracle 8i and have no immediate plans to upgrade you will find the previous edition to be more suitable.

The ideal audience for this book is the new Oracle DBA or UNIX system administrators who have either inherited DBA responsibilities or who want to gain cross-functional skills. Experienced DBAs will find much of this book too basic, and may complain that it doesn't cover the full range of database administration topics.

In my opinion the relatively narrow scope of this book is one of its strengths. Instead of overwhelming the new DBA with hundreds of pages it sticks to the essentials. Another point in its favor is that the author doesn't attempt to go into gory details about how things work (information that you can get from other books as your comfort level and self-confidence improve), but remains focused on what you need to do in order to effectively manage and support an Oracle 9i instance.

While I liked the Getting Started and Some DBA tasks (Sections I and II) that start this book, I especially liked Section III, which covers tuning. This is the essence of what a DBA does, and the basics are well covered. This section also gives some excellent scripts that the new DBA will find invaluable. Section IV is somewhat useful, but Section V is another favorite because it shows how to begin building your own set of tools, which is the hallmark of an experienced DBA. The scripts that are provided in this section are the foundation of database administration, and will spark ideas for additional and more specific scripts. The value is that you can learn much from what is provided.

Each topic in this book is given a brief 2-3 pages, which makes it somewhat terse. In many cases you'll have to go to other books for deeper explanations, but at least you'll be quickly functional.

If I had to choose a single book with which to get started this would be it. Of course you'll outgrow this as your skills and experience evolve, but it will get you started and does so using good practices and workable techniques.

Thursday, May 30, 2002


Trapped in a Time Warp? Are you currently stuck in the mainframe or mid-range world and are seeking an escape? Or perhaps you realize that your skills are growing obsolete and you want to remake yourself. Programming the World Wide Web may be your ticket out. If you're trying to break into development and are seeking a basic book that will prepare you for a career as a web developer, this isn't what you're looking for. It's neither a programming tutorial nor a book on specific environments, such as .NET. However, if you're doing maintenance programming in, say, RPG/400 or writing JCL and are wondering how you can refactor your skills and get out of the mid-range and mainframe environment this book is ideal.

Solid programming skills are assumed (preferably in C or C++, but that isn't essential). You should have a basic understanding of databases and data structures. If you have these skills this book will systematically familiarize you with the web programming environment and common tools and programming languages that you'll need to master in order to transition out of the data center. I like the way the book touches all of the key knowledge areas, starting with HTML and going through JavaScript, Perl and the usual cast of mark-up, scripting and programming languages. More importantly, this book doesn't skim the surface - it goes into databases, XML and server-side development. If you've read the table of contents and are tempted to question why CGI was included in such a relatively new book, bear in mind that most of the information in this book is ideal for maintenance programmers, and there are literally thousands of systems that still employ CGI scripts. This also reinforces my opinion about who will benefit most from this book - maintenance programmers from mid-range and mainframe environments.

In a nutshell, you bring your knowledge of algorithms, data structures and development methodologies, and the book will show you how to apply them to web programming.

Wednesday, May 29, 2002


My Turn. Mike's been plowing through topics, and before he gets stuck in XML I am going to break his stride. I'm still in Oracle OCP training, and want to share a collection of books that I've found useful: OCP Oracle9i DBA Certification Boxed Set. This collection of study guides and the CD ROMs that come with it represent potential value, but the decision to go with this set versus buying 'best of breed' books on each subject area boils down to a personal choice. Factors include budget and how willing you are to endure some of the typos in most of the books in this set.

What you get: This collection consists of the following books, each of which I have reviewed on their product pages. I am summarizing the reviews to save time:

  1. OCP Introduction to Oracle9i: SQL Exam Guide. I rated this at 4 stars - be aware of the fact that this book does have errors, make sure you read the errata and you'll find it quite helpful.
  2. OCP Oracle9i Database: Fundamentals I Exam Guide. Another 4-star rating - there are editing flaws and inconsistent writing that do make this book ponderous at times. There have been times when I wished the authors and editors had paid more attention to the book, and other times when I silently thanked them for clarifying a concept.
  3. OCP Oracle9i Database: Fundamentals II Exam Guide. 4-stars. Among the strong points of this book are the self tests and practice exam questions. Weaknesses include poor editing, which seems to plague this series, and the inconsistent writing that is at times extremely clear and others quite obtuse. I prefer OCP: Oracle9i DBA Fundamentals II Study Guide by Doug Stuns and Matthew Weishan, which is better written, consistent and complete. It is also a 'best of breed' book.
  4. OCP Oracle9i Database: Performance Tuning Exam Guide. Unlike the others in this set this book is a 5-star gem. All of the key elements of performance tuning are covered, the illustrations are excellent and aid in understanding, and the drills, self tests and practice questions have been a tremendous help.

Pros: price, over 2000 pages of materials and CD ROMs with practice questions and other material.

Cons: with the exception of the Performance Tuning Exam Guide the guides in this set have editing problems and errors.

You choose.


Still More XML Resources. I mentioned Definitive XML Application Development in my last entry. If you're a developer this is an excellent resource. Be aware that the book requires a solid working knowledge of XML and associated protocols (XSLT, XPath, XML Schema), Python and Java, and is written for practicing developers who are involved with web services, e-commerce and extended supply chain applications. You should also be reasonably familiar with DOM, data structures and relational databases to get the most from this book.

After a quick introduction to XML processing the author wastes no time getting to the meat by going into processing types in Sections II (Event-Based Processing), III (Tree-Based Processing) and IV (Declarative Processing). Each of these sections is comprised of chapters and topics that cover the strengths and weaknesses of each approach, common tools and example applications, and tips and techniques.

Section V is focused on Java development, including SAX in Java, DOM in Java and XSLT In Java Applications. This section covers APIs, tools and specific considerations for each topic.

The final section addresses XML processing in detail, and deals with alternative processing approaches (including hybrids of event-, tree- and declarative-based models), schemas, and RSS.

In addition the appendices are informative and add to the value of this book. In particular, Appendix A, A Lightning Introduction to Python, will get seasoned developers up-to-speed (augmented by Appendix C which covers Python XML Packages). Appendix B is a glossary that goes into considerable detail, making it a handy reference.

Sunday, May 26, 2002


More XML Resources. It's one thing to have a book of specifications, such as the one cited in my last entry, but such books are more useful as references than as learning tools for mastering the underlying technology. One of the best collections of XML resources is The Definitive XML Professional Toolkit. This boxed set contains three books that were published in December 2001 and represent the essentials for anyone who is working with XML and web services. The books are:

  1. Charles F. Goldfarb's XML Handbook (4th Edition) by Charles F. Goldfarb and Paul Prescod. Goldfarb invented SGML, upon which XML is based and which had a significant influence on the design of HTML. At 1200 pages this book is probably one of the most complete references that one can have. It covers every conceivable topic, ranging from a good description of XML and how it evolved from SGML, to semantic web and web services (each of which is a discipline unto itself).

    Expected topics are given in-depth treatment (XML, schemas, DTDs, datatypes, XSLT, XSL-FO, XLink, XPath, XPointer, XSDL, namespaces, topic maps, RDF, SOAP, UDDI, WSDL and VoiceXML), with a focus on the following:

    • integration of XML and the older EDI approaches to e-commerce and extended supply chain systems
    • a sound approach to content management - how XML fits into the web services framework
    • chapters on important topics such as portals, databases, content acquisition, conversion and publishing
    • a series of chapters devoted to tutorials on XML basics, schemas, and transformation and navigation protocols
    In addition this book comes with two CD ROMs that are packed with applications such as IBM's AlphaWorks suite and NeoCore XMS Native XML Database (Personal Edition). A trial version of TurboXML IDE & Schema Editor is also included among the 175 programs on the CD ROM set.

    This is an overwhelming book for beginners, but is a valuable resource for anyone who is deeply involved in web services, XML and related technologies. If you fit the latter category this is probably the only XML reference you'll need.

  2. Definitive XML Schema by Priscilla Walmsley. In a nutshell this book gives a detailed description of the XML schema and associated topics. The author is a member of the W3C working group that created XML Schema, and the material in this book is consistent with W3C recommendations. See the editorial description and reviews on this book's product page for specifics.
  3. Definitive XSLT and XPath by G. Ken Holman. Covers everything you need to know about transforming information structured vocabularies and output formats. The author is the chair of OASIS's XSLT/XPath Conformance Technical Subcommittee. See the editorial description and reviews on this book's product page for specifics.
What's not included in this set, but worth getting, is Definitive XML Application Development by Lars Marius Garshol. However, the books that do come with this boxed set will provide you with a solid foundation of the basics as well as software tools that you can evaluate as candidates for your own development environment.

Saturday, May 25, 2002


XML Resources. Because XML is so versatile, especially for enterprise applications integration, and as a core component of web services and e-commerce systems, I want to share some of the better XML books that are available.

Although you can download XML specifications from the W3C working groups, a single book that summarizes these specifications is worth the investment. XML Family of Specifications: A Practical Guide is such a book. It's a comprehensive and up-to-date (as of this review) reference on XML as defined by the W3C. Part I is more of a desk reference (with a lot of example code), which covers XML syntax, modeling and parsing, DTDs and schemas. Part II, also with many examples, is a complete treatment of parsing with APIs, with separate chapters on SAX, DOM, JDOM and JAXP. Transformation and display protocols are covered in Part III, including CSS2, XSLT and XPath. XSL-FO for formatting is also covered in this part. XLink and XPointer to facilitate referencing operations are the subjects of Part IV, and the book wraps up the formal descriptions of the family of specifications in Part V, which covers XHTML and RDF. I have a personal interest in RDF, and found the chapter devoted to it complete, but terse. This characterizes all of the chapters in this book. What makes this book valuable is the way the information is displayed. Each chapter starts with either an overview or concepts, and each clearly explains each specification and gives clear examples to demonstrate how they work in practice.

Appendices at the back of the book are especially valuable because they summarize much of the information in the body of the book. For example, Appendix A depicts the family of specifications in a format that clearly shows the relationships among them. In addition, the web site that supports the book provides a lot of supplementary material, including over 900 links to related resources and an image map of the family of specifications that is one of the most visually appealing and informative resources one can have at their disposal. Note that the web site is not up-to-date - some information that was cited as coming in April and May was still not online as of late June.

This is not a book for learning XML as much as it's a reference. The main value over W3C material that is available over the web is the clear writing and many examples. It reads much better than dry specs and is complete in its coverage.


Now For Something Strange. As long as I'm dredging up old books that I think are still useful, here is one that is worth tracking down: Testing to Verify Design and Manufacturing Readiness. This book, despite the editorial description on this page, is entirely about hardware/software integration as it pertains to managing acquisition risk for the buyer and the processes and procedures that need to be employed by the developer.

If you work within the framework of the FDA's General Principles of Software Validation or the FAA's DO-178B for safety-critical avionics the material is consistent with these governing documents, but is too outdated to be useful.

However, if you are working on integrated projects that are unregulated with respect to government controls you may find this book useful. It contains a wealth of useful guidelines for establishing and managing processes to support development of products that are based on embedded software or hardware/software integration. The core of this book is a collection of templates that were developed and proven in the DoD industry, and are designed to manage integrated testing, failure management and field feedback. Each element is applicable to commercial environments, especially for companies that are manufacturing intelligent network devices, data storage systems and specialty products such as digital control systems, sensors and other integrated hardware/software products.

The templates are introduced in Chapter 1, and each of the seven functional areas covered by the templates is discussed in a separate chapter. These functional areas are: integrated testing, failure reporting, design limits, product life, test/analyze/fix process, uniform test reporting and field feedback. A chapter on applying these follows, but the material is slanted towards DoD issues. If you apply thought and imagination while reading this chapter you should get ideas on how to refactor the cases into your own environment.

Section 2 devotes three chapters to software design and test, which are based on the older waterfall development life cycle. However, this particular life cycle lends itself well to developing embedded systems, making this material valid and applicable to commercial environments.

Overall, this is a useful book for the intended audience I cited above if you can track down a copy. In particular, the checklists and overall framework are valuable, and much can be learned from the risk-based approach taken in the book.

Shifting Gears. Although I'll inevitably return to quality and reliability, I am going to shift to another topic in my next entry: XML. Also, most of the topics for the next few weeks will be in the form of book reviews instead of the tutorials and news items that we've been writing about. That will change as soon as things stabilize. We're all busy and haven't the time to do the research we normally do, nor the freedom to craft original essays on topics that are dear to us. That will change in due time, but until then please bear with us.

Friday, May 24, 2002


Oldies, But Goodies. One of my personal favorite books, and one that has had a profound influence on me, is Quality Assurance for Information Systems. This book represents a pivot point in Perry's prolific published works that date from 1981. What makes it pivotal is the fact that this book synthesizes his approach to IS quality assurance from a production support viewpoint and his future work which focuses on software testing.

Although over 11 years old the QA approach contained in this book is still valid. To get at the gems, though, you have to overlook a few things. For example, terminology common in the mainframe data center of past decades sounds quaint even to those of us who came from that environment. Also, the code examples used to illustrate quality problems are sure to confuse the younger generation of C++ and Java developers and test professionals who probably never heard of PL/I and only vaguely know about FORTRAN.

What I like about this book and the reason why I think it's still an important reference is the fact that application quality from an enterprise perspective is addressed. This goes beyond testing and release processes, as well as beyond project issues surrounding applications delivery and SQA. The focus is on production and maintenance, although testing, SQA and project metrics are addressed.

In addition to the focus, the book contains checklists, questionnaires and sample forms that can be updated to reflect modern computing environments - and you may be surprised to find that much of this 'ancient' material requires very little modification. Another aspect of this book that I like is the material on software maintenance, which seems to be a lost art, although it's as important now as it ever was.

Don't let the age of this book deter you if you're interested in quality assurance from a production support point of view. The best recommendation I can give is that this book has served me well in over a decade of consulting, and it probably will for years to come. However, it shouldn't be your only reference either.

Thursday, May 23, 2002


More on Quality and Testing. In previous entries I covered most of the newer books on quality, reliability and testing. However, there are some older books that are still valid or contain enough information of value that they merit a mention.

  • Testing Very Big Systems. After you've peeled back the layers of testing techniques that are better documented and more refined in more recent books, and archaic language that characterized the mainframe lingo that was dying out when this book was first written a decade ago, you'll find gold.
    First, the way test case management is presented stands the test of time. The author is obviously well versed in managing complex system testing and it shows in his detailed approach to developing a test strategy and managing a large array of test cases. As good as this material is, it isn't a sufficient reason to track down a copy of this book because Rick Craig and Stefan Jaskiel have a more modern book, Systematic Software Testing that accomplishes the same goal.
    The real gold is in the way that this book integrates testing, issue management and metrics. Although there is a large body of knowledge on these topics, this book manages to sort out the complexities in the clearest terms I've encountered. I also think that the approach to change management is excellent, and especially the way this is linked to issue management. On the subject of issue management, the taxonomy of issue types has served me as a model during numerous consulting engagements for service delivery and software engineering process development, and has been proven in the field.
    Additional gold is in the chapters on test documentation (especially the treatment of status reporting) and managing management. I also like the way that the author takes economic considerations into account, which was not much in vogue when this book was written in 1992.
    If you're an SQA or applications delivery practitioner I strongly recommend tracking down a copy of this book. Look past the archaic parts and you will find one nugget after the other of useful information. I wish this book would be rewritten to reflect today's environment and the lessons that the author learned in the decade since this book was first published because there is much in this book that you will not find elsewhere.
  • Ensuring Software Reliability. Despite this book's age and the subsequent software reliability books that have since been published, it adds a perspective and information that is either not in more recent books, or is not given the same comprehensive treatment.
    If you are familiar with software reliability as a discipline and with any of the major books, such as John Musa's Software Reliability Engineered Testing, you'll probably not find anything new in Part I, although chapters 3 (software failures and failure processes), and 6 (reliability terms and definitions) add clear, succinct descriptions and definitions to these topics.
    Part II, however, is where this book shines and why I use this book as one of my principal references. Specifically, chapter 7, which covers software reliability data collection, is thorough and comprehensive. I especially like the way data collection is integrated into a reporting process, and the near exhaustive list of error, product and process metrics and their associated descriptions. Chapter 8 is another gem. It describes 12 major reliability models, ranging from Musa's models to predictive models. One of the most interesting models in this catalog is the 'Leone Test Coverage Model', which is based upon percentage of completion and coverage of specific development and testing tasks. For each model the author gives a summary description, provides assumptions and parameters of the model, and the associated math. Each model's summary contains strengths and weaknesses, and when in the life cycle the model is best employed.
    Overall, this book contains some invaluable information and information that has been superseded by newer books (especially the last chapters in Part II). If you're seeking information that I've highlighted above, this book is a worthwhile investment. If you're looking for a book that is more up-to-date I recommend Software Reliability Engineered Testing by John Musa. This book will remain an often referenced part of my library for some time to come.
In my next entry I'll provide additional books that I like in spite of their age.

Wednesday, May 22, 2002


Short Break. I am going to briefly break from the testing, SQA and reliability thread because I don't have time right now to devote to properly wrapping it up. I will offer an interesting article titled Use of Metrics in High Maturity Organizations to keep the pace alive until I return to the topic.

Wireless and M-Commerce Development. I just posted my take on a book titled Mobile Business Strategies: Understanding the Technologies and Opportunities in our sister weblog, Postcards from the Revolution.

That weblog focuses on service delivery and business/IT alignment issues, while this one is slanted towards software engineering and more technical topics. The book fit within our theme for Postcards from the Revolution, but there is a related book that is more suitable for this audience. The title is The Complete Wireless Internet & Mobile Business Programming Training Course (with CDROM), and the friend who called it to my attention was enthusiastic. It appears to be a complete training course in all aspects of wireless and mobile commerce development. Judging from the content of the thirty-four associated PowerPoint presentations that are available for free download this is, indeed, a complete training course. If you need to get yourself or your staff quickly up-to-speed and you have a constrained training budget this may be a cost-effective alternative.

Back to Quality. Before ending this entry I want to revisit quality. If you are pursuing the ASQ CSQE certification you may want to get a copy of Fundamental Concepts for the Software Quality Engineer. This book is published by the sponsor of the certification (ASQ), and the book editor is Taz Daughtrey, who is editor-in-chief of ASQ's peer-reviewed quarterly journal, Software Quality Professional.

Tuesday, May 21, 2002


More on SQA + Reliability. In my haste to provide SQA resources yesterday I left out two important ones that should be bookmarked and frequently visited by anyone who is interested in software quality assurance:

  1. David F. Rico's home page.
  2. Tantra Management Services.
These are my personal favorites, and I have been using them for years as primary resources.

Software Reliability - Short Version. I am still pressed for time, so this entry is going to be as terse as my last. In the same manner that I use a single book as my primary reference for SQA, I use Software Reliability Engineered Testing by John Musa as my primary reliability reference. My 11 May 2001 review on Amazon will show why I hold it in such high regard. That doesn't mean that it's the only book I use - I have a large collection of SQA and reliability books - it means that it's the first one to which I turn for authoritative information on the topic. On the web the first place I go is the Data and Analysis Center Software Reliability page, which points me to the resources I need for particular aspects of reliability.

Past Information. Reliability has been addressed in this weblog in many previous entries, so I am not going to repeat much of that material here. However, during the next few days (when I get a break in my routine) I am going to wrap up this thread with a few longer entries that describe my own views about SQA and reliability.

Monday, May 20, 2002


SQA. We've now come to SQA, and while most of my testing resources are books, there is only one book that I use as a primary reference for SQA: The Handbook of Software Quality Assurance by Gordon Schulmeyer and James McManus. My reasons for using this book as a primary reference are cited in my 18 April 2001 Amazon review. However, my most frequently used resources for SQA, and the ones which have shaped my thinking, are:

One interesting page I want to share that crosses SQA and software engineering practices is Nine Steps to Defect-Free Software, which should be made into a poster and placed in every cubicle in development.

I am pressed for time, so am going to abruptly end this without further commentary. I'll pick up where I left off tomorrow.

Sunday, May 19, 2002


Closing In. This thread started with a brief set of reasons why I was enamored with Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel, and has grown into a series about testing, quality, SQA and reliability. I opened the last entry with a quote attributed to Hesiod, who remains an influential Greek poet and philosopher. The theme of this entry is metrics, so I am going to open with a quote by Albert Einstein:

Not everything that can be counted counts, and not everything that counts can be counted.
How true. Einstein's legacy of genius will live on for ages because he has influenced generations of mathematicians and physicists.

While perhaps not at the same level as Einstein, Robert B. Grady will remain in my memory because of the deep influence his work has had on my thinking. I first discovered Grady in 1992 when I read Practical Software Metrics for Project Management and Process Improvement (see Linda's 22 April 2001 Amazon review). This is Grady's first book and it sets the tone for his later two books discussed below. What makes this book so important is that it is one of the first to integrate software metrics with project management metrics.

What I particularly like about this book includes:

  • Complete view of metrics that matter, and the chronicle of how these metrics evolved in a large company (Hewlett-Packard).
  • Recognition that any software metrics initiative extends beyond the project that delivers the software - Grady examines post-production metrics and ties them back to not only the development life cycle, but the product life cycle as well. Ten years after this book was published there are still large organizations that are struggling with doing this, yet Grady's book provides a clear roadmap to achieving this elusive goal.
  • Continuous improvement is the central theme in this book. Grady does not stop with collecting and analyzing metrics, but shows how to effectively employ them to spot improvement opportunities and develop a strategy to effect those improvements.
The book is written as both a story of how a successful metrics program evolved, complete with anecdotes that will prove helpful, and as a collection of data that illustrates what is and is not important to a comprehensive metrics program.

Among all of Grady's books I like this one the best; however, I recommend that his other two also be carefully read if software process improvement is your goal. He has much to say and backs it up with data and a chronicle of his experiences from real projects.

Five years later Grady wrote Successful Software Process Improvement, which followed up on the foundation he laid in the first book by showing how his metrics-based approach can be leveraged into a viable process improvement program. This book uses the TQM Plan-Do-Check-Act framework as the basis for process improvement. However, he goes deep into the issues and factors to give a complete approach to developing and managing a continuous improvement posture.

Highlights of this book include:

  • The same story telling approach he successfully used in his first book. The conversational writing style and the logical sequence of the book makes it easy to read. Moreover, the real life examples add credibility and make the content practical instead of merely blue sky theory.
  • A complete survey of assessment methods, such as the CMM, Software Productivity Research's Software Quality and Productivity Assessment, and Hewlett-Packard's internal Quality Maturity System. The latter two are especially interesting because they are, in essence, balanced scorecards.
  • Business-oriented - the approach taken never strays from cost/benefit and ROI.
The parts I especially liked included the chapter on software failure analysis (a personal interest), key lessons from adopting best practices, and moving past reasons not to succeed. In fact, if you get nothing else from this book the last part will make this book a worthwhile investment because he shows how to deal with the six most common excuses for not pursuing process improvement (or any other initiative for that matter).

I also like the wealth of metrics, data and examples. While this book is longer than his first one, it's still a manageable 314 pages and is highly readable. If you are involved with software process improvement initiatives this book should be on your short list.

His last book, Software Metrics: Establishing a Company-wide Program, is about how to establish a viable metrics program. See my 28 November 2000 review on Amazon for details.

There is one other book that has deeply influenced me, Software Excellence: A Total Quality Management Guide. This book is a collection of papers that were made into a text under the editorial control of Shigeichi Moriguchi. Mr. Moriguchi did a superb job of ensuring both readability and structuring the content in such a manner that it can actually be viewed as three books:

  1. A textbook on software quality control.
  2. Catalog of techniques used in testing and SQA.
  3. Training guide for testers and SQA professionals.
More details can be read in my 20 February 2002 review on Amazon.

Moving Along. Life is a journey, not a destination. This thread is going to imitate life because in the next entry I'll continue the journey, which will pass into the realm of SQA - a strange place inhabited by many cultures, and whose inhabitants are still trying to figure out who they are.

Saturday, May 18, 2002


Picking Up. My last entry opened the door to test process improvement, which is summed up in a 2800 year old quote by Hesiod:

It is best to do things systematically, since we are only human, and disorder is our worst enemy.
Isn't it amazing how something uttered so long ago by a Greek poet is relevant to software testing?

It's beyond question that the Greeks made many lasting contributions to culture and civilization. In the world of test process improvement the lasting contributions may well be coming out of the Netherlands. As an aside, our Dutch brothers and sisters are also making significant contributions to service level management (see my 5 April 2002 entry in our sister weblog, Postcards from the Revolution). The reason I believe that the Dutch are leading the way in test process improvement is because of the Test Process Improvement (TPI) and Test Management Approach (TMAP). Each of these approaches is documented in the following books:

Test Process Improvement: A Practical Step-by-Step Guide to Structured Testing. This book provides a coherent process improvement approach for software testing. It provides a model that supports the assessment of strengths and weaknesses of an existing software testing process and an approach for developing and implementing remedial action to rectify the weaknesses. As such this book is not useful to organizations that have not achieved a mature and stable testing process because the model will not apply. If you are seeking a book that will get your processes stable you will find Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel a better place to start.

However, if your processes are stable this book is among the best because it stays focused on improving the testing process and does so in the same manner that SEI's CMM does for software development. In fact, the TPI approach in this book is cross-referenced to the CMM, which gives you an approach that can be viewed as a testing maturity model that aligns nicely with the CMM (including the newer CMMI). This is one of the strong points of the book and TPI.

Another thing to know about this book is that it's written more like a specification than a narrative. Some readers may find this difficult, but if you are involved in mapping the TPI key process areas to the CMM (or SPICE, Bootstrap or PSM), you'll appreciate the format. Also, the book views TPI as a subset of software process improvement, and software process improvement as a subset of TQM. While the authors focus on the software testing process, they do not isolate it from the bigger picture. This allows you to view the entire quality process as a coherent whole when you're assessing the software testing process and developing improvement strategies.

I personally think this book adds considerably to the software testing body of knowledge, and that the approach the authors give is both practical and sensible. If you work in an organization that has a stable testing process or is at CMM level 2 or above this book is essential reading.

Software Testing: A Guide to the TMAP Approach. My first introduction to TMAP was in the above book, which the author co-authored. It piqued my interest, but unfortunately all of the literature on TMAP was written in Dutch. This book makes this powerful test management approach available to English speaking readers, making it invaluable.

First, a little about TMAP to explain why I think the approach is important and useful: It views testing as a process instead of a collection of procedures. The advantage is that once a process is in place it can be stabilized and improved upon. The key to testing is repeatability, and without a process there can be no repeatability. TMAP consists of four elements that combine to form a cohesive test management model:

  1. Testing life cycle that is aligned to the development life cycle. This life cycle is encapsulated within a planning and control framework that easily fits into the project management activities of the development life cycle.
  2. Testing techniques - not the techniques used in the execution of test cases, but the techniques employed for defining a test strategy, developing test specifications, and the associated artifacts. This book does cover some basic test execution techniques, but they are not the focus of the book and are not covered in great detail.
  3. Infrastructure and tools - addresses what are the minimums for an effective test process in the form of environments and tools. If you're establishing a test organization this aspect will be invaluable.
  4. Organization - how the test organization is structured and how it relates to external functions, such as development, configuration and release management, project management and other major stakeholders.
Each of the above elements and their parts are covered in great detail, resulting in a sound framework for test management. That alone makes this book invaluable, but there are some additional gems that I especially liked:
  • Test point analysis and estimation, which is an estimating method for test effort that is based on function point analysis. This is incredibly valuable because accurate estimation is one of the shortfalls in testing. This alone is reason to buy the book. For more information about Test Point Analysis you can download Test point analysis: a method for test estimation or look through the presentation slides from Conquest 2000, which also includes presentations on TPI and other items of interest. Although off topic, Test Effort Estimation Using Use Case Points is a related approach that fits nicely within the unified process.
  • The wealth of checklists - I especially liked the comprehensive list of quality characteristics.
  • Testing in maintenance situations - probably the most common situation for software testing and this book covers it well.
This book and the first one I discussed above combine to give a complete picture of test management and test process improvement.
There are a few other books about test process improvement that are worth reading:

While the last two are more slanted towards advice and examples, they do promote process improvement by showing what does and does not work.

Friday, May 17, 2002


Testing, Quality and Process. In our 13, 14 and 16 May entries Linda and I have taken turns discussing quality- and testing-related books.

The software testing profession came into its own in 1979 when Glenford Myers published The Art of Software Testing. Although this book is still in print (a remarkable feat in itself), it's quaint when compared to what we now have in published works and the body of knowledge. What this book did for the profession is legitimize it as a valid career path and to portray software testing as a profession instead of an activity to which mediocre programmers were exiled. Myers deserves the credit bestowed, but there is an unsung hero in the software testing and quality movement whose prolific writing has had considerable influence: William E. Perry.

Perry was writing about maintenance, testing and quality before Myers' book arrived on the scene, and his 1991 book, Quality Assurance for Information Systems: Methods, Tools, and Techniques, is an interesting blend of holistic IT quality and software testing. I still refer to my copy for ideas when I am researching metrics. This book is about mid-point in Perry's publishing career. While his subsequent books focused more on software testing, this one is among the first to cover both software quality assurance and software testing in a coherent manner.

William Lewis' Software Testing and Continuous Quality Improvement that both Linda and I have recently discussed here (and reviewed on Amazon) extends Perry's work with respect to a holistic view of software quality.

Testing vs. SQA. I make the distinction between testing and SQA as follows:

Testing is an activity to find or prevent defects in software using older inspection techniques or more modern preventive techniques. Note that I am not including value judgments in my definition, else I would have ignored the inspection approach. What I want to do is highlight differences between testing and SQA.

SQA is an oversight function that collects and analyzes quality data to be used in pursuit of process improvement.

Based on my definitions testing belongs in the application delivery domain and serves as the boundary between application delivery and service delivery (i.e., production). This is shown in the organizational diagram that Linda and I developed. SQA, in my opinion, should be a function of a program management office (an ideal spot for oversight), or an entirely separate function that reports directly to the CIO.

However, software testing is evolving to the point where testing and SQA are becoming blurred. In fact, to put it crudely, finding the boundary between testing and SQA is akin to picking fly shit out of pepper. I apologize for that analogy, but it best describes the situation. The two books I've recently discussed, Systematic Software Testing and Introducing Software Testing, each integrate testing and SQA, and it looks like the direction that software testing is going to take. There are some strengths and weaknesses to this:

  • Strengths: end-to-end quality infrastructure, with a viewpoint that encompasses the entire systems life cycle (not just the development life cycle).
  • Weaknesses: misses the big picture because testing is a narrow viewpoint of software quality. Other stakeholders in the service level management and project management domains have different viewpoints. See our Life Cycle Quality Gates document for an overview of metrics we deem important and you'll see why many will not be on the RADAR of a test organization.
I fall on the side of centralized SQA as an oversight function. I believe that Edwards Deming was correct when he stated, [I]f the measurements you’re using are unfair, inconsistent and not within the control of the person being evaluated then you will demoralize and de-motivate your employees. Testers should be concerned with testing, not the politics of metrics. In fact, Craig and Jaskiel raise this as an issue (in different words) in Systematic Software Testing.

Clouds in My Coffee. The way I see it the maturity of the software testing profession, as evidenced by the two books I discussed yesterday, and the affinity of testing and SQA, are on a course that needs to be carefully considered. For small organizations this isn't such an important issue, but for large enterprises the strengths and weaknesses need to be more carefully examined and weighed than I've done in this entry. The good news is we have reached a point where quality is considered to be important and proactive approaches to achieving it are becoming more prevalent. Better yet, these approaches are wrapped in process.

Where the issues become even more cloudy is in the growing (and excellent) body of knowledge and practices supporting test process improvement. My next entry will focus on that aspect of testing and quality before moving on to software reliability in a future entry.

Have a wonderful weekend!

Thursday, May 16, 2002


Proverbs. There is a proverb about a jackass that starved to death while standing between two bales of hay because it couldn't decide which one to eat first. The moral is to make a decision and move forward. My dilemma is that I have two new books on software testing and I am having difficulty in deciding which is better. At the risk of starving with such delectable food for the mind within reach I am going to give my opinions about the merits and best audience for each. The books are: Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel (see my 14 May entry) and Introducing Software Testing by Louise Tamres. One thing is clear: May 2002 will go down as the month and year that the software testing body of knowledge dramatically improved. That said, here are my thoughts about each of the books:

Systematic Software Testing. Synopsis: Process-oriented and applicable to test professionals at all levels; test managers will benefit the most.

This book provides a detailed roadmap for establishing and managing a comprehensive test process that is closely aligned to the IEEE standards for software testing. The process, called Systematic Test and Evaluation Process (STEP), is designed to improve quality by early involvement in the development life cycle instead of having testing as an activity on the critical path at the end of the build phase. This approach ensures early detection of defects, including those introduced in the requirements, specifications and design milestones. Clearly, the STEP approach supports testing and SQA (where SQA is an oversight function outside of the testing domain).

The STEP process has three main steps:

  1. Plan the test strategy (develop a master test plan and associated detailed test plans).
  2. Acquire testware (define test objectives, design and create test plans).
  3. Measure (execute the tests, ensure that tests are adequate and monitor the process itself).
This framework is supported in Chapters 2-8, each of which addresses supporting activities and artifacts in detail. Chapter 2 covers risk analysis since testing is by its nature done to reduce the risk of defects escaping into production systems. I like the way the authors separate technical and schedule risks in this chapter because each is integral to the realities of testing.

Chapters 3 and 4 show how to perform master and detailed test planning, and provide example plan templates and how to develop them, and requirements and factors for each test phase for the detailed planning (unit, integration, system and acceptance testing).

The analysis and design activities covered in Chapter 5 are focused on test design. The systematic and structured way the authors approach these activities walks you through developing test cases. You're shown how to ensure that they account for requirements and features, and are given high level advice about the types of tests to employ. Test implementation, covered in Chapter 6, introduces organization and process issues from a team perspective. One of the strongest chapters, 7, goes deeply into the issues and factors surrounding test execution, and gives metrics to consider and internal processes for managing defects. I felt that this chapter should have paid more attention to issue and defect management from an enterprise problem management perspective, but despite this the information is solid.

The chapters that will most benefit test managers, especially new ones, are 8 through 10, which address the test organization, people and management issues. These sections would warm the heart of HR professionals and are unique in that leadership is given the same weight as management techniques. The detailed comparison of certifications from ASQ (CSQE), IEEE (CSDP), QAI (CSTE) and IIST (CSTP) includes everything you need to know to select the best certification to pursue, including salary increase data for each of these certifications. I also liked the chapter on improving the test process and thought the discussions of the CMM and the TPI model that is the subject of Test Process Improvement: A Practical Step-by-Step Guide to Structured Testing discussed. The appendices are also valuable in that they provide a glossary and templates that are consistent with IEEE specifications for software testing, and other valuable aids, such as checklists, an example master test plan and process diagrams.

Overall, the 15 years of field experience in teaching testing that is embodied in this book shows. It's practical, captures best practices and provides a solid model for a process-oriented test organization that employs preventive techniques.

Introducing Software Testing. Synopsis: Teaches good habits to new testers, and offers much to experienced test professionals.

I cannot imagine a better introductory book for software testers because this much needed text bypasses the theory that similar books inundate you with and goes straight to the essence of what testers spend most of their time doing: writing test plans and developing test cases. In fact, the first chapter (Tackling the Testing Maze) is the roadmap for the rest of the book, as well as the test process itself. The approach is modern in that it's aligned to iterative development life cycles, which is based on eight stages:

  1. Exploration
  2. Baseline test
  3. Trend analysis
  4. Inventory
  5. Inventory combinations
  6. Boundaries
  7. Data
  8. Stress the environment
What I like about this book is the no-nonsense approach to developing a test outline from which the test plan(s) and test cases will be derived, and the way that this documentation is aligned to the real world. For example, due diligence in the form of meticulous attention to sign-offs and authorities to proceed is emphasized. This alone is a common failure point in many test organizations. I also like the way that the realities of the project are highlighted, especially the interactions with the development team and the integration of project considerations into the process - in particular, the schedule constraints that all testers must juggle while meeting quality goals.

Other areas that make this a realistic look at testing include the chapters on object-oriented and web testing, and the inclusion of security testing - especially the latter which has been neglected in many advanced books and is an important, but overlooked, aspect of the full test suite.

Because this is an introductory text the author uses case studies and copious examples to illustrate and reinforce concepts and activities. But most important, the focus is on activities that reflect what testers do and theory only when required. This makes the book interesting and will give to anyone who follows the approach solid skills that will increase their worth to their team as well as dramatically increase their professional knowledge and skills.

For new testers this is probably the most important book you can buy. If you're a test manager you'll find this book to be an ideal training tool, and if combined with Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel will give you a complete reference library. The approach in the Craig and Jaskiel book is completely consistent with the approach in this one, making both books all the more valuable.

Which to get? Why not both?

In my next entry I am going to continue this theme and extend it with my thoughts on SQA, software process improvement and software reliability.

Wednesday, May 15, 2002


Foul Play. Linda's last entry highlighted some disturbing behind-the-scenes maneuvering that, frankly, is a threat to open computing and interoperability. A 14 May article by Wylie Wong titled Microsoft ploy to block Sun exposed uncovers more foul play.

This goes much deeper than Microsoft's shenanigans. IBM shares the guilt, and based on past history Sun isn't exactly clean either. In this case they are the victim, but do you doubt that they would have been the perpetrator given the opportunity? No, this isn't a Microsoft or IBM sin, it's an indictment of the lack of ethics in our industry and it underscores the reason why we have anti-trust legislation to begin with. However, the courts should not bear the burden of sorting this mess out. We have a responsibility to just say no to technology based on proprietary standards. Until that happens we're going to get what we deserve, and it will be a regression to closed-systems and lack of interoperability.

On a Positive Note. If you develop in the J2EE environment you should be frequently visiting The ServerSide, which contains news, articles and other resources. Registration is free, and two great reasons to register are free PDF copies of:

  1. Mastering Enterprise JavaBeans (the same material that is contained in the paper book with the same title by Ed Roman, Scott W. Ambler, Tyler Jewell and Floyd Marinescu). The source code that goes with the book is also available for free download.
  2. EJB Design Patterns in PDF format, which is identical to the paper book with the same title by Floyd Marinescu and Ed Roman. Note: the PDF version of the book has not been put in the download section yet, but you can still get the source code.
Remember, you need to register for a free account to download these valuable books and source code. You'll also get access to discussion boards and articles, such as Critical measures when beginning a J2EE project, that are sure to increase your knowledge (not to mention saving money on books).

The ServerSide has a sister site called The Middleware Company, which also requires registration and also has invaluable resources. Their article library is filled with whitepapers and articles that you'll find useful.

Tuesday, May 14, 2002


Eyes Wide Shut? In a 7 April article titled IBM, Microsoft patents pose dangers David Berlind exposed behind-the-scenes acts that would do Machiavelli proud. A quote from the article is an attention grabber:

The potential for the two giants to erect a toll booth is tied to the likelihood that Web services protocols such as SOAP, WSDL, and UDDI--and the related ones to which the two companies hold patents or other intellectual property rights--will one day be as important as the standard protocols (such as TCP/IP and HTTP) on which the Internet is based today.
A month later Mr. Berlind reports that IBM and Microsoft are not going unchallenged. His 7 May article titled Web Services Hero shows that both Hewlett-Packard and Apple are proactively challenging the moves by IBM and Microsoft. While Mr. Berlind's reporting is well written and researched, and his tenacious investigation is a true service, one of his readers, Gary Edwards, summed up the issues and threats in his Reader Talkback. This is important stuff and I think both David Berlind's articles and Mr. Edwards' thoughts merit a careful read and a lot of thought.

Yesterday I singled out Soft Java for its light, humorous approach to teaching Java. I found another site, Java Ranch, that uses the same approach and am now becoming interested in Java. One final note: If you are interested in CASE tools you'll like the collection of Freely Available CASE Tools that I stumbled upon by accident.


Linda's thoughts about Software Testing and Continuous Quality Improvement in the previous entry are on the mark. The book takes a wide look at software quality improvement across the life cycle and wraps it into a continuous improvement process. I just received a review copy of Systematic Software Testing by Rick D. Craig and Stefan P. Jaskiel and have to exclaim, what a difference a day makes. I've only had this book for 18 hours as I write this, and in my opinion it's destined to become the standard reference for software testing. It won't completely supplant Software Testing and Continuous Quality Improvement because, as Linda pointed out, that book's encyclopedic format for testing techniques, and the complete picture of pre- and post-production metrics make it useful in its own right.

The reason I believe that the Craig and Jaskiel book will become the standard reference is based on:

  • It not only proposes a preventive testing process (called STEP; Systematic Test and Evaluation Process), but is also aligned to IEEE standards for test documentation and uses IEEE terminology throughout. These accomplish three things: (1) it gives a test process that takes the entire life cycle into account and employs an approach that begins before a single line of code is written, (2) leverages established standards and shows how they can be successfully used in practice, and (3) uses established and standardized terminology.
  • The STEP approach is based on risk management, which is missing from other books on testing. The up front risk analysis in the test planning phase makes sense when you consider that testing is all about finding and removing defects, which represent risks to the software to be delivered. Finally, someone gets it right!
  • The chapters on master and detailed test planning add clarity and consistency to these processes. If you've worked in more than one organization you'll understand the significance of this because it seems that no two organizations approach it the same way, and I have never seen an organization approach it in the logical manner in which it's outlined in this book.
  • The same structure and consistency is applied to test implementation and execution - and the combined benefits will promote repeatability, which is a fundamental goal of testing.
  • Forms, checklists and templates (unfortunately only in hard copy) that are provided are invaluable. If you tailor them to your own organization you'll have a ready-made set of testware that covers every facet of the QA process.
A few other highlights that I picked up in the 18 hours since I've had this book include: a side-by-side comparison of software quality and test certifications. There were some interesting surprises here. For example, there are a little over 1900 ASQ CSQEs, compared to over 2200 QAI CSTEs, which means that I lost the debate with Manisha Saboo of eRunway over which was the most prevalent certification. Another fact that emerged from the comparison, and that makes Manisha's arguments in favor of CSTE even more compelling, is the average salary increase for those who attain one or the other certification, which is a mere 3% for CSQE and 19% for CSTE. The two other certification programs compared in the chart, IEEE CSDP and International Institute for Software Testing CSTP, are relatively new certifications with less than 200 certified professionals each.

I also liked the chapters on test management (from a test manager's perspective) and improving the test process. If you are with an organization that is assessed against the CMM or are considering going in that direction, the brief piece on how to align the test process to the CMM is invaluable. If you are familiar with the Test Process Improvement approach proposed by Koomen and Pol in Test Process Improvement: A Practical Step-by-Step Guide to Structured Testing, you'll especially like the way that this book cross references STEP to TPI.

Obviously I will have much more to say about this book as I read through it in detail, and after I have I'll post a comprehensive review here. However, I found the book to be so impressive and compelling on the first scan through that I wanted to get the word out that this is, indeed, a book that is essential if you're involved in software testing.

Monday, May 13, 2002


Mike's earlier mention of the Life Cycle Quality Gates document, that Mike developed and we both continue to refine, caused me to think of the source material we used as its basis. Software Testing and Continuous Quality Improvement was probably our most influential resource. This book represents the most complete and comprehensive approach to total quality of any I've read on either software testing or software quality assurance.

Highlights include:

  • A structured quality cycle based on Plan-Do-Check-Act. This cycle is the foundation of continuous improvement, which is the theme of the book.
  • Complete description of testing techniques. In this respect the book is an encyclopedia for software test professionals and a definitive reference.
  • Comprehensive resource for forms and checklists (I wish these were also provided in soft copy on a CD ROM or author's web site, but they are not).
  • Full view of metrics across every aspect of the development life cycle. In the same manner that the testing techniques are encyclopedic, the metrics are also an encyclopedia for SQA professionals.
It does not confine itself to testing alone, and in fact, has something for production services and service delivery professionals, as well as project managers involved with large scale development and implementation projects. You would have to buy at least a dozen books or download thousands of documents off the Internet to get the information contained between the covers of this book.

I recently finished reading Business Rules Applied, which covers business rules from an implementation approach, and does so in great detail. If you are new to business rules you should first read Business Rules and Information Systems: Aligning IT with Business Goals by Tony Morgan, which is better for beginners. That book introduces business rules at a basic level.

This book expands Morgan's work by drilling down into details and exposing the nuances that a seasoned practitioner will appreciate. However, the main value of this book is the way Ms. von Halle steps you through the complexities of implementing business rules as an organizational methodology. This is not an easy task, but she manages to provide a complete and comprehensive approach that will guarantee success if carefully followed. I think the work breakdown structure alone that is provided in the book makes it essential to anyone who is tasked with implementing business rules.

In addition, the tables, checklists and documents and information from the book's web site add even more value. This is an important book about an important topic. It's not easy to read, but the diligent reader (assuming prior experience) will find everything he or she needs to know about business rules, the value proposition for using them, and how to implement them. It's the most authoritative book on the subject, and will probably remain so for years to come.

There's always some delightful site to be discovered, and the most recent is Soft Java, which is the creation of two women, Jeannie and Joy, who are funny, slightly over the edge and have other similar qualities that will endear them to you. Their site is dedicated to teaching Java to the masses. I'm up to my eyeballs with my Oracle OCP training and am not about to add learning Java to my workload at this time, but when I do have the time and energy I might just return to their site and add Java to my skills.


Monday Morning Postscript. I forgot to include an interesting assessment of Extreme Programming within the context of CMM level 2. If this topic interests you, you'll also want the associated PowerPoint presentation and Excel worksheet that were used in connection with the assessment. An interesting viewpoint is contained in an article by Mark C. Paulk (Software Engineering Institute's CMM guru) titled Extreme Programming from a CMM Perspective.


Software Process Improvement. There are three outstanding sources of information for SPI:

  1. David F. Rico's home page.
  2. Tantra Management Services.
  3. European Software Process Improvement.
The last one contains documents by categories ranging from assessments to strategies and is one of the best collections of information I've seen in a long time.

Software Configuration Management. The clearest overview of SCM that I've found is on a University of Calgary page for a software engineering class. This page also has a PowerPoint presentation on software configuration management that is excellent.

Configuration Management for Software by Stephen B. Compton and Guy Conner is the best book I've read on SCM. This wonderful book was out of print, but a quick check on Amazon shows that it is once again available. If you get one book on SCM this is the one I recommend.

Another source of SCM information, along with software engineering processes by CMM key process area, is the Systems Engineering Process Office maintained by the Space and Naval Warfare Systems Center, San Diego. Their document collection is mostly in MS Word and PowerPoint formats.

An Old Friend. Linda and I have a document that we frequently cite. It's titled Life Cycle Quality Gates and provides key metrics for every phase of the development life cycle, with attention paid to production (a phase that is too often ignored). Another of our old standbys, titled Configuration Management - The Big Picture, is a quick reference guide for configuration, change and release management. We've included both the technical and business value of each facet of configuration, change and release management, which is a starting point for analyzing the ROI that will result from establishing and managing these critical processes.

Project Management. I've written three fairly comprehensive articles in the 9, 10 and 12 May entries in Postcards from the Revolution. If PM is a topic of interest you should read the articles.

Sunday, May 12, 2002


Small World. This entry is dedicated to a good friend, Julia Jamal, who is a consultant at iPerintis in Malaysia. What makes this world so small is the fact that I met Julia via e-mail when she commented on one of my Amazon book reviews. That in itself is not uncommon, even though she lives half way around the world from me. What we did discover through a chance encounter is that while we are separated by distance and culture, we have many things in common: we're in the same business (IT consulting), we're both Muslim and I speak a language (Tagalog, the national language of the Philippines) that is derived from Malay.

Julia's current research interests center around M-Commerce, so this collection of links and documents is dedicated to her:

There are also books on the subject that I either have read and reviewed or have been highly recommended by colleagues:

In addition to the above, Sridhar Iyer's personal page contains an impressive collection of resources, including two excellent PowerPoint presentations:
  1. Wireless Application Protocol. The 100 slides in this presentation cover WAP in great detail. Regardless of whether you're designing, developing or managing WAP applications you should grab this presentation and study it.
  2. M-Commerce: Mobile Applications. All you need to know that's important is contained in this 36-slide presentation.
I'll be posting more focused entries about M-Commerce in future entries. This collection will provide ample background material across a wide spectrum of technical and business factors.


Architects and developers will gain a wealth of knowledge from a new book titled The Power of Events: An Introduction to Complex Event Processing in Distributed Enterprise Systems. The short description is: adds a structured, formal approach to system and business events. This book applies structured engineering methods to systems and software engineering, making it a unique and much needed addition to the body of knowledge. Prior to this book event processing was in the domain of embedded and realtime systems developers and hardware designers. This book shows how to effectively use these techniques in IT.

The first two chapters give reasons why complex event processing (CEP) is essential to the distributed systems that characterize supply chain, e-commerce and internet-enabled applications. They also sort out the key issues and present a paradigm for a global event cloud that is decomposed in subsequent chapters. Instead of providing an in-depth analysis of each chapter, which would make for a lengthy and boring review, I'll give the highlights of what I liked:

  • Architecture is an important theme throughout the book. In particular the Rapide architecture description language adds formality and structure. The key elements of Rapide are causal event modeling, event patterns/pattern matching and event pattern maps and constraints.
  • Events, timing and causality, and their interrelationships, are thoroughly explained. These are the key to understanding the treatment of patterns, rules and constraints that follow, and for tackling the subsequent discussion of complex events and event hierarchies. This is slow reading, but the essence of the book.
  • Event processing networks, which are a practical use of the knowledge imparted by this book. Moreover, the two case studies showed real world application of the concepts instead of abstract theory. They reinforced all of the key points made earlier in the book.
CEP is particularly applicable to enterprise application integration projects that depend on business events and network and systems management instrumentation (especially developers who write Tivoli software adapters, develop network monitoring solutions or similar endeavors).

Friday, May 10, 2002


Capstone. It's only fitting to put a capstone on my previous entries about architecture. I have a few loose ends in the form of documents and links that complete the picture of what constitutes architecture, and a tie-in to component-based software engineering, which is a close cousin.

The quick and dirty list:

Also related are two documents from IBM: Business Rules for Electronic Commerce and Multi-Dimensional Separation of Concerns Using Hyperspaces (see also: previous entries about separation of concerns).

Thursday, May 09, 2002


Architectures Redux. I've been discussing architecture within the context of web services, which is but one facet of the topic. First, I want to get a pet peeve out of the way: architect is a noun, not a verb. You can be a software architect, but you don't architect software. This atrocious misuse of the English language was introduced by Steve Jobs many years ago, and has unfortunately become a permanent part of the IT lexicon.

What is the essence of architecture? One of the best descriptions of software architecture is provided by Bredemeyer Consulting's Software Architecture Page. Despite the use of the dreaded word, architecting, the definitions provided capture the essence. My personal view is to consider architecture in its traditional form, which is the development of a high level design - the big picture. That is what those folks who design buildings for a living do. However, there are some marked differences between the original architects and software architects, which can be summarized in these three comparisons:

  1. Those who design buildings have stringent education requirements and are licensed. There are legal definitions as to who can proclaim themselves to be an architect. In software anyone can claim that he or she is an architect - and they frequently do just that. No credentials are required other than a proclamation and, perhaps, some references that will support the claim that they actually functioned as a software architect.
  2. Architects who design buildings are held to legal and engineering standards to which their designs must comply. Software architects can do pretty much anything they can get away with without legal or professional oversight.
  3. Building architects blend design with engineering constraints. They use both creativity and a good deal of science and math. Software architects may or may not employ either - and they are not compelled to do so in order to claim to be an architect.
However, my objective is not to bemoan the misuse of English or the sorry state of software architecture, but to provide reference material that I hope will be used to get one thinking about the essence of software architecture and advance our profession through knowledge sharing. The resources that I am providing portray many different ways to approach architecture, and some are better than others. Moreover, some of the resources conflict with one another, but what they have in common is the fact that the approach is based on methodology and quantification. Each provides an opportunity to learn.

Resources that I recommend include:

Architectures also define the building materials and techniques needed to execute the design developed by the architect. This is true regardless of whether the architect is a licensed professional or a software architect. Both the building and the software architect need to understand the characteristics of the materials and techniques. To that end I am including miscellaneous references to materials and techniques that a software architect will find interesting:

My next entry will depart from the architecture theme, and will focus on M-Commerce and related topics.


No Surprises Here. According to an 8 May eWeek article titled Error in MS Protocol Could Compromise Security, "Microsoft Corp. has already identified at least one protocol and two APIs that it plans to withhold from public disclosure under a security exemption in the federal antitrust settlement proposal agreed to in November, according to Jim Allchin, Microsoft's group vice president for Platforms, who testified in the antitrust case in court Tuesday."

Plans to withhold from public disclosure? Yeah, and we need to destroy this village in order to save it, right?

Wednesday, May 08, 2002


Availability. Linda and I are now available for consulting assignments, either as a team or individually. Marcia Hopkins will be available in early June. A summary of our experience and qualifications is available on the TEAM Zarate-Tarrani page.


Dimming Light. Kate Hartshorn has taken an indefinite leave of absence from contributing her insights and thoughts here. Her time and efforts have been redirected towards a difficult, but surmountable, challenge. Until her return this weblog and its Postcards from the Revolution sister will be bereft of rare points of view and a touch of humor and class that is missing from most technical resources. When she does return it will be on a permanent basis.

Shedding Light. What are web services, and why is there so much debate about a definition? I subscribe to a large number of news services and this question arises, debate ensues, issues become murky and the process repeats itself. I go with the definition that is set forth in the W3C Web Services Architecture Requirements that states:

A Web service is a software application identified by a URI, whose interfaces and binding are capable of being defined, described and discovered by XML artifacts and supports direct interactions with other software applications using XML based messages via internet-based protocols.
That wasn't too difficult. We have a definition that is sanctioned by an internationally respected body, and until a better definition comes along why not go with it? It certainly cuts through the hype spewing forth from Microsoft, Sun and the industry experts.

If you're interested in web services architecture the following resources are essential reading:

  • W3C Web Services Architecture Working Group. Yes, the W3C is a politically-charged organization, but they are respected and set standards to which the squabbling factions (a.k.a., Oracle, Microsoft, Sun, etc.) pay close attention. Ignore their standards and what is happening within their working groups at your peril. It's also interesting to note that the W3C cites the Architecture Trade-off Analysis (ATAM) approach supported by the Software Engineering Institute as an influence. I have a few papers on ATAM in the December 2000 issue of my old Information Technology Newsletter. If you want solid information about ATAM and related approaches read Evaluating Software Architectures: Methods and Case Studies, which I reviewed on Amazon.
  • IBM is another reliable source of information. I have long admired their objectivity, which I've witnessed firsthand in numerous consulting engagements where they have played a role (they have no problem recommending products that compete with what IBM sells, and will not hesitate to provide professional support for those products as well). In the web services domain they publish some of the best information that is available from a commercial vendor. One such document is Web Services Architecture Overview, which is entirely consistent with the W3C views cited above. I also like their PDF document titled Web Services Conceptual Architecture, which is packed with information and describes architecture in both abstract and practical terms. Introduction to Web Services Architecture is a more generic paper published by IBM, and is well illustrated (a picture is worth a thousand words in this case). Web Services and UDDI look beneath the architecture at some of the moving parts, and related whitepapers complete the picture.
  • Web Services Architectures: How they stack up, also available as a PDF document, is an interesting comparison of different approaches to web services architectures.
  • Yet another source of information (and viewpoint) is the O'Reilly Web Services FAQs, which address the technical underpinnings more than the architecture. Their book titled Web Services Essentials, and another book (published by Addison Wesley) titled XML, Web Services, and the Data Revolution are worth reading.
  • Architecting Web Services by William L. Oellermann Jr. is a still valid early work that attempts to do the right thing: define an architecture that is traceable to business requirements. Although this book goes into technical details, it remains at a high enough level of abstraction to be a book about architecture. I especially like the book's web site, which provides a test environment that allows you to test your web services, and other resources. While this book is not strictly about architecture, it comes closer to addressing web services architecture in the real world than any other I've read (or read about).
  • Doug Kaye's Web Services Strategies weblog, which contains news, opinions and trends.
I've by no means exhausted my thoughts on this topic, and you can be sure that it will resurface again in the near future.

Bright Light. When Kate does return I promise that I'll make sure she stays around, and her place will never be filled until that time.

Tuesday, May 07, 2002


Correction. In my last entry I left out one of the true Oracle gems off the beaten path on the web: Thomas B. Cox's home page. This little known page contains some of the most impressive whitepapers I've found, including a DBA capability maturity model, DBA checklist and Oracle security information that you won't find elsewhere.

XML Update. One of the themes I've started this month has been web services, with a focus on some of the common building blocks such as VoiceXML, and specifications such as the Web Services Flow Language. I'm going to provide a few updated links on ebXML, which is in a constant state of change and is emerging as an important standard.

Technical specifications, white papers and reference materials are available at ebXML.org's specification page. This is a primary source of up-to-date information, work in progress documents and deliverables related to ebXML. If you're unclear about what ebXML is and why you should be paying attention to it, the site's FAQ will answer any basic question and provide the business and technical reasons for ebXML.

Another source of information is Sun's online whitepaper titled Overview of ebXML Specifications. This paper sorts out the specifications and their relationships to one another.

Monday, May 06, 2002


Off the Beaten Path in Search of an Oracle. Actually, I am not seeking a source of wisdom - I'm updating my primary Oracle links and want to share the lesser known ones and some of my frequently visited favorites:


More on Web Services. Two documents that neatly tie up my last entry on web services flow language are Web Services Architecture Directions and Web Services Flow Language Specification 1.0. Both files are in PowerPoint format.

Loose Ends. A few other documents and presentations tie any loose ends left from last week's entries. My descriptions are terse, but each is interesting and worth downloading and reading:

Enjoy, and have a wonderful workweek.

Saturday, May 04, 2002


Eric Knorr's 30 April article in ZDNet Tech Update titled Web Services Meet Process Management made me think about the many different directions we are going. Yes, we need to integrate process design and management into the architecture of systems we're designing and building. However, is yet another process notation or methodology needed? Given the activity surrounding Web Services Flow Language (WSFL) my question is moot. Personally, the best approach I've seen so far is that proposed by Nick V. Flor in Web Business Engineering. Bemoaning the fact that this well thought out approach is being ignored accomplishes nothing. I can console myself that at least the importance of process as a foundation is recognized and standards are being developed. I've collected a number of articles and documents about Web Services Flow Language and encourage anyone who is involved in the design and development of web-based systems to become familiar with them:


If you're developing a business case for e-commerce, or are exploring the business and technical impacts of implementing a major initiative, I strongly recommend reading Handbook of E-Business. This is an expensive book that will be a sound investment for the right audience and a disappointment to others. The right audience consists of high-level management in business process domains, IT executive management, marketing and strategic planners.

I'll start with what this book is not, which will help you determine if it's right for you. It is NOT:

  • a technical book, although technology is discussed, compared and contrasted within the context of e-commerce
  • a methodology, however the information provided is a straightforward examination of business issues and how e-commerce processes and associated technology can be leveraged for competitive advantage
  • highly detailed, although there is sufficient information with which to develop business strategies around e-commerce
What this book does provide is a high-level, succinct discussion of the major issues and factors that will be of interest to its target audience as I've defined it above. Although Jessica Keyes is credited as the author, she is really the editor, who has pulled together articles from experts and those in the trenches, and one of the more frequent contributors. Ms. Keyes's selection of content and her skills as an editor are showcased in this book, which consists of 6 sections (A through F) that address specific aspects of e-business as follows:
Section A: Introduction. Although one would think that all businesses have thought this through, most are still reacting to the phenomena of the web and its possibilities, with no realistic idea about the opportunities and pitfalls that are inherent. Highlights that I like are: selling and value propositions from a business perspective, learning from mistakes, partnering and alliances, implementation strategies, personalization, and a strategic framework for e-commerce.

Section B: E-Commerce. This section covers customer retention, e-commerce testing, driving revenue and customer satisfaction, e-merchandising, and strategic models.

Section C: E-Business. How to recast your thinking from bricks and mortar to e-business. Highlights include: integrated B2B, selling hard goods and info to businesses (business models and product development life cycles), ASPs, transforming your business into e-business-best practices, budgeting & reporting.

Section D: Financials. This is the most business-focused section, and one that is in line with Ms. Keyes's extensive background in business and financial analysis. It includes: valuing an internet business, financial model for CFOs, e-procurement, taxation, e-service, infrastructure investment decisions, finance dept role in e-biz development, developing e-business plan, raising money for internet venture, web revenue models, measures for e-business, outsourcing and initial costs to build e-business, procurement savings.

Section E: Social Aspects, including legal issues, advertising, trust management, and e-culture and change.

Section F: Technology. This collection of articles is a high-level overview that is aimed at upper management and decision makers to reveal the technical issues. Included are: content as cornerstone, testing, underlying technology, security and the impact of e-business on IT organizations.

Each chapter is an easy read and is packed with only the essentials. In fact, I marveled at the way the information is condensed and presented because most chapters were less than 10 pages, yet captured everything a decision maker needs to know. In many respects this book is similar to a highly focused collection of Gartner or Meta Group reports, and therein lies the value - busy executives can quickly get the information they need to make strategic and tactical decisions without getting bogged down in unnecessary details.

Friday, May 03, 2002


Last week I briefly discussed reliability and quality in a few entries. Both of these topics are heavily grounded in probability and statistics, as are most of the activities in which IT professionals engage. I use three basic tools, depending on the type of work I'm doing: Excel for business and simple computational problems and analysis, MathCAD for more complex work, such as queuing and linear programming/optimization, and risk analysis, and STATVIEW for heavy statistics.

Each tool has its place. If you're using Excel and want to learn how to tap into its power I recommend Management Decision Making: Spreadsheet Modeling, Analysis, and Applications. This college-level text is also useful to business and IT professionals because it provides a refresher for decision techniques that are the foundation of a number of disciplines. The book is divided into two parts:

  1. Deterministic methods, mainly focused on linear programming and optimization
  2. Probability and queuing.
What makes this book valuable to the practicing professional is that it uses one of the most common business tools, Microsoft Excel, and shows how to apply this tool to real world problems. The accompanying CD ROM comes with TreePlan for developing decision trees and CrystalBall for Monte Carlo simulation, as well as workbooks that are used to support the plethora of realistic examples used throughout the book.

Although the book is business-oriented and better suited for operations analysis and MBA students and practitioners, I've used it as a reference for project planning, computer system capacity planning and performance analysis, and IT security risk management - these practical uses of the material show the value of the book in the real world. The supporting web site that the author maintains has materials for lesson plans, errata and additional resources that make this book particularly valuable for the academic and business environments.

For more intense computations the best tool is MathCAD 2001 Professional. This program is valuable because there are limitations to spreadsheets for performing advanced statistics, differential equations and graphing. Yes, if you're clever with common spreadsheet applications, such as Excel, you can work wonders. However it's time consuming, clumsy after a certain point, and often requires third-party add-ins. MathCAD, on the other hand, allows you to perform complex operations with a simple drag and drop from its extensive library of built-in operators and functions.

I use it for computer systems capacity planning and performance analysis, general statistical analysis and probability in project planning and control. In that respect I haven't begun to tap into the power of this program, especially calculus and matrix operations. However, what I do use it for gives me an idea of the time savings that result from building equations by dragging the symbols onto the screen, adding the variables and seeing the results immediately. The graphing function is as easy (and powerful). What I can do in MathCAD in less than a minute would take hours to set up in Excel, for example.

What I particularly like about MathCAD is the document management capabilities that are built in, the fact that it seamlessly integrates with Microsoft Office applications (you can drag your equations and graphs into a Word document, for example, with the same ease as an Excel table or graphic), and ability to save your documents as HTML.

Another strong point about MathCAD is the large collection of files and electronic books that are freely available from the publisher's website. They serve as a clearinghouse and solution sharing point for MathCAD users and the solutions that are available cover every business, scientific and technical discipline. An example that is in my technical area of expertise is the Closed queuing network analysis solution that came in handy when I was analyzing batch processing optimization.

If you work with equations and have reached the limits of your spreadsheet application you may find MathCAD to be a great value. You'll certainly become more efficient and productive with it. You'll also find that the learning curve is relatively flat because the user interface is similar to Microsoft's Office family of products. You'll probably wonder how you got along without the ability to build equations with drag and drop shortly after you begin using it. Technical support is responsive, the documentation is clear and complete, and the publisher's web site provides a wealth of add-ons and other tools.

When it comes to probability and statistics one of the best programs is Statview 5.0, which is one of the more popular statistical programs used in business and scientific applications. Amazon sells a student version, and the only difference between it and the professional version is the licensing. The student version has all of the features and capabilities, but you are restricted by legal terms and conditions of the license from using it outside of the academic environment. This is also an ethical issue.

What it contains: a comprehensive suite of descriptive statistics, statistical process control capabilities, regression, analysis of variance, factor analysis and non-parametric test functions is built in. The power and ease of use come from the innovative user interface, data management and reporting features. In particular, the user interface stands out as my favorite feature because of its simplicity and power. It contains two types of windows, dataset and view, which account for its simplicity, and interactive browsers that allow you to access data and apply analytical functions, which account for the power. The dataset window is similar to a spreadsheet, and the plethora of functions allow you to perform any common (and many less common) analyses. You can also analyze more than one dataset in a single analysis, and you can save the work as a template to save time for similar analyses. Results can be displayed in either tabular or graphical format at literally a click of your mouse. The preview feature allows you to play 'what if' in the same manner as spreadsheets, by changing data or parameters and seeing the changes. Page layout is powerful and flexible, which is something one expects from a professional tool.

If you are a student and qualify for the license terms and conditions STATVIEW is a bargain and a time saver. In addition to getting a tool that will make short work of statistical analyses regardless of whether you're majoring in social sciences, business or technology, you'll be learning the same software that you'll probably use after graduation because SAS Institute, the publisher, is one of the most respected names in statistical software.

If you are not a student and want a more focused statistical program I recommend JMP Statistical Discovery 4.0. Unlike STATVIEW, which is for general statistical analysis for a number of business and technical disciplines, this application is focused on operations analysis, statistical process control and design of experiments.

What makes this an industrial-strength tool is the fact that it works with mainstream applications, such as Microsoft Excel (open tables can directly access Excel files), and with any database that can be accessed via ODBC (MS Access, Oracle, SQL Server, etc.). Further ease of use is provided by the column browser that combines a familiar spreadsheet view with powerful navigation capabilities. Additional flexibility is given by extensive reporting features (easy layout, save as HTML for web publishing, and editing data while in the report function). If you want to automate repetitive tasks JMP also includes a scripting language that is reasonably easy to learn and is integrated with the formula editor.

One of the more powerful functions is design of experiments, which sets this application apart from general statistics programs - if you use DOE or Taguchi methods then you have ample justification for investing in JMP because you'll be significantly more productive.

In addition to DOE/Taguchi methods JMP does descriptive statistics (eliminating the need for a separate statistics program), linear models, correlations and multivariate computations, statistical process control charts, and time series analysis. These capabilities make it ideal for anyone involved with quality assurance, R&D, operations analysis and reliability modeling. This is a professional tool that will save more time than more general packages such as the company's other product, STATVIEW, or applications such as MathCAD.

Thursday, May 02, 2002


VoiceXML is a topic that I am currently researching in support of developing a business strategy for Unmesh Laddha's company Thinking Minds, Inc. and our team's resources for end-to-end support for VoiceXML systems. Among the best resources I've found are:

Additional resources of interest include IBM's AlphaWorks VoiceXML resources (IBM is one of the major contributors to W3C's VoiceXML specification), Websphere's Voice Server page and World of VoiceXML, which is a personal page maintained by Ken Rehor.

One of the most highly regarded books on the subject is VoiceXML: Professional Developer's Guide with CDROM by Chetan Sharma and Jeff Kunins. This book has received consistent praise and is up-to-date (it uses the VoiceXML 2.0 specification as reference).

Wednesday, May 01, 2002


Loose Ends. A new month is here and that means new themes, unplanned entries that reflect whatever we are individually and/or collectively doing, and the occasional rants about pet peeves. I want to share a few files that I've accumulated, but didn't have an opportunity to work into an entry during April. Sans rhyme or reason, here are the ones that didn't fit but I found interesting:

Tuesday, April 30, 2002


The Role of Business Case Analysis in Software Engineering is an excellent 81-slide PowerPoint presentation on an important topic. The presentation's author, Donald J. Reifer, wrote Making the Software Business Case, which Linda reviewed on Amazon on 22 September 2001.

In my 21 April entry I wrote about a book titled Requirements by Collaboration: Workshops for Defining Needs. This book synthesizes three approaches to collaboration, including joint application development (JAD). The PowerPoint presentation on JAD shows how one collaborative approach works. I also have a collection of documents that support collaborative workshops. Collaborative requirements, like business case analysis, are keys to bridging the gap that exists between the technology focus of IT and the bottom line focus of the business. That gap needs to be bridged.

Monday, April 29, 2002


Arc of Quality is an interesting paper on measuring the effectiveness of the testing process. If you're involved in testing this paper offers a sane, cost-effective approach to assuring quality.

Although unit testing is a developer activity it's important because it's the foundation of software assurance and integrity. The three MS Word documents in the Zip archive containing unit test artifacts provide unit testing guidelines, a developer checklist and unit test plan.

Rounding out the test theme of this entry is a PowerPoint presentation on security testing fundamentals.

Sunday, April 28, 2002


In my 23 April entry I waxed enthusiastic about A Practical Guide to Feature-Driven Development. I have a few additional documents that support the book's approach and FDD in general:

On a different topic I read an interesting paper by Ed Bryce titled Failure is Not an Option. It discusses the costs associated with maintaining 24x7 systems, and the costs of those systems failing. This paper is closely aligned to Linda's Recovery Management whitepaper that she discussed in her 26 April entry.

Saturday, April 27, 2002


More on Oracle: I just discovered a cache of Oracle presentations that cover the full spectrum of Oracle-specific and general database knowledge domains. Enjoy.

Friday, April 26, 2002


I am still in the midst of my Oracle Certified Professional training, and the topic of the week has been back-up and recovery. While the Oracle-specific information is new to me, the process isn't. I wrote a recovery management whitepaper over a year ago, and much of the material remains valid. There are two recent articles that I wish were available when I was writing the whitepaper. They are certainly useful as references in my current class:

  1. Backup Windows
  2. Extreme Backup

Thursday, April 25, 2002


Brave New World? I just discovered a growing movement that centers on digital presence. What is it? According to a Primer on Digital Presence by Sean Gallagher it's defined as:

[T]he digital existence of a user—that is, a person, device or application—on a network. Being present ranges from simply being registered to actively participating with others.
It's being legitimized by the Internet Engineering Task Force in the form of an Instant Messaging and Presence Protocol work group charter, an independent, nonprofit consortium called the Presence and Availability Management (PAM) Forum, and a growing body of work. More information about the PAM forum can be found in PAM Forum Overview, and additional documents from various sources, including:

This is not some obscure movement - at stake is our privacy and this movement may add some sanity to the Liberty/Passport services that are emerging as both competing web services and potential intrusions on privacy.


Planning Smarter: Creating Blueprint Quality Software Specifications is a new book that fills that unique niche between the dozens (or more) books on requirements, and the thousands of books about development.

Read this book with an open mind because it is going to expose specification and planning shortcomings in the major methodologies, such as the Microsoft Solutions Framework, Unified Process and Unified Modeling Language. In fact the author states in the preface that he does not expect readers to agree with everything in this book.

What I like about this book is that it's independent of methodologies and development environments. More importantly, it's not another methodology, but a short, focused book that will teach you how to make your existing methodology workable. It's also focused on the planning process and does not stray from it. Among my favorite parts are:

  • Pathology of bad plans and how to recognize them.
  • A best practices comparison of the CMM, Microsoft Solution Framework, UML and Rational Unified Process. Note that I disagree (as predicted by the author in his preface) that the CMM belongs in the discussion since it's not a methodology but an indicator of process maturity based on key practices.
  • The emphasis on communications during the planning process. This is a common failure point and the fact that an entire chapter is devoted to it makes this book all the more valuable.
The book is engaging because the author has an active writing style and uses anecdotes from real life to reinforce points. It's also filled with common sense (something that appears to be uncommon during the planning phases of many of the hundreds of projects in which I've been involved). If you take the time to carefully read through this book you'll come away with some solid principles that support effective planning, and a process-oriented approach that will fit within any methodology. Do not expect to find procedures for performing quantitative planning activities - those can be found in most books on project management. Do expect, however, to learn how to approach the planning process the right way. I think every software project manager, requirements analyst and specification developer should read this book before taking on their next project or assignment.

Wednesday, April 24, 2002


Back to Reliability. Software quality and reliability are two topics that I discuss frequently. I have a collection of new articles on these important subjects for those of you who are actively involved with reliability and/or quality:

In addition, you may find IEEE Standard 1220-1998, Application and Management of Systems Engineering Process, useful because it adds process to the techniques in the above papers.

Tuesday, April 23, 2002


A new book titled A Practical Guide to Feature-Driven Development proposes a method that I think is on the right track.

What is proposed and described in this book is elegant in that it combines simplicity and power, and effective because it will deliver applications that support business requirements.

Although the approach is based on object-oriented development, and the book is focused on that approach, it can be refactored into function- and procedure-oriented programming environments. Moreover, while the book is written to fit within agile methods, it can be fit to any development life cycle approach. This is because the focus is on features, which translate into what the business needs from an application. This is where elegance and simplicity come in. By focusing on the features needed, applications are less apt to be gold-plated with unnecessary features that developers may think are nice, but add little business value. In this respect the time to deliver is shortened and what is delivered is going to reflect genuine business requirements.

The power of FDD comes from the highly structured approach based on the ETVX (entry-task-validation-exit) framework. Entry criteria are typical: requirements, authority to proceed and other quality gates that must be passed before a development project is initiated. The tasks follow a five-step process as follows:

  1. Develop the model, including scope, validation in the form of walkthroughs, and peer reviews. The approach described in the book assumes an object model, but in a non-OO setting this can be realigned to first-cut system diagramming in the form of block and data flow diagrams, and first-cut design.
  2. Build the features list. The OO approach is domain partitioning based on the model; in a non-OO setting this is where the team maps functional requirements to features.
  3. Plan by feature. This step, in my opinion, shows FDD to be a legitimate software engineering method. Feature prioritization, dependency analysis and effort estimation occur here. Done properly this step will make the difference between success or failure. I do have one issue with the book at this point: the prioritization is done by the technical team - it should be done with the business stakeholders.
  4. Design by feature. This is an iterative step that feeds back into step 1 (build the model) wherein class ownership is determined and the original model is refined based on the design approach. In non-OO environments this would loop back into the first-cut design and trigger trade-off analysis and design refinement.
  5. Build by feature. This is where the application is actually developed on a feature-by-feature basis within the context of the defined architecture (model).
Verification is accomplished using traditional methods. The authors introduce what they call feature-based testing which is no different than product test (also called functional qualification testing, and in some circles, acceptance testing). Verification procedures are thoroughly covered in the book, further adding to the software engineering approach that is incorporated into FDD. Exit criteria is when the sponsors accept the system.

What makes this book important is that it gives a straightforward approach that is based on deliverables (features) within a process context (ETVX). This approach is consistent with best practices in software project management and has the additional benefit of assuring that what gets designed and built is what the customer needs. Bolt FDD onto your favorite methodology and you'll probably see quality increase, and costs and time to deliver decrease.

See the collection of Feature-Driven Development articles for more detail.


In Linda's 20 April entry she discussed John Dvorak's encounter with Windows XP in his article titled The Good, The Bad and Microsoft. There is a follow-on to that article dated 22 April titled The Good, the Bad, and Microsoft, Part Two. If you're thinking of moving to Microsoft's XP you may want to take the time to read these articles.

Sunday, April 21, 2002


If you frequently read this page or its sister, Postcards from the Revolution, you'll quickly discover that we are strong proponents of requirement management. Get the requirements wrong and your project will either fail or, at best, exceed your budget. There are a number of methods for eliciting, documenting and managing requirements, but the best ones involve workshops where the major stakeholders are involved. There are three methods that employ workshops and stakeholder involvement:

  1. Participatory Design (PD)
  2. Rapid Development (RD), sometimes called rapid application development (RAD)
  3. Joint Application Development (JAD)
I recently read a groundbreaking book titled Requirements by Collaboration that synthesizes the best of PD, RD and JAD. To this synthesis it adds modern elements such as business rules.

To understand why this book is a groundbreaking work a little history is in order:

  • Participatory design (PD) was begun in England by Enid Mumford and was refined in Scandinavia by Pelle Ehn and Morten Kyng in the late 1970s.
  • RD (Rapid Development) was first formalized by DuPont in the mid-1980s and was then known as Rapid Iterative Production Prototyping (RIPP).
  • JAD was first developed by Toby Crawford and Chuck Morris at IBM in 1977.
Each of these approaches has one thing in common: participatory requirements elicitation accomplished in a workshop setting.

Most of the previous documents about these approaches focused on general aspects of workshop management and requirements. Although this book certainly addresses these two aspects, it goes beyond.

This book is structured in three parts and 12 chapters. Part I covers the basics of constructing a workshop and provides a comprehensive list of deliverables. The author's web site that supports this book provides checklists and templates in Word and PDF format, which will save you time. The web site also has links to other resources that will prove extremely useful. Part II provides the workshop framework, covering logistics, managing roles and ground rules and the workshop process itself. Part III addresses the strategies for conducting the workshop. What I particularly like about this book are:

  • It defines a process with inputs, tasks and defined outputs (deliverables).
  • Adds structure by aligning business problems to model views, and by defining the deliverables that need to be produced to develop the model. The model views are: behavior, structural, dynamic and control. These cover the four basic business problem domains.
  • Does not lock you into any single model (you can use multiple model types), and provides criteria for selecting the best model(s) to employ for capturing requirements.
  • Introduces business rules, which is (in my opinion) one of the most powerful and effective means of capturing requirements.
The approach set forth is effective and thoroughly modernizes the approaches that were synthesized. More importantly it provides a structure in which to conduct participatory workshops, and clearly defines the types of goals you should be setting based on the business problem, and clear definitions of the deliverables that the workshop should produce. This book goes into my short list of best books read in 2002, and I suspect it will remain on my short list of recommended books for years to come.

Saturday, April 20, 2002


After more than my fair share of challenges that I faced when I upgraded one of my systems from Windows 98 to Windows 2000 (which I needed in order to run Oracle), I thought I was plagued by bad luck. One of the dumbest problems I encountered was the fact that Microsoft's Windows 2000 would not recognize my Microsoft keyboard. But I digress. In his 15 April column in PC Magazine titled The Good, The Bad and Microsoft, John Dvorak recites the problems he had when he installed Windows XP. I am usually neutral about operating systems, but I'm beginning to develop a genuine mistrust of Microsoft.

Friday, April 19, 2002


SureTrak is a Sure Thing. In my 16 April entry in Postcards from the Revolution I briefly described the strengths of my favorite project management application, SureTrak Project Manager 3.0. In my opinion it's the best single-user PM software bar none.

SureTrak was designed with features that practicing project managers need, not glitzy fluff. Among its features are:

  • Multiple calendars - you can have up to 31 base calendars per project, giving you absolute control that is not possible with other PM applications in this price range. This feature allows you to model different resource baselines, which is powerful. Also, unlike MS Project, SureTrak does not assume it knows better than you and change the project in strange and mysterious ways after you've made an adjustment. This alone makes SureTrak worth using.
  • Earned Value project management is built in and works correctly. If you're a PMP you'll not only appreciate the solid implementation of earned value, but should also know that the earned value portions of the PMBOK were developed by members of the Primavera team--Quentin Fleming and Joel Koppelman--who also authored Earned Value Project Management, second edition (see my 18 March 2001 review on Amazon for details). This adds a high level of trust in the way SureTrak works.
  • Project resource leveling works (it's somewhat challenged in MS Project), as does the ability to automatically forecast resource shortages, trace PERT logic, and use precedence diagramming method if you so choose. It also gives you the ability to jump among WBS, resource, activity or PERT views with a mouse click, which shows your project from any perspective. Another nice feature is the cosmic view of the PERT view that shows the entire network in one window and details in another.
  • The reports, profiling and analysis options are too many to list. Suffice it to say that if there is a view or report that isn't shipped with SureTrak (and I cannot think of any), you can easily create one.
Although it has serious features, it also has glitz: you can publish in HTML, add graphics to your schedule and customize bar legends. It also has team features, such as email management, the ability to manage multiple related projects simultaneously, and the ability to exchange files with MS Project via MPX files. Note that there are some losses when you exchange MPX files because SureTrak has features that Project doesn't have and they will not import correctly into MS Project.

If you make the leap from MS Project to SureTrak I strongly recommend investing in Planning Using Primavera SureTrak Project Manager Version 3.0 by Paul E. Harris, which will get you quickly started.

Thursday, April 18, 2002


ISO 9001:2000. Among Linda's recent topics are ISO 9001 and 900-3. There is a single sentence in the new ISO 9001:2000 requirements that's a bombshell: Customer perception, as to whether customer requirements have been met, shall be monitored. There is a book on this topic, Customer Satisfaction Measurement Simplified: A Step-by-Step Guide for ISO 9001:2000 Certification, that has as its sole purpose to provide you with ISO 9001-friendly techniques for meeting the requirements in that sentence. The author provides a clear, 7-step process for tackling that daunting task:

  1. Identify your customers.
  2. Identify their requirements. (Maps to ISO requirements 5.2, 7.2.1).
  3. Determine what you're going to measure, and how.
  4. Measure satisfaction based on step 3. (Maps to ISO requirement 8.2.1).
  5. Analyze the data. (Maps to ISO requirement 8.4).
  6. Report the results.
  7. Communicate the results and employ continuous improvement methods. This complies with the change from the 1994 version in that continual improvement is now required, where it was only implied in the 1994 version.
What makes this book so valuable is that it reduces the complexities for meeting each of the requirements using the process to a series of steps in each process stage. Each chapter contains a summary of the goals, then gives step-by-step procedures needed to attain the goals, and identifies the deliverables that must be produced. This sounds simple on the surface. In reality implementing customer satisfaction requirements management, measurement and continuous improvement is a complex undertaking that not only touches virtually all parts of an enterprise, but also mandates a change in corporate culture.

Additional value in the form of worksheets and checklists covered in the appendices (and provided in electronic format on the CD-ROM) makes this book absolutely essential to any company that is pursuing certification (or is recertifying under the 2000 version).

Other factors that make this book invaluable include:

  • The author's extensive experience in customer satisfaction management is condensed into this reasonably short book
  • Layout of the book makes it easy to follow and find information
  • The straightforward manner in which necessary information is presented.
This is the only book, to the best of my knowledge, that solely focuses on this aspect of ISO 9001:2000. Fortunately, it covers all of the essentials and leads you step-by-step through the process of meeting this important set of requirements. I personally believe that it's the key to getting certified under the 2000 requirements because of the scope and magnitude of effort that is required to comply with a seemingly innocuous requirement that can be a major barrier to achieving certification.

Wednesday, April 17, 2002


When Will They Stop? Are you using Microsoft's XP family of products? If so you should know that it may be doing things behind your back. A 12 April article titled Win-XP Search Assistant silently downloads files is yet another of the growing reports of how the tagline, Where do you want to go today? is starting to look like I'll take you where I damn well please.

Microsoft isn't the only culprit. Consider the ramifications of Data Mine—Or Yours? by Diane Savage, then read World Without Secrets that Linda discussed in her last entry. That book has an associated web page from which you can download a sample chapter and read related articles.

The only reassuring news in the past week is an Associated Press article titled Web Group OKs Privacy Standards.


ISO 9001 & CRM. Mike is preparing an entry about the ISO 9001:2000 requirement to manage and measure customer requirements. This requirement, as he will show, will make attaining (or maintaining) certification a challenge. At some point customer relationship management is going to become a hot topic. The best book on the topic that I've found is Jill Dyché's The CRM Handbook: A Business Guide to Customer Relationship Management.

This book is thorough, clear and filled with useful information. It's organized in two parts. Part 1 defines CRM in chapter 1 and in the next six chapters covers the reasons and issues for implementing CRM from five perspectives: (1) Marketing, (2) Customer Service/Call Centers, (3) Sales Force Automation, (4) E-business and (5) Data Analysis. The case studies, all based on real clients and situations, add life to the well written chapters on marketing, customer service and sales force automation. In addition each chapter contains nuggets of insight, clear discussion of the topic and numerous checklists and tables that you can use for your own projects.

Part 2 covers delivering CRM and is structured in the logical sequence of planning, tool selection and CRM project management. Like the first part of the book the four chapters in Part 2 contain case studies, checklists and excellent advice. It is in this part of the book where you'll benefit from Jill's experience because she reveals common traps and pitfalls, and gives advice on how to deal with them or bypass them altogether.

What I like about this book is that it covers the business and technical parameters, requirements and issues. Jill's writing style makes it not only readable, but engrossing as well. She goes into considerable detail about how and why CRM is important to meeting business requirements and gives business metrics, explains differences between CRM and business intelligence, and the pros and cons of all issues and factors. Because she covers the subject from the five perspectives I listed above this book is valuable to all possible stakeholders in a CRM project. I especially liked her use of the Porter value chain and how she leads you through the development of a business case for CRM.

If you're involved in CRM, or are in a company that is implementing ISO9001:2000 (which requires that organizations have an effective method of measuring customer satisfaction to achieve ISO certification), then this book will be your most valuable source of information.

The Dark Side of CRM. It's ironic that after finishing Jill's The CRM Handbook the next book I pick up is World Without Secrets. This book is chilling for a number of reasons, but the top ones (in my opinion) are:

  • As an IT professional I am involved in CRM (customer relationship management), which has a goal of knowing your customer and providing individualized service. This requires knowing your customers and collecting data. After reading this book I had to step back and think about the impact on privacy and customer rights. This is a Catch-22 situation wherein providing high levels of service requires a great deal of data, but the same data eats away at privacy.
  • The array of technologies to gather information, including those that have migrated from the intelligence community into business and/or law enforcement, further chip away at privacy. This is exacerbated by laws passed and national attitudes since September 11. Privacy and freedoms are interrelated, so these technologies, combined with laws and attitudes pose a threat to our freedom as well.
  • Attitudes, business imperatives and social evolution are merging to change the entire social fabric of our way of life - and we are active participants in some aspects, and in other aspects we are facilitating this change. The way we are doing that is through willingness to accept changes that are detrimental to privacy, and/or the pursuit of meeting business imperatives and competitive advantage without fully examining the long term ramifications.
What I like is the way the author thoroughly and systematically addresses the threats to our privacy, freedom and well being. The discussion in "Rise of the Mentat", aside from catering to fans of Frank Herbert's Sci-Fi masterpiece, Dune, will open your eyes about how information is processed and fed to us. After reading this chapter you'll wonder how much you really know, and how much of what you think you know is based on all available facts and data.

However, the real eye-opener is the way that virtual communities are coming together in ways that could not have been predicted ten years ago. The Internet has enabled people of like interests, both benevolent and malevolent, to find one another on this planet, band together and begin exerting influence. In the same manner that maps drawn with political borders do not display cultural borders, these groups called "Network Armies" in the book go beyond cultural or national interests and are changing our social fabric in ways that the author only touches upon.

This book is well written, filled with examples and facts, and arrives at thought-provoking conclusions. It does not matter if you work in IT or another technology-focused industry, law, business or non-profit organizations, what this book has to say and the facts and conclusions that are presented are important. If the author is correct (and I think he is), our lives are changing in dramatic ways and this book is a rough roadmap to where we're headed.

Tuesday, April 16, 2002


Book Review. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes by Albert J. Marcella Jr. (Editor) and Robert S. Greenfield (Editor). Thorough and suitable for the experienced professional.

This book is an excellent follow-on book to Computer Forensics: Incident Response Essentials by Kruse and Heiser, which introduces the fundamentals. See my 14 April entry in Postcards from the Revolution for details. This book goes much deeper and is more technical than Kruse and Heiser; therefore the ideal audience is practicing professionals who have prior experience in forensics and a wide range of hardware, software and network knowledge.

Tools and techniques are presented in painstaking detail. I was unable to find a single gap or omission, which speaks highly of the editorial and review process behind this book's 464 pages. While most technical disciplines can dispense with finer details, the nature of forensics is to overlook nothing. If you find the step-by-step thoroughness boring that is an indication that forensics may not be your forte; if you're an experienced professional you'll appreciate the coverage of every technique or use of tools.

While the discussion of tools and techniques will satisfy even the most experienced practitioner, I found the detailed discussion of legal aspects, HR considerations and overall security and incident response processes to be the book's strongest points. This area is what sets forensics experts apart from technicians, and it is here that the book (in my opinion) adds the most value. Procedures ranging from how to properly gather, preserve and control evidence, to legal considerations for designing processes are covered in clear language, as are US and international legal guidelines.

Parts that I especially like include: intrusion management and profiling, up-to-date information on electronic commerce legal issues, the numerous checklists and cited resources, and the clearly delineated process for dealing with incidents.

If you're new to forensics you will probably get more from this book by first reading Computer Forensics: Incident Response Essentials by Kruse and Heiser. If, however, you have previous computer forensics experience or are currently serving in that role this book is probably one of the best investments you can make.

The book's accompanying web site keeps it up-to-date and provides additional material and links on forensics and other security-related information.

Monday, April 15, 2002


Mike's last entry in Postcards from the Revolution about CMM inspired me to thumb through Ken Dymond's excellent A Guide to the CMM: Understanding the Capability Maturity Model for Software. That book and Kim Caputo's CMM Implementation Guide: Choreographing Software Process Improvement are two of the most effective books for anyone who needs to understand and implement the capability maturity model.

Last summer Mike and I were playing around with Paintshop Pro (see my 29 May 2001 review) and created a graphic that depicts the evolution of process maturity. We had fun creating the graphic, and made sure that it was consistent with the capability maturity model levels. We also made sure that it was aligned to our professional focus, service delivery.

As I was pondering Dymond's books, another book came to mind: Jill Dyché's The CRM Handbook: A Business Guide to Customer Relationship Management. Was it the 3-letter initials, CMM and CRM? Both authors' last names, Dymond and Dyché, starting with the letter 'D'? Or the excellent writing? Minds work in mysterious ways.

However, if CRM is a topic that interests you, you'll like the MS Word document titled Customer Relationship Management: Successful Implementation and Innovative Practice. This 17-page document, in presentation format, captures the essence of CRM.

I'm a loyal fan of Jill Dyché. She is smart, personable and straight-talking. I first discovered her when Mike lent me a copy of her first book, e-Data: Turning Data into Information with Data Warehousing. As luck would have it, she was checking her book standings on Amazon and noticed my 30 June 2001 review, then spotted Mike's 28 June 2001 review. She contacted me, and sent both Mike and me copies of The CRM Handbook: A Business Guide to Customer Relationship Management. My goal this month is to write an Amazon review, and a glowing one at that. Both of Jill's books are outstanding and have my highest recommendation.

Now it's time to return to my studies so I can complete my requirements and pass the tests for Oracle Certified Professional. Believe me, it's not an easy certification to earn.


Administrative Note. Over the next few days my ISP will be doing maintenance. Most of the documents we provide here reside on the server that hosts tarrani.net. You may experience Document not found errors during the next 48 hours. If there are any documents that you absolutely need during this period let me know and I'll e-mail them to you.

Sunday, April 14, 2002


Scalability and Performance + Yet More About Architecture. In my 8 April entry I mentioned Greg Barish's excellent book, Building Scalable and High-Performance Java Web Applications Using J2EE Technology. I was so impressed with the common sense approach that Mr. Barish proposed, and his clear writing, that I did a little investigating. As it turns out, Mr. Barish isn't your run-of-the-mill developer who wrote a book, but is a Ph.D. candidate in the prestigious USC Computer Science Program. Two additional papers authored or coauthored by Mr. Barish that I found interesting are:

  1. Using Tcl to Rapidly Develop a Scalable Engine for Processing Dynamic Application Logic. I recently cited the findings and conclusions from this 11-page PDF document to support the use of Tcl in a proposed project.
  2. World Wide Web Caching: Trends and Techniques. This 8-page PDF document is one of the clearest discussions of caching as a scalability technique that I've read. It's lavishly illustrated and masterfully explained.

An additional document that serves as a nice capstone on my previous entries about architecture is Conflicts Among Architecture Evaluation Criteria, which sorts out some of the issues related to architecture evaluation that I've been discussing.

Saturday, April 13, 2002


More About Architecture. As a follow-on to my previous entry I have additional documents that are of interest:

Friday, April 12, 2002


On Architecture. A new book that adds to the software architecture body of knowledge is Evaluating Software Architectures: Methods and Case Studies by Paul Clements, Rick Kazman and Mark Klein.

The authors provide an in-depth treatment of three methods for evaluating software architectures, all of which were developed at the Software Engineering Institute with involvement by the authors. The methods examined are:

  1. ATAM (Architecture Tradeoff Analysis Method)
  2. SAAM (Software Architecture Analysis Method)
  3. ARID (Active Reviews for Intermediate Designs)
Each of the above addresses software evaluations in increasing levels of detail, with the book's main emphasis on ATAM.

What makes this book so valuable is the fact that you can learn much about developing software architectures from the criteria with which they are evaluated. For example, the discussion on quality attributes is eye-opening because what architects consider to be well formed quality attributes are usually too vague to properly evaluate, resulting in ill defined architectures in the first place. Knowing how to evaluate the architecture will provide the keys for defining a solid architecture. More important is the way the authors define the outputs of the architecture evaluation, which gives the practicing architect a framework for design that fully meets the evaluation criteria. The net result is that a defined architecture will unambiguously communicate the design to the development team, as well as to the QA team.

I especially like the business-oriented approach that addresses the costs and benefits of evaluation, the three approaches from which to choose the one that best meets technical and business goals, and the case studies that support each of the approaches. Another strong point about this book is that architecture is also evaluated with production in mind. Too many books only consider architecture from the development point of view, or in rare cases, from development and QA points of view. The evaluation techniques in this book extend to support and maintenance. The authors make selection of the best technique easy by comparing them in Chapter 9, and provide an approach to implement evaluations in Chapter 10.

If you're an architect I also recommend augmenting the excellent material in this book with Design and Use of Software Architectures by Jan Bosch, which gives an alternate method to ATAM that is more complete in many respects. Even if you espouse Bosch's approach, however, the approach and techniques given in Evaluating Software Architectures: Methods and Case Studies are complementary. I personally recommend both books and assign equal value to them.

Additional Resources:


Items of Interest. In Postcards from the Revolution I've been discussing the organization and core processes in the foundation layer of the Tarrani-Zarate Model. Some of the work product and supporting material that I've amassed do not fit well into that discussion, so I am going to share them here:

Also, since I've previously been discussing ISO 9001 and TickIT, I'm sharing a graphic depiction of ISO 9001 called the ISO 9001 Roadmap. Enjoy and have a wonderful weekend.

Thursday, April 11, 2002


Are We Winning Yet? Mark Twain once quipped, "I refused to attend his funeral. But I wrote a very nice letter explaining that I approved of it." I refuse to use Hailstorm, but I certainly approve of the following news article: MS pulls the plugs on Hailstorm, pending rethink.

The demise of Hailstorm (however temporary while they're engaged in rethinking in Redmond) caused me to do some thinking about e-commerce risks. The fruits of my research into some of the top issues yielded the following documents:

The PowerPoint presentation titled Business Process Data Activity Analysis is related to risks and controls, and to the process thread that Mike and Linda are maintaining in this weblog.


More on Metrics, Processes and Systems Integration. This entry will cover a range of topics, with an emphasis on metrics. One of the most important books on IT metrics was just published: IT Measurement: Practical Advice from the Experts. This book is a panoramic view of metrics across the enterprise. Although the book is written by members of the International Function Point Users Group it goes well beyond software estimating. It encompasses measurement techniques that are consistent with function points, but are also useful when applied to other methods.

As expected, the book starts with a discussion of function points, its evolution as a methodology, and how it has evolved as a means of measuring a full spectrum of attributes, such as quality, productivity, time and effort. In addition to generic attribute metrics this book shows how function points can be applied to earned value project management, developing a balanced scorecard that views the enterprise holistically, business and e-commerce metrics and evaluations and benchmarking.

Parts that I especially like include:

  • The complete data collection, analysis and action process that is embodied in the book. This can be used in any setting, such as the Constructive Cost Model (CoCoMo), as well as FP.
  • IT work units, which are applicable to production services and support. This dispels the notion that function points are only useful for software estimating. This is also augmented by a later section in the book that addresses IT and business measures that is sure to change the way you approach measuring the overall value of IT.
  • Demonstrated use of function points as a viable project estimating technique that extends to projects other than software development.
  • Clearly written explanation of statistical process controls.
I've only highlighted the parts of the book in which I have personal and professional interests. The book contains much more material that covers the entire spectrum of enterprise metrics, including case studies and reflecting the views of each individual author who contributed chapter(s). In my opinion this book is, and will remain for years to come, one of the most important texts on IT measurement. Time will tell, of course, but I can assure you that it's the best book on the subject that is currently available.

Traffic Engineering. Network traffic engineering is a science that can be applied to not only circuit capacity, but any activity or process where queuing is involved. This includes help desk staffing and similar uses. The basics are explained in Traffic Engineering, which is an outstanding 29-page overview that starts gently and goes into the details. If you are currently struggling with capacity planning for Voice over IP, the VOIP calculator, which is an Excel application, will help you arrive at capacity plans that are traced to quantitative analysis instead of the usual method (throwing money at the problem). You'll also want to read our previous entries that cover capacity planning, as well as the PowerPoint presentation about measurement capability.

Processes. Much of what I cover in this weblog is about software engineering. The MS Word document titled Integrating Iterative Processes examines life cycle approaches and is something every architect, project manager and software engineer will find interesting.

Systems Integration. If you are faced with an enterprise integration project you'll undoubtedly be using XML (if not now, you can be sure that you will be in the future). Connecting E-Commerce to XML is a good starting point for understanding the issues.

An excellent book on the topic is XML, Web Services, and the Data Revolution. In many respects this book extends David Linthicum's B2B Application Integration by focusing solely on the data aspects, and explaining the web services approach that has matured after Mr. Linthicum's book was published.

This book defines the tools, cuts through the hype and sorts out the pieces needed to design and deploy enterprise-wide solutions. What makes it particularly valuable is that it doesn't side with the two major factions espousing web services - the Microsoft .NET and Sun-sponsored J2EE approaches are presented without bias (refreshing in itself considering the hype and industry posturing). The same objective treatment of approaches by IBM, BEA, HP and Oracle is given, which ensures that you have ample insights into the available approaches to developing web services. Of course, SOAP, the XML-family of protocols, and UDDI are also covered in depth using clear writing and excellent illustrations.

What I particularly like about this book are:

  • The way Chapter 1, Extending the Enterprise, presents a coherent picture of the complexities of web services and enterprise integration. This is done in less than 30 pages and packs an amazing amount of information into those pages.
  • Chapters 3 (XML in Practice), 4 (SOAP) and 5 (Web Services) drill down into the guts and sort out the complexities - especially the discussion of web services, which doesn't [yet] seem to have a standard definition.
  • Chapter 7's discussion of XML security, which is a nice and needed touch that rounds out the information provided in the book.
You won't find specific development information in this book, and that makes it more valuable in my opinion. If that is what you're seeking there are other books that address that topic. I do believe that Linthicum's B2B Application Integration and William L. Oellermann's Architecting Web Services will complement this book - Linthicum's for the big picture (especially for legacy system integration) and Oellermann's for the process-oriented approach. I strongly recommend this book to anyone who is involved in architecture, specifications or development.


Problems in Paradise. Although it should come as no surprise to anyone who is involved in security, a trio of MS-Office security vulnerabilities has been reported. What would be a surprise is if we could go an entire week without a reported security flaw in Microsoft products.

Did Microsoft acquire Yahoo while nobody was looking? Yahoo apparently wants to compete with Microsoft through the use of a mechanism called a Web Beacon. This piece of code will track your activities long after you've departed Yahoo sites and services. See their explanation (at least they've disclosed the existence of web beacons). Also note that about halfway down the page in the body text there is a way to opt out (see Please click here to opt-out.). If you don't want to be stalked you may want to do just that. Just don't click the button marked Cancel Opt-Out at the bottom of the window, else you'll be back where you started: stalked.

Wednesday, April 10, 2002


Capstone. In my previous two entries I discussed performance, capacity and scalability. I want to end this thread (for now) with three documents that are related, and also cross into QA:

  1. System Engineering Metrics Primer
  2. Software and System Metrics
  3. Software Reliability Tutorial
Want more? Not to worry - these topics are among the foremost in my professional interest and you'll see much more on these topics as time goes on. You may want to read earlier entries here and in Postcards from the Revolution for related material that I've already posted.

Tuesday, April 09, 2002


Performance Processes. In my last entry I discussed a number of performance and capacity planning books that I especially like. I covered the established books from the most prolific and known book authors. There is another book by Connie U. Smith and Lloyd Williams that is one of the most important recent works to emerge: Performance Solutions: A Practical Guide to Creating Responsive, Scalable Software. The books I cited in my previous entry were focused on techniques, while this one is about process. Moreover, while Jain, Menasce and Almeida are prolific book authors, Connie U. Smith and Lloyd Williams are also prolific writers who have made an impressive contribution to the body of knowledge in the way of whitepapers, journal articles and seminars.

I've collected a number of documents by these lesser known, but equally important, practitioners and wish to share them:

The above are but a sampling of the work that Smith and Williams have published, but the sampling captures their approach and adds wrinkles to the foundation of knowledge published by Jain, Menasce and Almeida in books. More important, what Smith and Williams bring to the practice area is process. If you are interested in performance, capacity and scalability, then you should read Performance Solutions: A Practical Guide to Creating Responsive, Scalable Software.

Monday, April 08, 2002


Performance & Scalability. I've been corresponding with Greg Barish, the author of Building Scalable and High-Performance Java Web Applications Using J2EE Technology (see my 4 April and Linda's 3 April reviews on Amazon), and have the highest regard for that book. I won't bore you with my entire review, but do want to highlight what I like about it:

[W]hile the performance and scalability techniques presented in this book don't approach those embodied in books by Daniel A. Menasce and Virgilio A. F. Almeida, or Raj Jain, they are more than sufficient for software engineers and architects ... The value of this book is that it does make scalability and performance techniques accessible to most developers, even those who are math-challenged (and there are quite a few of them out there)...
Who are Menasce, Almeida and Jain? They are among the foremost experts on capacity planning and performance/scalability. Raj Jain is probably the father of performance analysis. His seminal The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation, and Modeling is one of the most comprehensive books on the subject. It's also not easy to read unless you have up-to-date math skills. I use MathCad to work through examples in this and other books, making learning much easier. Mr. Jain also coauthored Practical Performance Analyst with Neil J. Gunther - I have this book, but got it in the same timeframe that I discovered the body of work by Daniel A. Menasce and Virgilio A. F. Almeida. These two writers have taken the foundation laid by Raj Jain and have built upon it through a series of excellent books. While their work does not supersede Jain's first book, it does keep it alive in spirit and currency. The books they published, in chronological order, are:

There are valuable spreadsheets and other material on the Scaling for E-Business website, as well as supporting materials for the other books by Menasce and Almeida.

Sunday, April 07, 2002


Busy ... Business. We're all busy these days. Mike, Kate and I are developing a proposed solution to requirements set forth by Media Lab, Asia (we're working this as members of the Thinking Minds, Inc. team). I am immersed in my Oracle Certified Professional Training, and Mike and Kate are working on a project that will take them to Kuwait at the end of the month.

What's New. Since we are so busy I want to rekindle the thread that Mike is still working about processes and strategy. A PowerPoint presentation on Information Systems Strategy provides excellent information and a structured approach to developing a strategy. The strategy is the root of policies, processes and procedures, and it also ties nicely into Mike's and my entries about the Tarrani-Zarate Model that we're discussing in Postcards from the Revolution. A related document is Models of Quality, which covers the Goal-Question-Metric approach (among others).

Because we are working on a proposed solution that addresses development of a collaborative computing environment, I want to share one of our source documents we're using that discusses the key issues of web engineering. This document is not the same approach as set forth in Nick Flor's excellent book, Web Business Engineering (see Mike's and my reviews dated 16 and 14 September 2001, respectively). Where the book is focused on a business approach, the PowerPoint presentation I'm sharing is more technical in nature.

I want to wrap up with two documents about service management. We usually focus on that subject in Postcards from the Revolution, but many readers here do not read our sister weblog and the topic is too important to our profession. The documents are:

  1. IT Service Management Whitepaper - this document is brief and covers all of the important points.
  2. IT Service Management in eGovernment, which is focused on the IT Service Management Forum's approach, and documents successes achieved by the Government of Ontario. Although the theme is eGovernment, the information applies to commercial organizations as well.
Best wishes from Azusa, California - Linda Zarate.


Waxing Poetic. Competitive intelligence is all about following news stories and piecing together trends, moves and counter-moves. To quote from Edna St. Vincent Millay's First Fig:

My candle burns at both ends;
It will not last the night;
But, ah, my foes, and oh, my friends;
It gives a lovely light
Indeed, there are movements afoot and intrigue in the industry:

The point of this is not only the news itself, but the fact that competitive intelligence is useful to all of us.

Late entry by Mike Tarrani - there is lag between the time these entries are written, and when one of us reviews and releases them. This is one case in which I have an additional item to add to what Kate has reported above.

I'll keep this editorial remark in the same spirit as Kate's report by quoting from Edna St. Vincent Millay's Second Fig, which is unerringly appropriate:

Safe upon the solid rock the ugly houses stand
Come and see my shining palace built upon the sand

Yes, the security and reliability traits of certain products do appear to be palaces built upon the less-than-solid foundation of sand. The special report titled IBM's Return to Dominance shows that systems built upon the solid foundation of reliability, availability and supportability - and security - bode well for consumers.


In my 5 April entry I promised to give a more in-depth review of Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw.

What makes this book so important is that the authors provide an analysis of the major problems with all software, and give a collection of techniques with which to address the recurring problems, such as buffer overflows, access control exposures, randomness flaws and other security-related defects. They do not attempt to provide specific solutions. Instead they raise an awareness of the common problems, discuss the underlying causes, and give a framework that developers can use as the basis for developing secure software.

Key points of this book that I found especially useful include:

  • Even treatment of commercial and open source software. I found this refreshing because there are two camps, Microsoft developers and open source advocates, each of which criticizes the other. Yes, Microsoft has a bad reputation for security, but the open source faction has its own challenges, and the authors show the strengths and weaknesses of each in an objective manner.
  • Surprises, such as documented cases of peer reviews that failed. I am an advocate of this technique, yet here is a case where a flawed, two-line piece of code that was extensively reviewed by literally thousands of reviewers and readers of a technical publication slipped by without notice for a long time.
  • The ten guiding principles for software security encapsulate the essence of building secure software. This list and the discussion of each principle should be required reading for every architect, developer and QA engineer.
  • Chapter 1 (Introduction to Software Security) and Chapter 6 (Auditing Software) give a framework for security and a methodical approach to quality assurance. These, in my opinion, are the heart of the book.
In addition to software security from a developer's point of view, this book also addresses other areas that need to be closely examined in order to achieve a solid security posture. In particular I liked Chapter 14, which covers database security, especially the treatment of statistical attacks. If you're a DBA this alone will make the book worth buying because despite the most careful design of views and access controls you may still be vulnerable in surprising ways. The chapters on Client-side security and firewall issues are also filled with excellent information, as is Appendix A (Cryptography Basics).

The authors have imparted the sum of their extensive experience in this book. It's up to you to take that experience and apply it. The book's accompanying website adds further value.

Saturday, April 06, 2002


My special friend, Muthukumar U, sent me an interesting article titled Lemon Law for Software? that is completely in line with my thoughts on the subject. This article proposes the opposite of UCITA (discussed in previous entries). As an aside, I should be in Kuwait in a few weeks, and may have the opportunity to meet Muthukumar in person. He and I have been corresponding for nearly a year, and have collaborated on projects in the past. He's a risk management analyst for HSBC Bank Middle East in the Sharjah, UAE offices, so we'll be close enough to visit.

Kate reported in her 2 April entry that Microsoft's anti-Unix campaign backfires. Here's an update that is sure to bring another smile: Anti-Unix site returns - on MySQL? - at least they managed to move the site to IIS ... of course, they'll probably have to hire two additional bodies to keep up with the security patches, and an additional dozen to monitor security. The question I have is, how did they even become a monopoly? Sounds more like a stand-up comedy routine to me.

Friday, April 05, 2002


Culture and Process. One of the most interesting articles I've read in a long time is Cultural Obstacles to Measurement and Process Maturity. This article validates the assertions Mike has made here in previous entries, but I am not entirely sure I concur with all of the author's conclusions. In a nutshell, the article posits that,

[I]t's easier to implement CMM in a "prescriptive" culture. Professionals from cultures with a history of British dominance tend to embrace prescriptive models with far less resistance than their American counterparts.
I personally believe the thesis that there is a difference between prescriptive and the ad hoc nature of the U.S. culture. I'm not quick to buy into the history of British dominance part. Is it a coincidence that CMM level 1 is defined as ad hoc and the cultural nature in the United States can be described as such? I think not.

That said, I do agree with the intent of the article, to show that there are cultural gaps and the implied message that we need to become more procedure-oriented. What I see as the root of the problem is that we in the U.S. are more focused on management, when it takes leadership to establish and maintain a culture of process maturity. I believe a closer examination of the problem will reveal insights that take this article to another level. Regardless of my disagreement with portions of the article, however, I hope it gets read by a wide audience (which is why I chose it as my topic), and that the cultural barriers to implementing process maturity in the U.S. as the rule rather than the exception fall.


What I'm Reading. One of the reasons I've been keeping such a low profile is because I'm immersed in Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw. I'll be posting my review of this book on Amazon and here Saturday night, but in the interim I want to mention that this book is absolutely essential reading if you have any role in software development projects.

Another book that has received unanimous rave reviews is Writing Secure Code by Michael Howard and David Leblanc. Ironically, this book is published by Microsoft Press.

I haven't read it, but judging from comments this is another essential book for anyone who is serious about developing secure software, and is on my list of books to buy and read. Lest you question the credibility of this book because of Microsoft's notoriety for insecure software (as reported by the trade press), bear in mind that Microsoft Press publishes books by authors who have no connection with Microsoft's business other than writing books. Therefore, do not discount this book until you've checked it out - something that I plan to do.

Thursday, April 04, 2002


Run, Forrest, Run. Yes, you can cast off the braces that shackle you and run like the wind. The case study about Life Time Fitness and How to Bid Farewell to Microsoft shows that you can escape. Also worth reading: Bad Software Can "Enronize" Anyone.

Web Services. Nobody seems to agree on the exact definition of web services, but that doesn't stop it from being a hot topic. Imperial Sugar Rebuilds on Web Services is an excellent case study of how to look beyond the buzzwords and muddled definitions and harness technology to meet business requirements (which were dire in this case). Linda and I reviewed two books that look beyond the trendy definitions and go to the heart of practical use(s) of the technology:

  1. Architecting Web Services by William L. Oellermann Jr. (Linda's 17 December 2001 review; my 13 December 2001 review)
  2. Building Scalable and High-Performance Java Web Applications Using J2EE Technology by Greg Barish (Linda's 3 April 2002 review; my 4 April 2002 review)

Wednesday, April 03, 2002


Risks & Requirements. The April 2002 issue of CrossTalk is out and is essential reading for project managers, software engineers, and requirements analysts.

What's inside:

Good stuff all! I am always enamored with articles that provide quantitative measurements, processes and lessons learned, and this issue has it all.

My bliss after reading the entire issue was leveled by the Backtalk section. This is the last page in each issue and is usually a humorous look at some aspect of the theme. However, this column, titled Risqué Requirements, had more stark truth than humor (not that it wasn't facetious in its own way). The guest columnist, Gary Petersen, wrote what I consider to be one of the most incisive analyses on what's wrong with our profession that I've had the pleasure and pain of reading in a long time. I'm tempted to quote and provide my own analysis, but it would only diminish the clear message that Mr. Petersen broadcasts. I encourage you to carefully read the article, then download it, then send it to your friends, enemies and everyone else who works in software engineering in any role.

Tuesday, April 02, 2002


Scalability & Performance, Quality, Process and Outsourcing. The busy weekend is behind me and I'm ready to face the world of IT and work. Although many of my weekend activities were focused on family and the holiday, I found time to squeeze in a book review and consolidate a few loose ends. The book review first.

Building Scalable and High-Performance Java Web Applications Using J2EE Technology - Clear description of important concepts

While this book uses J2EE as the basis for scalability and performance strategies in web application development, it is also useful regardless of the development and technical environment.

The author begins this book with the clearest and easiest-to-follow descriptions of performance and scalability and how to measure them that I've ever read. The same treatment was given to web applications architecture, which is the second topic in sequence. I like Mr. Barish's straightforward, conversational writing style and use of simple (but effective) illustrations, graphs and examples that make complex concepts easy-to-grasp.

I stated above that this book can be used outside of the J2EE environment, and here are the chapters that are generic enough to accomplish this: 1 (Scalable and High Performance Web Applications), 2 (Web Application Architecture), 4 (Scalability and Performance Techniques), 5 (HTTP Client/Server Communication), 10 (Effective Database Design) and 12 (The Future of Web Applications). While each of these chapters is well written and goes into sufficient detail for developers and architects, I particularly liked chapter 10 because he explained relational database fundamentals and SQL programming with such clarity that I got more from the 42 pages that comprise this chapter than I did from a 300+ page book on the topic. The follow-on chapter on JDBC and SQL is as well written. Another reason why I liked chapter 10 is that many developers understand how to develop servlets and components, but do not have sufficient understanding of relational databases. This book rectifies that, which is particularly important since most real world applications are data intensive and need to connect to databases.

Additional strong points about this book include: code examples are only given to reinforce a concept or show an example. Don't expect to find a recipe book based on code - this book is about making it scalable and giving it performance characteristics. The J2EE-specific parts of the book use realistic examples and propose real world approaches. However, the strongest aspect of this book is the author stays focused on scalability and performance throughout the book, always ending each chapter with scalability and performance hints that are related to the chapter's topic.

This book is for architects and software engineers who are building applications that support business-critical needs. It's clear, concise and exceptionally well written.

Loose Ends. I've recently discussed ISO 9001 and outsourcing in entries here and in Postcards from the Revolution. I am going to devote my next efforts to helping Mike describe the Tarrani-Zarate Model in Postcards from the Revolution, and before I embark on that I want to provide the remaining documents I have on ISO 9001 and outsourcing to cleanly close out those topics (for the time being - I'll revisit them at a later date). The documents are:
  • ISO 9000-3, which is a PowerPoint presentation on that important standard for software and services.
  • CMM and ISO 9001, describing the relationship between the capability maturity model and ISO 9001 quality standard, and giving a comparison. (PDF format).
  • Vendor Perspective of Outsourcing (MS Word format - how the dark side views outsourcing).
If ISO 9000-3 is a topic in which you're interested you'll want to visit ISO 9000-3 1997 Guidelines in Plain English.

Parting Note. We frequently address security here and in Postcards from the Revolution. I just discovered International Security Technologies, Inc.'s page on Cost of Risk Analysis. This is a commercial product that is worth investigating. The site also has a collection of whitepapers that are valuable and informative, and independent of the product.


April Fool? Mike's facetious 1 April entry was no joke. There is more to add about what I consider to be poor integrity of products coming from Microsoft. As a competitive intelligence specialist I certainly see the advantage of having competitors using Microsoft products. However, since exploiting security holes is an illegal and unethical approach to gathering intelligence, I cannot take advantage of the exposures that are reported or the problems that seem to go with using Microsoft products.

In addition to the issues that Mike raised, here is another that was reported on 2 April: MS security patch fails on local files. It's no coincidence that Mike, Linda and I all use Netscape - we closely follow security issues and the reported problems with Microsoft products are one reason why we avoid using them when there are alternatives. Of course, there are barriers to escape as shown in Windows Messenger 'Trojan update'. Sounds like monopolistic behavior to me. Oh, I forgot - they're convicted of monopoly. Never mind.

One approach to resolving the problems is proposed by Sun's chief scientist, John Gage, in a 29 March interview with The Register. See Make Microsoft pay for bugs and BSODs - Sun's Gage for the full text.

Intellectual Property and Lunacy. The Gage interview is important for reasons other than Microsoft's problems - the true message is in his thoughts on intellectual property; specifically what he has to say about Surviving Valenti. Along these lines the Wired News article titled The Kazaa Ruling: What It Means is an outstanding analysis of intellectual property issues, especially as they relate to peer-to-peer and file sharing. It's a brave new world and the law makers just don't seem prepared to deal with it. But deal with it they must. See ElcomSoft squares up to Feds in Sklyarov test case. This is the first time in a case that will challenge America's controversial Digital Millennium Copyright Act (DMCA). In my opinion this is a good move. For more background see the 16 November 2001 article titled IP conference: copyright law has gone too far. Not only has it gone too far, it seems to cater to special interests and is anti-consumer. If you want to closely follow these issues read Lisa Rein's weblog - she is on top of the issues and pulls no punches when reporting them.

A Smile a Day. You just have to smile when you read reports like Microsoft's anti-Unix campaign backfires. Never ascribe to malice that which can be explained by stupidity. Just don't be stupid yourself - there's sage advice in Your Biggest Threat, and you'll do well to heed the advice.

Final Note. I'll be working with Mike on a project in Kuwait (Insh'Allah) - Insh'Allah means God Willing. And if He is willing, in a few weeks I will have an opportunity to engage in process design, developing reference data and applying knowledge management in support of service delivery goals. Salaam from Irvine, California.

Monday, April 01, 2002


Want Competitive Advantage? I think I've managed to come up with a strategy for achieving competitive advantage before Kate Hartshorn, our resident competitive intelligence specialist, thought of it. Here it is: pay for your competition's upgrades to Microsoft products. Dumb idea? It depends on whether you subscribe to Niccolo Machiavelli's approach to strategy. Consider the following recent news items, then draw your own conclusions:

I wish I could say the above is in the spirit of April Fools' Day, but the sad truth is if you're using the products cited, or are considering an upgrade, you may want to devise a strategy for dealing with the exposures. You may also want to read my review of Acquisition: IT Due Diligence (one of the IT Manager Development Series books) in Postcards from the Revolution.


Objective, Objectivity and QA. Late last week I received a message from the originator of the RSI approach to use cases. RSI stands for "Requirements-Service-Interface". I first learned of this technique from Quality Web Systems: Performance, Security, and Usability. I was so impressed with the approach that I wrote in my 22 September 2001 review of the book:

[t]his book contained a real gem: RSI approach to use cases. RSI (Requirements-Service-Interface) is an interesting and highly useful approach to use cases. Some key strengths of using the RSI paradigm is that you will ensure traceability between requirements and the services and interfaces that are implemented. Moreover, this approach partitions services and interfaces, which allows you to manage the complexities when developing a test strategy and associated test cases. To me the chapter on RSI was worth the price of the book.
RSI's originator, Mark Collins-Cope, also wrote most of the chapter that so impressed me. The reason he sent me the e-mail is that he's gathering feedback on RSI, and is particularly interested in how I approached partitioning services and interfaces, and managing the complexities of developing a test strategy and associated test cases (I'm paraphrasing Mark's message). I do not have notes that I can share, but if you've used RSI and have supporting material please contact Mark. He's open to collaborating on a whitepaper.

Mark's company, Ratio Group, publishes a valuable newsletter (ObjectView), and has a publicly available technical library that covers object-oriented development, component-based software engineering, UML and related topics. The documents are well written, detailed and of the same quality as chapters from major technical book publishers.

Manisha Saboo sent a Zip archive full of Usability Testing artifacts, which I'm sharing. Manisha's a top software quality professional who always has something interesting to say about quality, software engineering and related topics.

New and Newsworthy. The March issue of TUSC Client Chronicle is available (top item is Kevin Loney's article about online database block size rebuilds in Oracle 9i). Also the newest issue of The Data Administration Newsletter is available, as is the newest issue of Doug Kaye's IT Strategy Letter.

Good afternoon from Tustin, California.

Sunday, March 31, 2002


Are you in a time warp? Have you visited this weblog or its sister, Postcards from the Revolution, discovered no new entries, then returned the next day to find entries that were date/time stamped as being posted during your earlier visit? You are not going crazy. We post our material, but don't publish it until one of the other team members has peer-reviewed it. In that respect we practice the same quality procedures that we preach. Invariably something will slip through, but it usually gets corrected by Kate Hartshorn who is one of the sharpest technical editors I know. As a team we all have come to depend on Kate's meticulous command of English and grammar, and I have grown to depend on her for much more. I'll leave that topic for another time.

Risky Business. I recently discovered a site that you'll want to bookmark: Risk Audit Benchmarks, which is like having an online list of common business risks a mouse click away. There are no long-winded dissertations, just a list of common risks for a number of business areas. Although it's little more than a memory jogger, it's a comprehensive one, as evidenced by the list of internet based applications risks.

My Previous Entry. On the topic of risks above, and the software defect and project management discussions in my last entry, the paper titled Avoiding Premature Delivery of Software serves as a keystone for many of the topics I've introduced. Another paper that augments my last entry is Screening Contracts for Product and Process Development. There is a contradiction between the approach I advocate (the buyer is responsible for requirements) and the views of the authors that claim the seller is responsible. However, that does not diminish the value of the paper because the underlying message is to carefully examine your supplier's processes.

Security is Everybody's Responsibility. It is also an important consideration in any IT contractual arrangement. Security for IT Contracts is a paper that should be read and heeded by buyers and sellers alike.

Neat Packages. I'm going to wrap this up with two documents that support the ones in this entry and in my preceding entry: A single-page MS Word document that summarizes Deming's 14 points (think of it as either an inspiration or an extension of your conscience), and an IT Security Evaluation Manual (this 261-page MS Word document may save you days of effort and shave off a significant fee to consultants if you tailor it to your organization and employ it).

Good morning from Tustin, California.

Saturday, March 30, 2002


A Rose by any other name. At what point does knowledge management become process management? If you carefully study the Agile Enterprise Reference Model the distinction becomes blurred. Knowledge management, like all other disciplines, is a collection of processes. The Agile Enterprise Reference Model, however, is clearly process-oriented. You can download the model in MS Word format for off-line reading.

All that glitters. A wealth of related material is available from Paradigm Shift International's series of articles called Real-Time Chronicles, short essays on the emerging knowledge of agile enterprise.

Down to Earth. I've put together three collections of presentations and documents that show different facets of knowledge management:

  1. Knowledge Management as a Profession.
  2. Knowledge Management Theory.
  3. Knowledge Management Practice.
All the news that's fit. I wish to share three more documents that do not neatly fit into this entry's theme:
  1. A brief (terse is a better word) PowerPoint presentation on Systems Theory.
  2. PowerPoint presentation on KM Metrics Framework (if you can't measure it, it doesn't exist!)
  3. Knowledge Management and the Enterprise
Good morning from Irvine, California.


Buying Software and Other Frightening Acts. In recent entries in Postcards from the Revolution we're discussing software RFPs and related topics. It all boils down to the same issues and factors, regardless of what you're buying - a house, car, landscaping. You want the best possible product or service at the best possible price. The seller wants your business and to make a profit. At issue is quality, and in the case of software, quality encompasses a number of attributes:

  • Works in your environment without requiring upgrades, modifications to your equipment or processes and does not impose a maintenance burden.
  • Contains the features and functions you specified.
  • Is free of defects.
Bug or Feature? Of course, the list of attributes is longer, but these are the major ones.

Let's focus on the last: free of defects. There used to be a facetious saying, It's not a bug, it's a feature. In real life, if requirements and specifications are poorly written the definition of defect may be open to argument. I like Cem Kaner's article titled, What is a Software Defect? because he clearly defines what a defect is, and as importantly, what a defect is not. Mr. Kaner is a well known software quality professional and an attorney, so a prudent person would consider his definition as at least a starting point.

Caveat Emptor. Testing, especially acceptance testing, is the responsibility of the customer. This holds true whether you're buying a car or outsourcing software development. Therefore, before a contract is signed there has to be agreement between both parties as to what constitutes quality and non-quality, how defects are to be handled when your acceptance test detects them, and a plethora of related issues that are beyond the scope of this entry.

One of the goals of acceptance testing is to make sure that the features and functions you specified are actually included in the software and they operate consistently with what you specified. My preferred method for specifying requirements is through business rules. I've covered this method in reasonable detail in Postcards from the Revolution, so I'll only mention them here. However, there are other methods that may be a better fit to your organization's processes and procedures for requirements management. One article that shows viable alternatives is Requirements that Handle IKIWISI, COTS and Rapid Change by Dr. Barry Boehm. IKIWISI stands for I know it when I see it (a common phenomenon encountered by requirements analysts and facilitators), and COTS is commercial off-the-shelf software.

If you are contracting for software development with a vendor that employs object-oriented methods (or are developing in-house using them), you may want to read Business Rules and Object Role Modeling, which aligns the business rules approach to object-oriented methods.

It's About PM. There is more to outsourced or in-house software development than requirements, specifications and acceptance testing - there is an entire life cycle that needs to be managed. While there are distinct issues that need to be addressed when the project is outsourced, there are common issues shared by outsourced and in-house development. I've put together a Zip archive that contains three short PowerPoint presentations that cover the project management basics as a PM briefing. In addition, the PowerPoint presentation titled Nature of IT projects will prove useful, especially the facts cited in the form of quick quizzes.

You may also want to get a copy of the 1996 version of the Project Management Body of Knowledge (the 2000 version is not available as a complete document in the free version). Don't forget that properly closing out projects is as important as the initiation and management processes. You'll find valuable advice in the MS Word document titled Project Post Mortems. This connects nicely with Kate's work supporting knowledge capture.

Loose Ends. Wrapping this entry up are three documents that relate to what I've covered above:

  1. Cost-Benefit Analysis of Test Automation. At some point it's going to make good business sense to invest in test automation tools. This paper will help you to determine when is the optimum time to make the investment and expected ROI. Don't forget to have a process in place before spending money on tools!
  2. Familiar Metric Management - Effort, Development Time, and Defects Interact, which seamlessly ties together project and testing metrics.
  3. Customer Negotiation Metrics - 17 PowerPoint slides you should read before sitting down with your vendor.

Friday, March 29, 2002


Process and Architecture. Kate and Linda have both written entries about process in one form or another during the past two days. I'm going to continue with documents that discuss aspects of process.

One interesting paper that blends software and system engineering processes and process improvement is titled Assessing the Rational Unified Process against ISO/IEC 15504-5: Information Technology Software Process Assessment Part 5. ISO/IEC 15504, also known as SPICE (Software Process Improvement Capability dEtermination) is a viable and popular assessment method, and part 5 of the document set specifically addresses the assessment model and provides indicator guidance. An FAA document titled Guidelines for Software Measurement (MS Word format) takes a different view of the subject and is more aligned with the Capability Maturity Model approach to assessment and process maturity. If you're trying to build a business case for implementing the CMM, a short MS Word document titled CMM Benefits contains a summary of the ROI achieved from implementing the CMM in a sampling of companies.

If your focus is architecture Model Driven Architecture provides a process approach to developing sound architectures. For teams that are working within the Rational Unified Process or employing key elements, such as unified modeling language, Using UML for Architecture Description is a worthwhile resource.

On the purely business side of IT processes IT Efficiency and Business Value and a companion document (both in PDF format), Principles of Effective IT Management give ideas and methods for IT operational process improvement and business/IT alignment.

What I'm Currently Reading. I'm working my way through a pile of books right now, but one stands out as excellent: Building Scalable and High-Performance Java Web Applications Using J2EE Technology by Greg Barish. First, let me assure you that I haven't been enticed to the dark side and am turning into a developer. That will never happen. What makes this book so interesting is the author's focus on scalability and performance, and his ability to clearly write about these two subjects. I have a pile of books on performance, capacity management and related topics and can attest that clear writing makes the difference between merely grasping concepts and achieving enlightenment. This book will enlighten. Linda just wrote her review of this book so I'll leave it to her to provide a more complete description of this book. I will say that you need not be a developer to gain a great deal of knowledge from it.

Thursday, March 28, 2002


Of Processes and Service. The theme unfolding in the latest entries here is process design. Designing and implementing service management processes are TEAM Zarate-Tarrani core competencies, and will be the recurring subject of entries here and in Postcards from the Revolution.

Tie-in. I'll start by providing a document that supplements Mike's recent entry on policies and how they relate to processes: Managed Service Provider Security Policy. This document serves as an example policy document, and can be used virtually unchanged by any company that provides managed or outsourced services.

On the topic of processes and process improvement, Application Service Provider SWOT analysis (strengths/weaknesses/opportunities/threats) gives an in-depth look into all facets of ASP services. I also like the way Service Level Improvement Method discusses the ways to baseline service levels as a starting point for a process improvement initiative. Patching Blind Spots in IT Processes takes the improvement method in the former document one step further, and is valuable to anyone who is embarked upon IT process improvement.

Every minute of my weekend has been committed, so I'll not be posting here until Monday. Happy Easter.

Wednesday, March 27, 2002


Knowledge Fest. I've been reading Working Knowledge: How Organizations Manage What They Know, which has inspired much additional research in quest of related material. My research has yielded a large number of documents and presentations, which I'll dole out in manageable portions over the weekend. There are three that I'll make available today to whet your appetite:

  1. Knowledge Modeling
  2. Knowledge Value Chain
  3. Intelligence Monitoring
The last document does not fit within the theme of Working Knowledge: How Organizations Manage What They Know as much as competitive intelligence, but I so liked it that I'm sharing it immediately.

Check in here and in Postcards from the Revolution over the weekend for more material because I'll be posting in both weblogs every day.

Tuesday, March 26, 2002


Out of the Wilderness. Open source development, or using open source software in the enterprise, is not as straightforward as the proponents would have you believe. Nor is open source as fraught with risk, if properly understood, as its detractors would have you believe. The problem is that there seems to be no middle ground in the literature. I've found that you're either promised paradise or eternal damnation, depending on who wrote the literature. That was the case until Understanding Open Source Software Development.

This may be the perfect book about open source software because it places open source within the context of business value and does not promote it as the great panacea that characterizes the message of far too many books on the subject.

What I like is that, after providing an overview of open source, its history and proponents, the authors discuss how to analyze open source software within two major frameworks: the Zachman framework (see prior entries) that was developed in 1987 and is popular today as an enterprise-wide information systems paradigm. The book also introduces a newer framework called CATWOE. I'm new to the latter, but it is solid and is independent of open source. CATWOE stands for Clients, Actors, Transformations, World View, Owners and Environment.

The remainder of the book discusses aspects of open source as they relate to the CATWOE framework, which ensures that fair and complete treatments of the business and technical issues are given. I would have liked a more in-depth discussion of the legal issues and business risks that are associated with the GPL; however, that information is in a state of flux and is probably best gotten from daily news sources.

If you want to understand open source software development, especially as it relates to business value, this book is the one I recommend. The authors also have an associated web site that supports the book.

Monday, March 25, 2002


In & Out. I've been pulled in many directions this past week, but want to share three documents that captured my attention:

  1. Assessing the Value of Business Intelligence
  2. Measuring Process Effectiveness
  3. eContinuity and the Internet
The first document links business imperatives that Mike has discussed here and in Postcards from the Revolution to my specialty, competitive intelligence.

Measuring Process Effectiveness also has a direct connection between Mike's series on processes here, and competitive intelligence in that process measurement is important to those who are designing and implementing processes and those of us who reverse-engineer competitor processes to determine if they are a threat to our own competitive posture in the market.

If the third document has you scratching your head wondering where the connection is, consider how difficult it would be to gather competitive intelligence without the wealth of resources provided via the Internet. Yes, there was a time not so many years ago that we did it the hard way. But most intelligence gathering operations would be dead in the water today if the Internet would suddenly be unavailable.

Welcome a New Face. Marcia Hopkins has joined us as a contributor. She brings a new perspective to this and Postcards from the Revolution with her unique background and experience.


Process - Part 3: Policies. In my 21 March entry I gave an example process, using IT change control and the ETVX model to illustrate how a process works. I concluded the entry by stating that the process did not contain policies and left that for this discussion.

What is a Policy? A policy is a directive that has the following attributes:

  • scope and applicability (what and whom does the policy govern?)
  • comes from a source of authority that exercises control over all individuals who have roles and responsibilities in carrying out, enforcing or complying with the policy
  • governs the scope of the processes and procedures that enable or support meeting the policy's objectives
  • traceable to business imperatives (if you've been following my discussion of the Tarrani-Zarate Model in Postcards from the Revolution you'll have a basic understanding of business imperatives)
  • enforceable
Mechanics. These imply that there is a system of authority, responsibility and accountability. The authority behind the policy is directly responsible for the implementation, execution and enforcement of the policy. Even if responsibility is delegated, the direct responsibility should be placed on the authority who created the policy.

Responsibility entails accountability for how well or poorly the responsibility has been discharged. This chain of authority-responsibility-accountability is a basic precept of leadership and the foundation of any organization.

Why Policy? Without policies there would be no control mechanism for processes. In the real world there are processes that are operating without governing policies, but such processes are often ad hoc and too often are a duplication of effort or are inefficient at best and wasteful at worst.

Relationships and Connections. Here is how it's supposed to work and why: business imperatives spawn policies. These imperatives come from many sources, including law, competitive pressures, the fiduciary responsibility of the board and executive management to safeguard shareholder value, etc. The execution of the policy is within the scope of processes, which are decomposed into procedures (see the ETVX model in my 21 March entry).

A few rules of thumb:

  • Policies are executed via processes, and processes are comprised of procedures and validation points.
  • Processes without governing policies have no controls, and if they cross organizational boundaries, depend on personalities instead of positional authority.
  • Policies without processes have no repeatable means of being executed and are probably unenforceable.
  • An unenforced or unenforceable policy erodes authority and can result in morale problems, inefficiencies and worse.
  • A policy needs a source of authority who has control over all stakeholders.
Example Policy. The following policy is linked to the change control process presented in my 21 March entry. You'll see direct links between the policy, roles and responsibilities and the process itself.
It is the policy of (Enterprise) to manage the life cycle of all information systems supporting its business and technical objectives. As such, the processes and procedures for change control set forth in this policy document govern change and release management. The scope of this policy is the management of changes to the production environment. Specifically: before any change to a system or a baseline, the proposed change will be evaluated and approved by the (Enterprise) Change Control Board.

No approved change will be implemented without:

  1. Entry criteria needed to initiate the change control process.
  2. An approved plan of action with milestones for implementation, that provides a sequence of events or steps for implementing and releasing the change into the production environment, a roll-back plan, assigned roles and responsibilities and post implementation validation (PIV) test plan.
  3. A completed test plan showing the results of testing the change in a pre-production or staging environment.
  4. Approval from the application owner(s) affected by the change and the business systems manager responsible for the application or system being changed.
  5. A formal review by the Change Control Board to ensure that all entry criteria for the change have been met.
Any system or application failure or defect traced to a change made to a system or application that was not made in accordance with this policy, process and procedures will result in disciplinary action. Specifically:
  1. The error will be communicated to all stakeholders of the affected system and/or application.
  2. Individual(s) making the unauthorized change will be required to develop an action plan specifying which measures will be taken to avoid a future occurrence of the failure or defect.
  3. The action plan will be reviewed and approved by the individual's management chain and posted in a public place for review.
Closely examine the policy statement above, then compare it to my definition and discussion. Also analyze the process that was described in my 21 March entry and see if there are any gaps in the integrity of the policy or the process.

Here's a key question: from which level in the organization should come the source of authority for the policy and process we've been discussing? Hint: it's not IT.

Next Up. My next entry on processes will discuss goals, critical success factors and key performance indicators.

Sunday, March 24, 2002


Supporting Information. My independent research has intersected Mike's current series of entries on policies, processes and procedures. Among the documents that I've been reading that apply to Mike's topic are:

The last two should interest anyone who is applying or implementing a quality program.

Quality and People. I've also posted two new reviews on Amazon that tie into the above documents:

Demystifying ISO 9001:2000: Information Mapping's Guide to the ISO 9001 Standard. I like this book for two reasons:
  1. It steps you through what it takes to implement a quality system based on ISO 9001:2000
  2. It shows how to develop your quality manual and documentation using Information Mapping techniques.
First, the approach to ISO 9001:2000. The author clearly explains what ISO 9001 is and what to expect in the certification process. If you're new to ISO 9001 (or 9002 or 9003) then the comparison in Chapter 2 between the 1994 and 2000 versions can be safely skipped. If your organization is already certified, or you wish to move from 9002 or 9003 to 9001, then the explanation of the differences is extremely helpful. Chapters 3 through 8 are standard fare that you would expect to find in any book about ISO 9000-series. What sets this book apart is the clear writing and ease of finding information. If you've read other books on the subject you know how dry they can be. This book is as lively as the subject matter permits (believe me, *any* book on the subject is going to be ponderous reading).

Chapter 9, Transition Planning, stands out as among the most valuable in the book (or any book about ISO 9000 in my opinion) because it covers the make-or-break issues for achieving certification. As an Information Mapping practitioner I especially liked the discussion of documentation considerations. I've long been convinced that Information Mapping and quality documentation should be integrated. With respect to ISO 9001 there has been much reluctance on the part of companies pursuing registration to stray from the rather ugly standard format of quality documentation. I hope this book changes that because the approach that the author proposes will add value to the quality manual by making it easy to read by all levels in your company, while keeping it 'assessor friendly' for certification and re-certification purposes.

People CMM. In the seven years since the 1995 release of the P-CMM, version 1 I've not encountered any sincere effort by any US client to implement the process. My personal theory is that the P-CMM was little known outside of the software engineering community, especially the DoD-related community, when it should have received wider dissemination to human resources and higher-level management. This book from a mainstream publisher should change that. With respect to the model itself, the previous reviewer has done a remarkable job of describing the model and how this book supports it. I have a few additional notes to add:

  1. This book is about version 2, which corrects some flaws in the first version which had team building at level 4. In version 2, described in this book, team building has been placed at level 3.
  2. Another change from version 1 to version 2 is the alignment of the P-CMM to the CMMI, especially with respect to integrated product and process development.
  3. Version 2 adds institutionalization goals to each process area.
If you have previous experience with the older versions of P-CMM, or CMM-SW, or the newer approaches as set forth in later versions and CMMI, you'll note that there are two implementation models: staged and continuous. The staged approach is the only supported implementation for P-CMM version 2.

The book goes into extraordinary detail about the P-CMM and how to implement it. You can easily use this book as a roadmap to achieving levels 2 through 5 of the P-CMM, or as a resource for improving the people part of the people-process-technology triad that defines IT. As such you need not have certification as a goal to gain value from this book. If you do decide to pursue certification at level 2 or higher, however, I strongly recommend that you also get a copy of Kim Caputo's CMM Implementation Guide: Choreographing Software Process Improvement. That book, while focused on implementing the CMM-SW, contains sage advice and a sound approach to dealing with the real problems that you'll encounter: organizational inertia and resistance, training and implementation issues and obtaining the key ingredient - commitment to perform.


I just finished reading Doug Kaye's second issue of his IT Strategy Letter and am overwhelmed by the depth of analysis and array of topics covered. Doug is well-connected in the industry and is an insightful observer. Add the fact that he is an articulate writer who addresses topics that are of interest to consultants, IT managers and those in the trenches, and you'll understand why I listen to what he has to say.

The newest issue of Methods & Tools is also out. This issue covers the following three topics:

  1. Understanding the Unified Process.
  2. Software Process Improvement: Assessing Readiness
  3. Web Site Mapping
You can subscribe to this newsletter, read back issues or catch up on breaking news at the Newsletter's home page.

Saturday, March 23, 2002


More Books. I've discovered two excellent books, both of which I've recently reviewed on Amazon. As I wrote the reviews it occurred to me that the overall quality of IT-related books has dramatically improved over the past two years. My two favorite publishers are Prentice-Hall and Addison-Wesley. These two imprints are now a part of the Pearson Publishing Group.

Testing. The newest book on software testing, and one of the better ones I've read, is Rapid Testing. This book provides a testing process and associated techniques that add the agility required to meet fast-paced business requirements without sacrificing the due diligence or controls necessary to manage risk.

There is nothing especially new about the processes or techniques that the author proposes and explains; however, the way the processes are designed recasts tried and true methods into a streamlined process. Indeed, if the rapid testing process is correctly implemented it's possible to reduce testing cycle time while improving quality. I like the way the author begins by clearly defining terms. I know from experience that "acceptance test" means one thing in one organization, and something quite different in another. What I especially like, though, is the clear process itself, which consists of four major elements, each of which is thoroughly addressed in the book:

  1. People.
  2. Integrated test process.
  3. Static testing.
  4. Dynamic testing.
Another key strength of this book is the way the traditional (and much maligned) waterfall model is transformed into a hybrid called a parallel waterfall. This hybrid model is the best of the waterfall and V model, and like the V model, it tightly integrates testing and development. The author's approach to activity-input-output in the discussion of life cycle models is close to the entry-task-validation-exit process model, and the structure that is presented allows you to develop a process chain that produces predictable and repeatable results. This approach is partially why the testing process can be rapid without compromising quality or ignoring risks.

In Part II the book provides tips and techniques. Again, there is nothing especially new, but all of the key techniques are covered, including requirements and analysis, test planning, executing and reporting. Black box testing is covered well, as are an array of dynamic testing techniques (equivalence partitioning, boundary value analysis, memory leak testing, use case testing and performance tests.) If you're in a Microsoft-centric environment you'll appreciate the material on memory leak testing, and if you are in a development environment that employs UML or the Rational Unified Process the techniques for use case testing will prove helpful.

Part III provides detailed examples that are based on material presented in Part II. Overall this book lives up to its title by providing a 'safe' and effective process for rapid testing.

Project Management. One of the most exciting finds is Quality Software Project Management. This is, without a doubt, the most comprehensive book available on software project management. I don't make this statement lightly - I have over two dozen books on the subject, and have reviewed a significant portion of them on this site. It isn't the fact that the book consists of 33 chapters and 7 appendices and consumes nearly 1700 pages that makes it comprehensive. What distinguishes this book from the rest are:

  1. A process-oriented approach that is completely consistent with the PMI PMBOK, fully supports requirements for the higher levels of the capability maturity model, and can be adapted to virtually any life cycle model.
  2. It completely covers the important elements of planning, scheduling and control, including work breakdown structure development, associating tasks and deliverables, estimating (the focus is on the constructive cost model), advanced scheduling techniques (including critical chain scheduling that has emerged from the theory of constraints body of knowledge), and earned value project management.
  3. Ties software engineering, system engineering, reliability, SQA and software configuration management to the project process. Many books briefly address these, while this book addresses the requirements, issues and techniques head-on.
  4. Business plan development, requirements analysis, project deliverables and other artifacts are thoroughly covered.
  5. The web site that augments this book has errata, templates and checklists (in HTML format), links and other material that supports using the book as a course text.

There are so many things I like about this book, but the size and depth of content make it nearly overwhelming. My favorite chapters are 21-Metrics, 26-Continuous Improvement, 28-Post Performance Analysis and 32-Legal Issues. However, these reflect my personal interests. The book is, in my opinion, uniformly excellent. The only flaw I found was the scant attention given to releasing an application or system into production, and no mention of how to tie together issue management to the enhancement and maintenance cycle that initiates once an application is in production. However, to be fair, this book is focused on project management and not software engineering. An outstanding companion to this book would be Successful Software Development by Scott E. Donaldson, Stanley G. Siegel, which provides the same in-depth treatment of software engineering as this book does for project management. See Linda's 11 September 2001 and my 5 September 2001 reviews of this book for more details.

Friday, March 22, 2002


Gordian Knot. In my last entry I discussed complexity and perception. To many these topics are akin to the Gordian Knot, which if you know how to untie will give you skills and knowledge that will serve you well. I'm going to recommend two books that will help you to untie that knot:

  1. Turning Numbers Into Knowledge: Mastering the Art of Problem Solving. This book isn't as much about numbers as it is about how to think. In fact, numbers aren't introduced until chapter 27, which is exactly midway through the book. The author, Jonathan Koomey, skillfully leads you through the process of learning to think critically, probe, question and analyze. Along the way he helps you to develop a mindset and collection of tools and techniques, which prepare you for the second half of the book that does cover numbers and how to interpret them, transform them into knowledge, and use them to solve problems. This 221 page book is a masterpiece because it's clearly written, offers sage advice and contains easy to perform--yet powerful--exercises throughout. Unless you've mastered critical thinking and problem solving you'll ignore this book at your peril.
  2. Systems Thinking: Managing Chaos and Complexity (subtitled, A Platform for Designing Business Architecture) is to understanding complexity and perception what Turning Numbers Into Knowledge is to critical thinking skills. Like that book, this one has more to do with techniques and concepts than with what the title implies. To be sure, it does delve into designing business architectures, but the focus is on sorting through complexities and perceiving reality without filters. I'm going to share two examples that underscore this book's approach, and why I think it's one of the more important books one can read:
    • Counter-intuitiveness in social dynamics is illustrated with a cause and effect diagram that clearly shows counterintuitive behavior in a welfare system. The diagram shows how a program designed to reduce the number of poor families can actually cause the opposite effect.
    • A side story about a birth control project in India illustrates perceptual differences between and among cultures and deeply influenced my own perceptual awareness. The synopsis of this story is the foundation team who was trying to teach birth control gave an incentive in the form of a free transistor radio to anyone who attended their educational lectures. Despite their best efforts the birth rate remained at a steady average of 4.6 per family. This unchanging fact was a source of great dismay and perplexity to the team of Americans who were about to deem the project a failure. Fortunately they dug deeper into the causes and discovered that in India there are no retirement benefits, social security or unemployment benefits. The retirement system is based on three sons. It takes an average of 4.6 births to produce three sons, so the mystery was solved. This short story was used to reinforce a triad of factors that support decision making: cultural, emotional and rational. We tend to examine the rational, which represents only one third of what needs to be considered. The rest of this book contains the same deep insights throughout and gives you the tools and approach to untie that Gordian Knot.
If this topic interests you please see my entry today in Postcards from the Revolution, which uncovers some of the roots of contemporary knowledge management and collaborative computing.


I recently posted a review of Information Systems Success Measurement on Amazon. This book reflects best practices in a narrow discipline, and is important to anyone who is concerned with delivering (or proving) value using information technology. My review:

The nine chapters in this book are essays that are written by experts in their fields of expertise, with contributions by Garrity and Sanders who are credited on the cover.

Each of the chapters can stand alone, although they are presented in a sequence that builds upon the preceding one. Each chapter ends with endnotes and references. Chapter 1 introduces information systems success measurement as a discipline. It does so in clear terms and is consistent with each of the subsequent chapters. Chapter 2, Dimensions of IS Success, is especially strong in that it introduces models, including DeLone and McLean's model for IS success, and variations that show different viewpoints. It decomposes the dimensions into domains, provides questionnaires, and ends with an appendix that gives example ratings and measurements. This chapter shows how to quantify factors and portray success in hard numbers.

Chapter 3 extends the previous one by providing a 3-D model approach to measurement. Because I work in multi-cultural and multi-national environments I especially liked Chapter 4's focus on cross-cultural environments. In addition, the legal aspects of measurement, which are Chapter 5's topic, are essential reading. Regardless of your specific interests do take the time to read this short chapter because it applies to anyone in IS/IT. One glaring omission here is UCITA (Uniform Computer Information Transactions Act), which is an optional modification, on a state-by-state basis, to the Uniform Commercial Code (which is covered).

The remaining chapters address (Ch 6) Comprehensive Model for Assessing Quality and Productivity, (Ch 7) Development of Process and Outcome User Satisfaction, (Ch 8) Interpretive Approach to IS Success Measurement, and (Ch 9) Five Secrets to Systems Success. Each contained one or more interesting concepts and/or sparked ideas. Because much of my work as an IT consultant involves process improvement strategies and service level management I found this book to be an invaluable source of information. Each of the chapters contains valuable information, insights and ideas that will be useful to anyone in IT management or service delivery roles.

There are two documents that will interest anyone who is among this book's primary audience:
  1. IT Efficiency and Business Value, which is a brief, nine-page overview.
  2. Principles of Effective IT Management, which is more of a book. Its 186 pages, in presentation format, cover all of the key topics, and it is one of the best documents on the big picture available for free.
End Notes. I hope to find the time to continue my process discussion during the weekend. I'm sure that Kate or Linda (or both) will also contribute items of interest over the weekend.

My most recent entry in Postcards from the Revolution addresses the business requirements layer in the Tarrani-Zarate Model, and this material is directly related to IT critical success factors and value. Next up in that discussion is the link between business requirements and service level objectives.


My newest review just posted on Amazon. The book is Practical Software Measurement. What I couldn't say in the review, because Amazon doesn't allow URLs to be included in reviews, is you can download two chapters of the book directly from the PSM website:

  1. Chapter 1, Measurement Key Concepts and Practices
  2. Chapter 2, Measurement Information Model
More importantly, you can also download the official guidebook, an application called PSM Insight, and related whitepapers and documents. All are free, but you do have to fill in a simple registration form.

Thursday, March 21, 2002


Things aren't as they always seem. Competitive intelligence specialists, knowledge management analysts and software engineers share one core skill: information gathering and analysis. It matters little whether you're seeking information about competitors or trying to nail down requirements, the tough part is recognizing what you see for what it is in reality.

The potential for misinterpreting an observation, statement of fact or a more subtle indicator is great. We're human and subject to mental filters that cloud or color our perceptions.

MIT's Perceptual Science Group has some interesting lessons in perception. I was fascinated (and amazed) by the simple, effective demonstrations of lightness perception and lightness illusions. While this doesn't appear to have much to do with information gathering it, in fact, has everything to do with it because it goes to the essence of cognition. We are knowledge workers, and cognition governs how well or poorly we perform any task that calls for analysis or reasoning.

Another resource that provides background material that connects perception with systems under observation, especially complex systems, is New England's Complex Science Institute's page on Visualizing Complex Systems Science.

Granted, this is not your normal fare for IT professionals; however, it does give insights about how we think and provides guidance on how to sort through complex problems. One final site that I think will interest anyone who wants to dig deep into cognition and perception is The Complexity & Artificial Life Research Concept for Self-Organizing Systems. This site isn't about the cutting edge of science and cybernetics - it covers arts and sciences. The page that interested me the most is about Value Metascience and Synergistic Choice. In plain terms the subject is about how to apply complexity thinking to the world around us.

Before you write this off as impractical theory that doesn't apply to what you do, remember this wonderful quote from Hamlet:

There are more things in heaven and earth than are dreamt of in your philosophy.
I think what the Bard was trying to convey is to not dismiss something out of hand because it seems to be outside of what you consider to be your frame of reference. The corollary is a quote from George Orwell's 1984:
I enjoy talking to you. Your mind appeals to me. It resembles my own mind, except you happen to be insane.
You decide.


Process - Part 2. I am picking up where I left off in my 11 March entry. In that entry I discussed the basics of processes and introduced the ETVX model. Today I am going to provide a real life process as an example for how ETVX can be applied to processes.

Example. Change control is a key IT operations management process that is governed by policy (more about policies tomorrow), and is accomplished through a series of tasks. Refer to the graphical depiction of the process as you read through it.

Entry Criteria. The change control process is initiated when there is a requirement to make a change. Change is defined as any of the following:

  1. New system - application, operating system, database, hardware platform or infrastructure.
  2. Major upgrade to an existing system - version release, new or upgraded components and/or subsystems (hardware or software), database schema reorganization, etc.
  3. Minor upgrades to an existing system - patches, modifications to existing scripts or additional scripts (batch, shell, SQL, etc.), minor database schema reorganization (dropping columns, adding or modifying constraints, triggers and stored procedures, etc.) and infrastructure changes that are transparent to end users (i.e., upgrading IOS in a Cisco router, etc.).
  4. Changes to service level objectives - permanent maintenance window changes, changes to problem management response times, mean-time-to-repair metrics, availability commitments, etc.
  5. Maintenance to any system that has dependencies with the system being managed - in this special case the subject matter experts (SMEs) will open a change request to document the maintenance being performed on the inter-dependent system even though the SME has no direct control over, or responsibility for, the system. For example, if a particular application exchanges data with an application that is managed and supported by different SMEs, and is owned by a different application owner, a dependency exists. The SME for the external application is responsible for initiating change control. However, since the change will affect the second application, that application's SME will open a change request as well. This provision will ensure that the scope of the required impact analysis will extend to all systems that are affected by the change. It will also ensure that each SME remains cognizant of any change or maintenance activity that affects his or her system.
The following are the minimum entry criteria that must be met before the process can move to the task stage:
  1. Release notes, build analyses, installation manuals and any other documentation that is needed to correctly test and install the product (hardware or software).
  2. Test results from QA (product test/UAT and/or pre-production/staging).
  3. Operational requirements, such as special training, maintenance window considerations, help desk entry criteria, spare parts, etc.
Tasks.
  1. Perform an impact analysis. Deliverable: completed impact analysis.
  2. Develop planning package. Deliverable: description of change and why change is being made (including benefits and how the change will create value for the users), how the change will affect users during the implementation (scheduled start and end time, impact on maintenance window and service level objectives), implementation plan, roll-back plan, roles and responsibilities, notifications, quality assurance plan.
  3. Provide operational requirements, implementation plan and change request to application owner and SME for review and approval.
  4. Application owner approves change.
  5. Technical owner approves change.
  6. Submit change control package to change control coordinator.
  7. Change Control Board reviews and approves the change request.
  8. Change is implemented in accordance with implementation plan.
  9. Change action is closed out as complete.
Validation. The following are checkpoints in the change control process:
  1. All entry criteria will be checked for accuracy and completeness by the SME(s).
  2. Application owner will review and approve the change request before proceeding.
  3. SME's supervisor will review and approve the change request before proceeding.
  4. The change control coordinator will review the implementation plan and change request for accuracy and completeness before including the change as an agenda item at the next scheduled change control board.
  5. The change will successfully pass all post implementation validation test checkpoints before the change is released into production, else the change will be rolled-back.
  6. In the event of a roll-back there will be a root cause analysis performed and responsibility for eliminating the root cause and, when applicable, developing a process improvement plan will be assigned to individual(s) by cognizant authority. The change request will also be cancelled and resubmitted after the root cause has been determined and eliminated.
Exit Criteria.
  1. The change is successfully released into the production environment or cancelled and resubmitted depending on validation checkpoints above.
  2. After a change is successfully released into the production environment the change control coordinator will close out the change request as completed.
Policies. It may appear that policies are mixed with this process, but they aren't. Tomorrow I am going to provide the policies that govern the process just described, then discuss the relationship between policies and processes.
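The entry, approval and exit gates of the change control process above can be enforced in code rather than by convention. The following Python is an added example, not part of the original entry; the class, state and artifact names and the sample systems and SMEs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Gates taken from the entry's ETVX description of change control.
ENTRY_CRITERIA = ("documentation", "qa_test_results", "operational_requirements")
PRE_APPROVAL_DELIVERABLES = ("impact_analysis", "planning_package")
APPROVAL_ORDER = ("application_owner", "technical_owner", "change_control_board")


class State(Enum):
    DRAFT = "draft"              # entry criteria not yet checked
    IN_TASKS = "in_tasks"        # entry gate passed, tasks under way
    IMPLEMENTED = "implemented"  # awaiting post-implementation validation
    CLOSED = "closed"            # released into production, request closed out
    CANCELLED = "cancelled"      # rolled back; resubmit after root cause is fixed


class GateError(Exception):
    """A step was attempted before its ETVX gate was satisfied."""


@dataclass
class ChangeRequest:
    system: str
    artifacts: set = field(default_factory=set)
    deliverables: set = field(default_factory=set)
    approvals: list = field(default_factory=list)
    state: State = State.DRAFT
    root_cause: str = ""

    def enter(self):
        """Entry gate: every minimum entry criterion must be present."""
        missing = [a for a in ENTRY_CRITERIA if a not in self.artifacts]
        if missing:
            raise GateError(f"entry criteria missing: {', '.join(missing)}")
        self.state = State.IN_TASKS

    def approve(self, role):
        """Approvals are accepted only in the order of the task list."""
        if self.state is not State.IN_TASKS:
            raise GateError("entry criteria have not been met")
        missing = [d for d in PRE_APPROVAL_DELIVERABLES if d not in self.deliverables]
        if missing:
            raise GateError(f"deliverables missing: {', '.join(missing)}")
        if len(self.approvals) == len(APPROVAL_ORDER):
            raise GateError("change is already fully approved")
        expected = APPROVAL_ORDER[len(self.approvals)]
        if role != expected:
            raise GateError(f"next approval must come from {expected}, not {role}")
        self.approvals.append(role)

    def implement(self):
        """Implementation is allowed only after all three approvals."""
        if self.state is not State.IN_TASKS or tuple(self.approvals) != APPROVAL_ORDER:
            raise GateError("change is not fully approved")
        self.state = State.IMPLEMENTED

    def validate(self, passed, root_cause=""):
        """Exit gate: close on success, otherwise roll back and cancel."""
        if self.state is not State.IMPLEMENTED:
            raise GateError("nothing to validate")
        if passed:
            self.state = State.CLOSED
        else:
            self.state, self.root_cause = State.CANCELLED, root_cause
        return self.state

    def resubmit(self):
        """A rolled-back change returns as a new request once a root cause is recorded."""
        if self.state is not State.CANCELLED or not self.root_cause:
            raise GateError("resubmission needs a cancelled request with a root cause")
        return ChangeRequest(system=self.system)


def required_change_requests(changed, exchanges, sme_of):
    """Map each SME to the systems they must open a change request for:
    the changed system plus every system that exchanges data with it."""
    affected = {changed}
    for a, b in exchanges:
        if changed in (a, b):
            affected.update((a, b))
    result = {}
    for system in sorted(affected):
        result.setdefault(sme_of[system], []).append(system)
    return result


# Constructed sample data: system names and SME names are hypothetical.
EXCHANGES = [("billing", "ledger"), ("crm", "billing"), ("ledger", "reporting")]
SME_OF = {"billing": "sme_a", "ledger": "sme_b", "crm": "sme_c", "reporting": "sme_b"}

if __name__ == "__main__":
    print(required_change_requests("billing", EXCHANGES, SME_OF))
    cr = ChangeRequest("billing", artifacts={"documentation"})
    try:
        cr.enter()
    except GateError as err:
        print("blocked:", err)
```

Only direct data exchanges widen the impact analysis here, matching the dependency case in the definition of change.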

Wednesday, March 20, 2002


Giving or Getting Value. You are either a provider or consumer of services, or both. I've been thumbing through my favorite books on IT operations, each of which addresses service delivery in varying levels of detail. The best starting point, in my opinion, is Foundations of Service Level Management, which covers all of the key points of this important discipline. What makes this book so valuable is the supporting web site that makes the book a constantly updated, living reference.

I've also been heavily influenced by the books in Harris Kern's Enterprise Computing Series, all of which are focused on some aspect of service delivery. My exposure to this outstanding series was IT Services Costs, Metrics, Benchmarking and Marketing. Discovering this book was a turning point because it synthesized all of my experience that I'd gained in a quarter of a century in the industry. I quickly snapped up the other books in the series, many of which had the same profound influence on my thinking and/or validated my own experience and knowledge. The best among them are

Two other books that I rank with those in the Enterprise Computing Series are:
  1. Mission Critical Systems Management.
  2. Strategies for Web Hosting and Managed Services (see the book's associated discussion forum for more information).
However, you don't have to rush out and buy a pile of books to get started. I've assembled a collection of documents that cover the key topics in the collection I've discussed above:

If these topics interest you please see my latest entry in Postcards from the Revolution, which provides supporting material for performance and capacity management.

Best regards from Azusa, California. Linda Zarate

Tuesday, March 19, 2002


Great News. Two items that made my day:

  1. My 26 February entry announced the sad news that Process Dashboard was withdrawn. This open source application was designed as a Personal Software Process support tool. I am happy to announce that Process Dashboard is once again available.
  2. Doug Kaye has launched a newsletter titled IT Strategy, which will come out weekly and cover news items about web hosting services and managed services, and web services. If these topics interest you (and they should) you can sign up for a free e-mail subscription.
Spin Control Out of Control. Today was intense and I'm getting caught up. Going through a backlog of unread e-mail I came across two messages that, combined, made me chuckle. The first is from an old friend who now works for Microsoft. I'm on his distribution list and I read anything he sends. Here is an excerpt from the announcement that went out to the list:
    Internet security is a worldwide issue that affects not just Microsoft's customers, but also anyone connected to the Internet - no one is immune to the problem.

    Microsoft has taken a proactive approach to this problem by introducing the Microsoft Strategic Technology Protection Program (STPP). This two-phase program represents an unprecedented mobilization of Microsoft's people and resources to integrate product, services and support. In January, Microsoft Consulting Services presented an initial seminar that introduced the components of the STPP program, which includes "Get Secure" and "Stay Secure."

    It sounded sincere enough. I paid a brief visit to Microsoft's security page, noted the proclamations, then mentally filed it away and planned to follow up at a later time.

    Ironically, the next message was from a service to which I subscribe: e-Week. Here are the stories for today:

    • IE, Apache Clash on Web Standard, ...The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
      The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication.
    • Security Flaws Found in IE 6.0 followed by Microsoft Patch Repairs 6 IE Flaws
    Microsoft seems to be doing a lot of spinning and not much else.

    On the other hand, e-Week also discussed the opportunities that more mature and proven technologies have, including an article titled Java: Potent Security that discusses the strengths of Java from a security viewpoint compared to Microsoft's newer .NET initiative. Another article from the same publication, Apache Avoids Most Security Woes, indicates that Apache is vastly superior to IIS from a security perspective.

    Back in the Fast Lane. I'm caught up and will resume my entries here and in Postcards from the Revolution starting tomorrow.


More Reviews. I'm finally getting caught up with the backlog of book reviews I wanted to write and post on Amazon. Here are the most recent three, which were posted earlier today:

Securing Business Information
Cookbook approach that makes a complex task manageable

Of all the security books I've read this one stands out as the best for two reasons: (1) it lays out what is needed and the steps to take to develop an enterprise security policy in a clear, logical sequence, and (2) there are no gaps in the proposed process. Indeed, it appears that the authors had 'due diligence' as their foremost principle when they wrote this book. In addition their experience is evident by the way they approach the subject and tie it together.

The approach is straightforward: initiate, assess, gather requirements, perform a gap analysis, develop a baseline and implement. What makes the approach unique is the 'divide and conquer' technique that partitions the business into security domains. This has benefits beyond decomposing the complexities of enterprise security into manageable pieces - it can also be linked into enterprise problem management and business continuity planning processes because you're forced to examine your resources and systems, and to prioritize them according to their criticality. I also liked the discussion of policies, which discussed the merits of identity-based and role-based approaches, and included excellent advice on policy auditing. One strong point about this section was the treatment of finding documented *and* undocumented policies. This material is applicable to anyone who is involved in policies and procedures development, regardless of whether or not it's related to security. I also especially liked the chapter on trust modeling. This is one area where I learned much from the book.

I've only touched upon key elements of this book. A review of the table of contents will reveal that it's complete and filled with case studies and important discussions of technologies that can be employed to create an effective enterprise security posture. This book is obviously applicable to security specialists, but is also useful to business continuity planners, service delivery practitioners and service providers. It is, to date, the best book on security that I've come across from among the 20 I've read. It's also a complete recipe for a successful development and implementation of enterprise security policies, processes and procedures.

Enterprise Data Center Design
Hard to find information that is clearly presented

There is a large gap between IT data center operations and facilities management professionals. This book bridges that gap, at least on the IT side, by clearly explaining the issues and factors that need to be addressed for effective management of a data center that complies with local codes and regulations. Most IT professionals are unaware of the regulatory requirements with which a data center must comply - unless they've been shut down by a city inspector at which point the concept of reliability, availability and support becomes moot. This book provides a good education about this obscure topic, as well as everything else that a data center operations manager should know in order to do his or her job. This doesn't shift responsibilities away from facilities managers, but does give IT and facilities common ground and a shared understanding of each domain's roles and responsibilities. Here's an example of why this is necessary: systems that need to be brought into production usually require platforms, storage and network connections. These consume power, environmental system capacity and require space, all of which are finite and all of which are governed by building, fire and safety codes. Many organizations order equipment first, then notify facilities, when the right way is to jointly plan and manage data center growth. This book provides the basis for doing this, and if followed by both IT and facilities, will ensure smooth and uninterrupted operations and proactive physical capacity management.

The book starts with data center design philosophy, giving the top ten design guidelines. This is followed with detailed design criteria that cover project issues, insurance and local building codes. While these are of more concern to facilities managers, IT needs to be aware of their impact. It also discusses availability profiles, which do directly concern IT. Chapter 3 is also of direct interest to IT because it discusses physical and logical security, facilities system monitoring and planning for expansion. In fact, this chapter is where IT and facilities professionals intersect.

Chapters 4 through 8 are of more interest to facilities professionals because the topics cover details such as physical capacities and resources, site selection and construction details, implementing raised floors, power distribution and HVAC. Despite the slant towards facilities, reading through these chapters will give IT data center managers insights into the challenges faced by facilities, and will offer a lot of information that can be used to develop safety plans and general housekeeping procedures.

The next chapters (9 through 12) are of interest to both IT and facilities, and cover network cabling infrastructure, shipping, receiving, and staging, hazards and environmental contaminants, codes and construction. These are areas in which IT and facilities need to closely collaborate.

This is the first book that covers data center facilities in a manner that IT professionals will find readable and understandable. It usually takes years of experience and reading facilities-focused materials of which only a fraction is applicable to gain the knowledge that the author provides.

Information Technology: Management Challenge
Essential to seeing the big picture

The eleven chapters in this 199-page book give a roadmap for aligning business and IT, and for effectively delivering value. As such this book should be on the bookshelf or reading list of anyone who is involved in IT management or consulting.

Chapter 1 opens with IT as it relates to the global business environment. Much has been said about the global nature of the connected world, but views provided by two essays, reinforced with a case study and capped off with an action checklist sum up the key issues.

The book uses the same structure in every chapter: discussion, reinforcing case study, action checklist. I like this approach because it has enabled the author to provide the key issues in succinct terms, demonstrate those issues in action, then give a structure from which you can develop your own plans. I also like the fact that management views written by other writers who are experts in their fields are included in many of the chapters.

Each chapter addresses a specific and important aspect of IT management, and each builds upon the preceding chapter. The sequence is: frameworks for thinking about business and IT (an especially solid chapter because it gives a point of reference for the rest of the book), delivering information, IT for competitive advantage (another excellent chapter!) and managing the development of an IT strategy. Although the book is not divided into sections, the preceding chapters are a foundation for what's to come. The next two chapters cover analyzing IT investments and impact of IT on an organization. These set the stage for the two that follow: implementing the IT strategy and the business manager's role in development. The book concludes with two chapters that cover major trends in IT (this chapter is still valid despite the fact that the book was written in 1999) and management concerns for the future.

The book is well written and thought-provoking. I got through it in a weekend, then spent weeks thinking about much of what was presented, and frequently referred back to key chapters. The action checklists are probably the most valuable parts of the book and are carefully crafted to make you think about key issues as they relate to your organization.

Wrestling Demons. I've recently upgraded my desktop system to Windows 2000 and am having my share of problems. One of the most frustrating is the fact that my vanilla, PS/2 keyboard is not recognized! The good news is my system now boots faster. The bad news is I cannot interact with it via my keyboard. The worst news, though, is my keyboard is the Microsoft Internet model. I'm starting to share Mike's disdain for anything coming out of Redmond.

Monday, March 18, 2002


Threats from the Web. In my 15 March entry I discussed the basics of competitive intelligence and sources of information. I've gathered some examples of threats (or opportunities, depending on where you're sitting) that underscore my discussion.

Be afraid ... be really afraid! Web job listings are one surprising source of information. As innocuous as job listings may seem, the paper titled Competitive Intelligence and National Security Threats from Web Job Listings shows that useful intelligence can be gleaned from publicly available sources. If this paper doesn't provoke reflective thought and a bit of paranoia you may be living in a different reality. Remember, when everything is uneventful the optimist will say, "we're safe" and the pessimist will claim that "we're due." I tend towards the pessimistic view when it comes to intelligence.

If the preceding paper didn't get your attention perhaps Civil Liability for Computer Security Professionals will give you pause. Although this paper is not specifically about competitive intelligence, it does show the potential risks a company faces if information that is made available isn't carefully reviewed by competent legal counsel. This document isn't for security professionals only. I think the proper audience should include marketing, content developers and corporate communications/public relations.

Other Matters. If you carefully read the US Government's advice contained in a document titled Intellectual Property: Navigating Commercial Waters you'll discover exposures to which your company may be subjected. This document is not ostensibly about competitive intelligence, but much of it is useful to those who gather or protect information that is considered to be competitive intelligence.

I still have loose ends on my personal web page, but will be rectifying them in the next few days. Mike is in the process of adding sample deliverables to our TEAM Zarate-Tarrani page, but this will be an ongoing process.

Linda left me an opening in her recent entry in Postcards from the Revolution to provide additional content about knowledge management. If you check my latest entry there you'll find five useful documents on the topic. Best wishes from Irvine, California.


Up for Air. I've been buried in projects, but feel guilty about not doing my part while Linda and Kate have been taking the time to write well thought out entries about important topics. Both have provided information and documents that are valuable and their writing is remarkable. If you haven't also been reading Postcards from the Revolution you're missing some excellent material on knowledge management and service delivery.

I am going to provide a few testing and reliability documents I've recently found, then disappear back into the woodwork until Wednesday. I should be caught up by then and will resume my discussion here about process design and implementation, and will begin my discussion of the Tarrani-Zarate Model in our sister weblog, Postcards from the Revolution.

The testing and reliability documents are:

Also of interest to software testing and QA professionals is Security Aspects of XML and Web Services, which provides a brief look at the considerations from which you can derive test cases.

If you want to know more about who we are visit our TEAM Zarate-Tarrani page. Until Wednesday, best regards from Tustin, California.

Sunday, March 17, 2002


Service Management For Everyone. In my previous entry I initiated a discussion of service levels and processes. Although this topic is normally discussed in Postcards from the Revolution, I feel that it's important to expose a wider audience to service level management. Regardless of our job or function, all IT professionals are directly or indirectly involved in service delivery. My assertion of this is supported in Creating an IT Service Delivery Utility, which is the perfect paradigm.

IT Architecture: An Executive Overview is an interesting presentation that ties together an end-to-end architecture and organizational structure that supports service delivery. If you're in the software engineering/applications delivery domain you'll see how your world can connect to production support and service level management. This is addressed in even more detail in Processes for Successful Solution Deployment. I especially like this document because it covers production entry criteria and applications acceptance - critical activities that are not always implemented as a formalized process. This paper shows why they should be a part of the interface between applications and service delivery. I also liked the paper on application availability because it contains items of interest to applications and service delivery practitioners, and is one of a slowly growing body of knowledge that views IT as a whole instead of development and support functions.

Parting Notes. In my next entry I'll cover service level management basics, including service level agreements and vendor management.

Saturday, March 16, 2002


Service Levels and Processes. I found an interesting whitepaper on FMEA for IT (FMEA is Failure Mode, Effects and Analysis) that is in line with facilities management research that Mike and I conducted a few years ago. This paper sets forth an excellent framework for service level management, specifically with respect to reliability and availability.

Manageability is another aspect of reliability and availability that is important to those of us who specialize in service level management. Manageability usually comes with a steep price tag, so the IDC whitepaper titled Business Case for Investing in Manageable Systems is a valuable document that will give you ideas about how to justify the right level of manageability to meet service level objectives.

I've put together two archives of presentations and documents on service level management basics and service level performance metrics from resources I've gathered in recent research. This information is useful to all IT professionals, including applications delivery and software engineering folks because at some point the products that are designed and developed are going to be placed into service as business-enabling tools.

Two additional documents that are of narrower interest are Service Quality for Financial Institutions, which is a high-level view of unique requirements (with little specific service level management information), and Using SAP R/3 for SLM. This paper's primary theme is SAP R/3 in supply chain management. However, it goes into detail about supply chain management, service level management, service level agreements and business maturity. Although the paper does not directly address IT service level management, it does contain a wealth of ideas, especially about workflow.

Friday, March 15, 2002


Competitive Intelligence Defined. Competitive intelligence is one of those terms that mean different things to different people, with many definitions based on misconceptions. One of the best definitions I've found is What Competitive Intelligence Is and Is Not.

Framework for Competitive Analysis is an MS Word document that provides a structured approach to CI, and Process to Define Intelligence Needs adds more structure to the art and science of competitive intelligence.

Mining Competitive Intelligence from Public Sources. By some estimates 90% of the information needed to perform an in-depth assessment of competitors is publicly available. What is required to obtain this information is knowing where to look. Also be aware that if you can so easily learn about your competitors they will probably learn much about your organization with the same ease.

Who Are You Assessing? Conducting competitive intelligence operations requires executive level commitment, funding and resources. You cannot [cost-effectively] watch everyone. The whitepaper titled Identifying Adversaries will help to identify the scope of your research.

Sources. The best starting point is Hoover's Handbook of American Business 2002, or if your scope is international, Hoover's Handbook of World Business 2002 is the place to begin. You will also want to bookmark Hoover's Online. One well-written article on competitive analysis is titled What Are Your Competitors Up To?. This article is aimed at recruiters, but the information is applicable to marketing analysts, members of benchmarking teams and product developers.

I urge corporate communications and legal departments to also be familiar with this material because there is latitude for implementing effective countermeasures. As a competitive intelligence specialist I know only too well that many companies make more information publicly available than is necessary. Look at it this way: your competitors are almost certainly expending money and resources to learn about you. Developing a business case for countermeasures may reveal a surprisingly large ROI.

Transformations. Information does not equal intelligence. It needs to be transformed into raw and processed intelligence (see Mike Tarrani's 28 February 2002 definitions of raw and processed intelligence in Postcards from the Revolution).

A document that addresses the information-to-intelligence transformation is Business Intelligence for the Finance Industry. Although this document is focused on the finance industry the concepts and approach can be used in any industry sector. Another source of valuable information and key indicators is a company's investment in information technology. The whitepaper titled Value Implications of IT Investments gives insights on how to interpret competitor information technology spending.

When competitive intelligence is turned inward it's called business intelligence. The same framework and processes used in competitive intelligence gathering and assessment can be used to evaluate your own competitive position. The whitepaper titled E-Commerce Internal Intelligence shows the value of business intelligence techniques when applied to e-commerce solutions, while Realtime Business Analysis provides a broader look at the value, factors and issues of internal intelligence. An interesting paper that looks inward is Agency Theory Online Analysis. This document is a case study that illustrates the value of web-based online evidence as a research tactic for business intelligence.

Challenging Exercise. If you want to test your skills at analysis and developing intelligence from information, read Information Technology for European Advancement. Place your findings within the context of European Union initiatives and develop conclusions. You may uncover interesting insights and trends.

Thursday, March 14, 2002


Secrets Revealed. If ever you wanted to know who we (me, Linda and Kate) are, our backgrounds and professional interests, visit the TEAM Zarate-Tarrani Capabilities page. You'll also notice a name you may have seen mentioned here, Marcia Hopkins. I hope to entice her into posting here one of these days.

Process Artifacts. As soon as I complete pending work that has priority I'll return to my topic about processes. In the meantime I have some relevant documents to share that you'll find interesting: Experience Factory Model is a 96-page manual describing the PIE Experience Factory Model. This model is of interest to process analysts, knowledge management specialists and software engineering process group members. The model fosters continuous learning in a software engineering environment with emphasis on organizational process control and change.

Defining Software Processes is a PowerPoint presentation that provides an excellent comparison of the ETVX and IDEF0 models that I discussed in prior entries. Another presentation that covers the ETVX model in detail is titled Process Action Team Processes. In a future entry I'll be discussing process action teams in more detail, so this presentation will serve as an introduction to this powerful and proven model.

The final document, titled Business Process Innovation (Data Analysis) discusses an important aspect of process design and/or improvement.

If your interests are focused on software process improvement see my latest entry in Postcards from the Revolution.

Wednesday, March 13, 2002


Exciting Documents. Although I am pursuing my Oracle Certified Professional training by day, I continue to research topics of professional interest in the evenings. I recently discovered a few treasures that will excite anyone concerned with outsourcing and service level management:

Ending Thoughts. As you can see, there's a lot of activity surrounding service level management. A year ago the service management total body of knowledge was somewhat limited and relatively static. It now seems that keeping up with the emerging and competing initiatives, and the rapidly growing body of knowledge is going to take effort. In my opinion this represents a major step forward, and I would rather struggle to keep up than to witness the apathy with which this important discipline was treated in the past.


News. My web page is completed and available for viewing. There is still much content to add, but none of the pages are under construction. They are in a state of evolution, and more content will be added in the coming week.

Technical Topics. I want to share three resources that build upon those I've posted in my past few entries:

  • Knowledge Management Issues is a collection of three documents that address aspects of knowledge management. This topic (knowledge management) is directly related to business intelligence, and is indirectly related to competitive intelligence. The documents in the collection include knowledge management fundamentals, knowledge management in technical organizations, and expert systems.
  • The Role of Competitive Intelligence in Mergers and Acquisitions, which covers the relationship between competitive intelligence and due diligence (MS Word format).
  • Using Customized e-Learning, which is an MS Word document that discusses e-learning and how to tailor it to meet organizational objectives. E-learning is a knowledge management enabler.

My Role. If you've been reading this weblog or its sister, Postcards from the Revolution, you've probably noticed that I'm taking a more active role in developing and publishing content. Mike and I are in the process of developing a new web site that focuses on business and competitive intelligence, which will tie together my entries in the weblogs and broader material about those topics. Stay tuned.

Tuesday, March 12, 2002


Time and Again. My time is becoming precious, which means that I am only going to be making brief entries here and in Postcards from the Revolution for the next few days. However, I do want to continue adding content to augment the topic I started about processes, which will give more background information. I also have some interesting documents that address Oracle capacity and performance planning that will be of interest to DBAs and production support staff, as well as to software test professionals.

Process Documents. The first set of documents is a Zip archive that contains materials on balanced scorecards. This relates to processes by providing a structured means of measuring the important elements of business and IT processes. Balanced scorecards can be applied to a single business or technical process area, or rolled up into an enterprise level view of how well you are doing.

A document that will be helpful in the development of process improvement initiatives, which relate to both balanced scorecards and process design, is the process improvement impact questionnaire (in MS Word format). The questions in this document can be tailored to your organization's goals and objectives, and are a solid foundation from which to proceed towards measurements or improvement initiatives.

Evolving Business Process Reengineering from Art to Engineering is a gem. This MS Word document covers processes in depth, and is a wealth of information about process analysis and design, and reengineering approaches. A companion document, Organizational Impact of IT-enabled BPR, contains case studies of IT-enabled business process reengineering initiatives. The key word is IT-enabled. I am a staunch advocate of business-led BPR initiatives in which IT plays a supporting role. There are many reasons for this, not the least of which is the fact that IT [in general] has a poor track record of managing projects or demonstrating an understanding of business imperatives. That isn't the case in all IT organizations, but is still the rule rather than the exception.

IT-Specific Topics. Two resources that are related to IT technical processes are:

  1. Zip archive of ISO 9000, CMMI and software supportability documents.
  2. Document in PDF format that describes a high availability model for SAP. The connection between this document and IT processes requires a slight stretch of the imagination, but the connection is there if you carefully read through the paper.

Oracle Capacity and Performance. If you are an Oracle DBA, or are involved in Oracle capacity and performance planning or conducting database stress testing you'll find the Oracle Capacity and Performance Methods document collection to be invaluable. This Zip archive contains documents and spreadsheets on: SQL performance, 3-Tier capacity and performance, the Ratio Modeling Technique and other performance and capacity planning techniques that are specific to Oracle databases.

As a performance and/or capacity analyst you already know that queuing modeling is a recurring activity. This MS Excel queuing analysis spreadsheet will make your job a little easier. If you have a Palm-based PDA you can put it to work with this queuing analysis application.

End Note. Kate Hartshorn is posting more frequently here and in Postcards from the Revolution. I, for one, appreciate the information that she is sharing and her insights into topics that are illuminating.

Monday, March 11, 2002


Process 101. This is the first of a series of entries that will cover policies, processes and procedures. In this weblog I'm going to concentrate on processes and procedures, and cover policies in Postcards from the Revolution when I launch my series on the Tarrani-Zarate Information Technology Management Model. In that series I will also be reviewing Mike Sisco's IT Manager Development Series, which is a 10-book collection of professional guidance that covers every facet of IT management. This series and the model that Linda and I developed are closely aligned.

The tie-in between policies and our model is at the business imperatives/business requirements layer.

Our Approach. Linda and I both use a process model that is called Entry-Task-Validation-Exit (ETVX) model. This model is similar to the Plan-Do-Check-Act (PDCA) process model that is an integral part of total quality management (TQM).

The similarities between the two models include: a structured approach that ensures correct input into a process, documented tasks (procedures), validation checkpoints and defined action. In the case of the ETVX process the sequence is linear and it's designed to take a process trigger or input, perform a series of tasks to produce something or transform the input, check the finished product against quality criteria and exit criteria. If all of the quality and exit criteria are satisfied the process ends (until the next triggering event or arrival of entry criteria), and if not, the discrepancy is corrected in the task phase. It then goes back through the validation phase, and either exits or is reworked until all quality and exit requirements have been met.

The PDCA model differs in subtle, but important ways. The plan and do phases are nearly identical to the ETVX entry and task phases. However, the PDCA check phase is designed for continuous improvement and measures whether or not quality is being achieved within upper and lower control limits defined in statistical process control charts. The most common charts are X-bar (mean) and R (range) charts. If there are indicators that a process is drifting out of statistical control, even if quality requirements are met, an action is initiated to investigate and rectify the root cause. One such indicator is more than three data points above or below the statistical mean in an X-Bar chart.

From the comparison there are key differences between the two models despite surface similarities:

  1. PDCA is preventative through the use of statistical process controls, while ETVX is inspection-based.
  2. PDCA is cyclic and designed to support continuous improvement by constantly measuring and comparing, while ETVX is sequential and only loops back into the task phase for rework.
  3. PDCA has early warning indicators built in, using trends to spot processes that are drifting out of control that can be remedied before quality is compromised. ETVX depends on the validation phase to spot out of conformance processes and has no mechanism other than rework to deal with quality problems.

This of course begs the question: why not use PDCA? The reasons why ETVX is used include:
  • PDCA requires a strong commitment to implement and manage. It looks relatively simple on the surface, but the training, discipline and organizational commitment to make it work are high hurdles.
  • Some processes are difficult to manage within the PDCA model, or PDCA would be overkill. It comes down to a business case to determine if the cost of non-quality outweighs the cost of quality. Approach it as an exercise in cost/benefit analysis to see which model makes more sense. Do bear in mind that PDCA imposes training costs, and also requires a change in most organizational cultures.
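
The contrast drawn above between ETVX validation (inspection) and the PDCA check phase (statistical control) can be seen on data; this is an added example, not part of the original entry. The measurements, the 90 to 110 specification limits and the function names are constructed, and the run rule takes the entry's "more than three data points" indicator to mean consecutive subgroup means on one side of the centre line.

```python
from statistics import mean

# Standard Shewhart chart constants for subgroups of five measurements.
A2, D3, D4 = 0.577, 0.0, 2.114

# Constructed sample data: five measurements per subgroup, specification 90..110.
SPEC_LOW, SPEC_HIGH = 90, 110
BASELINE = [            # in-control history used to set the control limits
    [99, 101, 100, 98, 102],
    [100, 102, 99, 101, 98],
    [101, 99, 103, 98, 100],
    [98, 100, 101, 99, 101],
]
MONITORED = [           # later output: every item is in spec, but the mean drifts up
    [100, 99, 101, 100, 99],
    [101, 100, 102, 100, 101],
    [102, 100, 101, 101, 101],
    [101, 102, 100, 102, 101],
    [102, 101, 103, 101, 101],
    [103, 101, 102, 102, 102],
]

BEYOND_LIMIT = "mean beyond control limit"
RANGE_LIMIT = "range beyond control limit"
RUN = "run on one side of the mean"


def control_limits(baseline):
    """Centre line and control limits for the X-bar and R charts."""
    xbars = [mean(s) for s in baseline]
    ranges = [max(s) - min(s) for s in baseline]
    center, rbar = mean(xbars), mean(ranges)
    return {
        "center": center,
        "ucl": center + A2 * rbar,
        "lcl": center - A2 * rbar,
        "r_ucl": D4 * rbar,
        "r_lcl": D3 * rbar,
    }


def etvx_validation(subgroups, low=SPEC_LOW, high=SPEC_HIGH):
    """Inspection only: indices of subgroups holding an out-of-spec item (rework)."""
    return [i for i, s in enumerate(subgroups)
            if any(not low <= x <= high for x in s)]


def pdca_check(subgroups, limits, run_length=3):
    """Statistical check: (index, reason) for every early-warning signal."""
    signals, side, run = [], 0, 0
    for i, s in enumerate(subgroups):
        xbar, rng = mean(s), max(s) - min(s)
        if not limits["lcl"] <= xbar <= limits["ucl"]:
            signals.append((i, BEYOND_LIMIT))
        if not limits["r_lcl"] <= rng <= limits["r_ucl"]:
            signals.append((i, RANGE_LIMIT))
        # +1 above the centre line, -1 below, 0 exactly on it (breaks a run).
        here = (xbar > limits["center"]) - (xbar < limits["center"])
        if here != 0 and here == side:
            run += 1
        else:
            run = 1 if here != 0 else 0
        side = here
        if run > run_length:        # "more than three" points on one side
            signals.append((i, RUN))
    return signals


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print("control limits:", limits)
    print("ETVX rework needed for subgroups:", etvx_validation(MONITORED))
    print("PDCA signals:", pdca_check(MONITORED, limits))
```

Inspection passes every monitored subgroup, while the control chart raises a signal at the fourth consecutive mean above the centre line, before any item leaves the specification.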

A Twist. Linda and I add a wrinkle to the traditional ETVX model by adding controls and constraints. These two elements were heavily influenced by the IDEF0 functional process model.

Definitions. Before proceeding I want to provide definitions of terms that you'll see in all subsequent entries:

  • Process controls: limits that have been purposely placed on the process to prevent undesirable outcomes. Examples include:
    1. Policies.
    2. Checkpoints.
    3. Audits and integrity checking.
    4. Error detection and correction processes.
  • Process Constraints: Limitations imposed on a process are called constraints. Examples include technical capabilities, available time frames, resources, transmission speeds, etc.
    The key difference between a control and a constraint is that a control is designed into the process to produce or effect a desirable outcome, while a constraint is a limitation to the process (or environment) that may impact on the effectiveness and/or efficiency of the process.
  • Quality Gate: A checkpoint for verification and/or validation. Tasks or procedures cannot proceed until the checkpoint has been successfully passed. If a quality gate fails the remedy is rework or other corrective measures.

Examples. A starting point is the ETVX summary, which describes the basics of the model and includes our additions. I also have examples of how the ETVX process was employed in projects in which Linda, I, or both of us developed solutions based on the model:
  • Contact Center Entry Criteria, developed by Linda for a project that required a problem management process. The criteria in this document are a subset of the entry criteria for production support, but there is sufficient detail to illustrate what constitutes the entry criteria phase of the ETVX model.
  • Project Plan. This example is from the same problem management process project, and shows how ETVX can be applied to project planning. As a side note, this plan also follows the phases in the Rational Unified Process, which shows how ETVX can be used in conjunction with life cycle models.
  • Change control process based on the ETVX model. This document shows an entire process aligned to the model.
  • Change implementation plan, used in conjunction with the change control process. Note how the implementation plan is also structured using the ETVX model.
  • Validation process that not only uses the ETVX model, but also employs controls and constraints.

End Note. I'll be expanding on the ETVX model in particular, and processes in general, in future entries. I'll also be providing related information in Postcards from the Revolution, so be sure to check that weblog as well.

Sunday, March 10, 2002


In Praise of Process. I'm going to lay the groundwork for Mike's forthcoming entries on process. Tom Gilb's Process Out, Quality In presentation in PowerPoint format, with an accompanying MS Word document shows the direct relationship between process and quality. These documents are essential reading if you're serious about quality and want to understand how to design processes to assure it.

It's impossible to implement effective processes or achieve true quality without metrics. This simple, immutable fact is reinforced by Serious Metrics Pay Off, which is a short PowerPoint presentation about the value of metrics.

If processes need metrics, it's axiomatic that they also need documentation. Process assets is a PowerPoint presentation that discusses the value of process assets in the form of policies, procedures and guidelines. This presentation is a nice lead-in for Mike's future entries, and a great resource for anyone who is involved in implementing CMM.

If you read this weblog or its sister, Postcards from the Revolution, you know that we never stray far from the CMM as a topic. The PowerPoint/MS Word combination of documents about software capability evaluations and capability models discusses the use of the Software Capability Evaluation (SCE) V3.0 appraisal method and how to tailor an appraisal to multiple reference models. The models discussed in this slide presentation and accompanying document are the Software Engineering Institute's (SEI) CMM for Software V1.1 and the EIA/IS 731.1, Systems Engineering Capability Model (SECM).

Along the same lines, the two PowerPoint presentations and PDF file that address getting to CMM Levels 4 and 5, and productivity statistics provide insights about the difficulties of attaining software process capability maturity. The information can also be applied to other process models and benchmarks, making this set of documents especially valuable source material to anyone who is involved with process improvement initiatives.

A comparison of IEEE/EIA 12207, CMM and ISO 9001 discusses models and processes that relate to the previous document set about Levels 4 and 5.

I've also posted related information in Postcards from the Revolution in the form of documents that discuss security processes.


Laura Brown, author of Integration Models: Templates for Business Transformation, is now publishing a newsletter. Her inaugural issue covers a wide range of topics, all of which will be of interest to IT professionals. I also recommend a visit to Laura's web site, especially the pages devoted to integration models and data warehouses.

She is one of my favorite authors, and her book was among the top four that I read in 2001. You can read reviews Linda and I wrote on Amazon during June 2001 if you want more details about Integration Models: Templates for Business Transformation, or you can visit Ms. Brown's Books and Articles page for an in-depth look at what's between the covers.

Saturday, March 09, 2002


A Place for Everything, and Everything in its Place. Yesterday I made my debut by posting a short entry in Postcards from the Revolution to add to Mike's earlier discussions that touched upon knowledge management. Since this weblog is the one Mike and Linda intended as a diary into which interesting documents and links were to go, I am going to use this for its intended purpose.

Data Management. I am not an IT professional. I am, however, a knowledgeable (and demanding) user of IT services and have a keen appreciation of the tools that are made available by technology. The adage that a craftsperson knows their tools is applicable. I first want to share a collection of documents that introduce databases and data warehouses to any reader who does not routinely work with either (i.e., network support, technical writers and others in IT who know only the bare fundamentals). The first set of documents is in a Zip archive that contains four PowerPoint presentations that introduce databases and data warehouses at a basic level.

The next document is a data mining tutorial, which will lay the groundwork for a more in-depth set of PowerPoint presentations about data mining and online analytical processing, which is a business intelligence specialist's most powerful tool set.

For the more technically inclined I've put together a collection of PowerPoint presentations about modeling and schemas that cover the basics, discuss star vs. snowflake schemas, and get deeper into multidimensional databases.

General Interest. I have more to share than database-centric documents. One of the better presentations I've read lately is Building Business Intelligence Systems, which is an excellent overview of the issues you need to explore. Be aware that this presentation was designed to showcase a specific vendor product, but that does not diminish the value of the message and information in the first seventy-five percent of the document.

Another vendor-specific document that contains excellent information that can be applied in a vendor-neutral environment is eContent Management. Not all data is neatly housed in a data structure, and the overview of challenges that is provided in this presentation is invaluable.

Some Things Just Don't Fit. In parting I want to share three documents that do not fit the theme of this entry:

  1. eLearning Standards, which is surprising because the document was put together by Cisco, which most of us associate with networking and routers. A little research revealed much about Cisco, such as that the company has a sophisticated customer relationship management approach and is heavily involved in distance learning and other initiatives.
  2. On Enterprise Integration is more slanted towards Mike's Zachman Framework theme in Postcards from the Revolution, but with a little imagination and vision you can see how the data mining and OLAP topics I addressed above relate to this PowerPoint presentation. It's all the more valuable if you're an architect who is visualizing a big picture that includes business intelligence, CRM and knowledge management.
  3. I included Overview of the Internet and Data as a "101" presentation you may find useful as a tool for educating your end users.

Parting Note. If your interests are more focused on information warfare than competitive intelligence you should visit the Information Warfare page that Mike and Linda created. This page is on their IT Security site and covers the darker side of information intelligence in depth. My favorite link from that page is Robert D. Steele's OSS Net Whitepaper collection. Mr. Steele is also one of my favorite Amazon reviewers. I'm currently reading The Ends of the Earth by Robert Kaplan because of Mr. Steele's insightful 12 July 2001 review of this fascinating book.

Friday, March 08, 2002


Tidying Up. Today is one of those days when I feel as though I'm simultaneously juggling and trying to move forward. The problem is that for every two steps forward I'm being pushed one step back. Worse, some of the items I'm juggling are dropping. My solution is to take a deep breath, smell the roses and clear my mind. Before I enjoy the beautiful day here in Azusa, California, bathed in sunshine with the majestic San Gabriel Mountains as a backdrop, I want to share the fruits of my research during the past few days.

Manifestations. Kate Hartshorn's recent entry in Postcards from the Revolution is one of the clearest explanations of competitive intelligence I've read. Her supporting material on competitive intelligence, knowledge management and intellectual property law is overwhelming. Coincidentally, I was also reading about competitive intelligence earlier this week and want to contribute one more document to the impressive collection that Kate has shared: Applying Business Intelligence.

Directions. Mike has taken both weblogs in a direction that neither of us planned when we started this one and Postcards from the Revolution. This weblog was going to be a jumbled collection of documents and links that we wanted to share as we came across them in our research. Postcards from the Revolution was intended to be our soapbox from which we were going to preach professional improvement. Instead, both have become showcases for themes. The current theme in Postcards is the Zachman Framework, and the coming theme here is going to be policies, processes and procedures. That theme is good for a week of Mike's entries because he has much to share in the way of knowledge and experience on the topic.

Architecture. Some of the material I've amassed this week will support Mike's and Kate's entries, in particular architecture, which plays nicely into Mike's Zachman Framework topic. The Action Guides for the Enterprise Architect, which I downloaded from the Bredemeyer Consulting site, blend process and systems architecture into a coherent approach. Another source of architecture information that takes the same approach is Enterprise-Wide IT Architecture (EWITA).

Business Issues. Regardless of how deep we get into the nuts and bolts of technology we need to remain constantly aware of the business aspects. IT exists to enable business processes and to support users. Period. To that end I have four documents that will refocus attention on business issues:

  1. Winning the E-Race
  2. Making a Business Case for E-Commerce Project Selection
  3. E-Commerce Success Models
  4. Quality of Experience

On the Process Front. We never stray far from software engineering in this weblog, and I don't intend to make an exception today. Among the documents that were caught in my research net this week are:

  • CMMI Explained, a PowerPoint presentation that clearly explains the Integrated Capability Maturity Model, and the differences between the CMM and CMMI.
  • CMM Assessment Findings, a PowerPoint presentation showing CMM assessment findings and key practice trouble spots. Forewarned is forearmed.
  • CMM Tutorial in PDF format - for anyone who is new to the Capability Maturity Model.
  • Statistical Process Controls and the CMM, which is a PowerPoint presentation about a critical success factor for organizations striving for CMM levels 4 and 5.

Additional documents include a PowerPoint presentation on ISO 9000:2000 and the differences between it and the 1996 version; a best practice in the form of a PowerPoint presentation that describes SAIC's change management practices; and a Software Risk Management Guide in MS Word format.

Project Management. When projects are correctly managed, careers light up. Ed Yourdon's 246-slide PowerPoint presentation titled, Managing Internet-Time Projects has advice that can propel you into the fast track. If, on the other hand, your career is looking shaky because of a project gone sour, Nightmare on Project X is a PowerPoint presentation that shows how to get projects back on track. It might just contain the redemption you're seeking.

Odds and Ends. I'm going to end with two documents that don't fit anywhere else: Introduction to Erlang B and C, which is essential to managing queues. You'll need to thoroughly understand the concept behind Erlangs if you model help desk staffing, telecommunications capacity and any other model that involves queues (including how many checkers are required in a supermarket for a given number of shoppers). If you're in QA you'll appreciate the two PowerPoint presentations on regression testing. They cover the process of regression testing, and how to prioritize regression test cases.

I'm off to enjoy the sun and the rest of the day.

Thursday, March 07, 2002


Setting the Stage. I've been focusing on the Zachman Framework and business rules in my latest Postcards from the Revolution entries. Since that theme is going to continue for a few more days I want to use this weblog as a vehicle for discussing process models.

Catalyst. The reasons why I want to discuss process models are:

  • Linda and I frequently write about, or make reference to, processes in both of our weblogs. To many readers the term process may be too abstract. It's time we clarified this by providing definitions and approaches that we use for process analysis, design and implementation.
  • There are direct relationships among policy, process and procedures. Many practitioners focus on process and procedures without taking into account the fact that policy governs process. In the same manner that a direct relationship exists between policy and process, there is also a direct relationship between business imperatives and policy. I want to portray those relationships in future entries.
  • Standards, both de facto and de jure, govern the continuum of policy-process-procedure.

Since Linda and I use these weblogs to share information, the reasons cited above provide ample justification for a series on process.

Prelude. I've gathered material that will accomplish two things: (1) give background information about domain specific processes, such as supply chain management, software process improvement, etc., and (2) provide common standards and techniques. The material is diverse and is more valuable when studied to see how the embedded processes were derived. To be sure, it will take careful study to accomplish that; however, if you're feeling ambitious you may want to see how the processes, models and standards in the material fit within the Zachman Framework described in the last three Postcards from the Revolution entries.

The background material is as follows:

  • Supply Chain Management, which is a Zip archive that contains seven PowerPoint presentations. The presentations cover a full range of topics, including: Supply Chain Operations Reference Model (SCORM), supply chain process mapping methodology, metrics and the integration of supply chain and customer relationship management.
  • Software Engineering Standards and Processes, including documents on software process improvement, software configuration management, CMM and SQA.
  • ISO/IEC 12207 Software Life Cycle Processes, consisting of a PowerPoint presentation and MS Word document describing this important international standard.
  • Software Development and Implementation, an esoteric and eclectic collection of documents covering development processes, technology management, Oracle Financials tips, and E-business scalability. There is something here for everyone.
  • System and Software Selection Techniques. An interesting collection of documents about the processes for selecting an IS architecture, business applications and integrating commercial off-the-shelf software.

End Note. In earlier entries Linda and I discussed the state of software engineering at the international level. If you're interested in Asian initiatives the whitepaper titled, Software Entrepreneurism in Korea is worth reading, as is the collection of reports and presentations from the 14th Asian Forum for the Standardization of Information Technology.

Wednesday, March 06, 2002


On a Tangent. My current topic in Postcards from the Revolution is the Zachman Framework, and I want to stay focused on that topic and two closely related topics: enterprise architecture planning and business rules. So, I'm going to use this entry to address a wider view of architecture.

Being Rational. Although I've discussed the Rational Unified Process (RUP) in previous entries, I have some PowerPoint presentations that tie the RUP to architecture:

All That's RUP is Not Gold. Or, put another way, the RUP is but one way to look at architectures. It is not the final word on processes either. While I happen to be both a fan and advocate of the RUP, I look for best practices anywhere I can find them. Requirements is one of my areas of professional interest. I tend to collect any artifacts I come across, and I've recently discovered three, which I've zipped into an archive of requirements artifacts that contains a requirements engineering process, an elicitation worksheet and a whitepaper about requirements quality. There is an outstanding book on requirements management within the RUP titled, Managing Software Requirements: A Unified Approach.

Another of my passions is project management. I'm always on the lookout for best practices, documents, forms and templates and new techniques. I've zipped up two new discoveries, the Department of Energy project management guide, and a project planning questionnaire, both of which are in MS Word format. These project management artifacts can be tailored to your specific organizational requirements. There is also Walker Royce's excellent book titled, Software Project Management: A Unified Framework. If you're working with the RUP you'll want this book. I personally found the approach and techniques to reflect best practices in software project management, and recommend this book regardless of whether or not you're using the RUP.

Other Topics. I'm going to take a shotgun approach and share a few links and documents that I discovered earlier in the week. These are random and loosely related, so there is sure to be something for everyone:

End Note. Linda and I are in a race to post a review of Rich Schiesser's book, IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures. The book is about processes, and includes application acceptance, change control and other essential service delivery topics. In my opinion this is the best book so far among the excellent titles in the Harris Kern Enterprise Computing Series. Bravo Mr. Schiesser!

Tuesday, March 05, 2002


I've just added an entry on database security in Postcards from the Revolution to supplement Mike's recent security and tools entries. I also wanted to complement the enterprise architecture planning theme that he started. My entry here connects to security and tools, starting with Handbook of Information Security Management, which is an online version of the print edition that's available from Amazon.

Another resource is Security Architectures for Large-Scale Distributed Collaboratory Environments. Combined, these two documents will provide QA practitioners with ample background information for developing test strategies that include security.

We live in a connected world, so understanding network security testing is a skill that QA professionals need to add to their knowledge base. I have a network design guide in MS Word format that will get you up to speed in network technologies if you need to understand more than the bare basics. An additional resource is The Art of Network Testing, which Mike reviewed on Amazon on 16 September 2001.

More specific security issues which all IT professionals should understand include internet vulnerabilities. Architects and QA should be aware of these exposures so that designs and test strategies can proactively address them at all stages of a system's life cycle. By reverse-engineering Modeling Internet Attacks you can see what needs to be designed into a system, as well as what needs to be tested before the system is deployed. You can use the same strategy by using the materials I provided earlier today in Postcards from the Revolution about database security.

Another area that needs attention in all phases of the system life cycle is Denial of Service Attacks. The PowerPoint presentation on DoS attacks is a good starting point. There is a new twist on this type of attack, called Distributed Reflection Denial of Service, reported and documented by Steve Gibson.

Idea Generator. I'm always looking for ways to succinctly convey information. While browsing DARPA's site earlier today I came across one of the best examples, which is shown on a project summary page. The project itself was of little interest, but the way it's summarized is nicely done. What I especially like is the Quad Chart format that captures the entire project in a single visual quadrant, with the other three quadrants for new ideas, impact and schedule. It's compact, conveys an incredible amount of information and is more effective, in my opinion, than ten or fifteen PowerPoint slides. I've archived three example quad charts for three different projects. Take a look and judge for yourself.


Fair is Fair. I provided security tools in my 3 and 4 March entries in Postcards from the Revolution. I'm going to provide advanced testing tools here to even things out. These tools will be of value to performance and capacity planners, as well as members of QA teams involved in conformance testing.

Network Test Tools and Simulators. The tools listed below are free, but you will be required to fill out a request form before you can download them. The form is used for internal project justification purposes. After you complete the request form(s) you will be immediately given a link to download the tool. Also note that many of these tools are provided as source code (usually C or C++).

  • ABRtest, an implementation tool for conformance testing the ATM ABR Service Rate Control.
  • PNNItest, for Private Network-Network Interface (PNNI) Routing Interoperability Tests.
  • APROPS, a Private Network-Network Interface (PNNI) Simulator.
  • ATM/HFC Network Simulator.
  • NISTnet, which is a general-purpose tool for emulating performance dynamics in IP networks. The tool is designed to allow controlled, reproducible experiments with network performance sensitive/adaptive applications and control protocols in a simple laboratory setting.
  • Integrated Services Protocol Instrument. ISPI is an interactive, integrated tool for measuring the performance of quality of service (QoS) sensitive data streams while conducting experiments with emerging Internet resource reservation protocols and real-time network services.
  • IP Security Web Based Interoperability Tester.

Integration Tool. WebSubmit is a Web-based utility providing access to applications on a collection of heterogeneous computing resources. Its goal is to make it easy to use computing resources via the Web without requiring knowledge of the specifics of unfamiliar operating systems and dynamic application environments. Users can effectively log into distinct computing environments and perform tasks without needing a detailed knowledge of their operating environment.

End Note. Outsourced software development is a reality. I am not going to open Pandora's Box by expressing my opinions on the problems in the US software industry, but am going to share a whitepaper I found titled, Applying Software Quality Assurance to Outsourced Software Development.

Monday, March 04, 2002


I was reading through a message thread on a forum in which Mike was debating the state of our industry. Basically it's the same old story: those users have the audacity to treat us dismissively. I am not going to become embroiled in the debate, and personally think Mike is wasting his time since most of the debaters are developers who probably spend their lives doing heads-down coding.

Many of the debaters also seem to come from small company/small-to-medium client environments--the wild, wild west. The issue seems to boil down to professional standards, or the lack thereof.

There are professional standards, which Mike mentioned in some of his posts. I think the most promising professional organization is the International Council on Systems Engineering, which has technical standards committees and working groups, and international influence. They are organized and are actively promoting professionalism in their community. So it can be done. I just don't think it is going to get done by a group of independent consultants.

Interestingly, Mike mentioned in a different discussion thread that the US was being left behind because of quality and professionalism issues. Naturally there was a lot of heated push-back about that. A little research on my part yielded the following fact that deflates the naysayers' arguments: a Canadian organization called CIPS (Canadian Information Processing Society) is taking the initiative by establishing professional standards and a certification called I.S.P (Information System Professional). The CIPS mission statement is strongly worded and shows both national leadership on the part of Canada and an example of how to go about establishing professional standards and certifications:

CIPS, through the work of the Certification Council is dedicated to establishing a registered and regulated information systems profession in Canada as well as to establishing the groundwork for a fully licensed profession. The council works to determine, develop and maintain the integrity, credibility, and competence of individuals active in the IT field.

I've made a CIPS presentation available in PowerPoint format if anyone is interested in the history and a summary of objectives.

I came across four PowerPoint presentations that augment recently discussed topics here and in Postcards from the Revolution:

  1. HIPAA Readiness for those who are in the health care industry.
  2. ebXML Update.
  3. XML and E-Business.
  4. Internet Commerce: Understanding Payments, Security and Storefronts.

That last presentation has 234 slides. Good evening from Azusa, California.

Sunday, March 03, 2002


Testing ... testing .... This theme allows me to tie together assurance from my last entry here and security topics from my recent Postcards from the Revolution entries.

Statistically Speaking. Testing and quality require knowledge of statistics, and ready reference to this dry subject is a good resource to have close by. I recommend bookmarking the Engineering Statistics Handbook, which will always be available as a reference if you can connect to the web.

If you're doing statistical analysis with a spreadsheet you will soon run into limitations. You may want to obtain a copy of Dataplot, which is a free, public-domain, multi-platform (Unix, Linux, PC-DOS, Windows NT, etc.) software system for scientific visualization, statistical analysis, and non-linear modeling. The price is certainly right.

The "M" Word. Yes, it stands for Microsoft. Manisha Saboo of eRunway shared two links that will be of interest to anyone who is in a Microsoft-centric environment, either by choice or by necessity. The first link is a page devoted to Load Testing Tools for Windows DNA Solutions. The second link is to an article titled, Why Microsoft.com Believes in Testing the Web. It's a well-written article. Given the ongoing stream of patches coming from Microsoft's application and operating system folks, perhaps they can learn a lesson from their dot com brothers and sisters.

Compliance. The 28 Feb 2002 issue of LWN.net has an update of the NuSphere/MySQL issue that is the first court case to test the validity of the GPL. This is a clear signal to anyone who is developing open source software. If you are an open source developer you should check Lineo's GPL Compliance Tool.

Other Testing Resources. Data Network Penetration Testing is a short whitepaper in MS Word format that adds to the QA body of knowledge by providing guidance for conducting penetration tests.

Testing Software Product Lines is just what the title implies. Software Test Performance Benchmarking in MS Word format is an interesting whitepaper that will provide ideas about test process improvement.

I'm including A Risk Driven View of Electronic Contracting because I forgot to add it when I wrote my previous entry. This document can be used as an assurance tool for electronic contract transactions.

End Note. If you're looking for test tools and artifacts try QA Downloads which is an excellent repository for QA professionals.

Saturday, March 02, 2002


Components. If you're involved in component-based software development, Robert Fichman's paper titled Activity Based Management of Component-based Software Development is a well thought-out approach that provides a lot of insight. You can also download the paper in PDF format for off-line reading. You'll also want the accompanying tables if you download the base document.

Software Metrics. Robert Fetcke has a comprehensive list of software metrics sites that you'll want to bookmark. On the topic of metrics, version 4.1 of COSMOS, a software cost estimating tool from Oak Ridge ETSU Design Studio Group is a free tool that is both sophisticated and a step forward for project managers and estimators. I've been using this tool since it was first released in the mid-90s as SEAT.

Assurance. In my last entry in Postcards from the Revolution I discussed security standards, with a focus on international standards. One such standard is Common Criteria, discussed in previous entries. The Common Criteria is a security standard for assurance, which fits within the theme of this weblog. One specific article that is interesting is Banking Industry View of Common Criteria. If you work with the banking industry and are involved in either security or SQA this article is essential reading.

Risk and quality go together. You risk much if you take shortcuts to quality. An MS Word document titled, Can Quality Management Systems Improve Your Software Development and Business Performance? explores one half of the risk-quality relationship. A whitepaper titled Software Risk Management explores the other half. Additional papers can be found on the NIST Software Quality Group page.

End Notes. On 11 June 2001 I wrote a book review of Configuration Management for Software by Stephen B. Compton, Guy R. Conner and Joan R. Callahan. The book was out-of-print when I wrote the review, but because Amazon sells used books I thought the effort to write the review was worthwhile. I've read numerous books on the subject and this was the best one among them. I was recently contacted by one of the authors, Joan R. Callahan, who mentioned that a revised edition was being considered. If you have ideas and opinions about SCM, or want to voice your support and encouragement, please send Ms. Callahan your comments. I, for one, would love to see the book back in print.

Friday, March 01, 2002