It's very harsh to hall-of-shame yourself for that; when you're first interacting with a new environment, you can't possibly know everything the framework does for you. I'm sure I manually split before I found that function too.
|
|
|
|
|
Nearly every time I open up a previous project I also enter myself into the Hall of Shame. It is natural, especially nowadays as the complications and convulsions are enormous.
Today I opened up a project that is many years old and found an Access Database named tempory. It was supposed to be temporary. I could have claimed that it was a play on the Japanese word for fried battered vegetable and meat treats called tempura.
It was for temporary issues of credentials, so a bit of a stretch.
Spelling has often caused me embarrassment.
Then again, it is my right to call any DB or table whatever I want to.
And quite frankly, the end user never sees this anyway.
We all learn and each project elevates us somewhat more out of the HOS.
Then they invent a new Language and a new framework and we all have to re-learn all the stuff that we know backwards and dream about.
It is an endless battle.
But we all love it.
|
|
|
|
|
Some misspellings are intentional and carried on like some kind of tradition. I always write 'Admon' instead of 'Admin'. In my project folder there even is a project with the name 'AdmonWebService'.
At least artificial intelligence already is superior to natural stupidity
|
|
|
|
|
Last week we came across a serious security flaw in our soon-to-be-released major web product that we had trusted the offshore partner (one of the largest Indian IT firms) with. This happened despite clear guidance as to how to implement the security in the product, which uses Silverlight and ASP.NET. They completely disregarded what was told and came up with a weird crazy arse lame mechanism of their own, which led to the password being sent in a cookie merely as an ASCII valued string along with the login request!!! This is a cardinal sin, this is something you study in Web Security 101, totally unacceptable. Now, we can't just lay them off and bring all the work back onshore; the business financials probably don't allow for it. But it leads me to wonder whether outsourcing at all is worth the money spent or not? I know some of you may say, "you get what you pay for!!" but when a company boasts claims of excellence in delivery of solutions, I would at least expect them to understand what web security is and what's the right way to do it. In my opinion all these cheap outsourcing companies are just that - CHEAP both in terms of money and quality. I'm pretty sure many around here must have similar stories to tell.
|
|
|
|
|
gladiatron wrote: a company boasts claims of excellence in delivery of solutions
I suspect they'll tell you whatever you want to hear.
|
|
|
|
|
If a company has web development in their portfolio, you would expect them to take care of security at a professional level, not at a school-boy level. Heck! Even school students know that ASCII converting the password string is just STUPID!
|
|
|
|
|
gladiatron wrote: ASCII
Do you mean base64?
|
|
|
|
|
Was gonna quote the same thing saying:
Just like when a site advertises something is
FREE (< font size 500) * (< font size 1px)
|
|
|
|
|
Maybe you misread their slogan:
We do best according to your payment
|
|
|
|
|
We pay them to deliver a web product, security of which is an integral part. It shouldn't even need stressing on; if they have a better idea then communicate, not silently go in and do crappy work!
|
|
|
|
|
I have seen some students while I was in university, they used to do out-source through other companies.
The problem is, those university students have very little idea about security, because they know how to do JavaScript and HTML and other programming languages, but security is more related to experience. The experience is not only gathered from years of working experience but also from working with the people who know about it.
When you outsource your work you give it to some company in some country but you don't look at their setup. You really don't know how much they care about your security.
I am not telling you to do out-source. I am telling you to rethink how you would give your precious system to be developed by some company you barely know.
|
|
|
|
|
gladiatron wrote: must have similar stories to tell
Oooohhhhhhh yeah.... I know exactly what you are talking about.
Our "partner" was once tasked with building a very simple dialog based application consisting of a listbox and a couple of radio buttons. The app simply had to list files in a directory and write to a text file. They tried to tell us back here that it would take them a full month to write this application. A week just to do the UI! After 4 days of telling them that they are wrong, I wrote the entire thing in 2 days.
Why is common sense not common?
Never argue with an idiot. They will drag you down to their level where they are an expert.
Sometimes it takes a lot of work to be lazy
Please stand in front of my pistol, smile and wait for the flash - JSOP 2012
|
|
|
|
|
I guess you had a very bad experience of mismanagement. Utilities of that sort could not take that much time. Either the guys are trying to mint you or the team is lazy.
Sastry
|
|
|
|
|
Sastry_kunapuli wrote: trying to mint
We heard from one of the guys after we severed our relationship with the company. The management over there was directing the employees to do everything that they could to get as much money out of our company without actually producing anything.
Why is common sense not common?
Never argue with an idiot. They will drag you down to their level where they are an expert.
Sometimes it takes a lot of work to be lazy
Please stand in front of my pistol, smile and wait for the flash - JSOP 2012
|
|
|
|
|
Told you they are trying to mint you guys out. After all, the employee could not do anything better than what his management orders him to do. Anyway, not all the teams of the company are like that; some of them are really good at delivering the work without getting back a remark from the customer.
Sastry
|
|
|
|
|
So, if they didn't meet the terms of the contract, don't pay them until they do. If your contract failed to specify that they must follow your instructions in this regard, shame on you.
Currently reading: "The Prince", by Nicolo Machiavelli
|
|
|
|
|
When you outsource you have to be aware of cultural differences.
In India, close enough is good enough. So when you complain their heads start nodding in typical Indian fashion. They honestly don't understand what the problem is.
Ukrainians don't always deliver what you ask either. Their response can be "That stupid, we do it this way". So don't expect them to read between the lines of your SRS.
With the Chinese it's a communication issue. Their language is so different to ours, your request may not translate.
I would never outsource mission critical work to India. The Ukraine is a lot better place to go. China is also good but definitely don't give them the big picture. You may end up funding the development costs of a new competitor.
"You get that on the big jobs."
|
|
|
|
|
I'm sorry to point out that in INDIA close enough is never good enough, until they have very little time to put all the business requirements into action or the problem is really understated in one line: "Security has to be enabled".
No offence meant.
P.S.: I'm an INDIAN and I never settled for anything less than perfect in my development, even if it means I have to defy project time lines set for completing the task.
Sastry
|
|
|
|
|
Sastry_kunapuli wrote: the problem is really understated in one line "Security has to be enabled".
Well, the solution architects on our side drew the exact picture for them on what is expected and how, so the spec was in no way "understated". I think the real problem is they don't see our vision at the same level as we do; it's not their baby, they don't care. Their job is to take payments, deliver half-baked stuff and charge more money for fixing defects they introduced in the first place. I am not implicating all the developers in India; I am sure there are brilliant ones that come at nearly the same cost as an onshore programmer that we would hire. But assuming that these "top" companies will do a top job (well, coz they are "top"), we trust them a little too much. The problem is most of these "top" offshore companies, as I have learned, hire fresh graduates by the thousands, many of whom lack appropriate soft skills, i.e. time management, communication, sense of ownership for the task given, passion for the field of work etc. I have been told that 8 out of 10 so-called engineers are only in IT for the money, which obviously is plenty by Indian standards, and an onsite trip, which they seem to love. This kind of culture proliferates a lot of "wanna-bes" that can only ever produce low quality work.
Sastry_kunapuli wrote: No offence meant.
None taken
|
|
|
|
|
Don't go by the name; you could get very good people from companies whose names are unheard of, or the other category from companies that are "Top". My suggestion: the next time you are offshoring some work, do not go by the company name but have a good interaction with the team that is working on the specs, and if they are not up to the mark, as a customer I think you have the privilege of getting a new team (not sure though), and do not settle for something less. Every $ is valuable.
Sastry
|
|
|
|
|
It's a recurring complaint I hear time and time again about off-shoring to India. Funnily enough it's not a reputation that applies to ex-pat Indians. If anything, it's the opposite.
"You get that on the big jobs."
|
|
|
|
|
I was a part of the offshore team once. Trust me, not all are security experts. After you have mentioned that security is a big deal in the application and that it has to be taken care of, all I can say is only one thing: there are hardly any security experts in the team that the work has been delivered to. Since the majority of persons who manage the projects look for people who can do DB and UI work, they ignore the fact that in a web application security is critical. Well, out of my experience in working with a few large IT firms in INDIA, what they look for most is that all the test cases are executed and that the client has not come back with any defects. So I would suggest to mark it as a defect and then they would get the right persons to do the job. In this case most of the web app security is done by experts onsite and then the DLL is sent back to be used by the team at offshore. So offshore has no idea how it gets implemented.
Not all the team members in offshore can tell which of MD5 or SHA1 is more secure for hashing. So my suggestion would be, next time you are looking for people in offshore to work on projects for security, look up their project profiles to see if they have done anything of that sort previously or not. I hope you would get a chance to look at the profiles of the team before they get to start work on projects; if not, you can always request the profiles before hiring and they must provide that if it is one of the top companies.
Sastry
|
|
|
|
|
As a rule of thumb never outsource critical parts of an application. Outsourced teams are there to do the grunt work; keep anything critical in house to be worked on by domain experts.
This is not to say that outsourced developers are any better or worse than onshore developers; it's simply a lot easier to manage an onshore team than one that is thousands of miles away, in a different time zone and with cultural differences that are not always obvious.
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
nils illegitimus carborundum
me, me, me
|
|
|
|
|
I too was forced to work with an off-shore Indian company.
I was explaining to them that the file was binary.
Someone spoke up and said "I looked at the file and it's not binary as it contains more than ones and zeros."
Things did not get better from there!
|
|
|
|
|
That was the best joke I ever heard, and by the way, who is the computer genius?
Sastry