CFUnited Day 3
Managing CF projects start to finish (Shlomy Gantz)
Get all resources set up in advance (bug tracker, SVC)
Storyboarding, wireframes, and prototypes
Personas and scenarios
Simplified documentation, like a wiki
What does "success" mean to the finished product
-Common mistakes
Assuming you understand the client, they understand you, or that they won't change their mind
-Plan
Write down everything, communication protocols, risks, test plans, backup and recovery plan
-Iron triangle, fast, cheap, or everything you want, pick two
-Common mistakes in planning
Too much detail
Not enough detail
Project and product summaries need to be written plainly
Clients don't read/react to: UML, diagrams, specs
Clients DO read/react to: screenshots, prototypes
Project plans in constant flux
Record ANTI-requirements, things you don't want people to do
-Waterfall, suited for massive projects because there is so much design time in the beginning, but smaller projects are more fluid and specs will change more often
-Rapid Application Development (RAD), iterative development, cutting the project into mini projects, but reduces some features
-Rational Unified Process (RUP), very well organized, but meant for larger development teams
-Extreme Programming, pair programming, continuous process, test driven development, values communication, simplicity, feedback, courage, and respect, efficiency
-Agile, continuous conversation between developer and client, providing software rather than documentation
-FLiP, Fusebox Lifecycle Process
Project site to manage documents, issues
Put in comments before writing any CF code
-Meetings, must have an agenda sent in advance, enforced start and end time, one person to write and communicate notes
-Buy vs build
-Automate build and deployment, with Ant
ColdFusion Application Security (Adam Wayne Lehman)
OWASP - monitors security holes in the web and publishes the top 10
10 - failure to restrict URL access, create an access control matrix mapping roles to every URL and function, and enforce it on every request; don't secure only the presentation layer (hiding a link is not access control)
9 - insecure communications, use SSL for the login itself and for the whole authenticated session, not only the pages after login; the session cookie is just as valuable as the password
8 - insecure storage, protect sensitive information, encrypt data, hash() for passwords, encrypt() for credit cards. Caveat: hash() with no algorithm argument is unsalted MD5, so store a per-user salt and use SHA-256 or better; encrypt() with no algorithm argument uses the weak CFMX_COMPAT cipher, so pass "AES" (or "AES/CBC/PKCS5Padding") and keep the key out of the database
7 - broken authentication and session management
getting around authentication or hijacking someone's session
enforce complexity in passwords, limit login attempts
when changing password, always be sure to require the old password, never send the password in clear text through email
6 - information leakage and improper error handling
error messages must give meaningful information to the user, and can send diagnostic info to the site admin (log file, email), but NEVER show code, stack traces, SQL, or table names to the user
5 - cross site request forgery, another site makes your browser submit a request using your existing session; only accepting POST helps a little but is not enough (a hidden form can auto-submit a POST), so also require a per-session token in every state-changing form and check it server-side
4 - insecure direct object reference, URL and form parameters, verify authorization on the object itself, e.g. be sure that editUser.cfm?id=N can only edit your own record unless you are an admin
3 - malicious file execution
running files uploaded by the user
2 - injection flaws, SQL injection is the big one, an attack on the app backend; use cfqueryparam for every value that reaches SQL, validate data types (cfparam type="integer"), and use CF sandboxes to lock down any functionality you're not using (cfexecute, cfregistry, file tags)
1 - cross site scripting, an attack on other users, two types, stored and reflected; this.scriptProtect = [none | all | comma-delimited list of scopes] in Application.cfc filters obvious script tags on input, but still encode on output with HTMLEditFormat()
HTMLTrans() on cflib
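The injection, direct-object-reference, storage and XSS items above in one template, as an added example that is not code from the talk. The "before" query is the vulnerable shape the speaker warned about; the rest is the hardened version. Assumed names: a "users" table with columns id, email, pwsalt, pwhash; a datasource called "app"; session.userId and session.isAdmin set by a login page; and a session.csrfToken that Application.cfc is assumed to check on POST.

```cfml
<!--- editUser.cfm (added example, not from the talk). Assumes: table users(id, email, pwsalt, pwhash),
      datasource "app", session.userId / session.isAdmin set at login, session.csrfToken checked by Application.cfc --->

<!--- Salted, iterated SHA-256. Unsalted hash(password) is MD5 and falls to a lookup table. --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfset var digest = hash(arguments.salt & arguments.password, "SHA-256")>
    <cfset var i = 0>
    <!--- 10000 rounds is an assumed figure; it just makes offline guessing slower --->
    <cfloop from="1" to="10000" index="i">
        <cfset digest = hash(arguments.salt & digest, "SHA-256")>
    </cfloop>
    <cfreturn digest>
</cffunction>

<!--- BEFORE (kept commented out): url.id goes straight into the SQL and nobody checks whose row it is.
      editUser.cfm?id=1 OR 1=1 returns every user; ?id=2 lets user 1 read and change user 2.
<cfquery name="user" datasource="app">
    SELECT id, email FROM users WHERE id = #url.id#
</cfquery>
--->

<!--- AFTER, step 1: type validation. cfparam throws before a non-integer can reach SQL. --->
<cfparam name="url.id" type="integer">

<!--- step 2: authorization on the object itself, not just on the page --->
<cfif url.id NEQ session.userId AND NOT session.isAdmin>
    <cfthrow type="Forbidden" message="Not permitted to edit user #url.id#">
</cfif>

<!--- step 3: bind the value; cfqueryparam sends it as a typed parameter, never as SQL text --->
<cfquery name="user" datasource="app">
    SELECT id, email, pwsalt, pwhash
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif user.recordCount EQ 0>
    <cfthrow type="NotFound" message="No such user">
</cfif>

<!--- Password change: the old password is required, and the new one is stored salted --->
<cfif cgi.request_method EQ "POST" AND structKeyExists(form, "newPassword")>
    <cfif compare(hashPassword(form.oldPassword, user.pwsalt), user.pwhash) NEQ 0>
        <cfthrow type="Forbidden" message="Old password does not match">
    </cfif>
    <cfset newSalt = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfquery datasource="app">
        UPDATE users
        SET pwsalt = <cfqueryparam value="#newSalt#" cfsqltype="cf_sql_varchar" maxlength="64">,
            pwhash = <cfqueryparam value="#hashPassword(form.newPassword, newSalt)#" cfsqltype="cf_sql_varchar" maxlength="64">
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
</cfif>

<!--- Output: encode every stored value so a "<script>" saved in the email column is displayed, not run --->
<cfoutput>
<form method="post" action="editUser.cfm?id=#user.id#">
    <input type="hidden" name="csrfToken" value="#htmlEditFormat(session.csrfToken)#">
    <p>Email: #htmlEditFormat(user.email)#</p>
    <p>Old password: <input type="password" name="oldPassword"></p>
    <p>New password: <input type="password" name="newPassword"></p>
    <input type="submit" value="Change password">
</form>
</cfoutput>
```

The three lines marked step 1 to 3 are the order that matters: validate the type, decide whether this user may touch this object, then bind. Skipping the middle step is exactly the direct-object-reference flaw even when the query itself is injection-proof.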
Older hacks:
Denial of service, use shorter session timeouts, minimize database calls and CFC creation per request, and watch error handlers that do expensive work (like sending an email on every error)
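The Application.cfc side of the same talk, as an added example that is not code from the speaker: scriptProtect for the XSS item, a per-session token checked on every POST for the CSRF item, a URL-to-role access control matrix for the "failure to restrict URL access" item, an onError that logs detail but shows the user nothing, and a short session timeout for the denial-of-service note. The application name, template names, roles and the "appErrors" log file are assumed, and the app is assumed to sit at the web root so targetPage matches the matrix keys. Requires CF9+ or Lucee for the script-style component.

```cfml
// Application.cfc (added example, not from the talk). Names, roles and paths are assumed.
component output="false" {
    this.name = "cfunitedNotesDemo";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0); // short sessions: less memory held per idle client
    this.scriptProtect = "url,form,cookie";          // built-in input filter; "all" also covers cgi

    // Access-control matrix: every template lists the roles allowed to request it.
    // Anything not in the matrix is denied, so a new template is closed until someone adds it.
    variables.acl = {
        "index.cfm"       = ["anonymous", "user", "admin"],
        "login.cfm"       = ["anonymous", "user", "admin"],
        "editUser.cfm"    = ["user", "admin"],
        "admin/users.cfm" = ["admin"]
    };

    public void function onSessionStart() {
        session.role = "anonymous";   // login.cfm (assumed) raises this to "user" or "admin"
        session.userId = 0;
        // Anti-CSRF token: forms echo it in a hidden "csrfToken" field, onRequestStart checks it
        session.csrfToken = hash(createUUID() & getTickCount(), "SHA-256");
    }

    public boolean function onRequestStart(required string targetPage) {
        // targetPage is the path from the web root, e.g. "/admin/users.cfm"
        var page = reReplace(arguments.targetPage, "^/", "");

        // URL access: checked here, for every request, not in the links of the presentation layer
        if (!structKeyExists(variables.acl, page) ||
            !arrayFindNoCase(variables.acl[page], session.role)) {
            getPageContext().getResponse().setStatus(403);
            writeOutput("Forbidden");
            return false;   // stop processing the template
        }

        // CSRF: accepting only POST is not enough, an attacker's page can auto-submit a POST form.
        // The request must also carry this session's token, which the other site cannot read.
        if (cgi.request_method == "POST" &&
            (!structKeyExists(form, "csrfToken") ||
             compare(form.csrfToken, session.csrfToken) != 0)) {
            getPageContext().getResponse().setStatus(403);
            writeOutput("Invalid request token");
            return false;
        }
        return true;
    }

    public void function onError(required any exception, required string eventName) {
        // Diagnostics go to the log for the admin; the user never sees SQL, code or a stack trace
        writeLog(file="appErrors", type="error",
                 text="#arguments.eventName#: #arguments.exception.message# #arguments.exception.detail#");
        writeOutput("<p>Something went wrong. The problem has been logged.</p>");
    }
}
```

Every form that changes state needs the hidden field, e.g. `<input type="hidden" name="csrfToken" value="#htmlEditFormat(session.csrfToken)#">` inside a cfoutput block; a form without it is rejected by onRequestStart, which is the point.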
Flex Charting Explained (Rob Rusher)
Two types of charts, polar and cartesian
4 layers of a chart, axes, annotations, data, and background
SeriesInterpolate, SeriesSlide, SeriesZoom
best practice: use mx:CartesianChart, rather than specifying BarChart, etc
http://demo.quietlyscheming.com/ChartSampler/app.html
dataTipFunction, HitData type, can use a string (rendered into HTML) to be displayed.
The Fundamentals of Good Usability (Doug Ward)
Looking at bad websites is always fun
Real life objects have a known effect when they're not done properly, like you know when a door didn't close all the way. Computers, not so much.
Cognitive friction is "the resistance encountered by a human intellect when it engages with a complex system or rules that change as the problem changes". Maybe a button moves on the page, or the admin screen is totally different than the rest of the app.
Implementation model, product is designed based on the underlying technology.
The solution is to make things user-centric
Using conventions (keyboard, hyperlink styling)
No one reads happy text
Good page structure, like how a newspaper is laid out, it's what people are used to
Visited websites with obvious problems