Cloud Security: One mistake that can close down your cloud operations in a few minutes

A few days back, I was in a discussion with a senior person. Our discussion was centred around cloud and security. We talked about many of the common and obvious processes and measures we can take to secure our applications on different platforms, including but not limited to Amazon EC2, Azure and Google Cloud.

After the discussion, I thought that I should write about the most important thing in cloud security, the one which, if not considered in your security plan, can cause the closure of your company in a few minutes, if not seconds.

I will talk more about this single thing, but first let me give you some background on a security point from the time when the cloud concept was not around. Installing two operating systems on the same hard drive was a genius thing in those days.

Computer security was also a big problem in those days. There were lots of things we did to secure our computers. We built authentication systems and implemented better file system permissions. We even implemented application-level security policies, so that only certain applications were allowed to specific people. Even hardware resources were bound to specific users only.

Let's consider a hypothetical situation. You prepared a system with all the standard security practices and implemented the best policies to protect your data. One morning, when you reach your office, your computer is missing from the table: a thief came and stole it. He does not care about your data; he just formats your hard drive, erases your data and sells your computer in the grey market.

The point I want to make is that no matter what kind of security policies you make or implement, if physical damage can be done to your data then no security policy will come to your help. So in those old days, I always suggested securing your hardware first and then implementing security policies.

Now, coming back to the cloud, security has become a major challenge. Earlier, physical access was needed to get to your computer and delete its data. Nowadays, with the cloud, your data is accessible to anyone with just a user ID/password combination.

Anyone who can access your cloud account at Amazon or any other service can do damage to your infrastructure within minutes. No matter what kind of backup or security policies you are following, if you lose access to your main account to someone else, then you are gone.

What can be done to counter such a situation? First of all, try to create different accounts with different levels of permissions; this reduces the chance of an information leak point in your process. Two-factor authentication is also useful. One major thing that is needed is a backup in a second account.

You should back up such a system to a separate account whose access is quite difficult or available to very senior persons only. Amazon has recently started offering a facility where you can take a backup from a different account. I suggest that, if you can, you also keep a copy of your data offshore or in a different data centre.
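One way to check that a second-account backup really survives a compromise of the main account, as an added example that is not part of the original post. It assumes the backups land in an S3 bucket owned by the backup account and governed by a bucket policy; the account ID, bucket name and policies are constructed.

```python
import fnmatch

# Actions that would let the main account destroy or rewrite the backups.
DESTRUCTIVE = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
               "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
               "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning"]

def as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return list(value) if isinstance(value, list) else [value]

def principal_covers(principal, account_id):
    """True if a statement's Principal includes the given account (or everyone)."""
    if principal == "*":
        return True
    arns = as_list(principal.get("AWS", []))
    return any(a in ("*", account_id) or f"::{account_id}:" in a for a in arns)

def risky_grants(bucket_policy, main_account_id):
    """Return (Sid, action) pairs where an Allow statement hands the main
    account a destructive action. NotAction/NotPrincipal are not evaluated."""
    findings = []
    for stmt in as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_covers(stmt.get("Principal", {}), main_account_id):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE:
                # Action patterns allow * and ? wildcards and ignore case.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

MAIN = "111111111111"  # constructed account ID of the main (production) account
def _stmt(sid, actions):  # builds a constructed bucket-policy statement
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MAIN}:root"},
            "Action": actions, "Resource": "arn:aws:s3:::example-backup-bucket/*"}

WRITE_ONLY = {"Version": "2012-10-17", "Statement": [_stmt("MainCanWrite", "s3:PutObject")]}
TOO_BROAD = {"Version": "2012-10-17",
             "Statement": [_stmt("MainCanManage", ["s3:PutObject", "s3:Delete*"])]}

if __name__ == "__main__":
    print(risky_grants(WRITE_ONLY, MAIN))   # main account can only add backups
    print(risky_grants(TOO_BROAD, MAIN))    # main account could wipe the backups
```

A write-only grant still lets the main account overwrite existing keys, so the backup bucket also needs versioning enabled for older copies to survive.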

So, please protect your main account and take backups to a different account, so that you can restore in case of need.

How to handle checkout when we are selling unique products?

The checkout process for a unique product has to be handled differently from that for products which are available in quantities. Products with a quantity of one are unique products. Paintings, concert tickets, hotel rooms and flight tickets (when you choose a specific seat) are unique products. Old household items are also unique items.

We have two types of process for handling a purchase. The first type is cart-based checkout, where a user usually adds more than one product to the cart and, at the end of the shopping process, checks out all the products in the cart. The second type is item-based: the user is forwarded to the checkout process as soon as the “Buy Now” button is pressed.

In this article, we will handle the second situation, as most eCommerce websites which handle unique products process checkout that way only. We will discuss the cart-based process in another article in future.

First, let’s create a list of the challenges we have with unique product checkout.

1. As the product is unique, we need to avoid overselling. Unique products have only ONE quantity. We cannot sell it to more than one user.
2. The payment stage of the checkout process takes some time, as most of the time users are redirected to a third-party payment gateway.
3. Users leave the checkout process in the middle.
4. A payment gateway does not reply in time, or some other technical event prevents us from getting payment processing information in time.

Before we go further, we need to identify how probable duplicate orders are. If you have really high demand for your unique products, then you have a big business opportunity. Instead of going for a simple eCommerce checkout, you should introduce an “Auction” model. This model works best for unique items like paintings by famous painters.


Let's assume 3 different situations. I will propose a solution for each of them.

1. Very high demand
I really recommend an “Auction” model for this portal. You have customers and you SHOULD monetize them for the sake of your business.

2. Moderate demand
Mark the product unavailable as soon as a user starts the checkout process. Set a timeout of a specified number of minutes. Inform the user about this time frame. We cannot tolerate slow users here. Those will be handled in the next situation.

3. Low demand
Mark the product unavailable as soon as a user starts the checkout process. Set a timeout of a specified number of minutes. Refresh this timeout after every page refresh by the user. By refreshing the timeout with every request, we can handle very slow users. In my view, every eCommerce system should at least cover this situation.

Now the big question: how will new users be handled while an earlier user is in the checkout process?

It depends on one very big factor: are you using a cache or indexer-based search for your site? If you are not using any cache or indexer, you can simply make the product unavailable.

In the case of a cache or indexer, we need to adopt a different approach. I recommend leaving your cache or indexer system unchanged. Whenever a user tries to purchase an item, we need an extra check on the “availability” of the product for a smooth transaction. If the product is unavailable, we need to inform the user. We can also show a waiting window to this user if the time frame is a few minutes. In the waiting window, a message like “We are checking availability of this product, this may take a few minutes, please stand by” can be shown. After the specified time, if the product is still available we can proceed with checkout, or we can say sorry to that user and show other relevant products to him or her.


One more thing: do not forget to record incidents of purchases where the user did not finish the payment process. You may contact them to find out why they left the process in the middle. This may be vital for your business.
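The hold-with-timeout scheme for moderate and low demand, the purchase-time availability check and the record of unfinished checkouts, sketched as an added example that is not part of the original post. Class and method names are hypothetical; it assumes a single server process (a multi-server site would do the same check-and-hold inside a database transaction) and that the caller passes `now` in seconds.

```python
import threading

class UniqueItemHolds:
    """In-memory hold table for one-of-a-kind products (hypothetical names)."""

    def __init__(self, timeout_s, sliding=False):
        self.timeout_s = timeout_s      # hold length shown to the buyer
        self.sliding = sliding          # True: low-demand mode, refresh per request
        self.abandoned = []             # (product_id, user_id) for follow-up contact
        self._holds = {}                # product_id -> (user_id, expires_at)
        self._sold = set()
        self._lock = threading.Lock()   # check-and-hold must be one atomic step

    def _holder(self, product_id, now):
        hold = self._holds.get(product_id)
        if hold is None:
            return None
        if hold[1] > now:
            return hold[0]
        del self._holds[product_id]     # timed out: release and record it
        self.abandoned.append((product_id, hold[0]))
        return None

    def request(self, product_id, user_id, now):
        """Run on "Buy Now" and on every checkout page request.
        True: this user holds the item. False: sold, or held by someone else."""
        with self._lock:
            if product_id in self._sold:
                return False
            holder = self._holder(product_id, now)
            if holder not in (None, user_id):
                return False            # caller shows the waiting window
            if holder is None or self.sliding:
                self._holds[product_id] = (user_id, now + self.timeout_s)
            return True

    def confirm_payment(self, product_id, user_id, now):
        """Run when the gateway reports success. A reply that arrives after the
        hold lapsed returns False and has to be refunded or reviewed."""
        with self._lock:
            if self._holder(product_id, now) != user_id:
                return False
            del self._holds[product_id]
            self._sold.add(product_id)
            return True

if __name__ == "__main__":
    holds = UniqueItemHolds(timeout_s=600)
    print(holds.request("painting-1", "alice", now=0))   # first buyer gets the hold
    print(holds.request("painting-1", "bob", now=10))    # second buyer must wait
```

Because the check runs against the hold table at purchase time, a stale cache or search index can keep listing the item without causing a double sale.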





In defense of QA team: Who is responsible for errors in any software or website?

Consider this hypothetical situation.

Something very precious was in a building. The building was guarded by a guard who was responsible for the safety of the precious item. A thief, using his intelligence and luck, stole that precious item from the building. At a later stage the thief was caught, but he claims that only the security guard can be prosecuted for the theft; in fact, he demands that his act be rewarded as a skill.

What is your first reaction? Impressed with the thief’s arguments? Feeling angry with the security guard? Or laughing at the irony? It can be anything, but I am going to ask a fundamental question: should we stop prosecuting the thief for theft?

In my view, a thief is still a thief, no matter who was ultimately responsible in this case.

Now, let’s apply this story to software development. An error (I am intentionally not using the word ‘bug’) was found in a piece of software or a website. Who will be held responsible?

In my view, as far as responsibility is concerned, it lies with the QA team, but the development team is still responsible and can’t be absolved of that error.

Before we continue, let me clarify my definition of error and bug in the context of this article. A bug is an unintentional behavior of the application, while an error is simply a failure of one feature. For example, a broken login form is an error, but slowness of the login system or a successful login without correct details is a bug.

In any software development process, basic testing of functionality has to be done by the development team itself. Even in our constitutional and parliamentary laws, we have a term, ‘merchantability’, which gives an implied warranty on any product or service we buy from a seller. So basic ‘merchantability’ has to be incorporated in any product or service. A pencil doesn’t need documentation or a purpose statement. A pencil is always expected to write on paper.

Let's be more specific. Suppose there are two buttons on a page, which are supposed to do some specific task when the user clicks on them. Those buttons don’t work and even cause a crash in the application. Unfortunately, this went through to production.

Who is responsible? As I said, responsibility still lies with the QA (Quality Assurance) team, but we cannot release the development team from responsibility, as they failed to test the buttons for merchantability.

In my view, if we hold only QA responsible for this situation, the development team will be relaxed (… and lax) in their work, as they know they do not own any responsibility in trials.

A thief is still a thief… A guard deserves his share of punishment and prosecution, but thieves still deserve to be punished, so that they have some fear. Imagine a situation where a thief is never prosecuted because a security person has failed in securing valuables.

A clear line has to be drawn between errors and bugs: for any ‘error’ in merchantability, the development team must be the primary responsible party, while a bug falls under the QA team.

Your projects are not your real baby, you may need to dispose of them

“This project is my baby, I don’t want to see it perform badly, I will give everything to protect it.” Does this sentence sound familiar to you? You may have heard it from a colleague or may have said it yourself.

In my view, ‘like my baby’ is a metaphor which is overused and abused by many people. What will you do when you find an application built on a really bad architecture whose programmers are treating it just like a baby? They love it, but are also afraid of losing it.

Bad architecture happens not just because someone was incompetent; bad things also happen due to things which were beyond control or unimaginable at the time of conceiving an idea or plan. But a few people refuse to understand that projects may be like your baby, but they are not your real baby.

In the real world, when we have a baby with different abilities, we try to help them grow in different directions; we are supposed to support them in every sphere of life. We want to be with them, always; after all, they are our babies.

Almost one year ago, I was discussing some serious flaws in one of the applications with its lead programmer, who was also part of the architecture and in fact was the only “subject expert” available at the time the idea was conceived and executed.
When I pointed out issues with the architecture, he became a little defensive and used the metaphor that a child cannot run from his first day. Things will improve with time. I tried to use the opportunity to tell him that if a child is born with a bone disease, we cannot prepare him to run the fastest 100 meter race. He was really hurt by my statement. He was behaving as if someone had pointed fingers at his own real child.

We need to understand that treating your projects like your real baby is a way to disaster. Projects have specific objectives. If those objectives are not being met and the current architecture does not offer any way out, then we may need to discard them, so that we can start fresh. It may be difficult, but it is the only viable option for future use.

Love your projects, care for them, but understand that your projects have a purpose. … And this ‘purpose’ is the ultimate reason. Care for it.

2 things you should never do as a programmer

You will find lots of guides and articles on the internet about what you should do to be a good programmer. A lot has been written on what we should do to excel in any field.

In my view, it's not only what we do which makes us good in our profession. Excelling at our work mostly depends on what we should not do.

In this article I am making a short list of two things which any programmer should not do.

1. Stop Reading about new things

If you think you know a lot about programming because you are an expert in one of the so-called mother languages, then you are making a big mistake. Even languages which were marked as stable and labelled as mother languages, like C and C++, are changing a lot. At the least, new libraries are being added to them. So you should never stop reading about new things. Subscribe to a few good magazines or journals, even if you do not have time to read all the articles. You will at least be aware of what is going on around you.

2. Coding before architecture

Never start coding before deciding on the architecture of your application. It's a huge mistake that many newcomers as well as so-called experienced people make. I can tell you from my experience in projects: it's the architecture which makes a project a success or a failure. Starting to code before taking decisions and making a plan for project execution is like going for a ride when you really don't know where to go. Read about design patterns. They are documented solutions for common problems. Try to use them.
