
Thursday, June 25, 2009

Google on Web Performance

I spent some time looking for everything I could find about web performance and never discovered the dedicated Google web site. You can find everything you need: tutorials, videos, articles and a list of great software to use.
Never mind ....

Wednesday, June 24, 2009

MIT Technology Journal on Cloud

All you need to know concerning cloud in several posts. Look at the July/August 2009 MIT Technology Journal.

Value proposition of EA

A very good post was made recently concerning "A Value Proposition for Enterprise Architecture". It was also commented on in InfoQ. It describes the issues very well, but did not really look at the root causes.
In this post I will provide my contribution to the debate ...

The main issue with EA in North America is related to the lack of experience and confidence in what we call in Europe urbanization (or city planning). In France, there is no need to discuss this need. It is part of any big enough IT organization.

Architecture is part of our culture (Bazaar and Cathedral). North American people are more "pragmatic people", they hate to plan three years ahead. Even if it is a virtual target. They rely on short term adjustments and agile development. I never heard of agile architecture ... But merely of resilient IT architecture (the name of my blog)

What's the difference between the architecture of New York and Chicago, or New York and Washington? The first was built using a pragmatic view (each road has a number, it is easy to grow and efficient to find your way); the other two were thought out before being built and show a clear organization of the city (by French architects ;)).

In North America, you talk about flexibility and quick wins, low-hanging fruit. That's great in the short term or in a dynamic industry where companies are living and dying quickly. EMEA is more oriented towards planning and organizing (everybody knows our bureaucracy), thinking long term. That's why I recommend having multi-cultural EA teams when possible.

It is also why TOGAF is well adapted to North America and will never work in its current form in Europe. In that case, the process is more important than the way you are organizing the city. It is not enough, and it covers mainly the IT side of EA.

Finally, the last issue I see, and the most important one, is that the EA team is not independent. It is attached either to the business, to the CFO or to the CIO. If you want to play the role of the man in the middle, thinking globally and acting locally, you need to be independent. Of course you need your teams to be part of projects (not all projects, but the most important ones based on the business value chains) to be able to follow what is going on (Business and IT alignment). The EA team should be attached directly to the CEO.

Tuesday, June 23, 2009

Aptimize Latency Simulator - Open Source

I always struggled to make non IT people understand latency. With this small add-in (only working for IE, that's bad!) you can simulate the effects of network latency.

As the developers said: "Simple and easy to use – designed for “non-experts”, developers, operations and business people to quickly see how fast or slow their website will be over the Internet or across the WAN."

Download the Aptimize Latency Simulator

Monday, June 22, 2009

Domain Specific Language to automate deployment

I found some Domain Specific Language to automate deployment and ensure quality and security. Could be an alternative way to fill the gap between dev and ops.

Governance - Where is my code coming from?

With PCI compliance, I have to ask all teams to look at all the libraries, frameworks etc. we are currently using in our code. The objective is to validate that we do not violate copyright. Of course this should not be done once; we need to validate for each build. So, I was looking for tools. And you know what, I found some.
  • HP Fossology (open source): used to track and monitor the use of Open Source software within an organization. The main functionality made available at the moment is license detection, more features will be added in the next future. HP FossBazaar is a community platform to discuss best practices related to the governance of FOSS.

  • Black Duck (leader on this market): Three products are available within a unified framework- Black Duck Code Center, Export and Protex.
    • Code Center supports the front-end of the development process where developers search for and select open source components, as well as the ongoing monitoring of the components in use.
    • Protex and Export are used on the back end of the process when code needs to be validated before it is deployed.
    • The foundation of the Black Duck Suite is the Black Duck KnowledgeBase.

  • Protecode: Protecode offers a full range of products and services to help organizations properly manage their Software IP. They claim to have solutions that detect, identify, record and report on all of the IP attributes of any software repository:

    • Enterprise IP Analyzer™ - analyzes and identifies all code in a directory, producing customizable reports identifying all IP attributes and potential violations.
    • Developer IP Assistant™ - is an Eclipse or Microsoft Visual Studio plug-in, operating unobtrusively on a developer’s workstation, detecting in real time all code that is brought into the development environment.
    • Build IP Analyzer™ - analyzes all code that is consumed as part of a build creating a detailed report on all components that were used in the final product, ensuring there are no violations against enterprise policies.
    • Protecode IP Audit Service™ - is a software due diligence service that provides expert analysis and reporting of an enterprise code portfolio. It establishes the Intellectual Property (IP) attributes of existing code and is effective and accurate in preparation of mergers & acquisitions or commercial transactions.

  • OpenLogic: OpenLogic provides software and services that enable enterprises to safely acquire, support, and control open source software in order to reduce potential risks and maximize the value of open source. OpenLogic Exchange (OLEX) is a free web site that provides on-demand access to over 130,000 open source packages, including the OpenLogic Certified Library of hundreds of packages that have been certified for use in the enterprise. OLEX enables companies to find, research, and download hundreds of certified open source packages on demand.

  • Sun License Tool (open source): utility tool that helps in analyzing the copyright headers in your sources
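
A minimal sketch of the per-build check described above, as an added example that is not part of the original post or of any of the listed tools: it reads the header of each source file, matches a few well-known license phrases, and fails the build when a file's license is missing or not on an allowlist. The signature list, the `ALLOWED` policy and the file extensions are assumptions chosen for illustration.

```python
"""Per-build license header check (patterns and policy are assumptions)."""
import re
import sys
from pathlib import Path

# Header phrases mapped to a license id. This is a small constructed set;
# dedicated scanners rely on far larger knowledge bases.
SIGNATURES = [
    ("SPDX", re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")),
    ("GPL-3.0", re.compile(r"GNU General Public License.{0,80}version 3", re.I | re.S)),
    ("GPL-2.0", re.compile(r"GNU General Public License.{0,80}version 2", re.I | re.S)),
    ("Apache-2.0", re.compile(r"Apache License,?\s+Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
]

ALLOWED = {"Apache-2.0", "MIT"}  # hypothetical enterprise policy
SOURCE_SUFFIXES = {".java", ".py", ".js", ".c", ".h", ".cs"}
HEADER_LINES = 40  # license notices normally sit at the top of the file


def detect_license(text):
    """Return a license id found in the file header, or None."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    for name, pattern in SIGNATURES:
        match = pattern.search(header)
        if match:
            # An explicit SPDX tag carries the id itself.
            return match.group(1) if name == "SPDX" else name
    return None


def scan_tree(root):
    """Return {relative_path: license_or_None} for each source file under root."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            results[path.relative_to(root).as_posix()] = detect_license(text)
    return results


def violations(results, allowed=ALLOWED):
    """List (path, reason) for files with a missing or disallowed license."""
    found = []
    for rel, lic in results.items():
        if lic is None:
            found.append((rel, "no license header found"))
        elif lic not in allowed:
            found.append((rel, f"license {lic} not allowed by policy"))
    return found


def main(argv):
    """Exit status 1 makes the build step fail when any violation exists."""
    root = argv[1] if len(argv) > 1 else "."
    bad = violations(scan_tree(root))
    for rel, reason in bad:
        print(f"{rel}: {reason}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a build step against the checkout directory; header matching only sees files that declare a license, so copied code without a notice still needs one of the code-matching tools above.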

Sun's Next-generation SOA integration platform

I have been following this project for a year now, and I'm really impressed by the results obtained so far. I hope Oracle will be intelligent enough to leverage this work and the team around it.

Lots of new features are now available in OpenESB v3 (Project Fuji) Milestone 6:
  • Felix Runtime upgraded to version 1.8.0
  • Enhanced Enterprise Integration Patterns
  • New / Enhanced Service Types
    • S3 - (new) supports deployment to the Amazon S3 cloud environment
    • Java - (new) supports POJOs as services
    • REST - (enhanced) now supports SSL connections
  • GlassFish v3 Support: Fuji server can run on the GlassFish v3 OSGi runtime
  • Fuji Command Line Interface (CLI)
  • Web UI Enhancements
  • NetBeans IDE Enhancements
You can see a nice demo application that showcases some of the new things in Milestones 5 and 6. But the best is to try it!

Top 25 Security coding errors

A must read on line or pdf.

"Experts from more than 30 US and international cybersecurity organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale."

Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed and authoritative information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens." said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

Open source integration products

The integration market is still alive ... I discovered some interesting open source products.

Sunday, June 21, 2009

SOAP over JMS W3C spec - never too late

The SOAP over Java Message Service 1.0 specifies how SOAP should bind to a messaging system that supports the Java Message Service (JMS) [Java Message Service]. Binding is specified for both SOAP 1.1 [SOAP 1.1] and SOAP 1.2 [SOAP 1.2 Messaging Framework] using the SOAP 1.2 Protocol Binding Framework.
It is never too late ...

Cloud Impacts on Software Design

When I see the evolution of computing moving from personal computer to small devices (iphone, netbook, etc), and the evolution of software from single application to social near real time mashup application, it is rather clear that to face millions of possible users Cloud Computing will be more and more used.
Cloud computing promises a dynamic behavior enabling infrastructure supporting your application to scale up, but also and that is as important to scale down (if you have only once a month or once a year volumes peaks it's ideal).
The dark side of the story: nobody knows how much it can cost ... The costing models and comparisons of several players have been great subjects for journals and blogs recently. Offers are difficult to compare, the platforms offered are different and evolving quickly and, of course, nothing is really free.
The most important impact for software architects is the impact of the cloud supplier's cost model on the architecture to build. You may have to adapt the architecture to reduce the operational cost. Some people already talk about Software Design By Explicit Cost Model.
That's why I forecast the market to be split in four:
  • New entrants will use cloud infrastructure and platform as a service in order to reduce their fixed cost at the beginning and adapt more or less dynamically based on their success.
  • Companies that already have legacy code will try to use less disruptive technology like AZURE for Microsoft dotnet users (and also now PHP!), Tibco Silver for people ready to encapsulate their code in SCA, or Heroku for people developing in Ruby, etc.
  • Companies ready to be locked-in technologically in order to gain on time on integration to their major application, but still willing to benefit from cloud. Best example is Salesforce.com or Google AE. I'm sure that SAP and Oracle will follow soon.
  • People requesting high computing power for their business will use cloud computing to facilitate grid architecture implementation
Anyway, we all have to understand that cloud has a very positive impact on financial reporting and accounting (to understand why, read this excellent article from William A. Sempf). So, once again, IT may be forced to use cloud ...

To go further read:

Open Source load testing tool not known

I discovered some tools I was not aware of, so they may be helpful for you:
  1. Pylot is an open source tool which runs HTTP load tests for testing performance and scalability of web services. It generates concurrent load (HTTP Requests), verifies server responses, and produces reports with metrics. Tests suites are executed and monitored from a GUI or shell/console.
  2. Tsung is an open-source multi-protocol distributed load testing tool. It can be used to stress almost any kind of server with HTTP, WebDAV, SOAP, PostgreSQL, MySQL, LDAP, Jabber/XMPP servers. HTTP reports are generated during the tests.
  3. Siege is an http regression testing and benchmarking utility. It was designed to let web developers measure the performance of their code under duress, to see how it will stand up to load on the internet. It supports basic authentication, cookies, HTTP and HTTPS protocols. Siege was written on GNU/Linux and has been successfully ported to AIX, BSD, HP-UX and Solaris.
Of course you can also use the best-known ones: Apache JMeter, The Grinder.

As for Microsoft, as usual, they provide some very useful tools:

Microsoft offers 2 tools for stress testing IIS servers:

Finally, Browsermob, created by Patrick Lightbody (avid open source contributor, having founded OpenQA, created Selenium Remote Control, and co-created Struts 2), is not an open source tool, but offers load testing in the cloud at a very affordable price (pay as you go).

Dotnet Tools

Free continuous integration plug-ins in Hudson for dotnet code are available! If you need a first tutorial, you can go here. Hudson now supports Team Foundation Server and FxCop.

Static code analysis tools are also available:
  • StyleCop (free): Whereas FxCop evaluates design guidelines against intermediate code, StyleCop evaluates the style of C# source code. Style guidelines are rules that specify how source code should be formatted.
  • StyleFix provides a GUI interface to selectively exclude/include files for StyleCop
  • CodeIt.Right ($250 per user license). CodeIt.Right's biggest benefit is the automatic code refactoring within Visual studio. From the results screen you can check which violations to fix and then click the Correct Checked button.
Some interesting tools for dotnet performance optimisation:
Finally, here are some resources I found on the web concerning dotnet performance optimisation.

Lyza - Free Desktop BI for the Dummies

This software is free, based on Java, and really simple to use.
It provides just what I needed to aggregate several sources of data easily (file, DBMS, Excel, etc.). http://www.lyzasoft.com/
Great job ...

Saturday, June 20, 2009

End User Application Performance Tools again

After my post on tools for testing RIA applications, I would like to share the new list of tools I tried for finding performance issues on the web.

Visual Round Trip Analyzer

First set of tools are coming from Microsoft. They are free, easy to install, and to use. VRTA (Visual Round Trip Analyzer) requires Microsoft Network Monitor 3.x to work. In fact VRTA abstracts the use of Netmon so the user does not need to know the details of Netmon but can simply click to start/stop the capture.
VRTA has three primary features
  1. A main chart which displays http traffic in 3 dimensions,
  2. An All Files view that shows critical measurements for each file loading, and
  3. An Analysis report that indicates which file transfers are exceptions to best practice rules.
This article explains the basics of using it.


Fiddler version 2 is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
This tool is beginning to have a number of interesting add-ons, such as Watcher (security testing) and Netxpert (to identify common web performance issues).


Firebug

Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. You already know YSlow or PageSpeed, but check those two new ones:
  • FirebugCodeCoverage is a benchmarking Firebug extension inspired by Selenium IDE for determining the percentage of your code being executed for time duration, known as code coverage. This is typically measured during automated testing to see how well the test cases are able to thoroughly test your code (with higher percentages being your goal).
  • SenSEO is a Firebug extension that analyzes a web page and indicates how well it is doing for search engine optimization (SEO). The extension checks for correct use of meta tags, presence of a title, headings, and other relevant criteria for optimal search engine optimization.

AOL Pagetest

You can also use pagetest from AOL

Free Tools for Monitoring Your Site’s Uptime

You can find here a short version of the article provided by the excellent Six Revisions web site. In this article, you will find free and useful monitoring tools to help you know when your website or web application becomes unavailable. In general advanced web sites are offering the service with some important limitations.

Here is the list of the advanced ones:
Here is the list of the basic ones:
You should be able to find one that fits your needs!

The Browser and the cloud

First installment:
Last week one of the VPs of my company, who uses a MacBook (not compliant with corporate standards, which are HP PC with Windows XP and IE 6 only) with Safari, complained that one of our "business services" that sends confirmation emails with an HTML message inside had an ugly layout. It was not a requirement when building the app, but now it is.

Second installment:
You connect to a cool web site and then, you get a message like:
"This application requires Microsoft Internet Explorer 6.0 or higher version"
My browser should be able to post in response the following message: "I understand your point however as a customer I like to use the browser I want".

We are in 2009 and some software suppliers still do not get the disastrous effect of the Lock-in anti-pattern.

When evaluating or using the cloud do not forget to see if the vendor is not trying to lock you in with a particular browser or OS or technology. When you design an SOA service, do not forget the long tail of browsers in the world (begin to test the ones of your VP ;)

For me, good "cloud" oriented software should run in the browser. If a SaaS application needs external components or an add-in to be installed, then it's not really cloud anymore. If I get headaches deploying a SaaS solution because I have to manage all possible platforms in my company, I lose the main advantages of SaaS.

Friday, June 19, 2009

Tibco Silver - The PAAS from Tibco

I was invited to the first official presentation of Tibco Silver worldwide! A very simple show made on a boat floating on the Paris Seine river.
To my great surprise, most of the people there were not aware of cloud computing. So the presentations were quite simple. In fact they were made by marketing guys. Fortunately, Thierry Schang (VP engineering) was there to answer my questions.
So to sum-up:
  • Tibco Silver is a Platform As A Service that will be hosted by different Hardware as a Service providers. Today only Amazon is available, but some others will follow pretty soon.
  • Tibco Silver is still in beta ...
  • The pricing is still not defined.
  • It is a platform offering all services around SCA components execution in the cloud. So you can not deploy your java or C++ code directly. They need to be wrapped in SCA components.
  • Tibco reuses all Tibco ActiveMatrix Services to provide you a full SCA on demand platform (governance, security, etc.).
  • Tibco Silver enables you to create, monitor, govern an environment where everything is already in place to let you deploy SCA components, not just CPU and OS.
  • Governance, security and SLA management are the heart of the platform. My question is still how Tibco Silver will be able to ensure SLAs are met (and adapt the cloud resources used via cloud platform elasticity) on platforms hosted by others, with the Internet in the middle. I suspect that the client will have to define an SLA with the cloud provider first and use Tibco Silver second to control it.
So this is, as far as I know, the first attempt to propose an SCA (some will say more generally an SOA) execution platform in the cloud.

You can apply for beta testing the Tibco silver platform on their official web site : http://silver.tibco.com/

Sustainable IT Architecture Forum Material now On Line

All presentations and videos of the last annual conference (April 30th 2009) were published on the official web site: http://www.sustainableitarchitecture.com/materialsac2009

You can help the Sustainable IT Architecture through following works:

Thursday, June 11, 2009

JwebUnit ... HTMLUnit + Selenium

JWebUnit is a Java-based testing framework for web applications. It wraps existing testing frameworks such as HtmlUnit and Selenium with a unified, simple testing interface to allow you to quickly test the correctness of your web applications.

JWebUnit provides a high-level Java API for navigating a web application combined with a set of assertions to verify the application's correctness. This includes navigation via links, form entry and submission, validation of table contents, and other typical business web application features.

The simple navigation methods and ready-to-use assertions allow for rapid test creation. See example below:

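    import net.sourceforge.jwebunit.junit.WebTestCase;
    public class ExampleWebTestCase extends WebTestCase {
        public void setUp() throws Exception {
            super.setUp();
            setBaseUrl("http://localhost:8080/test"); // placeholder: base URL of the application under test
        }
        public void test1() {
            beginAt("/login"); // placeholder: path of the login page
            setTextField("username", "test");
            setTextField("password", "test123");
            submit(); // submit the login form
            assertTitleEquals("Welcome, test!");
        }
    }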

To use JWebUnit you only need to download the latest release JARs and include them into your project classpath.

Fitnium = Selenium + FitNesse

Fitnium (http://www.magneticreason.com/tools/fitnium/fitnium.html) is a Non Specific Domain Specific Language (DSL) that provides the power of Selenium (http://seleniumhq.org/) for automating web based acceptance tests with the power of FitNesse (http://www.fitnesse.org/).

FitNium provides you with the ability to write and execute Selenium tests using the FitNesse framework but without the need to write a single line of code!

Based on a FitNesse DoFixture, FitNium provides an English-language interpretation of the Selenium API that you would normally call from Java, Ruby, Python, Perl or C#. In this instance it allows non-developers, testers, and even customers to write UI-driven automated acceptance tests.

Every single API available to Java, Ruby, Python, Perl or C# developers is now available as an easily understood English phrase that anyone can use to develop their own tests.

Wednesday, June 10, 2009

You want to create and share simple (dynamically created) UML diagrams in your blogs, wikis, forums, bug-trackers and emails?
Look at yUML, a simple and efficient web site that is still in beta. For now only class and use case diagrams are available.

To display the class, you need to add in your HTML page:

<img src="http://yuml.me/diagram/scruffy/class/[User|+Forename+;Surname;+HashedPassword;-Salt|+Login();+Logout()]" />

Some people are already using this tool to generate automatically Database diagrams with Powershell + yUML.

Looking for MDA tools

MDA is more an approach or a vision, so finding the right tool depends highly on your needs. Nevertheless, I've been reviewing some tools on the market recently.

The ones I prefer were all created by French companies (yes we can!):
  • MODELIO: http://www.modeliosoft.com/ - The new product from Objecteering based on UML 2, with a UML profile editor and using Java for developing inside the tool. Not expensive ...
  • OBEO: http://www.obeo.fr/ - Very impressive tool, integrated in Eclipse, powerful and well designed. A little bit too expensive for a small IT shop like ours.
  • Bluage: http://www.bluage.com/ - Generates 100% of the code. I do not know about pricing yet.
MENDIX (http://www.mendix.com/) is a tool supporting MDA and DSL and seems outstanding, but I did not have time to review it.

You can also look at the following tools that complement most of the current UML 2 tools:
If you want to use lightweight MDA and do Java development, OMONDO proposes a very integrated and optimized tool.

NEPTUNE 2009, a French conference, also offers some very good recent analysis on the model driven development topic (in French). They also published a book on the subject that you can download here.

Friday, June 5, 2009

Sonar: Technical Debt Plugin

The Technical Debt plugin is an advanced metric that combines existing quality axes (Duplication, Violations, Complexity, Coverage, Documentation) to output a global measure.

To make it easy to understand, this global indicator reports how much it would cost to bring all axes to maximum values (100% coverage...) and therefore reimburse the Technical Debt. The indicator is calculated in man days and in $$ (that is now really easy to understand, isn't it?). Next to the technical debt appears the repartition of each quality axis.

Clicking on the debt brings you to the usual drill-down page showing the modules / packages / classes most impacted.

This plugin does not pretend to calculate the cost of reimbursement in an exact manner. Here are its primary objectives:
  • it enables comparing the projects' global level of quality, rather than axis by axis
  • it helps to understand which axis is going to cost most, thanks to the repartition
Here is how the debt is currently calculated at resource level:

Debt(in man days): cost_to_fix_duplications + cost_to_fix_violations + cost_to_comment_public_API + cost_to_fix_uncovered_complexity + cost_to_bring_complexity_below_threshold

Having a weight on coding rules or being able to distinguish Checkstyle, PMD and FindBugs would add a lot of accuracy.

New Web page performance tool from Google

Page Speed is a fully open source performance Firebug plugin. It’s a Firefox Add-on integrated with Firebug. When you run Page Speed, you get immediate suggestions on how you can change your web pages to improve their speed. For example, Page Speed automatically optimizes images for you, giving you a compressed image that you can use immediately on your web site. It also identifies issues such as JavaScript and CSS loaded by your page that wasn’t actually used to display the page, which can help reduce time your users spend waiting for the page to download and display.

People will obviously compare it to YSlow (I wish they called it GFast ;) but the main advantage is that sometimes it will do the work to optimize the page for you!

A must have performance tool to add to your eWallet.

Thursday, June 4, 2009

EC2 Continuous Deployment

I found an excellent introduction to what could be the future of continuous integration. Have a look at the series of posts made by Jeppe Nejsum Madsen.

The series is comprised by the following articles:

Testing a web site on several Internet Browsers

Several tools exist on the market and they are becoming more and more powerful.

  1. Testing all Internet Explorer versions: http://www.my-debugbar.com/wiki/IETester/HomePage
  2. Testing different browsers types and versions: Adobe BrowserLab (Preview). BrowserLab provides web designers exact renderings of their web pages in multiple browsers and operating systems, on demand. BrowserLab is a powerful solution for cross-browser compatibility testing, featuring multiple viewing and comparison tools, as well as customizable preferences. Since BrowserLab is an online service, it can be accessed from virtually any computer connected to the web. Also, Adobe Dreamweaver® CS4 software users have access to additional functionality such as testing local and active content. http://labs.adobe.com/technologies/browserlab/
  3. Launching a browser without having to install it on your machine: Xenocode.
  4. Browsershots: the most complete one ... http://browsershots.org/
Enjoy ...

Cloud Hosting/Storage Toolbox

Cloud hosting, storage & content delivery networks (CDNs) are very popular services now offered to "globally" deployed applications. They offer a series of advantages in running and serving web applications in the cloud.
This post here proposes a quick overview of the most advanced services available today.

Wednesday, June 3, 2009

Good news - Sonar J has a community edition now

Do you know whether or not your source code matches the architecture of your system? SonarJ is a software architecture management tool for systems written in Java and is based on static code analysis. No repository is needed. Everything happens in memory. Nevertheless SonarJ can be used to analyze very large systems with several million lines of code. It fits in ideally in agile as well as more traditional development processes.

For projects with up to 500 classes (50 to 60 KLOC) SonarJ can be used free of charge. Be sure to not confuse the open source Sonar tool with Sonar J!

Tuesday, June 2, 2009

Java in the cloud: Google, Aptana, and Stax

Great article in MIS-Asia comparing Java in the cloud: Google, Aptana, and Stax, written by Peter Wayner, on 22 Apr 2009. It is a must read if you are interested in cloud computing. I nevertheless copy here a sample of the article that summarizes some of the findings.

"Which solution should you choose? Much depends upon the nature of your application. If your data falls neatly into columns, and not much computation needs to take place when you save or recall it, Google's App Engine is a nice choice. Google offers a free tier of service that makes it great for prototyping solutions that can turn into full-fledged applications without any deployment hassles. Google's solution changes the failure modes of running an operation. If your application finds wild success on the Internet, you don't need to frantically try to purchase new servers that won't arrive until the fad is a distant memory. But you'll need to bump up the daily quota on your account because Google will only keep your code running as long as you authorize the spending.

There are hefty tradeoffs to choosing Google's easy chair. If you want to use all of the standard APIs, write to disk, log into a shell account, or just enjoy the freedom to move your application to another provider without rewriting it, you'll need to look elsewhere. Taking advantage of Google's scaling prowess means writing to its tightly restricted APIs.

Both Aptana and Stax offer more standard solutions that can easily be duplicated because they're just Tomcat and a database under the hood. There's much less lock-in with their tools because you can pretty much take your WAR file to any other server farm. You'll have to handle all of the deployment issues yourself, but it's feasible.

Aptana might be more useful to someone writing applications that will run on one server. It's a great tool for prototyping new systems and getting them on the Internet quickly.

Stax offers more room to scale because it deploys the application to multiple servers and load balancers with just one click. I think it offers a nice mixture of the scalability of Google with the openness of Aptana.

It's worth noting that some applications aren't well supported by any of these choices. These three are not great solutions for jobs that require bursts of heavy computation like, for instance, geologists prospecting for oil with big numerical processing simulations that churn through terabytes of data. Even though these applications are often highly parallel, they aren't great matches for any of these services. Stax is probably the best choice because it lets you click on a button to launch your application on five computers, but it's still intended for Web servers and five is only five. The ideal solution for these heavy computational jobs would let you start up thousands of machines for just an hour."

After Google App. Engine, enters heroku

Heroku debuted a commercial version of their Rails hosting solution recently, after a free beta stage that lasted over a year. They describe their service as "provisionless deployment" because it operates and scales automatically, without any system administration.
It is based on Amazon's EC2 cloud (with its accompanying SLA limitations), but they nevertheless have a solid offering that is worth further examination.

Shared Cluster offer: "Light to medium data needs"
  1. Blossom: FREE / 5MB storage / Fits a blog, personal site or small project wiki.
  2. Koi: $15 / 50MB storage / Great for a small company intranet or staging server.
  3. Crane: $50 / 500MB storage / Perfect for a small biz app, e-commerce site or CMS.
Dedicated: Need muscle? Choose a high-performance / high-capacity database box. Fully managed.
  1. Ronin: $200 / 1 compute unit / 500G storage / Guaranteed performance for heavy duty, high-traffic apps.
  2. Fugu: $400 / 5 compute units, 1TB storage / Highly concurrent apps with complex transactions.
  3. Zilla: $1600 / 20 compute units, 2TB storage / World Domination.
Costs are provided for information only; they are billed per month and subject to change (see the web site).

Enterprise Architecture Free Tools

Good news

While discussing EA tool evolution with Forrester analyst Henry Peyret, I discovered three "free" EA tools.
  1. Essential: An interesting tool, since it is based on an open source ontology product (Protégé) and a web server. Very easy to customize;
  2. Iteraplan: Again, a tool mainly based on data and links, with some capability to generate graphical exports;
  3. Promis: Not yet available, but it should be in the coming months.
The open source products are mainly about managing the right metadata and ensuring data quality. Clearly they do not invest heavily in the GUI. Data are not entered by drawing. They are based more on IT planning and portfolio management than on offering a free drawing tool.

You should test them anyway.

Web Storage Portability Layer: Abstract on top of HTML5 and Gears Storage

Robert Kroeger has released a nice library for local database access. The Web Storage Portability Layer nicely abstracts on top of HTML5 and Gears for database access.

The WSPL consists of a collection of classes that provide asynchronous transactional access to both Gears and HTML5 databases and can be found on Project Hosting on Google Code.

Testing Frameworks for managing RIA

I was looking for some new stuff recently to be able to test an AJAX application accessible everywhere in the world that was showing some performance issues (at least users complained about it).

First major issue: no SLA was defined by the business. So how can we say if the application is slow or not?

Second major issue: we used Ext JS for building the Ajax-based windows, and the time to set up the small JavaScript engine in the browser is killing the performance in ASPAC and sometimes in EMEA (servers are hosted in the USA). It is very difficult for a centralized team to check performance from different locations in the regions and from outside the intranet. So we were looking for a tool.

So that's what I found:
Desktop tool, very simple to use, created by Keynote:
  • The most interesting one: Kite
Code based:
I also found a very good resource for testing any browser to test compatibility without installing on your laptop:

PCI Compliance will shape IT security in the coming years

I have been quite busy recently with PCI compliance in my company. This is a great chance for all architects to make people do the right thing about security. PCI-DSS is very prescriptive and companies are taking it very seriously.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Trust me, PCI compliance will shape IT security for the next 10 years.

PCI-DSS also reuses the work done by OWASP, especially the Top Ten vulnerabilities. Look at the free material available on the OWASP web site; it is quite incredible. You can find security guides and efficient tooling.

Long live PCI ...