I have spent a lot of time talking about hiring, interviewing and vetting developers without really talking about how a developer should evaluate a potential employer. I have been with the same employer for over nine years now and so my expectations are generally met in a slow incremental march to my imagined developer nirvana. In recent weeks I have gained a new manager and, to his credit, he is making meaningful inquiries about our environments and culture and looking for opportunities to make our work experience more rewarding.

So when you have the opportunity to ask an existing or potential employer about improving your work life, I think the following is a good place to start.

Hardware

This is obviously a moving target (is Moore’s law still a thing?) and really depends on your specific technology stack, but as a “nose to the grindstone” developer you should be requesting a machine that has maxed-out RAM and an SSD. As of today I would say 8 GB would be your minimum, and you should consider more if you are running VMs on a regular basis.

If you are being offered anything else, or your IS department does not differentiate between developer PCs and others, then it may be that your company or manager does not understand what you do. It may also be that the hardware budget is grossly underfunded (a bad sign either way). A quick tip is to ask the developer who has been at the company the longest when their last hardware refresh happened (assuming the more tenured developers have the worst devices).

Software & Platforms

MSDN licenses should be a staple for your entire team! This is often assumed, but you should ask and ensure that is the case. Developers today should also be asking about access to Mac and mobile devices, as they are playing a greater part in our software development and testing.

Do you know which versions of .NET your current software development is bound to? How do your team and your customers deal with upgrades? Will that limit the kinds of projects you will work on in the future? Ask; your future viability may depend on it!

Culture

How many people on your team are involved in the craft of software outside of the 9-5? Are folks involved in open source projects or Stack Overflow? Are they involved in local developer groups? Being part of an engaged team that is looking at ways to improve the products they work on, as well as themselves, is critical. This kind of collective mastery is self-reinforcing and can provide an enriching and supportive environment.

I have not had to deal with “on-call” rotations in a direct way for many years, but you should understand the existing support structure and how the work you produce is related to it (directly or in some tangential Tier 3 rotation). It is always disconcerting to receive undesired calls from work during well-earned time off, so ask questions about this and ensure you have figured out what the worst-case scenarios can look like and whether that is right for you.

Training & Conferences?

This is an important issue that I have found can easily turn into a shell game. The first step is to understand the training budget, not in an amorphous sense but in dollars and cents. Find out how much of that budget is applicable to you and whether there is a rotation for going to conferences. Do senior developers get first bite? My advice is to ask early and ask often, provide ballpark figures for paid conferences, and throw in local events that might be free as an alternative.

My manager has been discussing the idea of paid leave that represents an organized opportunity to learn in more informal ways (like Pluralsight). For those of us with the desire and discipline, it helps reduce costs and simultaneously provides the benefits of repeatability and accessibility.


I am not suggesting for a second that missing items from the above list should result in a mass revolt, or that somehow your work is less important or meaningful, but I do think you should spend time considering the ways in which your employer can show a firm commitment to you, your work, and your craft.

Have I missed anything? What would you add?

December 9, 2014 2:21    Comments [0]
Tagged in .NET | Development Process | Programming | Software



I recently had the opportunity to visit the city of Atlanta, Georgia, and one of the highlights of the trip was a tour of the National Center For Civil and Human Rights. Of particular and personal interest to me was a draft of the "Letter from Birmingham Jail" penned by Martin Luther King, Jr. A small excerpt of the text reads as follows:

"We are caught in an inescapable network of mutuality, tied in a single garment of destiny. Whatever affects one directly, affects all indirectly… Anyone who lives inside the United States can never be considered an outsider…"

These letters capture a moment; serendipity allowed that moment to be written in the margins of an old newspaper, which were hidden and snuck out of jail to be preserved and later published. This was a moment where the frustration of incarceration and the backlash of "allies" conspired to produce a seminal text that inspires many people to this day.

One of the obvious byproducts of past social movements is that many pivotal voices are never heard or published. Otherwise towering figures speak only to intimate crowds and in classrooms; they speak in living rooms and on buses. A myriad of voices that may not have been blessed with the polished oratory skills of a Baptist preacher but have nonetheless produced the ripples that helped create a wave of change.

There is always a countervailing force to the beautiful struggle: insidious blots in history, hate-filled moments that are, mercifully, also lost to us. No one really mourns the passing of silent and reckless hatred; however, some of those moments have been caught on display. Consider the following pictures linked to below (trigger warning):

Captured in them are victims and aggressors, people with families, friends and loved ones; no doubt some of these folks have children and grandchildren who are with us today. This is who they were … this was their captured moment.

With the emergence of social networks we have almost unfettered access to voices that, fifty years ago, would have been lost in that moment. Today we have the opportunity to search, parse and collate the voices of the masses as they demand justice. This new historic record in digital form is capturing unedited moments of the American democratic experiment. Timelines can be cross-referenced with images, locations, hashtags or simple keywords:

While the data may currently appear scattered randomly or buried within poorly indexed timelines it seems inevitable that these moments and voices will be easily and intimately connected to discussions and records that heretofore would exist solely in newspapers, books and museums.

The question I am asking of myself and everyone else is: what are we choosing to say in our moment? What do our pictures say? What does our silence say? How will our descendants regard our (in)actions? I sincerely hope they will be proud.

December 6, 2014 22:08    Comments [0]
Tagged in Musings | Social Networks



I blog about the things that I find most interesting, especially as they relate to software development (.NET more specifically), but that really only covers a small portion of my overall technical reading. While I tend to tweet these additional links, I continue to be frustrated by the search capabilities of Twitter, and so I am using this series of Developer Links posts to share my broader technical research and software interests. It has the added personal benefit of giving me greater control (and search) over my curated work.

Hope you find something interesting!


  • Announcing the Open Sourcing of the .NET Core Runtime and Libraries
  • The effect of language on software quality
  • Independence Day - A new pilot program sets people with sight loss free to experience cities like never before
  • Machine learning in the cloud with Azure ML grants
  • Why is viewport a meta tag? Good question!
  • Build C# on Mac OSX
  • On the use and misuse of patterns
  • Cross-site Request forgery (CSRF) Prevention Cheat Sheet (double submit cookies)
  • Job vacancies and STEM skills research
  • Let’s Encrypt…absolutely everything (free, automated and open)
  • Internet Explorer Web Dev Support moving to Stack Overflow
  • Software patents are crumbling, thanks to the Supreme Court
  • US says it can hack into foreign-based servers without warrants
  • Microsoft Launches Office Apps for Android Tablets and iPhone, Updates Office for iPad
  • New Search Strategy for Firefox: Promoting Choice & Innovation
December 1, 2014 16:31    Comments [0]
Tagged in Developer Links



Got into a discussion recently about securing websites via HTTPS and the implications of allowing any part of your site to be loaded via HTTP. The most egregious designs load the site using HTTP and simply complete a form POST for sensitive data via HTTPS. Good enough? Not by a long shot!

Two points I want to bring up about this:

  1. Any part of your site that reaches the user via HTTP can easily be manipulated by a man-in-the-middle attack, leaving the integrity of anything on the page in doubt, including the endpoint of your “secure” POST.
  2. Non-technical end users are realizing (if only at a high level) that the green lock in the address bar means a more secure conversation.

It is disappointing then to see major sites happily present entire pages (or just resources) over HTTP when there are clear advantages to pushing the entire site via HTTPS. The HTTP Strict Transport Security (HSTS) standard is a relatively new mechanism designed to facilitate this practice in conjunction with a compliant browser. The abstract for HSTS reads as follows:

This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field

Here are some scenarios it helps combat:

User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker

  • HSTS automatically redirects HTTP requests to HTTPS for the target domain

Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP

  • HSTS automatically redirects HTTP requests to HTTPS for the target domain

A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate

  • HSTS does not allow a user to override the invalid certificate message
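To make the three scenarios concrete, here is a small model of the user-agent side of HSTS (RFC 6797). This is an added example, not code from the original post: it parses the Strict-Transport-Security header, keeps a "known HSTS hosts" cache, upgrades http:// navigations, refuses certificate-error overrides for known hosts, and ignores the header when it arrives over plain HTTP, which is what RFC 6797 section 8.1 requires of a conforming user agent. The hostnames used (example.test and friends) are constructed for the demonstration.

```python
"""Model of how a conforming user agent applies HSTS (RFC 6797).

Added example, not code from the original post. Hostnames such as
example.test are constructed for the demonstration.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a malformed value (missing or non-numeric max-age), which
    a UA treats as 'no policy received'. Unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """A minimal 'known HSTS hosts' cache keyed by hostname."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._hosts = {}     # host -> (expires_at, include_subdomains)

    def observe_response(self, scheme, host, headers):
        """Record policy from a response; returns True if the cache changed."""
        if scheme != "https":
            return False  # RFC 6797 8.1: STS received over insecure transport is ignored
        value = headers.get("Strict-Transport-Security")
        parsed = parse_sts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
            return True
        self._hosts[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match whose policy set includeSubDomains."""
        now = self._clock()
        entry = self._hosts.get(host)
        if entry and entry[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and entry[1]:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for known hosts; an explicit :80 becomes the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"  # non-default ports are preserved
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allow_certificate_override(self, host):
        """A known HSTS host gets a hard failure; the user cannot click through."""
        return not self.is_known(host)
```

The store only learns a policy from an HTTPS response, so a header sent on the plain-HTTP redirect is simply dropped; the first visit to http://example.test still travels over HTTP, which is why the redirect itself needs to be correct and why browsers ship preload lists.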

There are a variety of ways to integrate this solution into IIS; here are the ones I have looked at recently.

Configure IIS directly

IIS does have the ability to add custom header fields to the HttpResponse:

  1. Open IIS Manager and navigate to the level you want to manage (these instructions assume IIS 7).
  2. In Features View, double-click HTTP Response Headers.
  3. On the HTTP Response Headers page, in the Actions pane, click Add.
  4. In the Add Custom HTTP Response Header dialog box, type Strict-Transport-Security in the Name box and max-age=31536000 in the Value box (a set of values is separated with commas).

You could also add this header via the web.config, something like this:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

However, strict adherence to the protocol means that you should not present this header over non-secure transport, and unfortunately IIS custom headers do not support that type of conditional check. This means that even if you force a 30x redirect to HTTPS for all HTTP traffic, that first 30x response over HTTP will contain the header.

IIS URL Rewrite

The URL Rewrite module for IIS 7 and above enables IIS administrators to create powerful customized rules; this one adds the header only for HTTPS traffic.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add Custom Header for HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

ASP.NET HttpModule

Alternatively, you could solve this by writing an HttpModule that runs within the ASP.NET application context.

using System;
using System.Web;

// Appends the HSTS header only to responses served over HTTPS, so the
// header is never emitted on the plain-HTTP redirect described above.
public class HSTSModule : IHttpModule
{
    public void Dispose()
    {
        // Nothing to release; the module holds no unmanaged resources.
    }

    public void Init(HttpApplication context)
    {
        // Run after the handler has produced the response but before it is sent.
        context.PostRequestHandlerExecute += context_PostRequestHandlerExecute;
    }

    void context_PostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Only add the header when the request itself arrived over TLS.
        if (context.Request.IsSecureConnection)
        {
            context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
        }
    }
}

If you elect to use an HttpModule you should be aware of which files are processed by ASP.NET: some static files (css, js, htm) are purposefully not sent through the ASP.NET pipeline, so they will not receive the header. This can be configured within your Web.config, but you should be aware of the performance implications of routing every request through the managed pipeline.
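Both pitfalls on this page (the header leaking onto the plain-HTTP redirect, and static files that bypass the managed pipeline and so never get the header) are easy to catch by auditing a handful of captured responses. The following is an added example, not code from the original post; SAMPLE_RESPONSES is a constructed capture with made-up paths and hostnames, not real traffic, and the checks are the ones a reviewer would run against any IIS deployment of HSTS.

```python
"""Audit captured responses for common HSTS deployment mistakes.

Added example, not code from the original post. SAMPLE_RESPONSES is a
constructed capture: a static file served over HTTPS without the header
(it bypassed the managed pipeline) and a redirect over plain HTTP that
still carries the header. Paths and hostnames are made up.
"""


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_response(resp):
    """Return a list of findings for one response (empty when it is fine)."""
    findings = []
    path = resp["path"]
    sts = get_header(resp["headers"], "Strict-Transport-Security")
    if resp["scheme"] == "https":
        # Every HTTPS response should carry the header, static files included.
        if sts is None:
            findings.append(f"{path}: HTTPS response lacks Strict-Transport-Security")
        elif "max-age=" not in sts.replace(" ", "").lower():
            findings.append(f"{path}: Strict-Transport-Security has no max-age directive")
        return findings
    # Plain HTTP: the only acceptable answer is a redirect to an https:// URL.
    if sts is not None:
        findings.append(f"{path}: Strict-Transport-Security sent over HTTP "
                        "(non-conforming; user agents ignore it)")
    if 300 <= resp["status"] < 400:
        location = get_header(resp["headers"], "Location") or ""
        if not location.lower().startswith("https://"):
            findings.append(f"{path}: HTTP redirect does not point at an https:// URL")
    else:
        findings.append(f"{path}: content served over HTTP instead of redirecting")
    return findings


def audit_all(responses):
    """Flatten the findings for a whole capture."""
    findings = []
    for resp in responses:
        findings.extend(audit_response(resp))
    return findings


# Constructed capture, not real traffic.
SAMPLE_RESPONSES = [
    {"scheme": "https", "path": "/account", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    {"scheme": "https", "path": "/site.css", "status": 200,
     "headers": {"Content-Type": "text/css"}},
    {"scheme": "https", "path": "/api/ping", "status": 200,
     "headers": {"strict-transport-security": "includeSubDomains"}},
    {"scheme": "http", "path": "/account", "status": 301,
     "headers": {"Location": "https://www.example.test/account",
                 "Strict-Transport-Security": "max-age=31536000"}},
    {"scheme": "http", "path": "/legacy", "status": 200,
     "headers": {"Content-Type": "text/html"}},
    {"scheme": "http", "path": "/old", "status": 302,
     "headers": {"Location": "http://www.example.test/new"}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_RESPONSES):
        print(finding)
```

The /site.css entry is the static-file case from the paragraph above, and the HTTP /account redirect is the case from the "Configure IIS directly" section; the URL Rewrite rule and the HttpModule both clear the second finding, while only routing static files through the pipeline (or setting the header at the IIS level for HTTPS only) clears the first.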

Open Source IIS Module

The simplest alternative is to download and deploy the open source HTTP Strict Transport Security IIS Module. If you are comfortable with C++ and writing IIS modules, you can find the code details over at GitHub.


November 23, 2014 4:43    Comments [0]
Tagged in ASP.NET | IIS



Connect is the cloud-first, mobile-first, developer-first virtual event taking place today (and tomorrow), and the Microsoft team has been making some pretty amazing announcements that genuinely transform the future opportunities for .NET developers.

Microsoft is open sourcing the .NET Framework Libraries (MIT license). Projects like Mono, which have relied on contributors who have not looked at disassembled .NET code, can now freely introduce the .NET Framework code directly into the Mono project. The code is available here; just amazing!!!

Additionally, Microsoft has begun redesigning .NET as .NET Core, which produces simpler versions of the class libraries; the project is hosted on GitHub here. The .NET Framework team also spent a lot of time last year trying to speed up the JIT compiler and released RyuJIT; this JIT compiler will *also* be available under the same .NET Core release.

This bears repeating: the MIT License is as permissive as it gets, and this also comes with a patent promise! This is Microsoft really living the open source software ideal!

Other notable updates

What announcement are you most eager to check out?


November 12, 2014 16:58    Comments [0]
Tagged in .NET | ASP.NET | Visual Studio
