Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
I have long been of the opinion that the time and resources it would take to write a piece of malicious software, of whatever type, could better be spent on other things. However, as a developer I am constantly worried about the possible security flaws in systems I work on.
Of course I know about validating input, I understand fully how code and sql injection can work and obsessively sanitise against these risks. Also, whenever I am able, I bone up on new security risks with whatever resources are to hand (e.g. articles, whitepapers, presentations etc.) but I often feel I'm missing the point, maybe because most of my knowledge could well be classed as "new-fangled" (C#, MSSQL, PHP, some Python, a smattering of Ruby): the oldest language I know is Classic ASP.
Sometimes when I read about things like Cross Site Scripting and URL hijacking I read the articles upon which they are based but I feel like I'm not following 100%.
What are the best resources you know to get to grips with security concerns and really understand how they work? Could be anything, books, websites, other types of resource. I know I don't know enough about these issues so where could I go to learn more?
http://www.owasp.org/
Well, you could start with a recent post from Jeff:
Top 25 Most Dangerous Programming Mistakes and work your way forward from there.
Try James Whittaker's How to break software security
One Monkey,
The fact that you are asking the question means you are well on your way. The real issue is that so many don't ask, are not worried as you are.
One thing I would modify is change the thought that you know some security issues fully. There are some really devious little jerk-offs out there. I am of the opinion you are better off assuming they are smarter than you and so bolt things down as tight as possible. I find it is a better mindset.
Two resources you should look at:
XSS Cheat Sheet
A good example of SQL Injection
I must admit to being somewhat surprised at the lukewarm response to this query. Does this mean:
a) everyone else knew about OWASP and I'm way behind the curve?
b) everyone else is confident enough in the security of their code to not need a little help staying up to date?
c) no one else cares?
d) other?
I have found the reference to OWASP most helpful, so far I'm about to install some of their project software to see how it works, once I feel that I'm better off security wise for having a look at their site I'm marking that answer as accepted, unless something better comes in in the meanwhile.
http://www.securityfocus.com/ and the categorised mailing lists.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
So, I'm almost 100% self taught in programming (save for a course in C after I had already taught myself C). This means that to keep myself programming, I have to be constantly finding materials (i.e. tutorials) on the web (I'm poor). Unfortunately, I've found myself stuck in a sort of limbo, where I understand the basics of programming (in theory, I'm able to grab a new language and get comfortable enough to solve a few Project Euler problems, as is evident by my time spent here) but I'm not able to get any deeper than that, like GUI programming or web interfacing.
I don't know if it's just me, but there seems to be a sort of great divide in terms of the level of difficulty in the tutorials on the internet. All I can find fall under either Maddeningly Easy or Maddeningly Difficult. Are there no intermediate tutorials out there? The kind that say, okay, you've seen this before, here's some code but we'll explain what's happening. But I digress.
Given my lack of ability to breach the practicality gap in terms of programming, I find myself stagnating. I can only teach myself the first six Project Euler problems in so many languages. I need to find something, some sort of project, before my spark dies out. I'm worried about it. I know this is such a broad question, but... can anyone help me out? Point me in some sort of direction?
You need to start making things. You can start out small, but find a project that you can contribute to or that you want to work on yourself.
If you can't think of anything "useful" to make, then start writing simple games: a tetris clone, a top-down shooter, something like that. It doesn't have to have AAA graphics but even a simple game like tetris will teach a lot about the more complex structure of a program, user interface, and that sort of thing. But at the same time there's nothing so complicated than you'll get completely stuck.
Passion is not something that will die out that easily. There are tons of local user groups/developer groups that you can join to learn from them (most of them are free) To get to some of what you defined as intermediate problem, getting a job is definitely the best solution. You could work on Dave Thomas's coding kata. For difficult ones, you can do some facebook puzzles (they get real hard at the second level and up, easily take hours to days to solve)
A couple of suggestions which I might offer, as they have worked for me in the past, when in the same situation:
1) Get involved in an Open Source Project.
One of the best ways to learn programming is to read/review/refactor code created by other programmers. You learn new tricks, as well as good style guides for formatting your code in later work, and start building a good understanding of a pile of packages which you can roll together to create solutions down the track.
2) (If you aren't already) Get a Job as a Programmer.
The single greatest kind of learning experience I have had when it comes to programming is when I need to extend my skillset to solve a particular problem. Being put in a role where you are given a problem, which, when you start, is beyond your skills and then creating a solution using experimentation, sourcing existing solutions online, referring to documentation, asking a learned colleague, etc. is great. It is almost like a trade apprenticeship - you learn as you go and sooner or later you can handle 95% of the solutions autonomously.
One thing I have seen said time and time again on various blogs and forums is that trying to be highly skilled in a wide range of languages is an almost impossible challenge - it is better to pick one (or maybe two) and then practice, practice, practice to develop it's associated skillset to a great degree.
Perhaps you should start working on REAL WORLD projects for either friends or family.
This will give you positive feedback for your efforts and a sense of "acheivement" when the job is finished.
Great programming theory is all very good, but without introducing some kind of "reward cycle" I can understand how frustrated you could become.
You need to start and finish a project that's a large enough to force you to learn different things, but small enough to actually finish. Here are some ideas:
Jabber client
RSS reader
Twitter client
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
What, in your opinion (although I would highly appreciate articles / books on related issues), should be the the level of the programmers knowledge of the domain?
(This related question didn't quite answer my question / had a reference to something I can use)
If programmers were domain experts, they would not be programmers. :-)
For example, I do a lot of software development for archaeologists. If I knew as much about archaeology as the users I work for, I would be digging and surveying in the field rather than programming. Which makes no sense.
Having said this, I think that programmers need to be knowledgeable about the domain, and as much as possible, but without losing track of priorities.
If you need domain expertise, bring a domain expert into the team.
Yes and no.
As Kyle pointed out, programmers are often changing domains on every project and this pretty much precludes you becoming an "expert" in any given domain. On the other hand, you need to understand the problem well enough to a) craft a solution, and b) test that it actually solves the problem at hand.
One reason for not claiming domain knowledge is so that your customers are forced to take ownership of this part of the project. The best way I have fouond of forcing them is to require a clear overall description of the project (no more than a couple pages long) plus a ton of User Stories ... written by the users. You can lead them through the process of how to write US's, but they will not truly own the end solution unless they were intimately involved in creating it.
Having US's and using them both for design and testing puts project ownership where it ultimately belongs -- in the hands of the users of the system.
As a consultant I am constantly (every 6 to 12 months) changing domains. Though I can never proclaim to be a true expert by the time I finish a project, the more domain knowledge I acquire, the more value I can add the project.
If you don't understand the problem domain, you shouldn't be coding a solution.
You don't have to be an expert, but you cannot be ignorant of the key ideas.
As a FORTRAN expert, you won't make any progress coding an FFT unless you have
some background in signal processing, and understand why an FFT is necessary,
and know a variety of implementations.
That depends on how related to the domain the specific job they're doing is. In team context, I can imagine that the lead programmer and some others benefit from a bit of domain knowledge while others in the team don't need it.
Banking/financial applications
Networking/wireless/telecom
Mobile Applications
Web/storage/enterprise/Numerous others..
If by "domain" you mean your area of work, yes you should strive to understand everything related to your area of work. How far into other areas that extends is another question.
programmer is like people who can interface "other people" with computer by creating software, and better understanding of the domain where you're working for would help the communication between the problem and the "other people" thus would make you a better programmer.
but the problem domain is often very wide and deep, you can expect everyone to be expert at programming and expert at another field, for example you can expect great scientist or physicians to be expert at programming to solve his problem when creating space-ship because programming is not his main concern, so with programmer, but programmer or scientist who can talk to each other is the best fit
Even if you change projects and with them domains frequently, domain specific know how and experience in one sector (or branch of trade) will be always a plus.
I look at this as "WHAT" versus "WHY". As in What is the business requirement versus Why is the requirement such as it is. A junior programmer only needs to understand the WHATs of a project. An analyst needs to understand both. In my opinion and my professional status, to stop being a developer and to become a software engineer, you need to add analyst to your skill set.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
We do distributed agile development and could really us a solution like story cards on a wall/board, only on a webpage where you could easily drag and drop them. Any suggestions? Thanks.
Trello is perfect for something like this. It's very simple, yet flexible. It's like a simpler version of PivotalTracker, mentioned above.
Its been a while since this was asked, but the best option out there in my opinion is http://www.Sprint.ly
Really powerful. Really beautiful. Really User Story focused!
I've used Eidos. I think it's the best if you want to use in Agile project (I've used it for real 3-4 projects for the real customer). Eidos team keep developing to serve human's need in Agile project. I think they invite beta users to test now. If you have problems about co-located team, this tool is quite useful (I prefer physical thing anyway if my team is co-located)
Me using Eidos, it's easier than Jira and focus more in Agile than Trello.
Not drag and drop, but I find basecamp very nice for agile development.
http://basecamphq.com
See if scrumy suits.
It's a tool roughly based on scrum. You create stories from them assign tasks to a story board assign them to people. In fact it is exactly what you've asked for! :)
You can set up a free project and play around with it.
Screenshot here
For User Stories, I find Pivotal Tracker to be awesome. It automatically fits user stories into each iteration based on computed velocity. Implements just enough workflow so everyone understands what they're responsible for. And is one of the cleanest, nicest implementations I've seen. (Although AgileZen is up there too... that app is gorgeous - but I just didn't gel with it in the same way)
However the drag-drop in PivotalTracker is limited to User Story-level objects. You don't move tasks around. For a more this-sprint/iteration task board, Scrumy is probably the one to go for.
Mingle may be something to explore and see if it'll work for your situation.
maybe a Bit oversized for your purposes, but targetprocess is a nice full blown project Management Software. It has a nice Kanban Board which fulfills your stroyboard requirement including Drag&Drop. It is free for up to 5Users.
I have used xPlanner before successfully.
http://www.xplanner.org/
Also, I have seen peole use Google Sites for similar effect. Either is drag and drop though
You could try using http://www.cardmeeting.com/
Take a look at Assembla tickets and its agile planner, it is a way to go.
Drag & Drop for:
to make tickets and user-stories
to sort tickets inside a milestone
to sort user stories
to move stories/tickets between milestones
sorting will be available on Monday(26 Oct) with next release as they promised.
Finally distributed agile development is a way that Assembla is doing their client jobs.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
Improve this question
Anti-virus, malware, botnets and the like are becoming larger and larger parts of our daily lives. Are there any resources that discuss creating anti-virus tools, security tools and such? Seems like an interesting topic, but I have not been able to find any real source to refer to in order to learn more.
Suggestions? (Good and bad?)
I assume most languages used for this are C++ or assembly? Or are there others that work well for these sort of items?
Alex's suggestion of Bruce Schneier's work is excellent, and everyone should read his stuff, but probably won't address what you're talking about. Even so, you should read it. He's the clearest writer on security topics today, and a voice of sanity in an often hysterical industry.
A free place to start for the bare bones is the SANS reading room. It's far from enough, but it's the basics.
I was fairly pleased with The Shellcoder's Handbook. It's a good introduction with some practical code to work with. It shows how real exploits are written, which is the first step in understanding how to protect against them.
Exploit work is done in a variety of things, but for the classic stack-smashing attacks, you need to know C and the assembler of the target platform (generally Intel). C++ is much less common in this world. It's too twisty-turny by the time the compiler gets done with it, and too bloated for the kinds of things needed. Objective-C is almost more useful in my opinion so that you can understand Mac reverse engineering. But that isn't where security is usually done. In this I'm speaking of exploits themselves. Many security tools are of course written in C++.
For the security tools side, you probably want to ask on serverfault. There are many, and the SANS link above should have links to some of the common tools (Nessus, nmap, hping, metasploit and the like). sectools.org maintains a big list that I like.
If you're going to be a security developer, you need a lot of breadth and a lot of depth. You need to understand the network protocols as well as the code that talks to them. You should be reasonably comfortable in languages from assembler to ruby. Much of it is more a way of thinking than an actual skill set, but those who are good at it tend to have broad skills and pick up new things quickly and often.
Since you noted specifically detecting and monitoring for exploits, you should dig into tools like snort (for learning how to detect) and metasploit (for generating the attacks to detect).
go to http://www.milw0rm.com/ to see the exploits.
For a holistic view on security, anything by Bruce Schneier comes highly recommended -- not the threat-specific focus you have in mind, but a background that will make you more effective at security issues in whatever role you play, whatever background you have.
For more specific views, I would recommend this book (and just about every book I've looked at in depth in the same series, but I can't personally vouch for all of them, they're dozens!-).
As well as what Alex Martelli posted, this book might be something you can consider.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
Are there any statistics for this? I realize it must vary from person to person, but it seems like there should be a general average.
The reason I ask is that the company I contract for has multiple software products, totaling ~75,000 lines of code - and they seemed disappointed and shocked when they ask me a question about a specific portion that I don't immediately know the answer to (I am the only programmer they have, and did not author the majority of the systems) They think I should just know it all from memory. So I wanted something like a statistic to show them that an average programmer couldn't possibly have all that in his head at one time. Or should I?
You should remember where to find the needed stuff not remember it itself.
You should also be familiar with code structure and architecture enough to make an educated guess where a problem might originate and where you could possibly find the stuff you know exist but not sure where exactly.
You brain works like cache. The stuff you used recently is kept there, more older entries are erased. But there will never be enough memory to remember the code all at once. Because then you will want to remember all API functions, then all specs, then something else. This all is not feasible.
And being surprised with you that you don't remember all the code is probably one more instance of those perversed notions of how programmers do things. Ignore them.
It depends not only on your memorization skills, but also a lot on the code. Obviously, clean, idiomatic code is much easier to memorize than a badly written inconsistent mess.
Probably because clean code can be broken down into much larger "abstract tokens".
Indeed interesting question but I am in doubt if there is adequate answer at all. Here are only obvious factors I see right from the start:
Overall design quality. Even if you are new in well designed code you can very quickly identify where you should look to get answers.
Project documentation quality. For poor documented projects even developers that are in project from the start can't say anything about some parts.
Implementation quality. OK. You have good general architecture, good documentation for interfaces but even one really bad programmer could break all of this. This is because many companies are very strict about code reviews and I think it is the only one technique to prevent such situation.
Programmer experience. As you move ahead you see number of 'already known' code "bricks" in software new to you and experience is great help in this so contractors are often very experienced specialists familiar with various approaches and this gives average contractor ability to move much faster then full time programmer which is brilliant but worked 10 years in only 1 project context.
General person smartness. My opinion this is really not so important as most of others factors but it is really important.
... but the common problem is often companies hire contractors for some existing software improvement and they simply think this is only about to hang picture on the wall. You should perform some negotiation to force them to understand part of work is to understand what really should be done to meet their requirements at all. And such "learning" requires resources and is part of work itself. But I think it is slightly off-topic for StackOverflow (despite I voted up ;) ). Is it more for Startups discussion?
Even if you have written all that code you might forget portions of it. But you'll be able to recall it once you review it.
I think its natural for a programmer to forget some portions of his/her code after a long time.
Ask them how they want you to spend your time: surveying vast amounts of code you didn't write and perhaps writing up internal documentation, or whatever currently keeps you occupied It's not a facetious question. If they want quicker response to new issues, they need to invest in research.
I don't think there's a meaningful answer to this measured in LOC. As a manager, what I want to know is that someone in your situation can answer a question in a reasonable amount of time -- and unless I know you're in the middle of something, I wouldn't expect that 'reasonable amount of time' to be 'instantaneously'.
You should be able to understand all the components within the system and how they interact so that when there is a problem you can isolate one or two likely components and drill down.
I find it helpful to draw a few diagrams and keep them handy so I can use them to communicate with my boss\customer as well as jog my memory.