Blog @ andreaprovaglio.com

In his recent blog post, Pierluigi Pugliese asks the question "what is emerging today?", referred to software production teams. That's something I've been observing and working on, so I'd like to share a few thoughts about that here.

There was a post by Scott Berkun a while ago that defined the acronyms for many common dysfunctions in software development, in a way that was intended to be humorous and slightly provocative.

However funny (or sad) that post may be, I'm usually much more interested in what makes a team feel and work better, not worse; an interest that leads to defining what makes a team healthy.

Il 20 Novembre 2009 sarò a Bologna all'Italian Agile Day, a condividere esperienze ed idee con altre 400 persone e a tenere la mia presentazione "Systemic Software Development for Agile Teams".

Dal sito dell'evento: "L'Italian Agile Day 2009 è la sesta edizione della conferenza gratuita di un giorno dedicata alle metodologie Agili per lo sviluppo e la gestione dei progetti software come eXtreme Programming, SCRUM, Feature Driven Development, DSDM, Crystal e Lean Software Development aderenti all'Agile Manifesto".

Non solo vi invito a partecipare ma anche, trattandosi di un bell'evento la cui partecipazione è completamente gratuita, a fare una donazione tramite Paypal. Basta andare sul sito dell'evento ed in tre minuti potete fare del bene a voi ed agli altri!

Help support OWASP and spread the word about the upcoming OWASP conference in Portgual!

Able to digg?
http://digg.com/security/Web_Application_Security_experts_meet_at_Portugal

Let's move on from the FUD of my previous post and find some solutions. Let's start stating the worst case scenarios.

Security is the art and science of CIA, Confidentiality, Integrity and Availability (yeah, we know that!). But many of the truths we cling to depend greatly on our own point of view. While some businesses might consider our shopping history a legitimate piece of information for them to know, we, as customers, may want to protect our habits under the broad term of privacy. But is there such a thing as privacy in a connected (actually more and more unplugged) world? Sun Microsystems CEO, Scott McNealy's answer was a loud no, almost 9 years ago ("You have zero privacy anyway, get over it."). Eventually, things got worse.

SQL injection vulnerabilities are still very common in web applications (OWASP rates injection flaws as the second most important security issue in Top Ten 2007). Input validation and parameterized queries (also called prepared statements) are the most popular safeguard options to prevent SQL injections. However, even using parameterized queries, an application can still be vulnerable to SQL injections. This is not a new topic (early researches on exploiting parameterized queries appeared more than 3 years ago) but there is still a lot of confusion among security-unaware software developers and architects.

I find the Scriping for the Java Platform API (JSR-223) an interesting and promising extension to Java. It's even more appealing to me when used with JRuby (and optionally with Rails). I'll discuss the benefits of such a mix in a future post. For now, I just want to talk about the Java versions on which you can run JSR-223.