Hacking Software

I run a small informal software business on the side of my day job. Recently I have been writing small programs which perform tasks that Internet hackers might do. The programs have been released on my Black of Hat blog. The interesting thing about this effort is that I have employed very little process in developing my own software.

For example, my latest program "Crawl" is one that scans a web page and extracts the URL links. I thought about the problem for a couple days. Then I went directly into coding this morning and developed version 1 of the software. Late in the morning I built my release version of the application. Finally I posted this app on my blog.

So far my application appears to be working. I have received no reports abouts bugs in it or it not working on different systems. There was not rigorous process applied to this application. I did do some thinking before coding. But I did not write down and specifications or designs. I really did not perform any formal testing on the application. And the software was developed in record time with not many problems.

In retrospect, this may have been a special case of software development. The application was not very complex or large in scope. The development team was just one person. And the developer (me) was the same of the person who determined the requirements. Things get more complicated and may require process overhead when they scale up. However for my side software business, the real question is whether I would gain any benefit it an added layer of formal process was imposed on top. I am still mulling this question over in my head.

Perhaps I shall try adding a formal process to the next application I develop for my side business. I can track how much additional time I spend on the process part of development. And perhaps I can try to objectively rate the quality or amount of problems in a process controlled application release. The results are not some theory that will get documented in a paper. They will help decide how to run my own software business which I hope to succeed.


My company is trying to close out the project we are working on. This is due to the fact that we lost the contract to perform the work. There are a number of personnel still working on the project. If they are not busy on other tasks, they are supposed to be working on locating, organizing, and storing our documentation. I assigned our least busy developer to work full time on this task. I told him to go find out what needs to be done, and do it.

In retrospect, this may not have been the best direction to give. But I did not want to get bogged down in the details as I have other priorities to attend to. There is an individual who is assigned to the documentation task. And there are many people working on the task. But after working for a while, we had a meeting where it became clear to me that this task was in a state of chaos.

I directed a few key members to come meet me in my office. At this follow-on meeting, I declared that we needed to finalize and document a folder structure in which all our application team documents needed to go. The person who was in charge of the task said it was their responsibility to determine what needed to be done. I concurred. However I also pointed out that it was evident there was not method to the madness of the task. Later that afternoon, the task leader put together a document demonstrating a folder structure for organizing documents for each team. In addition, the actual goals of the task we finally articulated in writing.

Sometimes you need to sit down, figure out what you need to do, and document the plan. This is required when the task at hand requires more than one person, and absolutely needed when it involves more than one team. One would think that tasks such as document collection and organization are nothing like rocket science. But without a plan, and more importantly a documented plan, you have all the ingredients for utter chaos in the workplace. Why must we have to relearn these lessons year after year?

Document Organization

Let's suppose that you have actually documented the main processes used. How does one access this information? When I first came to my current project, you got handed a huge three ring binder full of information. This was good in that I could read up without even having a computer or access yet. However this got to be a pain when the documents needed to by updated. And as staff transitioned through the project, the binder and documents seemed to get lost.

More recently our application development team put together a small Microsoft Access database. This contained all kinds of information pertinent to our team. It was nice because you could search it based on keywords. Updated were easy. There was some trouble when two or more developers tried to update the same document at the same time. But this was an infrequent occurrence. Since this was a side project, the server where the database was hosted was not up 100% of the time. Still it was a useful project.

Over the last year or two, the project has tried to organize and assemble all documentation in a single place. The goal was to have a common structure for each team. This was a monumental task. A couple people have tried to accomplish the task. They have failed. Now we have a full team working on this. I do not want to be negative, but I am not expecting much from this. The scope is large. And you usually don't get your best people assigned to a task like this. Such a shame.

Process Matters

My team performs software maintenance on a legacy product. Basically we respond to software trouble tickets. These tickets are tracked closely by the customer. Our company's help desk team has been recently hounding us for "estimated resolution dates" for each ticket. So development has been figuring out, given what we know about the problems, what is the most likely date when we can produce a fix.

Something did not seem right about the Help Desk stating they were being hounded by the customer for estimated resolution dates. So I decided to participate in the next meeting with the customer. It was here that I found out what the customer was looking for. They wanted to know what was the date that we could expect a user to be able to experience the fix and verify that the trouble ticket had been resolved.

That about blew my mind. There is often a huge gap between the time we release a fix to our customer, and when the user actually experiences the fix. Our customer has a lengthy configuration management process. Our fixes go through their quality control first. Then somebody has to actually implement the fix. This can take time, especially when pushing workstation fixes out to the multitude of our users. There are also some processes which run once a week. Depending on the timing, users may not see the process run for up to a week.

I was glad when our project manager also expressed concern about the definition of estimated resolution date. We had to amend the way we accounted for the days that make up this metric. It seems we had been shooting ourselves in the foot by using the wrong definition of this date. You need the right process in place. And that process needs to be continually monitored to ensure it is still relevant and correct. Otherwise you are potentially marching down the path to doom.