Sunday, August 30

Master Technology Architect Program 2015 : I received a lapel pin from our CTO Paul Daugherty

It was quite a pleasant surprise to receive the Master Technology Architect lapel pin from Accenture CTO Paul Daugherty. Now I can flaunt my certification on my coat!
What are the SOA Design Patterns every architect should know?
When I meet architects and developers at different forums I see some people consider SOA to be an independent, optional discipline. The fact is that years back there was a time when the concept of SOA was new and people had to decide whether they should make changes to their applications to make them SOA compliant. Today we are convinced about the benefits of SOA and it is the de facto design principle. I would go to the extent of stating that if you are not following SOA principles when designing and coding applications in any technology, any programming language, then you are doing something very wrong.

My past employer Accenture was a pioneer in SOA implementation and innovation for SOA. I got the opportunity to lead the SOA Practice, work with industry leaders and implement multiple projects as a SOA Architect for some of the top clients. The best way to learn is to implement solutions for the most demanding Fortune 500 clients, and I was fortunate to get the opportunity as the lead SOA architect for Accenture. One of my innovations, SOA Service Bench, won 1st prize in the Accenture-wide innovation contest and I was honored by Accenture CTO Don Rippert, which probably is the most rewarding thing an architect wants in his career.

This post is about some basic SOA Design Patterns that you should be familiar with. You can evaluate your existing applications to see if they implement these patterns and, if not, analyze the benefits of implementing the SOA Design Patterns to make the applications SOA compliant. I assure you the benefits are immense in terms of maintainability, simplicity, loose coupling, reuse and atomic code. If you require any guidance feel free to write to me. I usually respond to queries on weekends.

1. Agnostic Services
Service capabilities derived from specific concerns may not be useful to multiple service consumers, which reduces the reusability potential of the services. Agnostic services implement logic that is common to multiple business problems. Separating agnostic logic into discrete services facilitates service reuse and composability.

2. Service Declaration
Agnostic services should explicitly declare that they are agnostic. This makes it clear to future designers and builders which services are designed to be reused.

3. Atomic Service Transaction
Services can be wrapped in atomic transactions with a rollback feature that reverses all actions and changes. Transaction management services can be implemented in the component layer and reused by multiple services.

4. Enterprise Service Bus (ESB)
An ESB acts as a message broker between consumers and services. The ESB can perform message transformations and routing, and connect to applications via a variety of communication protocols. You can use open source ESB products.

5. Service Façade
The service façade sits between a service and a contract. It eliminates the tight coupling between the service and its contract. This is intended to minimize changes to the service if the contract changes. A service can have multiple service façades to support multiple contracts.

6. Long Running Services & Service Callback
A service requires its consumers to call it asynchronously. If the consumer needs a response it provides a callback address. When the service reaches some milestone in processing it messages the consumer with a response. This approach frees resources and is useful when services are expected to be long running.

7. Backward Compatibility & Multiple Service Contracts
A service may support multiple contracts concurrently. This can be done to support backward compatibility (so that when a service changes all the consumers do not have to be updated). It is also done to provide different views to the service for different purposes (thus facilitating reuse).
8. Authentication Broker
In an enterprise scenario an authentication broker assumes responsibility for authenticating consumers. Consumers are issued a token they can use to access services.

9. Message Origin Authentication
Digital certificates are used to authenticate enterprise clients, so that a service can verify that a message really originated from the client it claims to come from.

10. Message Filtering
Messages are validated and filtered for harmful data before they are processed.
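The following is an added example, not code from the original post, showing how four of the patterns above fit together in a few dozen lines of Python: an Authentication Broker (pattern 8) that authenticates a consumer once and issues an HMAC-signed, expiring token; a Service Façade (pattern 5) that exposes one unchanged core service under two contracts at once (pattern 7, backward compatibility: v1 consumers keep working after v2 is added); and Message Filtering (pattern 10), which rejects any message that does not match a strict allow-list before business logic runs. The token format, the "v1"/"v2" contract shapes, the account-id format and the consumer credentials are all constructed for the illustration; a real broker would keep its key in a vault or HSM and would typically issue a standard token format instead.

```python
import hashlib
import hmac
import json
import re
import secrets
import time

# Constructed broker key: in a real deployment it lives only with the broker (vault or HSM).
BROKER_SECRET = secrets.token_bytes(32)


class AuthenticationBroker:
    """Pattern 8: authenticates consumers once and issues them a signed, expiring token."""

    def __init__(self, secret, credentials):
        self._secret = secret
        self._credentials = credentials  # constructed consumer -> password map

    def issue_token(self, consumer, password, ttl_seconds=300):
        if not hmac.compare_digest(self._credentials.get(consumer, ""), password):
            raise PermissionError("authentication failed")
        claims = json.dumps({"sub": consumer, "exp": int(time.time()) + ttl_seconds},
                            separators=(",", ":"))
        tag = hmac.new(self._secret, claims.encode(), hashlib.sha256).hexdigest()
        return claims + "." + tag

    def verify_token(self, token):
        """Return the consumer name for a valid, unexpired token, otherwise None."""
        claims, _, tag = token.rpartition(".")
        expected = hmac.new(self._secret, claims.encode(), hashlib.sha256).hexdigest()
        if not claims or not hmac.compare_digest(tag, expected):
            return None
        parsed = json.loads(claims)
        if parsed["exp"] < time.time():
            return None
        return parsed["sub"]


# Constructed account-id format and the two contract versions the facade supports.
ACCOUNT_ID = re.compile(r"[A-Z]{2}[0-9]{6}")
CONTRACT_KEYS = {"v1": "acct", "v2": "account_id"}


def filter_message(contract, message):
    """Pattern 10: strict allow-list validation of the inbound message before any business logic."""
    key = CONTRACT_KEYS.get(contract)
    if key is None:
        raise ValueError("unknown contract")
    if not isinstance(message, dict) or set(message) != {key}:
        raise ValueError("unexpected message shape")
    account_id = message[key]
    if not isinstance(account_id, str) or not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("malformed account id")
    return account_id


class BalanceService:
    """Core (agnostic) service logic; it knows nothing about contracts, tokens or transports."""

    def __init__(self):
        self._balances = {"AB123456": 1500.0, "CD654321": 42.5}  # constructed data

    def get_balance(self, account_id):
        return self._balances.get(account_id)


class ServiceFacade:
    """Patterns 5 and 7: one service exposed under two contracts concurrently.

    v1 consumers send {"acct": ...} and get a flat balance; v2 consumers send
    {"account_id": ...} and get a structured record. The core service is untouched
    when a contract is added or changed, so existing consumers keep working.
    """

    def __init__(self, service, broker):
        self._service = service
        self._broker = broker

    def handle(self, contract, token, message):
        consumer = self._broker.verify_token(token)
        if consumer is None:
            return {"status": "unauthorized"}
        try:
            account_id = filter_message(contract, message)
        except ValueError as exc:
            return {"status": "rejected", "reason": str(exc)}
        balance = self._service.get_balance(account_id)
        if balance is None:
            return {"status": "not_found"}
        if contract == "v1":
            return {"status": "ok", "balance": balance}
        return {"status": "ok", "account": {"id": account_id, "balance": balance, "currency": "USD"}}


def build_demo():
    """Wire the pieces together with constructed credentials; returns (broker, facade)."""
    broker = AuthenticationBroker(BROKER_SECRET, {"crm-portal": "s3cret"})
    return broker, ServiceFacade(BalanceService(), broker)


if __name__ == "__main__":
    broker, facade = build_demo()
    token = broker.issue_token("crm-portal", "s3cret")
    print(facade.handle("v1", token, {"acct": "AB123456"}))
    print(facade.handle("v2", token, {"account_id": "AB123456"}))
    print(facade.handle("v2", token, {"account_id": "AB12' OR '1'='1"}))
    print(facade.handle("v1", "forged.token", {"acct": "AB123456"}))
```

Two design points are worth noticing. The filter runs before the service is touched and fails closed on anything it does not recognise (an extra field, a wrong type, an id that does not match the pattern), which is what makes pattern 10 useful against injected or malformed payloads rather than a cosmetic check. And the façade is the only place that knows about v1 versus v2, so retiring v1 later is a change to the façade alone, exactly the decoupling pattern 5 promises.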

Tuesday, August 4

16) What implementation should an enterprise prioritize - Mobile Applications, SaaS or Big Data?

The Mobile Revolution, SaaS and Big Data followed in succession. Each of these technologies changed the playing field and churned the markets. Yet there are over 70% of enterprises that have not implemented mobile platforms, over 90% of enterprises that have not leveraged SaaS and over 99% of enterprises that have not taken any Big Data initiative as yet. Don't worry about the accuracy of the numbers, because this is my conservative estimate and the real numbers could vary by a huge 20%, but the proportion of implementation should be very close.

And for the enterprises that have yet to implement any of these 3 technologies it is quite a challenge. There are enterprises that were on the verge of building their mobile platforms and suddenly got hit by the SaaS wave and then the Big Data wave.

Mobile platform roll out is a challenge by itself, and I have worked on projects that have gone back and forth on the mobility platform, at times because of a lack of understanding of the mobility architecture and at other times due to a rigid service layer which would have to be rebuilt to cater to the mobile platform because of the 'Different Nature & Requirements of Mobile User Interface'. The challenge is around using your existing architecture and capabilities to support the Mobile Application instead of replicating and rebuilding applications for mobile, so we can say the challenge is to implement a classic Service Oriented Architecture to reuse the existing services of the enterprise applications.

SaaS, or Software as a Service, is a value proposition and the need of the hour, but it will take some time for enterprises to move to SaaS. To implement SaaS in the true sense, apart from the challenges faced by a Mobile implementation there are additional challenges across the architecture layers. The good part is that there are multiple 'Multi-Tenancy Models' and an enterprise can implement SaaS incrementally and still derive the benefits of the shared model. My opinion is that an enterprise should start Mobile & SaaS implementation in parallel. Of course they need an experienced architect to guide them, and the 1st step of each implementation would be to build a working prototype. It is also very important to educate employees about the structural and cultural changes that come along with adopting these 2 technologies, but that is something we will not discuss here.

Finally Big Data, the Big Daddy: everybody wants to tell the world that they have Got It Tamed but nobody knows what the end result will be. No kidding! Ask Apple, Amazon, Best Buy, IBM, Telstra, AT&T and many others who got started with a humble goal. This is because unless you have a clear understanding of the veracity of Big Data for your enterprise and its applicability to various areas of the business, it does not make sense to invest in Big Data. So first things first: study the changing industry landscape, revisit the enterprise vision and update it, and then define the Big Data Vision. I think it is clear that Big Data implementation can follow as you start implementing Mobility and SaaS, or even better, have all three programs run in parallel if you can. I will be happy to exchange learnings with these technologies if you drop me a mail. Cheers!

15) Tribute to my Idol Scientist & Ex President APJ Abdul Kalam (aka. Father of Indian Nuclear Program & Missile Man)

Most hard working people retire at the age of 75 and enjoy a relaxed lifestyle. Those who are fit like to travel across the globe visiting countries & enjoying life, and then there are a few 84-year-olds like Indian Ex-President APJ Abdul Kalam who continue to work 24/7, sharing their vision & experience with the youth and guiding them. It is interesting that at the age of 84 Mr Kalam would share his personal email-id at press conferences, invite people to write to him and guarantee a reply within 24 hours. I have been proud of the fact that I always reply to my business emails the same day I receive them, but I cannot imagine myself sharing my email-id with all of India and replying to any question on any subject 24/7 like Kalam did; it takes a Mr. Kalam to Just Do It.

I became Mr. Kalam's fan when I heard his interview after the 'Pokhran' nuclear test which made India a nuclear power under his leadership. Most people don't realize the impact of becoming a nuclear power, and if you read the last few years of history you will realize the change in the world's outlook towards India pre/post becoming a nuclear power. Interestingly it took two of the most honest and non-violent people, Atal Bihari Vajpayee & Dr Kalam, to finally make it happen. When a reporter asked him 'Why does India need a nuclear bomb?', Dr. Kalam's reply was: 'Today the world's top 4 nations are nuclear powers and if India wants to be heard as a leader we cannot sit and do Tapas (Tapas or Tapasya, meaning doing penance). To be heard as a leader India needs to be one of the top 5 powerful nations and that is why India had to develop its nuclear program.' If you have heard his lectures you would know that Dr. Kalam's approach was always Practical, Precise and to the Point, and he conveyed his ideas in a very polite way. I like his examples of what a good leader should be like. He said a good leader should face the world and own the team's failures, and when the team succeeds the leader should let the team take the center stage while he himself takes a back seat. I wish we had more and more leaders following his example. There are far too many leaders who are too eager to own the credit that at times rightfully belongs to someone else or the entire team. He said leaders are watched by people and followed, so their integrity should be beyond question, and in the 84th year of his life he enjoyed his popularity because of his honesty, integrity & character. Kalam said a leader should be courageous and should be able to take difficult decisions. I have seen leaders who have been scared of taking tough decisions even when the risk was minimal, and such a leader fails to understand that a wrong decision puts his team back by ages.

I wish Indian political leaders would start following Kalam's principles, if only to become popular and succeed like Dr. Kalam, because no Indian has tasted success like Dr. Kalam in recent years.

I can think of a few leadership principles that may not be part of Dr Kalam's speeches, but I have observed these qualities in Mr. Kalam and many other good leaders.

1) A leader should be friendly and approachable to everybody in his team - remember Mr. Kalam himself used to read emails sent by anybody & everybody, even after he retired.

2) A leader should regularly communicate with his team. A leader's communication should be crisp and to the point, and he should listen to the spoken and the unspoken.

3) A leader should seek opportunities to appreciate his team rather than finding faults in it, and the team will work hard to earn his appreciation.


I did not have the fortune to meet the great APJ, but I always felt I had a connection with the man. I guess each patriotic Indian today feels that he has a connection with APJ Abdul Kalam, and that is what makes him the People's President - a loving title that no other president in the world has been bestowed with by the people. I am happy my son has a modern Indian idol to follow and I can tell him stories of the great Dr APJ Abdul Kalam.

Rest in peace Sir, Dr Avul Pakir Jainulabdeen Abdul Kalam. You will always be loved and remembered by India.

Sunday, August 2

Session Token In URL Vulnerability

The HTTP protocol and web servers are stateless by nature. This means that there is no way for them to track user activity; the web server treats every request as a new one. For this reason, browsers and web servers need to use session tokens. Session tokens are unique pieces of information shared between the browser and the server. They make it possible to track user activity and differentiate between users. For example, an e-commerce application may use a session token to identify the shopping cart that belongs to a particular user.

There are different ways to share session tokens. They are most commonly included in cookies, but alternative methods are quite widespread as well. Such methods include sending the session token directly in URLs, in dynamically rewritten URLs, or hidden in the HTML source of the web page. These methods are also often combined, and they are on the rise because users often disable cookies in web browsers due to privacy concerns.

Why Is Using Session Tokens in URLs a Bad Idea?

The easiest method of sharing session tokens is placing one directly in the URL, for example, http://www.example.com/account.php?token=12345. Using such a URL, a user who was authenticated earlier can access their account. This method is not inherently insecure, but if the session token is not validated by the server it could lead to potentially high-risk vulnerabilities.

If you place a session token directly in the URL, it increases the risk of an attacker capturing and exploiting it. Anyone who follows that URL inherits the session. When you connect to the web server using HTTPS the risk is less than if you use HTTP, but it is still a threat.

HTTPS URLs are encrypted during transmission, but they are often stored in server logs. Anyone who gains access to the logs can exploit these tokens. In the worst case, this can lead to session fixation or session hijacking. Therefore, even though we classify the Session Token in URL vulnerability as low severity, you should not take it lightly.

What Are the Alternatives?

Applications should use alternative methods of sharing session tokens, for example, HTTP cookies. You should also encrypt the traffic of such applications (HTTPS), because it is possible to retrieve session tokens from unencrypted applications. If you cannot use cookies, you can send session tokens using hidden input fields. Unfortunately, this is also not foolproof: attackers may explore the HTML source code to identify and hack hidden fields used to send these tokens. For more on session hijacking, read my post:
What is Session Hacking?
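As an added illustration (not part of the original post), the Python below shows both halves of the point above for a defender: a small scanner that detects session tokens leaking into access logs, and the cookie-based alternative the post recommends. The log lines, the `/account.php?token=12345` URL from the post, and the list of parameter names treated as session tokens are constructed for the example; the log format is the common Apache/nginx "combined" layout. The scanner also checks the Referer field, which is how a token placed in a URL leaks even over HTTPS: the browser sends the previous page's URL, token included, with the next request, and that ends up in the logs of whichever site receives it.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names commonly used to carry a session token (constructed list; extend for your apps).
TOKEN_PARAMS = {"token", "sessionid", "session_id", "sid", "phpsessid", "jsessionid"}

# Constructed access-log lines in "combined" format. Line 1 carries the token in the request URL,
# line 2 leaks the same token through the Referer of a later request, line 3 is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Aug/2015:10:15:01 +0000] "GET /account.php?token=12345 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Aug/2015:10:15:09 +0000] "GET /help HTTP/1.1" 200 812 "http://www.example.com/account.php?token=12345" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Aug/2015:10:16:22 +0000] "GET /products?category=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def tokens_in_url(url):
    """Return {param: value} for every session-token parameter in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if k.lower() in TOKEN_PARAMS}


def scan_access_log(lines):
    """Detection: flag log lines where a token appears in the request path or in the Referer."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMBINED_LOG.match(line)
        if not match:
            continue
        for field in ("path", "referer"):
            found = tokens_in_url(match.group(field))
            if found:
                findings.append({"line": number, "field": field,
                                 "params": sorted(found), "client": match.group("client")})
    return findings


def redact_url(url):
    """Mitigation for logs: blank out token values before the URL is written anywhere persistent."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def session_cookie_header(token):
    """Mitigation for transport: carry the token in a cookie flagged Secure (HTTPS only),
    HttpOnly (not readable by page scripts) and SameSite, so it never appears in a URL."""
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()  # value of the Set-Cookie header


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("token in log:", finding)
    print(redact_url("http://www.example.com/account.php?token=12345&view=cart"))
    print("Set-Cookie:", session_cookie_header("constructed-session-value"))
```

Running the scanner over real access logs is a cheap way to confirm whether an application has this issue in production rather than only in a scanner report, and `redact_url` shows the minimum a logging layer should do while the application is being migrated to cookies. Note that redaction only limits the log exposure; the Referer leak and shared-URL problem remain until the token is moved out of the URL altogether.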

MUSTREAD : How can you use Index Funds to help create wealth? HDFC MF Weekend Bytes

https://www.hdfcfund.com/knowledge-stack/mf-vault/weekend-bytes/how-can-you-use-index-funds-help-create-wealth?utm_source=Netcore&...