

Why do almost no web frameworks come with any authentication/authorization functionality?

This is likely a controversial stance to take, and I’ll very likely get bashed as “no idea what I’m talking about” by people much cleverer than me.  With that said…

Why do almost no web frameworks provide any default authentication/authorization functionality, with default examples of best practices for common use cases?  The standard response I’ve gotten for years was/is “well, everyone’s needs for authentication are different”.

No, they are not. A (very?) large majority of web applications (which is what most web frameworks are used to build), require some form of user login and authorization management, and often self-registration, dealing with lost passwords, etc.

Yet somehow, everyone’s essentially forced into writing their own user login and management from scratch. This leads to potentially loads of security holes from people writing insecure code.

So many frameworks promote their routing and database layers, configuration management, etc.; those are all things that one could argue people might need to function “differently” – in many cases, the default code is configurable enough to handle many edge cases. In rare cases when the stock code can’t handle things, you can override it with custom code.

But with authentication/authorization, everyone is left to fend for themselves.  Every.  Single.  Time.  And they *often* get it wrong (sensitive info in a cookie, unencrypted passwords, etc).

Put another way, when left to fend for themselves, developers need to learn a lot of concepts.  Every decision point is a point that can be made wrong (or poorly).  Making a poor decision about your CSS colors or URL structure or JavaScript helper library might be painful or annoying, but will likely not have any major repercussions.  Making a poor decision about authentication can be devastating.   Yet, somehow, this is one of the prime areas in the web framework world where users are not given anything out of the box (in most cases, at least) and are left to ‘educate themselves’ (with quite a lot of bad, wrong or outdated information floating around).

If you’re not going to ship some basic authentication/authorization functionality with the rationale that not everyone’s needs are 100% the same, perhaps you should stop shipping routing, forms management, database libraries and more – after all, someone might want to do it their own way.  Not everyone’s queries are the same, don’t you know.

I titled this post “almost”, because I’ve got a hunch there may be a few that I don’t know about.  With that said, what web frameworks do you know of which ship with authorization/authentication out of the box?  My own experiences indicate:

In the PHP world, it looks like Symfony2 ships with an ACL component, and the recommended ‘default bundle’ distributions ships with Authorization and Authentication components out of the box.   Zend Framework ships with an ACL component as well, but in both cases (ZF and Symfony) there is no default way of allowing users to register/login/reset passwords, etc.  FWIW, the Symfony approach of distributing recommended bundles of packages which (from what I can tell) could be updated independently if and when need be might be the best middle ground I’ve seen so far.  “Decoupled but packaged”.

The Rails community seems to (nearly) universally rely on Devise, but it’s not shipped by default, and many people end up ‘rolling their own’ (probably very often with bad and possibly even hard to spot flaws).

Grails users often rely on the Spring Security plugin, but again, not a default plugin.  To its credit, there is a basic user/role management screen with searching, account disabling, and other maintenance functionality, and the basic system allows for user login and ‘lost password’ pretty much out of the box (self register is a bit more work).    But again, not shipped with the base, and people may be tempted to roll their own (although a default ORM means people are far less likely to be susceptible to SQL injection vs building SQL by hand).

ASP.NET ships with a membership system (though it’s been a long time – my memory may be out of date), with web controls for user login, registration, lost password, etc.  Whether it’s necessarily the ‘best’ security approach is not really the point here – it’s a standard that is provided, and more than likely has prevented people from (re)writing code in an insecure manner.

What am I missing?

UPDATE: One thought is that no one wants to be even remotely responsible for providing out of the box security because they’re afraid they’ll be a target for a lawsuit.  I suspect that’s not really a factor, but perhaps it is in some cases?


I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook

Tech partisanship doesn’t help much

I shared a small rant at a local web meetup the other day, and thought I’d recap it here.  It was triggered by sitting in on an interview with a local developer for an idea-stage startup I’m counseling.

The startup in question has had some false starts on an MVP before, once in ASP.NET, and once in PHP (or maybe twice).  What’s come out of this was an understanding that the particular tech chosen is less important than finding sharp people who can see the project through to the first phase being functional.  I helped write a Craigslist ad to that effect, it was posted, and we’ve sifted through some of the applicants and did a couple interviews.

What’s been interesting to me is that many of the people applying are .net developers.  I’ve nothing against .net, but typically, you don’t find too many looking to jump in to the entrepreneurial space; it’s very much a corporate-enterprisey sort of thing.  I know .net-startups exist, but they’re a small fraction compared to the number of web startups based on dynamic languages (php, python, ruby, etc).

So we met with someone, and he asked what the site was written in.  My friend explained there’s no current site, but an early draft had been done in PHP.  The .net-dev grimaced.  “PHP is just not capable, it just won’t work for some things, it’s not efficient, there’s things it can’t do, C# is much better technology,” and so on.  This was not a 5 minute diatribe, I’ll grant you, but it was long enough, and … ill-informed enough to make me question his judgement skills on other things.

I can expect this sort of tribalism from someone just starting out in development.  I don’t expect it from someone with 15 years of experience.  I would expect that you’d mature to the point where you understood that almost all tech out there is suitable for a wide range of applications, and that the language itself is rarely a bottleneck (compared with database servers, network latency, etc.)  And yes… I expect this because I’ve seen these attitudes displayed over many colleagues, but also definitely in myself.

I’m ashamed of some of the partisan writings I posted back 10 years ago; I was wasting huge amounts of time arguing pointless stuff that had no real impact.  Perhaps that’s half the purpose of internet forums in general, but it took me a while to realize the emptiness in those pissing matches, and regret much of what I contributed all those years ago.  But it does help give me a sense of perspective, as does my shifting tech skills:  I’ve gone from MS/VB/Access to Notes to Perl to PHP to ASP to PHP to Java with a bit of C# thrown in over the years.   After you’ve done this long enough, you realize that there’s enough change in tech that few of the skills from 10 years ago really matter, which is another way of saying that little of what you’re learning now will have much utility in 10 years.

I’ve got another rant on reusing software coming up soon; stay tuned (or come back, or subscribe to the RSS) to have a read.



Things a web developer might need to know

I saw a post on reddit the other day, and answered there, but thought I’d clean up my response there for here, fleshing out a couple more ideas, and get your feedback as well.

The original question was from a 16-year-old who’s been doing some basic CRUD apps, but is getting bored and wanted to move on to ‘real’ development.  There were some good replies, but few went into the depth of detail that I think beginners are even aware of.  Granted, this might scare off some, but for others it might give them some ideas about what’s possible and what’s involved in professional web development.  I know I’m going to leave off some topics, so feel free to add on!

Generally, in professional web programming gigs, the “programming” part is just that – a part of the job, and often not even a majority, unless you’re fast and loose with the definition of programming.  I’m taking it to mean primarily one language – usually a server side tech like C#, PHP, Ruby, etc.

Version Control

Understanding the basics of version control – when, how and why to use it – is essential for professional software development.  Git and subversion are probably the most widely used today – mercurial, darcs, cvs and others are either gaining or losing ground daily, but understanding the basics of git and svn (differing systems certainly) will stand you in good stead in 2012, 2013 and beyond.

Even working by yourself you really should be using it as well, but I frequently talk to solo developers who say “well, I don’t need it, because I just work on my own projects”. A few reactions I have to that sentiment are:

  • Much like backups, you won’t really understand how much you need it until you need it.
  • Branching opens up a whole world of possibilities in your approach to development, allowing you to work non-sequentially when necessary; without version control, you’re only thinking with part of your brain.
  • Most professionals use some form of it. To work with anyone else, you’ll need it, and you may as well start now.

Ticket/issue systems

I don’t have a horse in this race specifically, and personally am not a 100% convert, but the more I work, the more I need things written down in a centralized place which others can use and modify, but that also allows me to hook in to with my code.  Being able to commit code and indicate “this is for ticket #723”, and having that tie in to the ticket system so that I can see the code from the ticket system, is very powerful.

Go back to issues 6 months later, and see the code changes in context with the notes on the issue in question – it gives you a different (new?) perspective on how you write commit messages, what’s important to note, what’s not, and so on.  Personally, I’m using redmine right now, but have used other tools in the past.  Find something that works for you and/or your team and stick with it.

Testing

Unit, integration, load, performance, scalability, acceptance – there are loads of ‘types’ of testing, and you may lump some together, and your process may change over time.  I’m less concerned with whether you have load/performance/scalability testing processes – those aren’t always considerations for projects.  Unit and/or integration testing are generally useful regardless of the size/scope of the project.

Get comfortable with a testing tool (junit, nunit, phpunit, cucumber, rspec, etc).

Continuous integration

Hand in hand with testing is a way to automate the testing process.  Every time you check in code, have a set of tests run and show you the results.  Again, once you make this a habit, it can be very powerful.

Jenkins is the current standard in the Java world – there are probably others for other technologies – search for “<my tech language> continuous integration” for specifics.

Security

Along with other types of testing, you should be aware of security testing strategies to employ against your sites.  Mess with URLs, try to POST bad data to your scripts, etc.  Automate those tests.  Find tools to do the same.  sqlmap is a tool to automate SQL injection attacks against your site – using that is eye-opening.

Are you using prepared statements over raw SQL strings?  Stored procedures?  Various levels of access to your database(s)?  There are a number of techniques to help avoid or reduce SQL injection attacks.

Learn about Cross-Site Request Forgeries (CSRF), and how to protect against them.   Learn about Cross-Site Scripting (XSS) attacks.

SQL injection, CSRF and XSS still make up the vast majority of security holes in websites.  Learn how to protect against them and you’ll be a long way towards being secured (but never take it easy!)
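As an added example (not code from the original post), here is the "prepared statements over raw SQL strings" question turned into an automated check of the kind suggested above: the same lookup written both ways, run against a few bad inputs. The table, column and function names and the sample inputs are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_raw(conn, name):
    # Raw SQL string: the input becomes part of the SQL text itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    # Prepared statement: the input is bound as a value and never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed bad inputs. None of them is an existing user name, so a correct
# lookup must return no rows for every one of them.
BAD_INPUTS = [
    "' OR '1'='1",   # changes the WHERE clause into a condition that is always true
    "alice' --",     # comments out the rest of the statement
    "O'Brien",       # a legitimate surname that breaks naive quoting
]


def audit(lookup):
    """Run every bad input through `lookup` and return the ones that misbehaved."""
    conn = make_db()
    failures = []
    for value in BAD_INPUTS:
        try:
            rows = lookup(conn, value)
        except sqlite3.Error:
            # The input broke the statement: a bug even when nothing leaks.
            failures.append((value, "sql error"))
            continue
        if rows:
            failures.append((value, f"returned {len(rows)} row(s)"))
    return failures


if __name__ == "__main__":
    print("raw string:", audit(find_user_raw))
    print("prepared:  ", audit(find_user_prepared))
```

Run as part of the test suite, a check like this fails the build as soon as someone reintroduces string-built SQL in a lookup.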

Performance

There’s a whole world of topics to cover under performance – code caching (do you write optimized and optimizable code?), data caching, page caching, HTTP caching headers (etags, etc), asset caching, compression, minification, CSS sprites, mobile-optimized sites.

As I said before, many of these may not be useful to all developers all the time – they may never rise beyond the level of ‘interesting’ at your current project/gig.  Be aware that the tools, techniques and trends may change quickly as new tech and usage patterns emerge, so even if you ‘know’ this stuff, revisit it every so often if you’re not immersed in it day to day.

JavaScript/front-end

How good are you with JavaScript?  Would you be able to write a full app in a browser using JavaScript only, making service calls to a back-end via SOAP or REST?  There’s a whole world with toolkits and libraries like jQuery, Dojo, AngularJS, JavaScript MVC, templating systems and more.  Are you able to selenium-test your front-end app?  How about running browser-based tests via qunit or a similar testing tool?

Mobile

The rise of mobile – smartphones, tablets, etc – has opened up a new set of opportunities and challenges to be aware of.  Data caps, optimized graphics, new UI controls for touch interfaces, and more.  Understanding ‘best practices’ for mobile, and keeping up with them, will keep you busy for a while.

Other technologies

How good are you with search tools?  Business dashboards?  Data gathering and analytics creation, interpretation and action?  There are a number of things that businesses need which don’t particularly relate to any one specific tech, but they’ll all need (quick way to search for data, generate reports, etc.)  Find some common business problems in your current situation and look for some of the top packages out there that solve those problems that you can integrate (SOLR, Lucene and ElasticSearch on the search side, for example; Jasper Reports or Pentaho on business reporting options, etc.)

What language again?

Notice that I really didn’t focus on any language or particular tech.  All of the above are skills that professional web developers need to have – or, if not possess 100%, be *aware* of.  I’m certainly no master of web tech, but I keep up with it enough to know who the real masters are in various areas.

What surprises me some is students coming out of school, and sometimes with more than a couple years under their belt, who’ve never heard of some or many of these ideas.  Perhaps I’m just meeting more than my fair share of true ‘code monkeys’ who copy/paste PHP/jQuery from 9-5, but I’d like to think, but that initial reddit post got me thinking a bit about this (that and some recent conversations with beginners and seasoned experts at a few regional meetups lately).

Won’t this all change?

Yes and no.  The idea of continuous integration was certainly not popular when I started in software development …. 18 years ago.  No doubt it was being done, but not by people I knew, nor in any popular literature I could find.  Some of these ideas take hold, and some don’t; Test-Driven Development, ‘Agile’, etc may come to be seen as fads in a few years – I can’t say for certain.  But… the fundamentals of communication and being aware of multiple aspects of a project (accuracy, speed, security) won’t go away.  These are issues that *will* be addressed on a project eventually, either during the initial work when it’s under your control, or at 2am on a Saturday morning because everything’s broken or you’ve been hacked :)

Gentle plug: if it’s before November 17, try to make it to indieconf, a conference for independent web professionals (and maybe just those that act like it!)

Side note: one of the upsides of freelance work is you often get to control the tools/processes for the work, and can pick/choose the tools you want.  One of the downsides is that sometimes you end up working with a team who “doesn’t believe” in any of this stuff, and you end up wasting a lot of time fighting problems that continually get reintroduced because of lack of testing.  I’m no saint on all this – I’ve done my share of skimping, and I speak from experience when I proclaim the value of using these sorts of tools.



Code testing

The TriJUG last night had a speaker cancellation, and someone from the group presented an ad-hoc talk on testing – outlining various types, pros/cons, some metrics and code samples he uses, etc.  Overall it was useful for a topic, and I hope he polishes it up and presents it next year as a fuller talk more fleshed out.

I’d interrupted a couple times with my own questions and experiences, but there was one I wanted to share which I didn’t last night.  He was talking about the justification for testing (unit and integration primarily), and couched it in terms that developers would be familiar with.  “Without tests in place, you can’t be confident that your changes won’t break anything!”.  It’s true, and for some audiences (last night’s) it makes sense.

Let me preface this by saying that I do not do enough testing myself in my projects – this is a ‘do as I say, not as I do’ post, somewhat, but hear me out.  :)

There’s a more fundamental reason to ‘do testing’, as it’s often referred to by non-techies (and even some techies I know).  In fact, you can’t *not* test, which is the fundamental point I was going to make last night.  Testing *happens*.  *When*, *where* and *how* you test is totally up to you.  You can have testing procedures before changes are pushed out, have a test suite to give a sense of confidence to the team, and so on.  Or… you can just push code to production servers.  It’ll get tested with real world data by real users, with often real (bad) consequences.

Again – *testing always happens*.  Testing on your own terms, with defined procedures, steps, processes, etc. is better than testing ‘fixes’ at 2am on a Thursday morning.

“But there’s no time to test!” is what I often get as push-back from people I present to (and, yes, I use it myself sometimes on myself!).  Let’s just say, for argument’s sake, ‘testing’ (writing tests, defining them, checking them, etc) will take 100 hours on top of ‘development’ (as if they’re somehow distinct entities!)  If you skip those 100 hours, you’ve only shifted them around.  You’ll spend *at least* 100 hours cleaning up stuff after the code has gone live, and in the process you may damage the reputation of your department, company or yourself.  No amount of time (100 hours?  1000 hours?) can replace the damage that’s done by lost orders, lost money, privacy exploits, security breaches or worse.

So to reiterate – the testing *will* happen.  Under what circumstances do you feel most comfortable testing?  In non-public controlled situations?  Or out in public where your customers and competitors can see and experience your mistakes?

Check out the conference for web freelancers while you’re here…



a dumb programming mistake

I had a couple of dumb development mistakes come and bite me in the butt this week, and I thought I’d share them here – well, at least one for now.

Without going in to the type of data too much here – the specifics aren’t important – the system I’ve got needed to show a list of data to a user.  Initially we just showed all the data to the one user.  Later, we added other user types.  However, my controller code (MVC-style) simply defined different views to use based on user type, but never changed the query.  So, whether you were an admin, or an area user, or a distinct individual which should only have seen a few items from the list, your view was passed all of the data.  The views simply filtered out which ones to display during a loop.

Stupid?  Yes.  Noticeable?  Not at all.  I looked at this code yesterday and remember thinking at the time “yeah, I’ll go back and make this better later” – I was planning on overhauling the user/role system, and I’d fix it all later.  That never happened, and over the past couple years, this has become slower and slower.

Fast forward to yesterday, and we had 80 processes each being handed *290,000* objects in a view, in most cases to filter and display, say, 60.  Even getting new updated software on the server today was a pain, because we were continually hitting loads of 40-70 (unix loads, 15 min avg of 60 was where we were at most of today).
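To make the pattern concrete, here is an added sketch (not the code from the system described in this post) of the two approaches side by side: one query for everyone with filtering in the view, and a query scoped to the user before anything reaches the view. The schema, role names and row counts are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed data: 2000 items spread over 4 areas and 50 owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, area TEXT, owner_id INTEGER)"
    )
    rows = [(f"area{n % 4}", n % 50) for n in range(2000)]
    conn.executemany("INSERT INTO items (area, owner_id) VALUES (?, ?)", rows)
    return conn


def visible(user, item):
    """View-side rule: may this user see this (id, area, owner_id) row?"""
    _, area, owner_id = item
    role = user.get("role")
    if role == "admin":
        return True
    if role == "area":
        return area == user["area"]
    if role == "individual":
        return owner_id == user["id"]
    return False


def list_items_view_filtered(conn, user):
    """The mistake: the same unscoped query for every user type.

    Returns (rows handed to the view, ids the view ends up displaying).
    """
    rows = conn.execute("SELECT id, area, owner_id FROM items ORDER BY id").fetchall()
    shown = [row[0] for row in rows if visible(user, row)]
    return len(rows), shown


def scope_for(user):
    """Map a user to a WHERE fragment plus bound values; unknown roles get nothing."""
    role = user.get("role")
    if role == "admin":
        return "1 = 1", ()
    if role == "area":
        return "area = ?", (user["area"],)
    if role == "individual":
        return "owner_id = ?", (user["id"],)
    return "1 = 0", ()


def list_items_scoped(conn, user):
    """The fix: the query itself only returns rows this user may see."""
    where, params = scope_for(user)
    # `where` comes from the fixed fragments above, never from user input;
    # the user-specific values are passed as bound parameters.
    sql = f"SELECT id, area, owner_id FROM items WHERE {where} ORDER BY id"
    rows = conn.execute(sql, params).fetchall()
    return len(rows), [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    user = {"role": "individual", "id": 7}
    print("view-filtered:", list_items_view_filtered(conn, user)[0], "rows handed over")
    print("query-scoped: ", list_items_scoped(conn, user)[0], "rows handed over")
```

Both versions display the same items; the difference is that the scoped query never hands the view rows the user should not see, so a template bug or debug dump cannot expose them, and the database does the filtering work once.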

This came to a head the past couple days because our usage patterns changed – user load spiked both because of timing in the month and the user base has grown.  It was a perfect storm, and I was caught in the middle.  The upside is that I found this major issue and it’s resolved.  The downside is that it took almost 2 days (mon and tue) because I was finding other things I thought were the culprits; they were issues, but had no major impact given the 800lb gorilla in the room.

Lessons learned?  I’m not immune to even basic stupid oversights.  The moment I saw this code, I knew the issue, but I’ve not looked at it in… 3 years?  There was no need to, so I never went back to audit for stupid code.  Perhaps I need to budget more time for stupidity audits?

Any major faux pas you care to share or admit to?



indieconf 2012 open for registration

indieconf 2012 is open for registration.  The early bird pricing of $79 is available through August 15.  We’re still putting together our schedule – it will be finalized by the end of August.

indieconf is the conference for web freelancers, solopreneurs, and others who make their living working for themselves on the web.  Developers, designers and everyone in between are all welcome.  Sessions cover more of the business side of freelancing – legal, financial, business, marketing, etc – vs technical (although we’re planning some technical sessions as well).

At the site above, we’ve got 4 videos from last year’s event (possibly more coming shortly) – here’s two examples from that site embedded here to give you an idea of the types of sessions we’ll have this year.

 

 

Referrals: Interested in earning affiliate referrals fees for the conference?  Register with eventbrite and earn a referral fee for each ticket you sell!



Working your network

I presented a session on freelancing at Codestock 2012 – there were actually quite a few of them (4, I think).  I’d wanted to see Michael French’s session, as he sat in on mine, gave me good feedback, and mentioned some areas of freelancing that I don’t discuss in mine (or certainly not enough) – cash flow and insurance. Alas, I didn’t get to see his, but I suspect it went well.

On to the topic of this post.  I got to recapping some of my talk to a smaller group of people in an open spaces segment, and the subject of “how do you find work” came up.  “Grow your network, work your network” was the crux of my answer, and someone rightly challenged me on what “work your network” actually *means*.  Good catch, and I wanted to outline some concrete examples of what you can do to “work your network”.

1.  Find someone in your network who’s better at X than you, and take them to lunch for a short tutorial on X to get you better.  This is one case where you’ll actually be spending time on a technical subject, but the goal is not specifically that.  Getting some one on one time with someone better than you in a tutorial/teacher scenario is generally good – you give them the ability to hone their presentation/explanation skills, and let them know you’re genuinely interested in topic X (you have to be sincere about the request and the topic).  You will learn something new, but also have deepened a connection with someone.  If/when they have a work referral, you’ll be closer to top of mind for that person.

2.  Go to user groups and actively mingle.  Invite friends to join you, or ask someone in your network what groups they go to that you don’t know about, and ask to join them during their next meeting.  Have that person introduce you to a few people there.  You’re actively growing your network, but also positioning your friend in their network as someone who is a connected person with fun/interesting/useful connections.  That means you have to be fun, interesting or useful to people at some point.  :)

3.  Take #1, but invite other people, and turn it in to a small group “lunch and learn” session.  “Lunch and learns” are often used inside companies, but doing some ad-hoc ones among small groups of people will associate you with that group as someone who makes things happen and brings people together.

4. Related to number 3, but don’t bother with having someone make a technical presentation – just invite a small group of people who you know but that you know don’t know each other directly.  Go to lunch – have a good time.  Again, your reputation in this group will become one of someone who knows people, has connections, and can mix with people of multiple backgrounds.

In any of these above, asking people to bring others you don’t know is probably a good idea, but you may want to hold off on that from day 1 if you’re on the shy/introverted side.  You can build up to that, and practice these skills with colleagues/friends first.

All of these sound like I’m trying to make you in to a socialite vs a technical worker, and … in some ways that’s true.  I have to assume that you already have some technical chops to be working as a freelancer already, or that you can get those chops quickly.  The problem many have, especially when first starting out, is finding projects. The primary way to get around that is to have a network of people who feel comfortable calling on you when they have work.  They’ll feel more comfortable knowing that you’re someone who will not embarrass them when they introduce you to people on their team or in their network.  That is probably the most key aspect that tech people sometimes forget or ignore.  Most people really really really don’t care if you have the best technical chops – in some cases they don’t really even want to be outshone, but they do need someone who can get the work done without causing them embarrassment.  Helping them meet their goals of work done while making them look good is paramount.

How many projects have you been on that failed because you didn’t know how to write to a file, talk to a database, send output to a browser or take input from a form?  I bet that number is 0.  Projects fail because of communication between client and dev, or amongst the team.  Likewise, people don’t necessarily hire you just because of your skill.  Indeed, they may keep someone on a project *despite* the person’s skills, because they have no choice in the short term.  In the long term, they’ll get rid of that person if they’re poisonous to the project/team, even if the replacement is less skilled.

In short, “working your network” involves being social with other people.  That may be a stretch outside your comfort zone – many developers like working with computers vs people.  However, the technical skills you have now with PHP, C#, Java, Ruby, Python, Perl, whatever… – those may change, or become irrelevant if you change industries.  Being comfortable talking to people in social situations is a skill that will never go out of fashion, and you can learn and practice this skill in controlled situations by creating social settings with your current network, and at the same time grow that network with new and interesting people.

I hope this helps give you some ideas about how to manage and grow your network.  Are you in violent disagreement with what I wrote above?  Let me know :)



Freelance to fulltime

NOTE – this is not autobiographical – I’m currently still a fulltime freelance/independent contractor and have immediate plans to make any changes in that status.

I’ve had a few friends and acquaintances recently go through periods of transition, shifting from contract and freelance work to something else.  In some cases the transition was voluntary, sometimes not.  I wanted to share some thoughts on what I’ve observed so far.

In more than a couple cases, friends looking out into the job market – interviewing at companies and such – don’t have a good idea of the market rate for either their skills or the value they’d bring to a company.  To whatever extent possible, survey your friends/colleagues in an area with similar skills, get ballpark estimates from them about what they’re earning, and try to get them to indicate salary vs benefits/perks.  Money is a personal subject for many, and you may not get a full honest answer from someone.  Ask them to just give you a range.

If there’s hesitation or a privacy concern, rephrase the question a bit – “if I was to apply for a job doing XYZ at your company, what should I expect as a salary?”.  I don’t know too many people who would have a problem answering that – it allows them to give specifics without disclosing what they make personally, which may be higher than what they quote you based on other factors.  Knowing that most people would be making about $80k doing mid-career PHP or Python development at companies X, Y and Z will help you when talking to company K, assuming they are of similar size/region/industry, and you’ll feel more comfortable if/when the money question comes up during an interview.

In some cases, this question comes up very early on, primarily as a screening tactic by HR departments.  If they’re thinking $60k, but you’re thinking $150k, there’s no point in moving forward.  Unfortunately, most HR departments I’ve talked with over the years are a bit too cagey, and demand a number from you first vs just giving you a range they have in mind.  Bear in mind, if they have a range of $60-$75k, that doesn’t mean the company may not raise that range to meet you, but that usually won’t be a consideration until after a few interviews.

A freelance friend of mine recently landed his ‘dream job’ doing R&D work for a large company.  I was sad to see him leave the freelance world, but I knew for him it was for the best.  What worked for him?  Hard to say if it was any one thing, but he was fairly ‘plugged in’ to the community at large – he’s blogged in public for years, spoken at many conferences, published magazine articles, and contributed some notable open source code to projects.  Whether any of those specifically were factors in this particular job offer, I can’t say, and I’m not sure he could either.  In my view, they all contributed to his profile.  When new positions come open, they’re often floated by connections in personal networks first.  Having a strong personal network, and letting people in that network know you’re looking for new options, is a very useful tool, but also one which you can’t get overnight.

The other side of personal networks – if someone reaches out to you with an opportunity, *acknowledge* them.  I’m speaking from experience here.  When I reach out to someone with a project or job I think would be a good fit for them, and they simply ignore me… they’re not on my good list any more.  It’s not as if I hate them personally, but I won’t bother to go out of my way to spot opps or jobs I think would be beneficial for both parties.

This happens to me multiple times per year – I hear someone is looking for a new job, I forward one or more opportunities, and *nothing* is ever responded to.  This behaviour is just *odd*, and possibly may help explain why person X may not be happy in their current job or may be continuing to look for IT work when the current IT market is pretty hot.  Few projects of mine have ever failed due to technical issues – many have failed or been derailed due to personality conflicts or communication problems. Bottom line – if someone is courteous enough to be thinking of you and your needs, reply to them acknowledging that you received the information.  Even if the position isn’t necessarily what you’d consider a good fit, replying is just good manners.

Another friend recently transitioned from part time contractor to full time employee.  After several years contracting for one department, he was offered an expanded role full time, which seems to be suiting him quite well.  This one is not something you can easily plan for, and in his case certainly took me by surprise.  Not because he’s not capable of the work, but I didn’t think the company was looking to expand their service offerings.  Maybe they weren’t until recently – who knows?  But an opportunity came along and he was ready to transition from freelance to full time.

Are you looking for a full-time gig?  What’s worked for you?  What have been the stumbling blocks?  Let me know!

Are you freelancing, or considering it?  I’ve got a web freelancer support group to help people who are getting started or looking to grow.


I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook

Lack of fundamentals in web programming education

Wasn’t sure what to name this entry, but have had a few discussions with some people over the past month or so about their experiences.  All of them were finishing up “web development” degree programs (under somewhat different names) at institutions in the area, and all were talking about looking for jobs.

I was dismayed (but not necessarily shocked) at how little understanding they had about the basic trade skills that are necessary for most real world webdev work.  Now, I’m obviously passing my own judgement here, but bear with me.

Task/project breakdown – the idea of taking a project requirement and breaking it down in to written steps – whether inline documentation, external ‘requirements’ doc, or tracking in an issue database.  This was not something that any of these people indicated was covered in their classes or coursework.  Whether you’re working alone or on a team, this is a fundamental basic skill that is missing in most jr devs I meet – loading an editor and starting to code is the default mode.

Version control – none of the people I spoke with had any version control in their class work.  One knew *of* version control, but his internship mentor didn’t feel it was useful because there were just two of them working, and they could easily schedule time to edit the same files on an FTP server without stepping on each other’s changes.  I don’t expect someone to be an svn master or git guru – the specific technologies may change.  One company may use clearcase, another MS TFS, another git, and so on.  The nuances of each will be different, and the dynamics of the projects will be different.  But the core value of using version control, even on projects for yourself, isn’t even being mentioned in some of these courses.

Testing – this is going to be different based on the project, of course, but a ‘web degree program’ that doesn’t expose students to some testing tools – selenium being the one I’d default to – is doing a poor job of equipping these students to be proficient in their craft.  Put another way, a degree program that exposes students to testing concepts will produce better, more desirable/employable students.  However, if *no* programs do this, then the bar is uniformly low across the board.  Exposing students to the concept of unit testing their code – xUnit style – and understanding that code is more testable when it has fewer hard coded values in it – these are things that should be being taught.

Note that, except for a ref to selenium, I’m not really advocating a particular technology (and not really even in that case), but concepts.  The need for Android developers may be gone in 5 years (at least, Android as we know it now).  The need for “PHP5 developers” may be radically lower in 5 years.  The need for Ruby3 developers may be through the roof in 5 years, and there aren’t even any degree programs *talking* about Ruby3, because it doesn’t exist yet.  The need for developers who understand testing and version control will definitely be strong in 5 years.  It was strong 10 years ago, although the tools were different.  It will be strong 10 years from now.

These universal lifelong skills that are *fundamental* to the practice of good software development do not seem to be taught in software development courses at a college/university level.  Some programs will have an emphasis on data structures and algorithms – certainly nothing *wrong* with them – they’re universal truisms too.  But there seems to be an ignoring of the realities of day to day work.  And I’m not just talking about the 4 year ‘big league’ schools – local community colleges that traditionally have a more practical emphasis on ‘vocational skills’ are seemingly ignoring this.

I don’t remember any of these skills being in course descriptions 20 years ago in my university, and I’m not seeing much reference to them at the few colleges I searched recently, and I’m certainly not getting this from talking to people about to graduate from “web developer” degree programs.  Is this your experience too?  Or am I just getting a statistically skewed sample?



ning user subscription service

I’ve been working with a local chap investigating the feasibility of adding paid user memberships to ning.com sites.  We’d settled on one model which will work for him, but is a bit manual.  I’ve got another approach in mind which would be fairly automatic.  Essentially it involves a service in the middle which sits between the ning system and an external billing service such as paypal or spreedly, and uses the APIs of each to manage account access.  If a user’s paid subscription status lapses, there’s an API call on ning which disables the account.

I used to have a ning site (actually, I think we’ve still got a small family one I’m paying for too) but have not done much with ning since 2006/2007.  They’ve changed their focus a lot since the very early days where they’d let you run your own PHP code on their servers, and have shifted to a more locked-down API approach.  There seems to be a small but loyal set of ning network managers, and it seems to me that paid monthly subscriptions is a service many ning network owners are looking for.

So… are you interested?  Drop me a line if so and you can be part of the first set of test users.

