TEAM Zarate Tarrani Notes From the Field

More About Architecture. As a follow-on to my previous entry I have additional documents that are of interest:

• A short PowerPoint presentation on using the Software Architecture Analysis Method as a simple, scenario-based review technique, and a related, 80-page PDF document titled Software Design Reviews Using Software Architecture Analysis Method: A Case Study.
• 5-page PDF document titled Economic Modeling of Software Architectures
• 17-page PDF presentation titled Evaluating the Performance of Software Architectures
• 8-page PDF document titled Assessing Optimal Software Architecture Maintainability
• 28-page PDF document titled Analyzing Software Architectures for Modifiability

On Architecture. A new book that adds to the software architecture body of knowledge is Evaluating Software Architectures: Methods and Case Studies by Paul Clements, Rick Kazman and Mark Klein.

The authors provide an in-depth treatment of three methods for evaluating software architectures, all of which were developed at the Software Engineering Institute with involvement by the authors. The methods examined are:

1. ATAM (Architecture Tradeoff Analysis Method)
2. SAAM (Software Architecture Analysis Method)
3. ARID (Active Reviews for Intermediate Designs)

Each of the above address software evaluations in increasing levels of detail, with the book's main emphasis on ATAM.

What makes this book so valuable is the fact that you can learn much about developing software architectures from the criteria with which they are evaluated. For example, the discussion on quality attributes is eye-opening because what architects consider to be well formed quality attributes are usually too vague to properly evaluate, resulting in ill defined architectures in the first place. Knowing how to evaluate the architecture will provide the keys for defining a solid architecture. More important is the way the authors define the outputs of the architecture evaluation, which gives the practicing architect a framework for design that fully meets the evaluation criteria. The net result is that a defined architecture will unambiguously communicate the design to the development team, as well as to the QA team.

I especially like the business oriented approach that addresses the costs and benefits of evaluation, the three approaches from which to choose that best meets technical and business goals, and the case studies that support each of the approaches. Another strong point about this book is architecture is also evaluated with production in mind. Too many books only consider architecture from the development point of view, or in rare cases, from development and QA points of view. The evaluation techniques in this book extend to support and maintenance. The authors make selection of the best technique easy by comparing them in Chapter 9, and provide an approach to implement evaluations in Chapter 10.

If you're an architect I also recommend augmenting the excellent material in this book with Design and Use of Software Architectures by Jan Bosch , which gives an alternate method to ATAM that is more complete in many respects. Even if you espouse Bosch's approach, however, the approach and techniques given in Evaluating Software Architectures: Methods and Case Studies are complementary. I personally recommend both books and assign equal value to them.

Additional Resources:

• SEI's ATAM page
• SEI's SAAM page
• SEI's ARID page
• Jan Bosch's page (see articles and book page for additional documents and information about Design and Use of Software Architectures.)

Are We Winning Yet? Mark Twain once quipped, I refused to attend his funeral. But I wrote a very nice letter explaining that I approved of it. I refuse to use Hailstorm, but I certainly approve of the following news article: MS pulls the plugs on Hailstorm, pending rethink.

The demise of Hailstorm (however temporary while they're engaged in rethinking in Redmond) caused me to do some thinking about e-commerce risks. The fruits of my research into some of the top issues yielded the following documents:

• Electronic Systems Assurance and Control Model (eSAC)
• Electronic Commerce Risks and Controls
• eBusiness Risks and Controls

The PowerPoint presentation titled Business Process Data Activity Analysis is related to risks and controls, and to the process thread that Mike and Linda are maintaining in this weblog.

More on Metrics, Processes and Systems Integration. This entry will cover a range of topics, with an emphasis on metrics. One of the most important books on IT metrics was just published: IT Measurement: Practical Advice from the Experts. This book is a panoramic view of metrics across the enterprise. Although the book is written by members of the International Function Point Users Group it goes well beyond software estimating. It encompasses measurement techniques that are consistent with function points, but are also useful when applied to other methods.

As expected, the book starts with a discussion of function points, its evolution as a methodology, and how it has evolved as a means of measuring a full spectrum of attributes, such as quality, productivity, time and effort. In addition to generic attribute metrics this book shows how function points can be applied to earned value project management, developing a balanced scorecard that views the enterprise holisitcally, business and e-commerce metrics and evaluations and benchmarking.

Parts that I especially like include:

• The complete data collection, analysis and action process that is embodied in the book. This can be used in any setting, such as the Constructive Cost Model (CoCoMo), as well as FP.
• IT work units, which are applicable to production services and support. This dispells the notion that function points are only useful for software estimating. This is also augmented by a later section in the book that addresses IT and business measures that is sure to change the way you approach measuring the overall value of IT.
• Demonstrated use of function points as a viable project estimating technique that extends to projects other than software development.
• Clearly written explanation of statistical process controls.

I've only highlighted the parts of the book in which I have personal and professional interests. The book contains much more material that covers the entire spectrum of enterprise metrics, including case studies and reflecting the views of each individual author who contributed chapter(s). In my opinion this book is, and will remain for years to come, one of the most important texts on IT measurement. Time will tell, of course, but I can assure you that it's the best book on the subject that is currently available.

Traffic Engineering. Network traffic engineering is a science that can be applied to not only circuit capacity, but any activity or process where queuing is involved. This includes help desk staffing and similar uses. The basics are explained in Traffic Engineering, which is an outstanding 29-page overview that starts gently and goes into the details. If you are currently struggling with capacity planning for Voice over IP, the VOIP calculator, which is an Excel application, will help you arrive at capacity plans that are traced to quantitative analysis instead of the usual method (throwing money at the problem). You'll also want to read our previous entries that cover capacity planning, as well as the PowerPoint presentation about measurement capability.

Processes. Much of what I cover in this weblog is about software engineering. The MS Word document titled Integrating Iterative Processes examines life cycle approaches and is something every architect, project management and software engineer will find interesting.

Systems Integration. If you are faced with an enterprise integration project you'll undoubtably be using XML (if not now, you can be sure that you will be in the future). Connecting E-Commerce to XML is a good starting point for understanding the issues.

An excellent book on the topic is XML, Web Services, and the Data Revolution. In many respects this book extends David Linthicum's B2B Application Integration by focusing solely on the data aspects, and explaining the web services approach that has matured after Mr. Linthicum's book was published.

This book defines the tools, cuts through the hype and sorts out the pieces needed to design and deploy enterprise-wide solutions. What makes it particularly valuable is that it doesn't side with the two major factions espousing web services - the Microsoft .NET and Sun-sponsored J2EE approaches are presented without bias (refreshing in itself considering the hype and industry posturing). The same objective treatment of approaches by IBM, BEA, HP Oracle is given, which ensures that you have ample insights into the available approaches to developing web services. Of course, SOAP, the XML-family of protocols, and UDDI are also covered in depth using clear writing and excellent illustrations.

What I particularly like about this book are:

• The way Chapter 1, Extending the Enterprise, presents a coherent picture of the complexities of web services and enterprise integration. This is done in less than 30 pages and packs an amazing amount of information into those pages.
• Chapters 3 (XML in Practice), 4 (SOAP) and 5 (Web Services) drill down into the guts and sort out the complexities - especially the discussion of web services, which doesn't [yet] seem to have a standard definition.
• Chapter 7's discussion of XML security, which is a nice and needed touch that rounds out the information provided in the book.

You won't find specific development information in this book, and that makes it more valuable in my opinion. If that is what you're seeking there are other books that address that topic. I do believe that Linthicum's B2B Application Integration and William L. Oellermann's Architecting Web Services will complement this book - Linthicum's for the big picture (especially for legacy system integration) and Oellermann's for the process-oriented approach. I strongly recommend this book to anyone who is involved in architecture, specifications or development.

Problems in Paradise. Although it should come as no surprise to anyone who is involved in security, A trio of MS-Office security vulnerabilities have been reported. What would be a surprise is if we could go an entire week without a reported security flaw in Microsoft products.

Did Microsoft acquire Yahoo while nobody was looking? Yahoo apparently wants to compete with Microsoft through the use of a mechanism called a Web Beacon. This piece of code will track your activities long after you've departed Yahoo sites and services. See their explanation (at least they've disclosed the existence of web beacons). Also note that about halfway down the page in the body text there is a way to opt out (see Please click here to opt-out.). If you don't want to be stalked you may want to do just that. Just don't click the button marked Cancel Opt-Out at the bottom of the window, else you'll be back where you started: stalked.

Capstone. In my previous two entries I discussed performance, capacity and scalability. I want to end this thread (for now) with three documents that are related, and also cross into QA:

1. System Engineering Metrics Primer
2. Software and System Metrics
3. Software Reliability Tutorial

Want more? Not to worry - these topics are among the foremost in my professional interest and you'll see much more on these topics as time goes on. You may want to read earlier entries here and in Postcards from the Revolution for related material that I've already posted.

Performance Processes. In my last entry I discussed a number of performance and capacity planning books that I especially like. I covered the established books from the most prolific and known book authors. There is another book by Connie U. Smith and Lloyd Williams that is one of the most important recent works to emerge: Performance Solutions: A Practical Guide to Creating Responsive, Scalable Software. The books I cited in my previous entry were focused on techniques, while this one is about process. Moreover, while Jain, Menasce and Almeida are prolific book authors, Connie U. Smith and Lloyd Williams are also prolific writers who have made an impressive contribution to the body of knowledge in the way of whitepapers, journal articles and seminars.

I've collected a number of documents by these lesser known, but equally important, practitioners and wish to share them:

• Business Case for Software Performance Engineering
• Information Requirements for Software Performance Engineering
• Performance and Scalability for Distributed Software
• Building Responsive and Scalable Web Applications
• Tutorial: Designing High Performance Distributed Applications
• Performance Assessment of Software Architectures
• Software Performance Anti-Patterns
• Performance Modeling Interchange Format
• Performance Evaluation of Software Architectures

The above are but a sampling of the work that Smith and Williams have published, but the sampling captures their approach and adds wrinkles to the foundation of knowledge published by Jain, Menasce and Almeida in books. More important, what Smith and Williams bring to the practice area is process. If you are interested in performance, capacity and scalability, then you should read Performance Solutions: A Practical Guide to Creating Responsive, Scalable Software.

Performance & Scalability. I've been corresponding with Greg Barish, the author of Building Scalable and High-Performance Java Web Applications Using J2EE Technology (see my 4 April and Linda's 3 April reviews on Amazon), and have the highest regard for that book. I won't bore you with my entire review, but do want to highlight what I like about it:

[W]hile the performance and scalability techniques presented in this book don't approach those embodied in books by Daniel A. Menasce and Virgilio A. F. Almeida, or Raj Jain, they are more than sufficient for software engineers and architects ... The value of this book is that it does make scalability and performance techniques accessible to most developers, even those who are math-challenged (and there are quite a few of them out there)...

Who are Menasce, Almeida and Jain? They are among the foremost experts on capacity planning and performance/scalability. Raj Jain is probably the father of performance analysis. His seminal The Art of Computer Systems Performance Analysis Techniques for Experimental Design, Measurement, Simulation, and Modeling is one of the most comprehensive books on the subject. It's also not easy to read unless you have up-to-date math skills. I use MathCad to work through examples in this and other books, making learning much easier. Mr. Jain also coauthored Practical Performance Analyst with Neil J. Gunther - I have this book, but got it in the same timeframe that I discovered the body of work by Daniel A. Menasce and Virgilio A. F. Almeida. These two writers have taken the foundation laid by Raj Jain and have built upon it through a series of excellent books. While their work does not supersede Jain's first book, it does keep it alive in spirit and currency. The books they published, in chronological order, are:

• Capacity Planning and Performance Modeling: From Mainframes to Client-Server Systems (still valuable despite its age)
• Capacity Planning for Web Performance: Metrics, Models, and Methods (I frequently refer to this one)
• Scaling for E-Business: Technologies, Models, Performance, and Capacity Planning (my favorite among their books to date)
• Capacity Planning for Web Services: Metrics, Models, and Methods (their latest work and topical given the activity in web services)

There are valuable spreadsheets and other material on the Scaling for E-Business website, as well as supporting materials for the other books by Menasce and Almeida.

Waxing Poetic. Competitive intelligence is all about following news stroies and piecing together trends, moves and counter-moves. To quote from Edna St. Vincent Millay's First Fig:

My candle burns at both ends;
It will not last the night;
But, ah, my foes, and oh, my friends;
It gives a lovely light

Indeed, there are movements afoot and intrigue in the industry:

• Special report titled, Liunx in the Limelight shows the growing popularity of Linux, which is [in my opinion] fueled by the ongoing security issues with MS products
• Apple and Linux in pincer movement on PC market?. Apple? The worm turns (yes, that was a pun of sorts).
• In Windows to Linux Application Migration we find an exit strategy and means to break the bonds of mediocrity.

The point of this is not only the news itself, but the fact that competitive intelligence is useful to all of us.

Late entry by Mike Tarrani - there is lag between the time these entries are written, and when one of us reviews and releases them. This is one case in which I have an additional item to add to what Kate has reported above.

I'll keep this editorial remark in the same spirit as Kate's report by quoting from Edna St. Vincent Millay's Second Fig, which is unerringly appropriate:

Safe upon the solid rock the ugly houses stand
Come and see my shining palace built upon the sand

Yes, the security and reliability traits of certain products do appear to be palaces built upon the less-than-solid foundation of sand. The special report titled, IBM's Return to Dominance shows that systems built upon the solid foundation of reliability, availability and supportability - and security - bodes well for consumers.

In my 5 April entry I promised to give a more in-depth review of Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw.

What makes this book so important is that the authors provide an analysis of the major problems with all software, and give a collection of techniques with which to address the recurring problems, such as buffer overflows, access control exposures, randomness flaws and other security-related defects. They do not attempt to provide specific solutions. Instead they raise an awareness of the common problems, discuss the underlying causes, and give a framework with which developers can use as the basis for developing secure software.

Key points of this book that I found especially useful include:

• Even treatment of commercial and open source software. I found this refreshing because there are two camps, Microsoft developers and open source advocates, each of which criticize the other. Yes, Microsoft has a bad reputation for security, but the open source faction has its own challenges, and the authors show the strengths and weaknesses of each in an objective manner.
• Surprises, such as documented cases of peer reviews that failed. I am an advocate of this technique, yet a case where a flawed, two-line piece of code that was extensively reviewed by literally thousands of reviewers and readers of a technical publication slipped by without notice for a long time.
• The ten guiding principles for software security encapsulate the essence of building secure software. This list and the discussion of each principle should be required reading for every architect, developed and QA engineer.
Chapter 1 (Introduction to Software Security) and Chapter 6 (Auditing Software) give a framework for security and a methodical approach to quality assurance. These, in my opinion, are the heart of the book.

In addition to software security from a developer's point of view, this book also addresses other areas that need to be closely examined in order to achieve a solid security posture. In particular I liked Chapter 14, which covers database security, especially the treatment of statistical attacks. If you're a DBA this alone will make the book worth buying because despite the most careful design of views and access controls you may still be vulnerable in surprising ways. The chapters on Client-side security and firewall issues are also filled with excellent information, as is Appendix A (Cryptography Basics).

The authors have imparted the sum of their extensive experience in this book. It's up to you to take that experience and apply it. The book's accompanying website adds further value.