Software Development and Management

Production Workflow for Game Development

2011-11-24T18:08:00.001-08:00

There is a discussion forum on how to use Source/Version Control System for Game Assets:

http://www.gamedev.net/topic/513765-asset-management/

After going through the various discussion, I propose the following:

1. Version control to be used by programmers only:
The programmers will check-in everything including the integrated game asset to work well with their version of code.

2. File server to be used by artist for their daily work:
The artists' artwork in progress should be loaded and saved from/into the mapped folder and not in their local PCs.
The file server need to be backup regularly to allow the artist to fall back on any over-written artwork.

3. Digital Asset Management to be used to upload final artwork cum source by artist only.
This system will allow artists to browse through the company digital library and re-use digital assets.
A list of open source DAM systems
http://www.opensourcedigitalassetmanagement.org/reviews/available-open-source-dam/

Compare C# with Objective C and Java

2011-01-27T17:23:00.001-08:00

A good article that makes the comparison on these three popular object oriented programming languages is available from Microsoft App Hub (formally known as Creators Club for XNA):

Introduction to C# from Objective-C and Java

I have created a blog on learning C# for beginners: Software & Programming Fundamentals

- Programming Basic
- Getting Started - Console Program and Problem Solving
- Windows Forms
- Variables
- Conditional Logic
- Calculator App Dev process
- Loops - for, while, do
- Arrays
- Strings
- Review 1 with answers
- Review 2 with answers
- Revision Exercises on "Loops"
- Events
- Graphics
- Simple Lots Drawing Program (Extra)
- Simple Hangman Program (Extra)
- Flickering in .NET Graphics
- Additional Exercise #1
- Additional Exercise #2
- Full Revision from variables to arrays

[ Classes and OOP ]
- Introduction on Class
- Exercise: Human
- More detail on class
- Properties of class
- OOP
- Performance considerations
- Testing
- Data Driven Unit Testing

Developing Java ME Games using Netbeans IDE 6.9.x

2011-01-25T17:38:00.001-08:00

I have created a new blog on how to develop Java ME games using Netbeans 6.9.x:

http://mpgddmgd.blogspot.com/

Freelance Developers Trends

2009-12-28T20:15:00.001-08:00

From oDesk’s Singapore Freelancer listing [ link ], the top developer is Alex N and he is affiliated with Jupiter/ BeHappy. He is an experienced RoR, Java developer.

From oDesk’s oConomy page [ link ], the average size per project is 494.7 hours and the average rate is $9.95 / hour.

There are more statistics in the oConomy page such as distribution by job category, etc.

With the bad economy and uncertainty ahead, the number of freelancers will surely increase further.

Deployment of Flash Lite Applications

2009-09-16T01:35:00.001-07:00

With the end in mind, what do we deploy after we complete testing our Flash Lite applications?

If it is a simple application with just one swf file, then copying the file to a Symbian S40/S60 handphone in its default location, the application may just work out of the box. But if the application has more files and does not want to reside in the default location, then we need to deploy the files as NFL for S40 and SIS for S60 (plus signing).

Nokia Flash Packaging Tool

Nokia forum has a online tool just for this purpose:

http://www.forum.nokia.com/Technology_Topics/Web_Technologies/Flash_Lite/flashpackager.html

Start by clicking on the “SIS” or “NFL” tab. After that, fill up the information in the sub tabs.

Create SIS Step by Step

The following guide from Nokia library provides a step by step tutorial on how to generate a SIS package using the tool.

http://library.forum.nokia.com/index.jsp?topic=/Flash_Lite_Developers_Library/GUID-E08FE0A9-B2BA-420E-AECC-84D887D415F9.html

Create NFL Step by Step

The following guide from Nokia library provides a step by step tutorial on how to generate a NFL package using the tool:

http://library.forum.nokia.com/index.jsp?topic=/Flash_Lite_Developers_Library/GUID-E08FE0A9-B2BA-420E-AECC-84D887D415F9.html

Yet Another High Level Programming Language – IBM’s EGL

2009-09-10T16:13:00.001-07:00

“Simplify Web 2.0 with IBM Rational EGL Community Edition” that is the promise from this latest release of an Enterprise Tool to the open source community.

The language is declarative and it will auto generate into Java and Javascript for deployment.

As an example of how the codes look like:

handler MyRuiHandler type RUIhandler { initialUI = [ addressForm, map ] };

addressField TextField { text = “my home address”, width = 250 };

goButton Button { text = “Go!”, onClick ::= goButton_clicked };

addressForm Box { children = [ addressField, goButton ] };

map GoogleMap { width = “500px”, height = “300px”};

function goButton_clicked (e Event in )

addressses String[] = [ addressField.text];

map.showAddresses(addresses, addresses);

end

For more information, refer to the EGL Community Edition Hub:

http://www-949.ibm.com/software/rational/cafe/community/egl/ce

Developing Application for Mobile Devices

2009-09-09T19:03:00.001-07:00

Symbian Developer Network published the following two useful papers:

1. Multi-Language Programming – Part I overview

http://developer.symbian.com/main/downloads/papers/Multi_Language_Programming_Part1_Overview.pdf

This paper covers the pro and con of C++, Java ME, Flash Lite, Python, Web runtime (widgets) and .NET compact framework.

It also lists the pro & con, supporting tools and packaging for development with 2 languages – Java & Flash, C++ & Flash, C++ & Widgets and Java & C++.

2. Multi-Language Programming – Part 2 extending Flash Lite with Java ME or Symbian C++

http://developer.symbian.com/main/downloads/papers/MLP_Paper+2_v1.0.pdf

This paper illustrated two examples of combining two programming languages for mobile application development:

1) FlashLite for UI and interface with Java ME (using Jarpa); and

2) FlashLite for UI and interface with C++ (using KuneriLite).

Jarpa facilitates the launching of application and the communication between two runtimes to enable access to additional functionality.

Kunerilite is a Rapid Application Development toolkit to allow flash Lite in accessing native Symbian APIs such as accelerometer, camera, bluetooth, GPS, file system and etc.

These two papers are worth reading to have an overview of the strengths and limitations of each of the programming languages and then based on the specification of our project, to make decision on which one or two languages to use.

Web-Based Hosted and Open-Source Test Management Tools

2008-06-30T23:47:00.001-07:00

Branded Tools such as IBM Rational and HP Mercury are comprehensive, flexible but "expensive". Big corporate such as banks and defense organizations may choose to use them purely for their brand and support. But for small software development companies that need to improve on their software testing & bug tracking process, they need an option to start small (cheaply) and later on the ability to scale up => hence, web-based hosted test management tools may be one key option for them to consider. The other option is to evaluate a suitable open source test management tool, setup it up and build up in-house "experts" to support the tool.

Web-Based Hosted Test Management Tools

Testmanagement: http://www.testmanagement.com/

" QaTraq is one of the leading software test case management tools available today. QaTraq provides the rock-solid foundation that IT teams need to create and update test scripts, test cases and test results. QaTraq provides you with instant access to a wide variety of reports which improve the visibility of your testing and pin-pointing test case execution progress. QaTraq encourages a structured approach to test management and test case management which will help to increase productivity and improve visibility of your case execution progress. "

Features: (1) User role based (test mgr, test lead, test analyst & tester); (2) Test plan, design, test scripts and test cases; (3) Test results and reporting; (4) full version control; and (5) excel & XML inport/export.

Zephyr: http://www.getzephyr.com/

" Zephyr is based around the concept of Desktops & Dashboards. Every role in a Test Department has a customized Testing Desktop with relevant applications that allow them to do their jobs faster and better, as they all share data from a centralized repository and communicate via a collaborative backbone. Dashboards are automated and live, keeping the whole company updated on every aspect of testing and product quality."

Features: (1) Role-based web desktop by Department or by project; (2) Resource, project and document management; (3) Metric and reporting; (4) Test cases creation, execution and repository; and (5) Defect tracking (Bugzilla) integration.

Open-source Test Management Tools:

From Opensourcetesting, the three most popular open-source testing tools are TestLink, Selenium and Watir.

TestLink: http://www.teamst.org/

" TestLink enables easily to create and manage Test cases as well as organize them into Test plans. These Test plans allow team members to execute Test cases and track test results dynamically, generate reports, trace software requirements, prioritize and assign tasks.

The tool has web based interface with PHP and background database MySQL, Postgres or MS-SQL. It cooperates with known Bug tracking systems as is Bugzilla, Mantis, etc."

Features: (1) Organize tests into projects to allow collaborations; (2) Requirement-based testing; (3) Import/export test cases to/from XML format; (4) Organized tests by test plans; (5) integrate with bug tracking system such as Bugzilla, Mantis, Jira, TrackPlus, Eventum, Trac, Seapine, Redmine; and (6) Reporting (bugs, progress, failure rates and etc).

Selenium: http://selenium.openqa.org/

" Selenium is a test tool for web applications. Selenium tests run directly in a browser, just like real users do. It runs in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh, Safari on the Mac."

Features: (1) Firefox plugin allows you to record and playback tests in the browser; (2) Remote Control mode to test a wider range of web-applications; and (3) Selenium Grid to allow scaling by adding hardware.

Watir: http://wtr.rubyforge.org/

" Watir is a simple open-source library for automating web browsers.

Watir drives browsers the same way people do. It clicks links, fills in forms, presses buttons. Watir also checks results, such as whether expected text appears on the page.
Watir is a Ruby library that works with Internet Explorer on Windows. Watir is currently being ported to support Firefox and Safari. "
Features: (1) Generate test result reports; and (2) Use excel or Ooo for data driven tests.

References:

http://www.dmoz.org/Computers/Programming/Software_Testing/Test_Management/

Software Testing

2008-05-01T18:31:00.001-07:00

Reports:

Magic Quadrant for IT Project and Portfolio Management 2007 (Gartner)

Terminologies:

Software Testing: It is the process used to assess the quality of computer software.
Test Bed: a development environment that is shielded from the hazards of testing in a live or production environment.
Test Automation: It is the use of software to control the execution of tests, the comparison of actual outcomes to predicted outcomes, the setting up of test preconditions, and other test control and test reporting functions. Commonly, test automation involves automating a manual process already in place that uses a formalized testing process.

IBM Rational Testing Suite:

AppScan: It automates web application security audits to help ensure the security and compliance of websites. Named the worldwide market-share leader according to Gartner and IDC, our AppScan product suite offers a solution for all types of web application security testing needs - outsourced, individual scans and enterprise-wide analysis - and for all types of users - application developers, quality assurance teams, penetration testers, security auditors and senior management. [Standard Edition: scans and tests for all common web application vulnerabilities - including those identified in the WASC threat classification - such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.]
ClearCase: It is a software tool for revision control (e.g. configuration management, SCM) of source code and other software development assets. It is developed by the Rational Software division of IBM. ClearCase forms the base of version control for many large and medium sized businesses and can handle projects with hundreds or thousands of developers, but the price is quite steep for smaller companies. Rational supports two types of SCM configurations, UCM, and base ClearCase. UCM provides an out-of-the-box SCM configuration while base ClearCase supplies all the basic tools to make it very configurable and flexible. Both can be configured to support a wide variety of SCM needs. ClearCase can run on a number of platforms including Linux, Solaris and Windows. It can handle large binary files, large numbers of files, and large repository sizes. It handles branching, labeling, and versioning of directories.
ClearQuest: It is a workflow automation tool (in particular bug tracking system) from the Rational Software division of IBM. The tool can be linked to Microsoft Project to create ordered steps for resources assigned to specific goals. The product was originally designed for tracking defects (bugs) in software development projects. In addition to its capabilities to track bugs ClearQuest allows organizations to organize tasks related to new features. ClearQuest also integrates well with Rational ClearCase revision control system. This allows to correlate source code change sets with ClearQuest records (i.e. bugs), simplifying some aspects of bug tracking and source code management.
Functional Tester: RFT is a GUI test automation tool. The tool provides capabilities to record a user’s interactions with an application and create a script representing the same. The user can modify the script to enhance or make specific changes if required. The user can play back this script to repeat the same sequence of actions that was performed during recording. The user can create a script to represent a test case. This test case can be considered to have passed if the script executes without any failure, else it is a failed test case. In an iterative development cycle, multiple builds of the application are delivered in short time frames. Manually testing the existing and new functionality in each of the new builds can be a challenge. RFT provides the ability to create a test harness to replay test cases on multiple builds to ensure that both existing and new functionality work as designed.
Performance Tester: It is a load and performance testing solution for teams concerned about the scalability of their Web-based applications. Combining multiple ease-of-use features with granular detail, Rational Performance Tester simplifies the test-creation, load-generation and data-collection processes that help teams ensure the ability of their applications to accommodate required user loads.
Robot: [Win] It is a test automation tool for functional testing of client/server applications.
Test automation tool for QA teams for testing client/server applications. Enables defect detection, includes test cases and test management, supports multiple UI technologies.

Other Testing Products:

HP/Mercury Interactive WinRunner: [Win] It is an automated functional GUI testing tool that allows a user to record and play back UI interactions as test scripts. As a Functional test suit, it works together with HP QuickTest Professional and supports enterprise Quality Assurance. HP WinRunner software is standard, functional testing software for enterprise IT applications. It captures, verifies and replays user interactions automatically, so you can identify defects and determine that your business processes work as designed. The software implements a proprietary Test Script Language (TSL) that allows customization and parameterization of user input.
HP/Mercury Interactive LoadRunner: [Win] It is a performance and load testing product by Hewlett-Packard (since it acquired Mercury Interactive in November 2006) for examining system behaviour and performance, while generating actual load. LoadRunner can emulate hundreds or thousands of concurrent users to put the application through the rigors of real-life user loads, while collecting information from key infrastructure components (Web servers, database servers etc). The results can then be analysed in detail, to explore the reasons for particular behaviour. Consider the client-side application for an automated teller machine (ATM). Although each client is connected to a server, in total there may be hundreds of ATMs open to the public. There may be some peak times — such as 10 a.m. Monday, the start of the work week — during which the load is much higher than normal. In order to test such situations, it is not practical to have a testbed of hundreds of ATMs. So, given an ATM simulator and a computer system with LoadRunner, one can simulate a large number of users accessing the server simultaneously. Once activities have been defined, they are repeatable. After debugging a problem in the application, managers can check whether the problem persists by reproducing the same situation, with the same type of user interaction. Working in LoadRunner involves using three different tools which are part of LoadRunner. They are Virtual User Generator (VuGen), Controller and Analysis.
JMeter: [Java, cross platform] It is an Apache Jakarta project that can be used as a load testing tool for analyzing and measuring the performance of a variety of services, with a focus on web applications. JMeter can be used as a unit test for JDBC database connections, FTP, LDAP, Webservices, JMS, and generic TCP connections. JMeter can also be configured as a monitor, although this is typically considered an ad-hoc solution in lieu of advanced monitoring solutions. While JMeter is classified as a "load generation" tool, this is not a complete description of the tool. JMeter supports assertions to ensure the data received is correct, per thread cookies, configuration variables and a variety of reports.
Microsoft Visual Studio Team Edition for Software Testers: It provides Web testing, load testing, unit testing, code coverage, and other testing tools.
HP/ SPI-Dynamics WebInspect: Security Scanner.
Parasoft WebKing: Security Scanner.

Certifications:

Certified Tester Foundation Level Syllabus:
The Foundation Level qualification is aimed at anyone involved in software testing. This includes
people in roles such as testers, test analysts, test engineers, test consultants, test managers, user
acceptance testers and software developers. This Foundation Level qualification is also appropriate
for anyone who wants a basic understanding of software testing, such as project managers, quality
managers, software development managers, business analysts, IT directors and management
consultants. Holders of the Foundation Certificate will be able to go on to a higher level software
testing qualification.

Web Application Security

2007-11-03T19:26:00.001-07:00

The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community works to create freely-available articles, methodologies, documentation, tools, and technologies on Web Application Security.

OWASP maintains the OWASP Guide (to Building Secure Web Application) and the OWASP Top 10 awareness (to list the ten most critical web application security flaws) documents.

Building Secure Web Application

In the OWASP Guide (version 2.1), users are guided through the technologies involved in web applications, security framework & policy, secure coding principles and many more security related topics.

How serious is web applications security flaws? Web applications have the ability to make a skilled attacker rich!

Each chapter in the guide is organized into 1) Best practices, 2) Secure patterns and 3) Anti-patterns (i.e. non-secured patterns).

The following figure (extracted from the guide) illustrate what web technologies are covered:

Web applications development: with cumulated generic knowledge, new tools enable entry level developers to build complicated web applications with ease but unaware of the security implications of their codes.

Policy: Organizations that have security buy-in from the highest levels will generally produce applications that meet basic information security principles. Most organizations produce information security policies derived from ISO 17799 (risk-based Information Security Management framework). The OWASP Guide is useful as a suitable control for application procurement and in-house development, as part of a wider compliance program.

Policy - Development: to employ a development methodology and some set of coding standards or conventions. All code and test changes must be able to be versioned and capable of being reverted.

Secure Coding Principles:

1) Minimize attach surface area - eg remove a search function and provide a site map instead;

2) Secured defaults - eg password complexity should be enabled by default and allowing users to simplify their use to turn off the complexity but increasing their risk;

3) Principles of least privilege - i.e. grant permission based on need only;

4) Principle of defense in depth - eg multi-tiered validation;

5) Fail securely;

6) External systems are insecure - third party partners should be considered external and treated as such;

7) Separation of duties - eg administrator can turn on/off an application but should not be able to log on to the application as a super user;

8) Do not trust security through obscurity;

9) Simplicity; and

10) Fix security issues correctly.

Threat Risk Modeling: When you start a web application design, it is essential to apply threat risk modeling to channel resources and time in focusing on the real risks. OWASP recommends Microsoft’s threat modeling process - two different approaches for writing up threats: One is a threat graph and the other is a structured list.

For identifying threats - STRIDE (Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service & Elevation of Privilege).

For rating risk - DREAD (Damage, Reproducibility, Exploitable, Affected Users & Discoverable).

Yahoo! Developer Network on Web Application Security: Most of the cases of user data making its way into the wrong hands stems from application bugs or security holes. Here are some basic guidelines for building safe Internet applications:

Never store passwords in clear text - use hash function(password). Instead, use a hashing algorithm to create a signature of the user's password for storage. To authenticate user, simply apply the same algorithm to the password received from login page and compare with what have stored.
Never store username in cookies for identification - use unique (random) key generated based on login userid & password (& random(time)). This makes it difficult for a hacker to guess or forge.
Check parameters pass to SQL statements in application. Untreated user input can easily be hijacked to clear out your database. PHP has a function called mysql_real_escape_string() that will prevent most attacks of this type. Refer to MSDN for preventing SQL injection on ASP .net.
Purge unused/unnecessary user data from your system regularly. This limits the damage that could be done if an attacker gains control of your system.

Top 10 web application security flaws (2007)

Extracted from the Top 10 (2007) document:

A1 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 – Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

A3 – Malicious File Execution
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 – Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 – Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A6 – Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.

A7 – Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.

A8 – Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 – Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Failure to Restrict URL Access
Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Learning Web Security - WebGoaT V5

WebGoat is a deliberately insecure web application created to teach web application security lessons. In each lesson, users are guided to demonstrate their understanding of a security issue by exploiting a real flaw in the application.

Lessons covered are listed below

HTTP Basics
HTTP Splitting and Cache Poisoning
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
How to Force Browser Web Resources
How to Bypass a Role Based Access Control Scheme
How to Bypass a Path Based Access Control Scheme
LAB: Role based Access Control
Using an Access Control Matrix
How to Exploit the Forgot Password Page
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
LAB: Cross Site Scripting
How to Perform Stored Cross Site Scripting (XSS)
How to Perform Reflected Cross Site Scripting (XSS)
How to Perform Cross Site Trace Attacks (XSS)
Buffer Overflow (TBD)
HTTPOnly Test
How to Perform Command Injection
How to Perform Parameter Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform String SQL Injection
How to Perform Log Spoofing
How to Perform XPATH Injection Attacks
LAB: SQL Injection
How to Bypass a Fail Open Authentication Scheme
How to Perform Basic Encoding
Denial of Service from Multiple Logins
How to Create a SOAP Request
How to Perform WSDL Scanning
How to Perform Web Service SAX Injection
How to Perform Web Service SQL Injection
How to Perform DOM Injection Attack
How to Perform XML Injection Attacks
How to Perform JSON Injection Attack
How to Perform Silent Transactions Attacks
How to Add a New Lesson
The Challenge

Installation and startup: download the window zip file (~42 Meg), unzipped. Disconnect your PC from the Internet before executing the "webgoat_8080.bat" file.

In the browser, point the URL to "http://localhost:8080/" to confirm that TOMCAT is running:

In the browser, point the URL to "http://localhost:8080/WebGoat/attack" and login using userid = guest, password = guest:

Click on "Start WebGoat", then click on "Show Params" and "Show Cookies". For each lesson, click on "Show Java" to go through the App codes:

Follow the instruction given in each stage of the lesson as illustrated above, read the lesson plan to learn more:

Use the tips to fully understand the steps involved for each lesson, example:

Tip #1: Use CR (%0d) and LF (%0a) for a new line

Tip #2: The Content-Length: 0 will tell the server that the first request is over.

Tip #3: A 200 OK message looks like this: HTTP/1.1 200 OK

Tip #4: Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>

Just copy and paste the following segment "?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>" into the textbox.

Good to have a copy of the ASCII reference code - %20 represent space.

(From http://game-editor.com/tutorials/images/ascii.jpg)

Proceed with the rest of the lessons....

Books and References

Book: Developer's Guide to Web Application Security

OWASP Guide: http://www.owasp.org/index.php/OWASP_Guide_Project

OWASP Top 10 2007: http://www.owasp.org/index.php/OWASP_Top_Ten_Project

OWASP WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project

Yahoo! Developer: http://developer.yahoo.com/security/

Yahoo! Design Patterns

2007-10-31T23:07:00.001-07:00

At Yahoo! Developer Network, Yahoo! shared their Design Patterns.

Each pattern has four primary components:

a title
a problem
a context
a solution

User Need To

The Design Patterns are categorized by the need of user to perform certain actions such as:

One Example - Vote to promote

Problem

The user wants to promote a particular piece of content in a community pool of submissions. This promotion takes the form of a vote for that item, and items with more votes rise in the rankings to be displayed with more prominence.

Use When

Users in the community have the ability to submit content to a 'pool' of resources.
Some democratic form of judgment is needed, to allow the community to compare the subjective quality of one submission to another.
A sizeable-enough community is required. Ideally, popular submissions in the pool should receive significantly more (dozens, hundreds?) votes than non-popular ones, in order to make comparisons meaningful.

Solution

Provide a voting mechanism, attached to each candidate item in the community pool. Clicking this mechanism counts as a vote in favor of that item's promotion.
- User gets only one vote per item.
- Display a user's vote back to them, so they can tell what they've voted for.
- Users may change their vote after it is cast.
Highlight popular items
- Display them on the property's Main Page
- Display them first in Search results
Prominently display the number of votes that an item has received
Try to ensure that users are voting on items that they have actually consumed (read, watched, listened to.)
- On article pages, place vote controls after the article.
- Consider withholding the vote mechanism on high-level listing pages. Make readers click down to an article page before voting.
- Provide a stand-alone voting mechanism that third-party publishers can include on destination sites.

Books and References

Yahoo! Design Patterns: http://developer.yahoo.com/ypatterns/

Microsoft Popfly Block Basic Tutorial

2007-10-27T18:53:00.001-07:00

Microsoft Popfly is currently Beta (as at 18 Oct 2007). This quickstart will focus on the overview and then creating a new BLOCK. Refer to the beta release notes for requirements and stuff supported.

Menu and stuff

After sign in, there is a menu bar with four items on it: Create Stuff, My Stuff, Find Stuff and Other Stuff.

	This is the start of creating stuff such as Mashup, Web Page and Block. Popfly Explorer enables us to share our Visual Studio Projects onto the popfly space with other users.
	This is where we keep track of projects created and our profile.
	This is where we search for stuff and people.
	This is where we share our stuff.

Getting Started

The easiest way is to go straight to mashup and start linking BLOCKs to create customised project. There is no programming at all and need only setting the parameters => watch popfly mashup videos to see how it works.
Now we will focus on creating a customised BLOCK: Create Stuff > Block, it will take us to the page for creating Block. A block is a piece of code that is contained in a single JavaScript file (.js) that provides methods for user generated code to invoke.

On the left side, there are existing blocks that are used for the Mashup. We can search for something (eg "google") related in the search box, then drag and drop into the BLOCK creator page.

On the top right hand corner, click on Save to save your block.

Books and References

Popfly books