Better Software Conference East 2014

Better Software Conference East 2014 by Software Quality Engineering

The Better Software Conference is a biannual conference, held every June in Las Vegas and every November in Orlando. I have the privilege of attending the latter, and here is my report from two of the half-day tutorials that took place during the first few days.

Risk Management: Project Management for Grown-Ups

Presented by Tim Lister, Atlantic Systems Guild, Inc.

Risk management theory is very simple: figure out your risks, consider the likelihood of each one happening and the action needed if it does, then follow up throughout the project life-cycle. I have attended several talks on this topic, and while I still remember the first one as an eye-opener, others have added few new things. I still chose this tutorial, since a 3.5-hour tutorial should dig at least somewhat deeper than what I have heard before. There were certainly many worthwhile and interesting points made. Here are some highlights.

The Rayleigh distribution for project end-date

The Rayleigh distribution is a curve that climbs steeply, then tapers off slowly:

Rayleigh Distribution by Tim Lister

This represents the likely finishing time of the project. Assuming there was some sanity in the planning process, you can hopefully finish on time, represented by the peak of the curve. There is of course a small possibility that you finish early, represented by the steep incline up to the peak, but many things can appear along the way that delay the project, and the long tail represents the likelihood of that happening.
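To make the shape concrete, here is an added Python example (not from the tutorial or this post) that uses the standard Rayleigh formulas; the scale parameter sigma, assumed here to be the planned finish measured in weeks, is exactly where the peak sits, which lets you ask what the long tail implies for a deadline placed at the peak.

```python
import math


def rayleigh_pdf(t, sigma):
    """Density of finishing at time t (t >= 0) for scale parameter sigma."""
    if t < 0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-t * t / (2 * sigma ** 2))


def rayleigh_cdf(t, sigma):
    """Probability of finishing on or before time t."""
    if t <= 0:
        return 0.0
    return 1.0 - math.exp(-t * t / (2 * sigma ** 2))


def rayleigh_mode(sigma):
    """The peak of the curve (the 'on time' finish) is at t = sigma."""
    return sigma


def probability_late(deadline, sigma):
    """Mass in the long tail beyond the deadline."""
    return 1.0 - rayleigh_cdf(deadline, sigma)


def deadline_for_confidence(confidence, sigma):
    """Invert the CDF: the date by which you finish with the given probability."""
    return sigma * math.sqrt(-2.0 * math.log(1.0 - confidence))


if __name__ == "__main__":
    # Constructed scenario: the plan says 10 weeks, so the peak is at week 10.
    planned_weeks = 10.0
    peak = rayleigh_mode(planned_weeks)
    # A deadline sitting exactly on the peak still has most of the mass behind it.
    print(f"peak at week {peak}, P(late) = {probability_late(peak, planned_weeks):.2f}")
    print(f"90% confident by week {deadline_for_confidence(0.9, planned_weeks):.1f}")
```

Placing the deadline on the peak leaves about 61% of the probability in the tail, which is the quantitative form of "the risks usually fire"; a 90% confidence deadline lands at roughly 2.1 times the planned duration.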

Using estimates to weed out misunderstandings

Risk management is no exact science. The problem is often stating the assumptions. If all assumptions are correctly stated and understood, any member of the team trying to estimate the effort needed will likely arrive at fairly similar numbers. Asking for estimates is therefore a good way of finding out whether everybody understands a problem: if the estimates vary greatly, there is likely some misunderstanding.

Tim Lister had several good quotes that I thought worthwhile to repeat:

  • Somebody wins the Lotto, but it's never you.  -  The probability that none of the risks in a project will fire is very low.
  • The killers are unk-unks.  -  This is a military term for the unknown unknowns. Known risks can be managed, but unknown risks are very hard to deal with.
  • There's a risk all muffins will be eaten by the other tutorials.  -  On why we took an early coffee break.

Security Testing for Test Professionals

Presented by Jeff Payne, Coveros, Inc.

Having just been in charge of the project to test our product according to the OWASP methodology, security testing is important to Enonic and to me, so this presentation should be right up my alley. It was. Again, I can unfortunately only share a few select highlights.

What exactly is Information Security?

Definition: Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Key concepts include:

  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-repudiation

Those last two items are new in the internet age, and very important. How can you be really sure that somebody on the other side of a connection is who they say they are? And even more important: can you be sure that what happened actually happened? If you sent important information to someone, there are times you need to know that it was actually received; otherwise they can claim innocence.

Short history of information security

Castle with moat, as used by Jeff Payne in his presentation

In the Middle Ages, wax seals were used to guarantee information security. This was probably the start, protected by the three G's: gates, guards and guns. Castles and their moats worked fine until the airplane was invented. From then on, progress has been fast. Today, information is all about software. If our code does not work or has vulnerabilities in it, somebody will exploit it. There is software in everything today: cars, slot machines, even locks are software based.

Discussion of open source software

The common thought about open source software used to be that it was safe and secure, because everybody could check it out and bugs could be fixed by anyone.

Now, first of all, this makes it important to stay current. If a bug is discovered and fixed, implementations need to upgrade to the latest release. Software based on an old release with a security bug is a big problem. Known bugs in open source software are very well documented on the web and much easier to exploit, compared to bugs in commercial software.

Also, lately, several bugs have surfaced, including the infamous Heartbleed, that had existed in open source software for a long time without being discovered. In fact, some bugs like this have been so hard to discover that there is reason to think they were placed there and concealed on purpose. This definitely gives reason to question the old adage that the transparency of open source makes the software trustworthy.

Some final thoughts

The tutorial format of longer sessions is nice in a conference. It certainly lends the opportunity to go more in depth than regular 50-minute presentations, but also requires some foreknowledge and careful selection. Going to a wrong or bad tutorial wastes a lot of time, while a bad or wrong presentation can be just a nice break. Watch this space in a few days for more on the rest of the conference, including the social part.