

freelancer? join my community

I’ve recently set up a site intended to be a broader mix of content and community at http://freelancepath.com.  This is an extension and outgrowth of an earlier email group I ran based on audience members from my web development podcast.

If you’re a freelancer, I’d like to invite you to join my community for web freelancers.  Interested in contributing a guest post to our blog?  Register there, friend my profile, and send me a message with your idea.  I’d love to have you guest blog about your freelancing experiences, tools, service reviews and more!


I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook

Things a web developer might need to know

I saw a post on reddit the other day, and answered there, but thought I’d clean up my response for posting here, fleshing out a couple more ideas, and get your feedback as well.

The original question was from a 16 year old who’s been doing some basic CRUD apps, but is getting bored and wanted to move on to ‘real’ development.  There were some good replies, but few went in to the depth of detail that I think beginners are even aware of.  Granted, this might scare off some, but for others it might give them some ideas about what’s possible and what’s involved in professional web development.  I know I’m going to leave off some topics, so feel free to add on!

Generally, in professional web programming gigs, the “programming” part is just that – a part of the job, and often not even a majority, unless you’re fast and loose with the definition of programming.  I’m taking it to mean primarily one language – usually a server side tech like C#, PHP, Ruby, etc.

Version Control

Understanding the basics of version control – when, how and why to use it – is essential for professional software development.  Git and subversion are probably the most widely used today – mercurial, darcs, cvs and others are either gaining or losing ground daily, but understanding the basics of git and svn (differing systems certainly) will stand you in good stead in 2012, 2013 and beyond.

Even working by yourself you really should be using it as well, but I frequently talk to solo developers who say “well, I don’t need it, because I just work on my own projects”. A few reactions I have to that sentiment are:

  • Much like backups, you won’t really understand how much you need it until you need it.
  • Branching opens up a whole world of possibilities in your approach to development, allowing you to work non-sequentially when necessary; without version control, you’re only thinking with part of your brain.
  • Most professionals use some form of it. To work with anyone else, you’ll need it, and you may as well start now.

Ticket/issue systems

I don’t have a horse in this race specifically, and personally am not a 100% convert, but the more I work, the more I need things written down in a centralized place which others can use and modify, but that also allows me to hook in to it with my code.  Being able to commit code and indicate “this is for ticket #723”, and having that tie in to the ticket system so that I can see the code from the ticket system, is very powerful.

Go back to issues 6 months later, and see the code changes in context with the notes on the issue in question – it gives you a different (new?) perspective on how you write commit messages, what’s important to note, what’s not, and so on.  Personally, I’m using redmine right now, but have used other tools in the past.  Find something that works for you and/or your team and stick with it.

Testing

Unit, integration, load, performance, scalability, acceptance – there are loads of ‘types’ of testing, and you may lump some together, and your process may change over time.  I’m less concerned with whether you have load/performance/scalability testing processes – those aren’t always considerations for projects.  Unit and/or integration testing are generally useful regardless of the size/scope of the project.

Get comfortable with a testing tool (junit, nunit, phpunit, cucumber, rspec, etc).

Continuous integration

Hand in hand with testing is a way to automate the testing process.  Every time you check in code, have a set of tests run and show you the results.  Again, once you make this a habit, it can be very powerful.

Jenkins is the current standard in the Java world – there are probably others for other technologies – search for “<my tech language> continuous integration” for specifics.

Security

Along with other types of testing, you should be aware of security testing strategies to employ against your sites.  Mess with URLs, try to POST bad data to your scripts, etc.  Automate those tests.  Find tools to do the same.  sqlmap is a tool to automate SQL injection attacks against your site – using that is eye-opening.

Are you using prepared statements over raw SQL strings?  Stored procedures?  Various levels of access to your database(s)?  There are a number of techniques to help avoid or reduce SQL injection attacks.

Learn about Cross-Site Request Forgeries (CSRF), and how to protect against them.   Learn about Cross-Site Scripting (XSS) attacks.

SQL injection, CSRF and XSS still make up the vast majority of security holes in websites.  Learn how to protect against them and you’ll be a long way towards being secured (but never take it easy!)

Performance

There’s a whole world of topics to cover under performance – code caching (do you write optimized and optimizable code?), data caching, page caching, HTTP caching headers (etags, etc), asset caching, compression, minification, CSS sprites, mobile-optimized sites.

As I said before, many of these may not be useful to all developers all the time – they may never rise beyond the level of ‘interesting’ at your current project/gig.  Be aware that the tools, techniques and trends may change quickly as new tech and usage patterns emerge, so even if you ‘know’ this stuff, revisit it every so often if you’re not immersed in it day to day.

JavaScript/front-end

How good are you with JavaScript?  Would you be able to write a full app in a browser using JavaScript only, making service calls to a back-end via SOAP or REST?  There’s a whole world with toolkits and libraries like jQuery, Dojo, AngularJS, JavaScript MVC, templating systems and more.  Are you able to selenium-test your front-end app?  How about running browser-based tests via qunit or a similar testing tool?

Mobile

The rise of mobile – smartphones, tablets, etc – has opened up a new set of opportunities and challenges to be aware of.  Data caps, optimized graphics, new UI controls for touch interfaces, and more.  Understanding ‘best practices’ for mobile, and keeping up with them, will keep you busy for a while.

Other technologies

How good are you with search tools?  Business dashboards?  Data gathering and analytics creation, interpretation and action?  There are a number of things that businesses need which don’t particularly relate to any one specific tech, but which they’ll all need (a quick way to search for data, generate reports, etc.)  Find some common business problems in your current situation and look for some of the top packages out there that solve those problems that you can integrate (SOLR, Lucene and ElasticSearch on the search side, for example; Jasper Reports or Pentaho on business reporting options, etc.)

What language again?

Notice that I really didn’t focus on any language or particular tech.  All of the above are skills that professional web developers need to have – or, if not possess 100%, be *aware* of.  I’m certainly no master of web tech, but I keep up with it enough to know who the real masters are in various areas.

What surprises me some is students coming out of school, and sometimes with more than a couple years under their belt, who’ve never heard of some or many of these ideas.  Perhaps I’m just meeting more than my fair share of true ‘code monkeys’ who copy/paste PHP/jQuery from 9-5, but I’d like to think, but that initial reddit post got me thinking a bit about this (that and some recent conversations with beginners and seasoned experts at a few regional meetups lately).

Won’t this all change?

Yes and no.  The idea of continuous integration was certainly not popular when I started in software development …. 18 years ago.  No doubt it was being done, but not by people I knew, nor in any popular literature I could find.  Some of these ideas take hold, and some don’t; Test-Driven Development, ‘Agile’, etc may come to be seen as fads in a few years – I can’t say for certain.  But… the fundamentals of communication and being aware of multiple aspects of a project (accuracy, speed, security) won’t go away.  These are issues that *will* be addressed on a project eventually, either during the initial work when it’s under your control, or at 2am on a Saturday morning because everything’s broken or you’ve been hacked :)

Gentle plug: if it’s before November 17, try to make it to indieconf, a conference for independent web professionals (and maybe just those that act like it!)

Side note: one of the upsides of freelance work is you often get to control the tools/processes for the work, and can pick/choose the tools you want.  One of the downsides is that sometimes you end up working with a team who “doesn’t believe” in any of this stuff, and you end up wasting a lot of time fighting problems that continually get reintroduced because of lack of testing.  I’m no saint on all this – I’ve done my share of skimping, and I speak from experience when I proclaim the value of using these sorts of tools.



Open Source LinguaFolio software project available

A couple of years ago I was asked to build a piece of software implementing the concepts of the LinguaFolio “formative assessment tool”.  That’s education-speak for something that helps students and teachers understand how a student is doing. :)  I was asked to build this by the state of North Carolina, and for the past two years they’ve been rolling this out to more students and teachers around the state.

The LinguaFolio tool is free for all students and teachers in NC, and is essentially free for others to use because it’s an open source software project.  The main code is available to download and run anywhere.  It’s a Java/Grails/MySQL web app which, while not as simple to set up and host as a PHP app, is still pretty basic.  We’ve still got a lot of functionality to implement, and I’m slowly adding some new features over the next few months, but I thought I’d mention this here so people would know it’s available.  As far as I know there’s only one other ‘online’ version of LinguaFolio, but it’s not open source or free or even available to test out.  As more people become interested in using LinguaFolio, there may be more options, but right now, our elinguafolio project is picking up steam.

Now you may be thinking “hey, that’s great it’s open source, but I don’t know how to run any software like that!”.  And you may be right.  Just because something is open source doesn’t necessarily make it 100% useful to anyone out of the box – it’s more a case of giving you freedom to find the right vendor to work with (or change vendors if you’re not happy).  If you’re interested in using LinguaFolio in your district or state, tell your vendor to grab the software and run it.  They can reach out to me with questions (there’s an issue tracker on that site above) and, within reason, I can assist them in setting it up.

Or… you can simply hire me to do it for you.  I can set it up and host it on servers I manage (and can give you access to as well) for a standard monthly price.  You’ll have a version that is kept up to date, and you’ll be helping to fund the open source LinguaFolio which will continue to help more teachers and students over the coming years.  If you’re interested, give me a call at 919 827 4724 to discuss how I can help.



Freelance to fulltime

NOTE – this is not autobiographical – I’m currently still a fulltime freelance/independent contractor and have no immediate plans to make any changes in that status.

I’ve had a few friends and acquaintances recently go through periods of transition, shifting from contract and freelance work to something else.  In some cases the transition was voluntary, sometimes not.  I wanted to share some thoughts on what I’ve observed so far.

In more than a couple cases, friends looking out in to the job market – interviewing at companies and such – don’t have a good idea of the market rate for either their skills or the value they’d bring to a company.  To whatever extent possible, survey your friends/colleagues in an area with similar skills, get ballpark estimates from them about what they’re earning, and try to get them to indicate salary vs benefits/perks.  Money is a personal subject for many, and you may not get a full honest answer from someone.  Ask them to just give you a range.

If there’s hesitation or a privacy concern, rephrase the question a bit – “if I was to apply for a job doing XYZ at your company, what should I expect as a salary?”.  I don’t know too many people who would have a problem answering that – it allows them to give specifics without disclosing what they make personally, which may be higher than what they quote you based on other factors.  Knowing that most people would be making about $80k doing mid-career PHP or Python development at companies X, Y and Z will help you when talking to company K, assuming they are of similar size/region/industry, and you’ll feel more comfortable if/when the money question comes up during an interview.

In some cases, this question comes up very early on, primarily as a screening tactic by HR departments.  If they’re thinking $60k, but you’re thinking $150k, there’s no point in moving forward.  Unfortunately, most HR departments I’ve talked with over the years are a bit too cagey, and demand a number from you first vs just giving you a range they have in mind.  Bear in mind, if they have a range of $60-$75k, that doesn’t mean the company may not raise that range to meet you, but that usually won’t be a consideration until after a few interviews.

A freelance friend of mine recently landed his ‘dream job’ doing R&D work for a large company.  I was sad to see him leave the freelance world, but I knew for him it was for the best.  What worked for him?  Hard to say if it was any one thing, but he was fairly ‘plugged in’ to the community at large – he’s blogged in public for years, spoken at many conferences, published magazine articles, and contributed some notable open source code to projects.  Whether any of those specifically were factors in this particular job offer, I can’t say, and I’m not sure he could either.  In my view, they all contributed to his profile.  When new positions come open, they’re often floated by connections in personal networks first.  Having a strong personal network, and letting people in that network know you’re looking for new options, is a very useful tool, but also one which you can’t get overnight.

The other side of personal networks – if someone reaches out to you with an opportunity, *acknowledge* them.  I’m speaking from experience here.  When I reach out to someone with a project or job I think would be a good fit for them, and they simply ignore me… they’re not on my good list any more.  It’s not as if I hate them personally, but I won’t bother to go out of my way to spot opps or jobs I think would be beneficial for both parties.

This happens to me multiple times per year – I hear someone is looking for a new job, I forward one or more opportunities, and *nothing* ever is responded to.  This behaviour is just *odd*, and possibly may help explain why person X may not be happy in their current job or may be continuing to look for IT work when the current IT market is pretty hot.  Few projects of mine have ever failed due to technical issues – many have failed or been derailed due to personality conflicts or communication problems. Bottom line – if someone is courteous enough to be thinking of you and your needs, reply to them acknowledging that you received the information.  Even if the position isn’t necessarily what you’d consider a good fit, replying is just good manners.

Another friend recently transitioned from part time contractor to full time employee.  After several years contracting for one department, he was offered an expanded role full time, which seems to be suiting him quite well.  This one is not something you can easily plan for, and in his case certainly took me by surprise.  Not because he’s not capable of the work, but I didn’t think the company was looking to expand their service offerings.  Maybe they weren’t until recently – who knows?  But an opportunity came along and he was ready to transition from freelance to full time.

Are you looking for a full-time gig?  What’s worked for you?  What have been the stumbling blocks?  Let me know!

Are you freelancing, or considering it?  I’ve got a web freelancer support group to help people who are getting started or looking to grow.



Postal service musings

The latest big deal in the US is that our postal service is losing money hand over fist, and may have to scale back or shut down.  I don’t suspect shutting down forever will feasibly happen, but we’ll probably see a scaling back.

Email and internet are being blamed for much of the demise of the post office, and there’s a lot to be said about that angle.  Yes, we send fewer items now than years ago, largely due to electronic stuff – invoices, contracts, billpay are all often done by the web or email.

And rural post offices are being singled out as largely unprofitable, losing the most money.  And it makes some sense – small populations set far apart from each other, rising fuel costs, fewer people paying in to send mail, etc.

How to fix this?

Charge for receiving mail.  Perhaps just in rural areas.  People will quibble about what’s ‘rural’, and they’ll argue over price.  I’ll throw this out to start with $29/year for home delivery of mail.  In our area, this might not entirely cover the shortfall, but I’m sure it would go a long way towards helping out.

“But but but… that’s wrong!”.  Well… it’s not really.  We’ve already conditioned ourselves to pay for email, but for some reason we think we shouldn’t have to pay for USPS.

To send email, I have to have an account.  True, some people get away with free webmail accounts at libraries and whatnot, but the overwhelming majority of people taking advantage of electronic billpay, invoices through email, etc – they’re all paying for an internet account.  Often multiple times – many people have data plans on phones, home internet, and their employer pays for it at work.  Internet providers are making a true killing at this, effectively offering almost ‘unlimited’ correspondence transmission, while the USPS struggles with ‘pay per stamp’ pricing.

I’m not suggesting we all pay a flat rate to mail stuff, but consider this.  Someone drives bits of paper to my house every day – for free (yes, the sender paid something, but as we see, the USPS is losing money on this).  I get home delivery for *free*.  Now… if I want some privacy, I can *pay* for that same mail to stay in a PO box which I’d visit at my convenience.  So… *pay money* to have the mail sit at a post office, or *drive* it to my house for free.  Does that make much sense?

Charge me $29/year for home delivery – think of it as USPS “Prime” (ala Amazon), and keep my mail at a local PO box for free, but clear it out every 3 days.

This would change the economics in a hurry – many people wouldn’t opt for the home delivery, and they’d miss out on a lot of junk mail.  Junk mailers may stop sending as much junk.  The junk mail does help subsidize the USPS, but some of that would be offset by income from people paying for the home delivery.

I understand many smaller offices wouldn’t be able to provide boxes for everyone right away – it may have to be manual labor at the front desk for now – show your ID, get your mail.  This would encourage people to get home delivery.

It’s not perfect – maybe a little crazy, even – but I’d like to see people coming up with better solutions to this.  Certainly people don’t have a problem paying for delivery of stuff to their home – Fedex/UPS manage it – but I do think it’s high time we look at charging for rural mail delivery (perhaps all mail delivery at some point).  If it cuts down junk mail, keeps service people on the road, and reduces losses (or helps make a profit) – what’s the downside?  I’m sure there’s some, but I can’t think of any right now.



virus scanning as a service – looking for feedback

I’m looking for feedback on a project idea.  This grew out of a project I did last year that involved a lot of user file uploads that are then downloadable by others.  Virus scanning needed to be part of the process, but I couldn’t find a good service out there that offered this.  I did find one, but they explicitly forbid commercial use of the service, which somewhat took it off the table.

So.. feedback please.  Have you ever needed a service like this?  Did you just roll your own, or perhaps just go without?



mind blowing security practice

Yeah, you read that right.

Kids, don’t try this sort of security in your own web apps.  This is reserved for high-end financial institutions only.



indieconf 2011 call for presenters

Our indieconf 2011 call for presenters is open.

indieconf is the conference for independent web professionals – whether you’re a developer, designer or someone in between, if you’re an independent freelancer or small agency, indieconf is for you.

What are we looking for?  Topics of direct or indirect interest to web freelancers – mobile development, server side tech, client side tech, workflow issues, client management topics, financial issues, legal issues, marketing, SEO and more!

indieconf will be held in Raleigh, NC on November 19, and we’ve got an early bird special of $99/ticket going on right now – get your ticket today! :)



Authorization by social graph

I’ve been kicking around an idea for a while now, discussed with some friends, but don’t have time to implement this just yet.  I may use this at the core of a project early next year, but I wanted to get the main idea out there now.  Perhaps others are already doing this, but I haven’t seen it anywhere (yet?).

Currently, many apps tie in with twitter/facebook/etc for authentication – a third party openid server indicates to the original app that you are who you say you are.  In some cases, there’s even a degree of sharing of data or allowing of control of a remote app (posting tweets via oauth, updating facebook wall, etc).  What I’ve not seen yet is something which allows for collaboration, with degrees of permissions defined by relations in your personal social graph.

For example, consider google docs.  Rather than inviting and granting permission on specific docs to specific people,  allowing anyone who is following me on Google Buzz or FriendFeed to have read access to my document would be useful.  Take that a step further – anyone who I’m following back – a two-way relationship – would automatically have read *and* write permissions on that document.

This is a somewhat simplified example, but the notion of permissions being automatically granted/revoked based on position and status in my social graph seems relatively unique (if also a probably rather obvious evolution in the coming near term).

Are there examples of this behaviour out there already I’m not seeing?
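
An added sketch of the rule described in this post (example code written for this page, not an existing service's API): access to a document is derived from the follow graph at the moment of each check instead of being stored as per-document grants. `SocialGraph`, `Access`, `access_for` and `authorize` are hypothetical names, and the in-memory graph stands in for a lookup against the social network.

```python
from enum import IntEnum


class Access(IntEnum):
    """Ordered so that a higher value implies every lower one."""
    NONE = 0
    READ = 1
    WRITE = 2


class SocialGraph:
    """In-memory follow graph (assumption: a real app would query the network)."""

    def __init__(self):
        self._following = {}  # user -> set of users that user follows

    def follow(self, follower, followee):
        self._following.setdefault(follower, set()).add(followee)

    def unfollow(self, follower, followee):
        self._following.get(follower, set()).discard(followee)

    def follows(self, follower, followee):
        return followee in self._following.get(follower, set())


def access_for(graph, owner, user):
    """Derive a user's access to one of the owner's documents from the graph.

    follower of the owner           -> read
    follower the owner follows back -> read and write
    anyone else                     -> nothing
    """
    if user == owner:
        return Access.WRITE
    if not graph.follows(user, owner):
        # The owner following someone who does not follow back grants nothing:
        # the post's rule starts from "anyone who is following me".
        return Access.NONE
    if graph.follows(owner, user):
        return Access.WRITE
    return Access.READ


def authorize(graph, owner, user, needed):
    """Evaluate at request time, so a graph change takes effect on the next check."""
    return access_for(graph, owner, user) >= needed


def demo():
    graph = SocialGraph()
    graph.follow("bob", "alice")                   # bob follows the owner
    one_way = access_for(graph, "alice", "bob")
    graph.follow("alice", "bob")                   # owner follows back
    mutual = access_for(graph, "alice", "bob")
    graph.unfollow("alice", "bob")                 # owner withdraws the follow-back
    downgraded = access_for(graph, "alice", "bob")
    graph.unfollow("bob", "alice")                 # relationship gone entirely
    revoked = access_for(graph, "alice", "bob")
    return one_way, mutual, downgraded, revoked


if __name__ == "__main__":
    print([level.name for level in demo()])
```

Because a follow is initiated by the other party, read access under this rule is only as restricted as the network's follow approval; write access always requires an action by the owner.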



asp.net oracle padding flaw – question?

By now many of you have heard of the ASP.NET Oracle Padding Flaw. There’s a number of posted workarounds, and MS will be issuing a patch soon to fix things.

From threatpost.com:

The problem lies in the way that ASP.NET, Microsoft’s popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.

The issue here seems to be that there’s *anything* of value stored in the cookie beyond a generic token.  This really does seem to be the case though.  Watching the DNN exploit, it looks like the fact that someone is a superuser is encoded in the cookie value itself.  This would seem to be an architectural flaw in DNN, but I get the feeling that most ASP.NET apps were/are trusting of the encryption mechanism to hide whatever data they’re sending down in cookies.  This seems to be a more fundamental flaw in design than any AES algorithm MS may have had an issue with.

I’m reminded of a company I worked for years ago which kept track of sessions by incrementing a counter in a DB, grabbing that counter, encrypting it, then using that value as the value in the cookie.  This was thought of as ‘secure’ because encryption was being used.  I tried to argue for random values as the cookie token, but was told that ‘random isn’t really random’.  I pointed out that dozens of people (who no longer worked there) had access to the encryption key, and once I knew how to decrypt one token – which would give me a value of, say, 4554678 – changing the value to 4554672 then reencrypting would be trivial and allow me to impersonate other users on the system.  My concerns were dismissed because I wasn’t a ‘senior’ engineer, apparently I didn’t understand Java or cryptography enough to understand their level of sophistication.  After all, ‘random isn’t really random’.

This approach of putting sensitive data in a cookie, then encrypting it, seems to be alive and well, and that scares me.  But I have no real good way of opting out of such sites.

So my question (yes I had one) is… is my understanding of what ASP.NET apps are doing that make this flaw so dangerous an accurate understanding?  Or have I missed something?
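
An added example (written for this page; it is not ASP.NET, DNN or the former employer's code) of the two designs the post argues for: an opaque random session token whose privileges are looked up server-side, and, where data does travel in the cookie, an HMAC check that must pass before any field is trusted. `SessionStore`, `sign_cookie`, `verify_cookie` and `swap_payload` are hypothetical names and the key is generated on the spot for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


class SessionStore:
    """Server-side session state keyed by an opaque random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, is_superuser=False):
        # 32 bytes from the OS CSPRNG: the token carries no user data and
        # neighbouring tokens cannot be derived from one another.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "is_superuser": is_superuser}
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode("utf-8"))


def _tag(body, key):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")


def sign_cookie(payload, key):
    """Return 'body.tag'. The body is readable by the client but not alterable."""
    body = _encode(payload)
    return (body + b"." + _tag(body, key)).decode("ascii")


def verify_cookie(cookie, key):
    """Return the payload only if the tag matches; otherwise None."""
    raw = cookie.encode("utf-8", "replace")
    body, sep, tag = raw.rpartition(b".")
    if not sep:
        return None
    # Constant-time comparison, done before the body is parsed at all.
    if not hmac.compare_digest(tag, _tag(body, key)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def swap_payload(cookie, new_payload):
    """Constructed test case: a changed payload carrying the original tag."""
    tag = cookie.rpartition(".")[2]
    return _encode(new_payload).decode("ascii") + "." + tag


def demo():
    key = secrets.token_bytes(32)  # demo key; a real one lives in server config
    cookie = sign_cookie({"user": "alice", "is_superuser": False}, key)
    tampered = swap_payload(cookie, {"user": "alice", "is_superuser": True})

    store = SessionStore()
    token = store.create("alice")
    return {
        "genuine": verify_cookie(cookie, key),
        "tampered": verify_cookie(tampered, key),
        "session": store.lookup(token),
        # A counter-style value like the one in the anecdote matches nothing.
        "guessed": store.lookup("4554672"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The signed cookie is authenticated, not confidential: anything that must stay hidden from the client belongs in the server-side session.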



