Monday, 8 May 2017

REST Web Service API Guidelines

in API, guidelines, REST, SOA, Web service

When building web services, one of the primary benefits of using REST over SOAP is the intuitive nature of service interfaces. However, this simplicity of interface can very easily be eroded. Below are some suggested (and hence flame proof) guidelines that could be followed to ensure continued interface simplicity: Resource-Oriented REST is resource-oriented, not service-oriented. Resources...

The Importance Of Simplicity

in software development

I remember way back when, a number of colleagues engrossed in the latest Obfuscated C++ challenge, an exercise in making code so concise, so cryptic, that even the hardened coder paled. This always struck me as an odd thing to want to do. Why make things more complicated than they have to be? Are code simplicity and readability not the important thing? After all, software only...

Generalising Specialists

in architecture, software development

There is this rumour going around that good architects need to write (production) code. I think the term was coined by Scott Ambler of agilemodeling.com, or was it ThoughtWorks? Anyway, I don't care, because I disagree, quite a lot. See, I did write code, a lot of it. I was good at it, and I still like to write code for my own pleasure, but my current, full-time role...

Black Ops Projects

in portfolio management, process, project management, software development

I think good project portfolio management is an essential discipline for software development. You have to know what you want to do, why you want to do it (in terms of measurable benefits), how much it is likely to cost, know who will do it, know when it will be done, how much it ended up costing, and how much benefit actually was realised. Then you have a defined pipeline of work, and software...

Illusory Comforts

in leadership, process, software

I like process. I appreciate that this is probably because it's in my nature to like order and predictability, but good process adds value, can often be automated, and frees up developers to do what they do best: create excellent software. Bad process on the other hand is a killer. It's a killer because it slows everything down. It's a killer because it doesn't work, and is often bureaucratic. But...

Correctly Assessing Security Risk

in owasp, risk, security

I found a security issue some time back, the logging of a long-lived security session token. This token enabled me to access an internal client data service which only checked the validity of the token, not its right to perform the operation on the data I was accessing. We had two types of tokens, managed by the same session token management service, one for clients (the type of token...

Uniform Service Authentication and Authorisation

in authentication, authorisation, oauth, openam, PKI, SAML, security, Service

The problem with using short-lived access tokens to enable authentication and authorisation of service requests, is that they only really work for synchronous interactions which themselves are short-lived. Access tokens in, potentially long-lived, asynchronous messages run the risk of expiring. An...

I Hate Documentation!

in development, documentation, software

For a software architect, and someone who tinkers with words, this is perhaps an odd thing to say, but it is true: I hate documentation. I hate it because it is laborious, very often serves no purpose other than to have been produced, and rapidly gets out of date. I have followed methodologies where every model under the sun is produced, code is generated, and round-trip engineering is attempted....

Evil Session Tokens

in oauth, openam, security

So we build a new web application, SIMPLES.COM. Clients login, over HTTPS of course, and a session token is issued. Since we don't want the client to have to log in frequently, we give the token a long lifetime, or at least a way of using it to get a new one. The application will have to persist the token on the browser, so cookies are used. We consider using browser local storage,...

Application Security Function

in organisation, security

Application Security is the software development concern of proactively ensuring that the applications being built, and integrated with, are secure. This will require that application security becomes a standard focus for all software development teams, along with delivery, architecture, and quality assurance. I suggest that this needs to be achieved through: Education Everybody (including...

SOA Probe

Reflections on Service-oriented Architecture