Email	Print Reprint
	add to:
	Del.icio.us Digg Google Furl	Slashdot Y! MyWeb Blink

Keeping out crackers (the black-hat kind, I mean, not saltines or rednecks) is like trying to seal a leaky basement: Every time you plug one hole, the water flows to another. Our firewalls sealed off everything except for port 80; naturally enough, Web services flowed in to fill it. I remember tool vendors crowing that XML-based remote procedure calls would "travel unimpeded by your firewall." I groaned, and with good reason: The crackers were only a few milliseconds behind.

Of course, Web services can be implemented securely, and the techniques for doing so are known. Then again, software can be implemented without bugs, too. Sure, I'm a development genius ... but I test anyway.

[click for larger image] In addition to functional, client, regression and penetration testing for your SOAP apps, SOAPTest handles load testing.

If "test anyway" is your style as well, check out Parasoft's SOAPTest, now at release 4.0, which sports new ways to give your Web service security precautions

a good sweaty run for their money. SOAPTest 4.0 uses your UDDI, WSDL or even HTML traffic to craft a test program that actively bangs on the security doors, using crackers' known techniques. Ever hear of an "XML bomb," for example? To create one, you carefully craft some XML that will expand infinitely when parsed (recursively defining an entity in terms of itself will do the trick), send it in to the unsuspecting Web service, and watch the pretty lights. Sometimes you'll crash the server. Sometimes you'll get interesting and enlightening error messages back that can inform your next attack. SOAPTest 4.0 knows how to do it, so your software had better be ready to defend against it, along with a host of other cunning tricks, such as our old friend SQL injection, parameter fuzzing (mucking with SOAP parameters in an effort to elicit more-interesting error messages), XPath injection, and links to external entities.

SOAPTest retains its ability to wring out your Web services apps via client, functional and load testing, of course, and you can start with the wizard-generated tests and extend them with Jython, JavaScript or Java into veritable QA armies. SOAPTest 4.0 starts at $3,495.

Parasoft, 101 E. Huntington Dr., Second Floor, Monrovia, CA 91016, Tel: (626) 256-3680, Fax: (626) 256-6884, www.parasoft.com

—Rick Wayne

Effective Swingers All Ship It 

When the Pragmatic Programmers started their own press, it wasn't to put out some oinker. Instead, they produced the Pragmatic Starter Kit, which lives on my easy-reach shelf. Their latest is Ship It! A Practical Guide to Successful Software Projects (Pragmatic Bookshelf, 2005), a compendium of eminently practical project tips that authors Jared Richardson and William Gwaltney Jr. have found useful throughout their combined 30 years of experience writing code and getting projects out the door.

In a way, there's not much that's new here. It's not exactly a revelation that revision control can prevent disasters, for example. And yet ... and yet! Plenty of development shops still aren't using many of these practices, and Ship It! gives good advice to help you herd your outfit toward adoption—or at least to get you off to a good start if you're new to software project management. In addition to recommendations for tools and infrastructure and pragmatic project techniques, they also talk up tracer bullet development, which advocates (among other things) stubbing out a product from end to end, then refining the stubs into working code. Consider this: I've been building software for 20 years, and I blasted through Ship It! in a single evening, learning lessons to implement immediately in our group. Ship It! is available for $29.95.

Fair or not, Java UI programming has an ugly reputation among our development team at the University of Wisconsin. Heck, just uttering the phrase within earshot of the Finn puts you in imminent peril of receiving the Look.

But it doesn't have to be that way, say Joshua Marinacci and Chris Adamson, authors of Swing Hacks (O'Reilly, 2005). The two point out that Sun's Swing UI library lets you craft user interfaces that would be impossible to achieve with Web techniques, without giving up cross-platform compatibility. Deep, rich, responsive UIs are expected—nay, demanded—by today's users, and Marinacci and Adamson show you how to achieve them in Swing, with the O'Reilly-standard 100 hacks to give your applications "the cool stuff."

These hacks cover much of UI implementation, with chapters on lists and combos, tables and trees, rendering, drag-and-drop, and eight others. The hacks themselves range from the utilitarian (Use HTML and CSS in Text Components) to the flashy (Create a Magnifying Glass Component) to the whimsical (Earthquake Dialog and Fun with Keyboard Lights) to the seemingly quixotic (Make Mac Applications Behave Normally—to which I envision 10,000 programmers roaring "YEAH!" in unison). Swing Hacks is available for $29.95.

What's new? Scott Meyers' Effective C++ (Addison-Wesley, 2005) has been revised into a third edition. What's noteworthy about that? Two things: First, Meyers has completely revamped his items format to address the changing world of C++ (Boost, TR1 and the ubiquity of templates, for example) and how it affects its users (today, he notes, one may safely assume that programmers are familiar with object-oriented programming and design patterns). Second—and this has been true since the original book hit the shelves in 1991—if you program in C++, you'd be crazy not to have this book within reach. Its 55 items will improve your programming style and spare you red-faced embarrassment (to say nothing of possible unemployment). C++ has never been a language for fools or dabblers, and harbors pitfalls aplenty even for intelligent newbies. It pays to let Meyers be your point man. For example, take item 9: Never call virtual functions during construction or destruction. Think about that for a minute. Sends a chill up your spine, doesn't it? And yet many of us would never have considered that issue.

You get the idea. Now go get Effective C++, which lists for $44.99.

—RW

Script 'Em, Load 'Em, Ship 'Em, Rawhide

[click for larger image] You needn't be a developer to build a comprehensive suite of functional, regression and load tests with AccordSQA's SmarteScript and SmarteLoad.

To deploy, you must test. (OK, you can deploy once without testing. But by the time your ex-users are finished with the torches and pitchforks, version 2.0 is going to be a tough sell.) To test effectively, you must automate. To automate effectively—well, that depends on the scale of your projects. If you've got more than a handful of integration or acceptance tests to run, consider SmarteScript 4.0 and SmarteLoad 1.0 from AccordSQA. These apps test management out of the realm of "I know I put those scripts somewhere" to a place where complete, repeatable test suites become merely the elementary building blocks of your entire enterprise's test program.

SmarteScript's user interface is aimed at business analysts—those folks who know how to invoke and operate the application in question (be it a Windows executable, .NET application or Web app) but don't necessarily know what makes it tick. A "learn" function walks you through the application, while SmarteScript recognizes objects on the screen and parses values out of them. (It's not simple screen capture. Developers moving objects around on the UI won't break tests, claims the company—but they wouldn't tell me exactly how they do it.) Next, the tester is presented with a grid in which he can specify which values are the ones to look for, and voilà, a new test is born. Tests can incorporate clicks and keyboard events, and even shell out to arbitrary commands (to initialize a test database, for example). Natural-language documentation can be automatically generated for each test, sort of like Javadoc for testers. The test can be recalled, edited, lumped with others into suites, scheduled or run directly, all from a management console. One crucial advantage over "dumb" (or is that "dumbe"?) scripting is that when objects in a test change, that change is reflected over all tests using that object—you don't have to go back and edit all your regression tests.

SmarteLoad takes the abstraction one level higher, pulling in the tests you build with SmarteScript and orchestrating entire galaxies of simultaneous test runs to stress test your applications and report the results through a dashboard that gives you the skinny on your applications' health and responsiveness.

SmarteScript starts at $4,950 for a single seat; SmarteLoad starts at $9,980.

AccordSQA, 15 Doeskin Drive, Framingham, MA 01701, Tel: (508) 877-1594, Fax: (508) 877-1595, www.accordsqa.com

—RW

Software Development does not review New & Noteworthy inclusions. The features, capabilities and, in some cases, the images have been derived from the manufacturers' information. The words, however, are all ours. New product announcements may be sent to newandnoteworthy@cmp.com.

RELATED ARTICLES No Related Articles		TOP 5 ARTICLES No Top Articles.