TEAM Zarate Tarrani Notes From the Field

Arcady Novosyolov's risk theory web site is an excellent resource for those of us who need to brush up on probability as well as for advanced risk management practitioners in a number of professional disciplines. The focus of the site is financial risk management, but the content is applicable to risk management in general. Among the highlights are: basics and an introduction to risk theory (including lectures), a comprenehsive glossary of terms that also contain formulae, a handbook of distributions and links to other risk management resources.

The following books are my favorites on the software risk management: Managing Risk: Methods for Software Systems Development, Software Engineering Risk Management and Risk Management Processes for Software Engineering Models. If you're looking for an introductory book on project risk I recommend Project & Program Risk Management: A Guide to Managing Project Risks and Opportunities, which covers the basics well.

Harshal Laddha who is a good friend at Thinking Minds's India office shared another outstanding resource: Sridhar Iyer's IIT web page Mr. Iyer is an Assistant Professor at the School of Information Technology, Indian Institute of Technology. His page contains a wealth of information for anyone who works with network technologies.

The presentations, tutorials and papers on this page span wireless and fixed networking technologies, with an emphasis on WAP, M-Commerce and mobile computing. There are also presentations and papers on internet technologies, including tutorials on TCP/IP, routing, network security and other topics. You'll have to dig through the material carefully because some of the links lead to other topic areas that point to yet more material. I spent an hour going through the page and associated links and was thoroughly impressed with the quality of information and the large number of valuable resources.

Manisha Saboo of eRUNWAY contributed a number of resources to share:

1. Software Test and QA resources
   • Software QA and Testing Resource Center - Everything from basic definition and articles on how to test Web applications to comprehensive lists of Web tools to links to other informative sites.
   • Cem Kaner's page - Mr. Kaner is unique in that he's an attorney and a software quality professional. He's also the author of Testing Computer Software, Bad Software: What to Do When Software Fails and a new book published in December 2001, Lessons Learned in Software Testing.
   • Testing Craft Wiki Forum Where Software Testers Share Techniques, and the associated mailing list.
2. Requirement Management in Testing, which is an 8-page PDF document that addresses an important topic for QA professionals.

I'd like to add to Manisha's impressive list a site devoted to GUI and UI testing.

Another topic that is worthy of discussion is software measurement. I recently wrote about resources available from Data & Analysis Center for Software (see my 30 January entry) and want to highlight measurement-related information that is also available, starting with their collection of Software Measurement Literature and a list of related sites. You'll also want to explore the official website of ISO/IEC JTC1/SC7, which is the ISO committee responsible for developing ISO standards in the area of Software and System Engineering. Data & Analysis Center for Software also maintains a page devoted to Cost Estimation. Project managers and SQA professionals will find a wealth of material in the Insight Newsletter, which is the Army's Software Metrics Newsletter and one of the best sources of software measurement information.

At the risk of drifting too far off topic I want to share an online book by Martin Fowler titled Information System Architecture. Mr. Fowler is one of my favorite authors with a number of books on patterns, Extreme Programming and UML to his credit. If you're a design patterns advocate his online book will not disappoint.

Please note that this weblog only tells half of the story. If you want the full picture of our thoughts and information we have to share I encourage you to also read Postcards from the Revolution. We use that weblog to balance the technical entries here with the realities of how technology applies to IT and the business.

You need only to follow the trade press and e-mail newsgrams to know that security is a top concern these days. This is especially true if you're in healthcare because of the law mandating compliance with HIPAA. My most recent experience in security was on a project in Kuwait. One aspect of that project, for Kuwait National Petroleum Company from December 2000-May 2001, was specifying an enterprise security infrastructure as a part of the company's strategic plan. I spent the better part of today revisiting this topic and thought I'd share some of my notes and research.

A logical starting point is a presentation titled LDAP and Security for two reasons: (1) directory services such as LDAP (lightweight directory access protocol) are key to an enterprise-wide security infrastructure, and (2) this presentation is a good introduction to LDAP. A more technical presentation is Simplified Management of Hosted Services through LDAP in which the power and utility of LDAP becomes apparent. Drilling down into more technical aspects, The LDAP Protocol presentation explains the protocol itself.

If you're serious about implementing LDAP you should be aware of the open source version and a free LDAP Browser. Moreover, if you're using Java to develop your infrastructure or associated services, then the LDAP and Java Naming Services presentation will spark ideas.

LDAP in and of itself can quickly become a hairball unless you design your services intelligently. The key is to understand role-based access controls (RBAC), which in turn requires an understanding of set theory. The best resource for RBAC is the National Institute of Standards and Technology RBAC page. You'll find a plethora of tools, papers and other artifacts, including the Draft RBAC Standard. Another excellent source of information is at George Mason University's Laboratory for Information Security Technology.

Still on the topic of enterprise architectures, a technology worth exploring is JXTA. This is a set of open, generalized peer-to-peer protocols that allow any connected device (cell phone, to PDA, PC to server) on the network to communicate and collaborate. The home of Project JXTA has all of the resources you need to evaluate and/or employ this technology. JXTA, by the way, is short for Juxtapose, as in side by side. It is a recognition that peer to peer is a juxtaposition to client server or Web based computing

Digging deeper into issues we always bump into QA. Issues in Testing Java Applets and a related source, Automating the Java build and test process address some aspects of Java QA. Another interesting resource is JUnit, which is a regression testing framework written by Erich Gamma and Kent Beck. Also take the time to visit IT Toolbox's Java page for a wealth of resources.

A surprising find is a site I just discovered called Quality Assurance & Software Testing Downloads. I thought I knew where every test and QA site on the web was until I found this gem. Although I haven't fully explored it, the content and downloads I did look at seemed to be high quality stuff. Before leaving the topic of QA and testing I'd be remiss if I didn't mention XPractices, which is a page devoted to extreme programming practices. There is a lot of test material here that any XP practitioner, development manager or QA professional will find useful.

I'll come full circle back to enterprise architectures in general and end this entry with a recommended whitepaper titled Web Services, Business Objects and Component Models by Philippe Mougin & Christophe Barriolade of Orchestra Networks.

Harshal Laddha of Thinking Minds shared an interesting resource titled Java Technology for Business Intelligence.

On the topic of business-enabling technologies, there are two publications that are worth reading if you're an architect:

1. XML: The Time is Now, which is a GartnerGroup presentation that makes a compelling business case for XML. This document is slanted towards healthcare and HIPAA, but is generic enough to be applied to any enterprise architecture initiative.
2. Progress Report: HR-XML Implementations describes the progress to date by the HR-XML Consortium on schemas and DTDs supporting human resources. This consortium is an independent, non-profit organization dedicated to the development and promotion of standardized XML vocabularies for human resources.

Regardless of your technical environment, there is no doubt that XML is an important component of enterprise architectures. Information about and links to XML resources can be found on the DACS XML page. DACS also maintains a Java page that points to the top Java resources on the web. Who/what is DACS? It's the Data & Analysis Center for Software. which is a DoD software information clearinghouse. DACS also publishes Software Tech News, which is an outstanding software engineering publication that has an emphasis on QA and SQA.

Manisha Saboo of eRUNWAY is a friend with whom I exchange technical ideas and discuss various SQA topics. She recently asked me if I had any ready references on organizational communications plans. I fear that my response may have been overwhelming. I rapidly sent off three e-mails with large attachments that would have taken a team a week to sort through. I tend to do that sometimes.

A bit of digging in my usual haunts yielded resources that are focused on what Manisha wanted:

• When I'm looking for software engineering processes the first place I go is SPARWAR's Systems Engineering Process Office (SEPO) Process Asset Library. This site has an overwhelming array of artifacts, including process documents, presentations, guidelines and procedures. Within a few minutes I found the following procedures: Software Process Improvement Tracking and Oversight and Software Quality Assurance, both of which were in MS Word format. I also found a PowerPoint presentation on the Integrated Product Team Process.
• The Software Technology and Support Center (home of CrossTalk Magazine) had a Word document titled Process Tailoring for Software Project Plans that fits within organizational communications plans. The site has a library of documents that anyone serious about software engineering process improvement should bookmark.
• Concurrent Engineering and Software Development (PowerPoint format) ties integrated teams and software engineering together.
• Strategic marketing and integrated product and process management is an interesting presentation on the integration of technical teams and business strategies. This type of material should be more widely read among the technical folks because marketing generates the revenue. It goes without saying that without revenue we would not get paychecks.
• An Assurance Framework: Can Process Replace Evaluation? doesn't completely fit the theme of this entry, but I found it to be interesting. I included it because it addresses aspects of organizational communications plans.
• I also included The CMM Integration Project presentation because it directly supports organizational communications. Indeed, CMMI requires a coherent organizational communications plan.

In my recent travels over and across the web in search of information on particular topics I found a few sites that exemplify what one can do with a personal web page. None of these sites are flashy, corporate entities - they are simple, filled with amazing content, and are an obvious labor of love. Here are the ones that most impressed me:

• DevelopSense, which is run by Michael Bolton and Nichola Lenehan is distinguished by a wealth of Testing & QA Resources and some exceptionally well-written Software engineering essays.
• Thomas B. Cox's page is an Oracle DBA's dream come true. Among the resources that set this site apart are: DBA Maturity Model and a large number of papers on backup and recovery, DBA checklist and more. If you're a DBA you'll love the site.
• Luigi Buglione's page has a cache of quality-related content in the Publications and presentations sections. Many of the documents and presentations are in Italian, but many are in English. An interesting feature is the page devoted to QEST & LIME models. QEST stands for Quality factor + Economic, Social and Technical dimensions, and LIME stands for LIfecycle MEasurement. If you've been following my references to ETVX you can also download a PDF document on the ETVX process model from this site.

A more mainstream site that security professionals will want to visit is the CISSP Open Study Guides web site. If you're pursuing Certified Information Systems Security Professional (CISSP) certification you'll want to visit this page. Of course, you'll also want to spend time on the International Information Systems Security Certification Consortium (ISC²) site for the latest news about the certification and requirements.

The joys of weblogs and the perils of free hosting. Within hours of Linda's last post Geocities lost her entire web page. Fortunately I had her site backed-up and was able to move her to her new home. I also corrected the URLs in her last post to reflect new page locations and have updated links on my list of sites and a few other locations.

Moral: A fool and his [her] data are soon parted. Fortunately we back-up after every change, and migrate those back-ups to CD ROM. If you're not doing the same thing ask yourself how long it would take to recover from a complete loss of all files and content on your personal page. Sobering, isn't it?

Linda's last entries are a tough act to follow. I have a few loose ends to tie:

• Sprint's presentation (PowerPoint format) on implementing TINA-C (Telecommunications Information Networking Architecture Consortium) is an approach that has promise as a customer/vendor process standard in the Managed Service Provider (MSP) world. If you are interested and want more information visit the TINA-C site. Another source of information that serves as a model for MSP is the Telemanagement Forum. This international organization has a number of projects and standards that can be adapted to the MSP domain with minimal effort. I have a collection of key Telemanagement Forum documents on one of my older sites in the Tools & Documents section - see Telecommunications on the page. Finally, if you are interested in processes and standards for MSPs (and ISPs), perhaps the TL 9000 standard that is sponsored by QuEST Forum (Quality Excellence for Suppliers of Telecommunications) is a good starting point. I reviewed a book on the topic titled TL9000: A Guide to Measuring Excellence in Telecommunications - my comments in the review will reveal the possibilities.
• On the topic of MSPs, check HostingTech's articles on the legal issues associated with hosting from vendor and customer viewpoints.
• There is an excellent article on disaster recovery that applies to service providers and in-house data centers.
• Although software configuration management does not fit the theme of this entry, I do want to share an excellent web page on software configuration management and the associated SCM PowerPoint presentation.

Goodnight from Tustin, California.