Tag Archives: rant

Further update on SAP Gateway CSRF token farce

So, an update on my recent rant about CSRF protection that isn’t needed on SAP Gateway.

The folks in the very attentive HCI team have just added functionality into their solution, so if you configure an OData call to an onPrem system via SAP HANA Cloud Connector, it will automatically do the GET with a fetch for the CSRF token for you whenever you configure a data update operation.

That’s kinda cool, but all it does is sweep the offending rubbish under the rug.

https://www.flickr.com/photos/bruce_krasting/7695348682 – Sweep under the rug, credit Bruce Krasting

So now we have logic built into an integration platform that is needlessly slowing our integration flow because of a superfluous system requirement. An extra round trip for no reason.

In this case it is truly superfluous, because the original PUT that I was using had the user credentials as part of the header. That alone should make the CSRF token not required.

What this does show, is how SAP Cloud solutions like SAP HCI are able to update and fix stuff far faster than their onPrem partners. Even if it is a work-around to a problem that shouldn’t exist.

Security in depth – or a bug waiting to happen? – CSRF protection on SAP Gateway

What’s that? – It’s the dragon that guards the locked door, we feed people who ask silly security questions to it.

<rant>

So I’ve got my knickers in a twist again. Recently I was playing around with sending some OData to my SAP server when it refused me. Now, I didn’t like that, but at least it was kind enough to tell me why. Apparently I hadn’t fed it a CSRF token. OK, so I looked in the headers of the GET that did work, and lo and behold there was a CSRF token there. I fed that into the POST I was doing, and bingo it worked.

Now it seems to me that many, many people have hit the same thing and found the same solution. Indeed, I asked around some people I knew and they told me: “Get over it Chris, it’s in the header of your GET, it lasts all session, just use it!” But me being me, no, I wouldn’t accept that!

Slight aside – they also mentioned “Damnit, I remember when that patch came in, it buggered up my custom Gateway app and I had no warning that it was coming, took me ages to figure out why it wasn’t working.”


So I thought – OK? Why? Why do we have CSRF protection in the first place, what on earth is it?

CSRF protection – Cross Site Request Forgery protection – according to the websites I read, is supposed to protect against the case where, unknown to a user, a cookie in the browser used for authentication allows a malicious site to alter data on your system (and in the case of Gateway, your SAP system).

So to send a PUT or POST or DELETE (the verbs that can change data) from a browser without the user knowing is going to involve 1 of 2 things.

a) An injection of HTML on the page adds either a form that is going to POST some data (the typical type of attack CSRF protects against) or a link, e.g. an img tag, which GETs data.

b) An injection of some script, e.g. JS on page that is going to do the PUT/POST/DELETE

In the case of (a – POST) the payload will be malformed and Gateway isn’t going to accept that as valid OData – so no security worries anyway. And for (a – GET) CSRF protection isn’t even applied.

In the case of (b), well, if I can embed JS, I can just as easily embed a GET, pull the header and then do an update with the CSRF token. Indeed, the sites that advocate for the CSRF token approach make it clear that it cannot protect you in the case where you have malicious JavaScript.

In the case that the script is running on a page from a different domain, then CORS will kick in and stop the access – but if somehow the injection is on my own domain, I don’t see how we’re protected.

So I was at a loss. What protection does CSRF actually offer Gateway?

I further researched:

There’s a great explanation, which does better than I have at:

Play Framework

It is recommended that you familiarise yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting with this information from OWASP.

Simply put, an attacker can coerce a victim’s browser to make the following types of requests:

  • All GET requests
  • POST requests with bodies of type application/x-www-form-urlencoded, multipart/form-data and text/plain

An attacker can not:

  • Coerce the browser to use other request methods such as PUT and DELETE
  • Coerce the browser to post other content types, such as application/json
  • Coerce the browser to send new cookies, other than those that the server has already set
  • Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests

Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice. So the only requests that need CSRF protection are POST requests with the above mentioned content types.

Since Gateway does not support POST requests with bodies of type application/x-www-form-urlencoded, multipart/form-data and text/plain (or if it does, there’s your problem right there!) there is no need for CSRF protection.

I then had a fun conversation on Twitter with Ethan

The great thing about chatting with Ethan is you always come out having learnt something.

He makes a good point, and I’ll paraphrase him:

“The best security is deep and many layered and protects not only against the things that you know may happen, but also against those that you’re pretty sure won’t.”

I was wrong – “to send a PUT or POST or DELETE (the verbs that can change data) from a browser without the user knowing is going to involve 1 of 2 (now 3) things”, with the third being:

An exploitation of a hitherto unknown browser bug that allows it.

So now I’m confused. Is it worthwhile implementing the hassle that is CSRF protection, including the potential slowdown in speed of response from the solution (a paramount concern in a mobile app), for a situation that might happen?

When I’m writing ABAP code, I’m happy to trade away performance of the code for ease of maintenance. I don’t use pointers (field symbols) to loop over data that I do not intend to change, because some fool could come along later and accidentally do just that. If I instead use a work area, there isn’t that risk.

So in some respects I already do work that makes the solution slower to ensure lower risk, so shouldn’t I just do the CSRF thingy?

However, it is the reason for the risk – I don’t trust that the people maintaining the code after I leave will understand what I have done in my implementation of CSRF protection and won’t make a mistake. Even if I’m using UI5 in my application to update my SAP system, will they remember to call the refreshSecurityToken method every time before a PUT, POST or DELETE? Will they test it? Will they let the session expire in the testing so that they actually need to call the refreshSecurityToken method? I really hope so, but I doubt it. I see applications going into error and data not being updated when it should have been, because of “needless” CSRF protection.
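As an added illustration (my own constructed model, not SAP’s code or anything from this post), here is the token dance from the Play Framework excerpt above and the “will they remember to refresh?” failure mode: a stand-in server that hands out a token on a GET carrying X-CSRF-Token: Fetch (the header convention Gateway uses) and demands it on every non-safe verb, a client whose refresh_token() plays the role of UI5’s refreshSecurityToken(), and a token_needed() policy encoding the argument about forgeable content types and header-based authentication. The session bookkeeping, the 403 details and the round-trip counter are assumptions of the model.

```python
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Bodies a browser can be coerced into POSTing cross-site via a plain HTML
# form (the list from the Play Framework docs quoted above).
FORGEABLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                           "multipart/form-data", "text/plain"}


def is_browser_forgeable(method, content_type):
    """True if an HTML form on a hostile page could produce this request."""
    if method == "GET":
        return True
    base = content_type.split(";")[0].strip().lower()
    return method == "POST" and base in FORGEABLE_CONTENT_TYPES


def token_needed(method, content_type, ambient_auth):
    """Policy following the post's argument: a token only buys something for
    a mutating request that a form can forge AND that rides on ambient
    (cookie) credentials. An explicit Authorization header is set by the
    client's own code, which a cross-site form cannot do."""
    return (method not in SAFE_METHODS and ambient_auth
            and is_browser_forgeable(method, content_type))


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class GatewayModel:
    """Constructed stand-in for the server: one CSRF token per session,
    demanded on every non-safe verb whatever the content type, i.e. the
    strict behaviour the post observed."""

    def __init__(self):
        self.sessions = {}      # session id -> current CSRF token
        self.round_trips = 0    # every call to handle() is one HTTP round trip

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_urlsafe(24)
        return sid

    def renew_session(self, sid):
        """Models the session timing out and being re-established: the
        client's credentials still work, but the token has changed."""
        self.sessions[sid] = secrets.token_urlsafe(24)

    def handle(self, method, headers, sid):
        self.round_trips += 1
        token = self.sessions.get(sid)
        if token is None:
            return Response(401)
        if method in SAFE_METHODS:
            hdrs = {}
            if headers.get("X-CSRF-Token", "").lower() == "fetch":
                hdrs["X-CSRF-Token"] = token   # token handed out on a fetch GET
            return Response(200, hdrs)
        # Mutating verb: constant-time compare against the session's token.
        if not secrets.compare_digest(headers.get("X-CSRF-Token", ""), token):
            return Response(403, {"X-CSRF-Token": "Required"})
        return Response(204)


class Client:
    """Client side. update() shows the two behaviours the post worries about:
    remembering to fetch a token at all, and coping with one that went stale
    because the session was renewed underneath the app."""

    def __init__(self, gw, sid, retry_on_403=True):
        self.gw, self.sid, self.retry_on_403 = gw, sid, retry_on_403
        self.token = None

    def refresh_token(self):
        r = self.gw.handle("GET", {"X-CSRF-Token": "Fetch"}, self.sid)
        self.token = r.headers.get("X-CSRF-Token")

    def update(self, method="PUT"):
        """Returns (status, round trips spent on this one logical update)."""
        start = self.gw.round_trips
        if self.token is None:
            self.refresh_token()
        hdrs = {"X-CSRF-Token": self.token or ""}
        r = self.gw.handle(method, hdrs, self.sid)
        if r.status == 403 and self.retry_on_403:
            self.refresh_token()                      # token stale, fetch again
            r = self.gw.handle(method, {"X-CSRF-Token": self.token}, self.sid)
        return r.status, self.gw.round_trips - start


def demo():
    """Constructed scenario: a careful client and a naive one share a session."""
    gw = GatewayModel()
    sid = gw.login()
    good, naive = Client(gw, sid), Client(gw, sid, retry_on_403=False)
    first = good.update()        # fetch + PUT: the extra round trip
    second = good.update()       # cached token: one round trip
    naive.update()               # naive client also fetches once and succeeds
    gw.renew_session(sid)        # session timed out and came back, new token
    after_good = good.update()   # 403, re-fetch, PUT: three round trips
    after_naive = naive.update() # stale token and no re-fetch: the app errors
    return first, second, after_good, after_naive
```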

weighing Dodgy Code vs Browser Bug risks

So what I see is this: Security in enterprise is paramount, Gateway is enterprise software, it needs to be secure. So SAP made it so, even if it hasn’t really made a big difference or fixed any known security holes. But, “just in case”. However, custom code (and even standard code 😉 ) will have bugs, ones that rely on sessions timing out are particularly hard to test and will get through. The risk to your Gateway based mobile app is greater by having CSRF protection enabled than it is to your data being maliciously hacked through zero-day exploits. But I guess it depends on what that data is 🙂 .

</rant>

OK, one final bit…

<rant>

Given that I might not actually be using my Gateway for a UI app but for machine to machine transactions, would it PLEASE be possible that if I provide a valid authentication header in the PUT/POST/DELETE that we ignore the CSRF thingy? If I can somehow come up with a valid auth header, then we aren’t protecting anything with a CSRF token, we’re just making transactions slower by requiring multiple round trips that shouldn’t be needed.

</rant>

I feel better now. 🙂


Read how this discussion unfolds over at SCN…

http://scn.sap.com/community/gateway/blog/2014/08/26/gateway-protection-against-cross-site-request-forgery-attacks#comment-611490

P.S. my last post from SCN comment thread as I think it’s an important summary:

The thing is, by not implementing CSRF protection, we aren’t making our services insecure. There are no known ways to use CSRF against Gateway currently.

There is the case of protection against unknown attacks, but is that worth the cost, risk, effort?

Not using CSRF protection does not mean you are making your service insecure. It is just trading “just in case” against real life complexity, risk and cost.

Depending on the data concerned, that “just in case” might be worth it. It won’t always be.

Architects have a responsibility to their companies to balance these risks and decide. We have the responsibility to inform them clearly and not just pretend that security is the only and overwhelming factor to consider.

Sometimes we put security on a pedestal and everything has to be done to address it. But we should remember that everything should have a risk/reward curve and sometimes NOT coding for a security risk is actually less risk than coding for it.


Intangibles, appreciating your employees motivates, performance ratings processes don’t

Sorry, here I go again. I just read Steve Hunt’s post: http://www.tlnt.com/2014/08/04/performance-management-we-wont-fix-the-problem-by-ignoring-it/

And of course I’m all worked up. Why? Two reasons.

Firstly, I strongly disagree on the premise that performance management actually achieves improvements for the employees that are being “managed”. This is using Steve Hunt’s own definition of performance management:

Standardized and defined processes used to communicate job expectations to employees, evaluate employees against those expectations, and utilize these evaluations to guide talent management decisions related to compensation, staffing and development.

This has nothing to do with motivating and improving employees. It’s all about figuring out what is the smallest amount you can get away with paying your staff.

A process that can actually help employees improve is working with them to find out their interests, find out what they want to do and shape their work around that. This isn’t the world of Gen-X and Boomers any more. People are far more interested in making work part of their life and life part of their work. Will they do that if there is a regimented process that is going to measure them against the cookie cutter mould? No, they won’t. Because no employee is exactly alike and no employer that wants to get the best out of their employees is going to manage that by trying to shape an employee to the employer’s expectation. We need instead to understand the great whole of the employee’s values and use that to motivate them. An employee that is doing what they feel is valuable and feels that the company supports them in this is far more likely to perform well than one that does not.

We have the tools (in a creepy big brother kinda way) to be able to analyse far more than just our employee’s achievement of our stated corporate goals, but also the interests, engagements, networks and influences of our employees. By better understanding our employees, and then aligning our business goals with their goals, we stand so much more chance of motivating and retaining talent.

Remunerate at the market rate for the skills that the employee possesses, if they gain more skills then pay more. Or if those skills have nothing to do with your business, don’t try and hold on to someone who would be happier elsewhere. Likewise, if the desires of the employee do not align with your corporate goals, don’t attempt to force the employee to comply, you are both better off without each other. Have the frank discussion that their desires and your goals don’t align at all. If their goal is to sit and eat chocolate and drink coffee all day and you don’t have a coffee and chocolate tasting role in your company, then it’s probably not going to work out. But it is good to know this – it’s time to move this employee on. Not because they don’t do what they are supposed to do, but because they have no desire to be doing it. Be frank, you can’t get rid of them if they are doing a reasonable job, but they will never be stellar unless _they_ want to do the work.

Now, I’m sure that this approach isn’t going to work in many, if not most, industries. If you have a load of jobs that people will only do if they are paid enough to suffer through, then this approach will not work. In this case fall back on Steve’s approach, just realise you’re very unlikely to develop or retain any talent.

However, if you are in an industry where people (or at least some of them) work because they love doing the work and are enthused about being the best, then I think my approach has some real advantages. Of course you will get and hire bad apples. This is where I believe performance management comes in. You now attempt to manage that person out of the company and ensure that you are not at legal risk by following a clear process. I’m sure there are risks in only performance managing those you’d rather have leave the company, but there are certainly rewards too.

And now to my second point of why I’m unhappy with this article. It was written by someone with the job title Senior Vice President of Customer Value at SuccessFactors/SAP Cloud HCM

If this is what SuccessFactors believes will drive more customer value, then I’m very worried that innovative and alternative approaches to making talent management work are not likely to get a great reception.

I strongly agree with Steve that we need to find out and measure how well our people are doing, but that does not need to be against a defined set of company goals; it can be against a slightly less well defined set of individual personal goals that the company can hopefully align with and benefit from. I believe that the next step for talent management solutions like SuccessFactors is to help employers with the analysis of who their employees are and what they want. Then use that information to help align both the business’s needs and the employee’s desires. It’s a huge technical challenge but we have to start somewhere. By at least acknowledging that there might be better ways of doing things rather than just dismissing them, we’d be making a first step in the right direction.

Companies that start to embrace the holistic view of the employee rather than the company centric one will, I believe, start to reap the rewards.

I could well be just dreaming, but at least I’ll be dreaming with some of the most motivated and enthusiastic people around who are all trying to achieve their goals in my company.


On being a dodgy international business empire

Recently I got an email from a company that I hadn’t heard of with an invoice for a month of electronic fax services that I had supposedly signed up for.

Now normally these sort of emails go directly to my spam folder and never see the light of day. But this one rang a bell and also they claimed to have my credit card details and were going to debit automatically!

You see, I had signed up for a service similar to the one mentioned (the ability to send faxes via email) but I certainly hadn’t agreed on any sort of monthly service fee. What I had signed up for was a pay-per-use fax service. If I needed to send a fax, I sent an email, and the cost of sending the fax would be debited from my credit card. But that wasn’t this company, or the service I was being billed for.

A trawl through the unread emails in my inbox found another email from the company now trying to bill me. It seems that they had purchased the small Australian company that I had previously made an agreement with, and had “upgraded” my account to one with a monthly service fee.

So unilaterally they had changed the terms and conditions of my agreement, and only given me notice of this through an email (that very much looked like spam marketing.) It seems that they also had sent another email which came from the company I had an agreement with, but had spoofed the from address – so I had assumed it was spam.

The biggest problem – the company I had originally had an agreement with had passed on my credit card details to this mega-corporation ( just type email fax into your favourite search engine, they’ll be at the top – and probably own the other top ten results too, it seems they are pretty much cornering this business.) So now they had my credit card details and were going to bill me.

Fortunately for me, the credit card I had used for the original service has been cancelled for some time – somewhere along the line, its details were stolen and it was used fraudulently which HSBC thankfully informed me about and I cancelled the card.

So I’m now having a nice email exchange with mega-corp asking them kindly to stop invoicing me for services I did not sign up for and have no intention of paying for. Also asking them to immediately and retrospectively cancel any service that they believe I have signed up for. Whilst they keep asking me for new credit card details (like that’s ever going to happen!) I’ve read on other forums that they can get pretty nasty about this, bringing in debt collectors and the like whilst not cancelling the service and invoicing more and more. So we’ll see what happens.

This said, the nice lady I spoke to when I phoned their customer service department was quite helpful in apparently arranging cancellation of my account. We’ll see how this pans out.

This raises for me some concerns. How is it that a company can be purchased and the new owner is able to make unilateral changes to existing contracts? Surely that is illegal? If not – it should be!

How can an email sent from a different domain than the purported sender (in this case an email from support@faxmate.com.au was sent from cpro30.com) 1) not automatically be assumed to be spam marketing/phishing 2) allow or justify unilateral contract modification.

Should it be legal that a company that purchases another automatically has access to all the purchased company’s records, including customer credit card details? I guess to a certain extent that this has to be the case, but in the case where an Australian company is purchased by an international one, shouldn’t there be some protection against our personal details suddenly being transferred overseas?

I’m glad my credit card was already cancelled, but I’m sure there are many others out there right now in Australia who are trying to figure out whether or not to just pay a few dollars or fight this seriously dodgy business process.


Stack ranking, one of the worst ways to approach an already flawed idea

There’s a pattern here, Vijay posts up something on HR and I feel compelled to reply but end up writing far more opinionated rubbish than I should…

http://andvijaysays.com/2013/11/26/stack-ranking-it-doesnt-have-to-be-evil/

Nice post Vijay! But I will disagree.

Comparative employee rating (also known as stack ranking, vitality curves, rank and yank…) does not IMNSHO lead to useful or helpful results. In the case where enough employees are available to make bell curves a statistical likelihood (which I think would mean a huge number of employees and a huge variation in management and employee prowess which would most likely indicate a failed recruitment process, rather than a diverse company) then the likelihood that it would be possible to accurately compare one employee with another is very limited, Stack ranking only (doesn’t) works when it is possible to compare the employees. Which means the employees likely know each other, which means it’s probably in their own interests to screw each other’s performance. Check out the well publicised story at Microsoft – http://www.vanityfair.com/business/2012/08/microsoft-lost-mojo-steve-ballmer – under heading “The Bell Curve”.

“If you were on a team of 10 people, you walked in the first day knowing that, no matter how good everyone was, two people were going to get a great review, seven were going to get mediocre reviews, and one was going to get a terrible review,” said a former software developer. “It leads to employees focusing on competing with each other rather than competing with other companies.”

As I have previously mentioned I think the whole idea of performance reviews and ratings does nothing to help the employees, rather it just helps identify where good and bad management is occurring in the organisation. When we start linking review scores to payment, it gets even worse. Why? Because employees then start linking (even more strongly than they do already) their salary with their perceived self worth. Then when for whatever reason a large pay increase is not possible, the employee values themselves less. In the worst cases of this I have come across organisations where the employee contracts state that a performance review rating of 5 equates to n% of salary bonus payment, whilst a 4 is slightly less, and so on. The organisations have fixed salary/bonus budgets, so in order to pay out, they adjust the employees’ performance rating down (very rarely up!) so that the budget is met. Excellent employees are told that they are just “good” because there isn’t the budget to pay them if we tell them that they really are excellent.

I believe that there is a place for strongly objective reviews of employees, it’s the dark side of performance management. It’s that work that you need to do to be able to fire a disruptive or underperforming employee without having your arse hauled through the courts for unfair dismissal. Probably not an issue in the US I hear, but certainly a consideration in countries where the law is a little more friendly to employees. However, to drag all employees through a similar procedure when you don’t intend to fire them in the end, is not ideal methinks.


Peering into the future, short and longer term

Given my thoughts (and of course I haven’t a lot to back that up) that the only real positive value of current performance reviews is to evaluate the effectiveness of the management teams, I suggest that we remove the soul crunching and mainly pointless reviews and replace them with alternative ways of checking manager effectiveness. Google appears to have been doing a good job of this with its Project Oxygen and 360 reviews of managers – read the excellent HBR article http://hbr.org/2013/12/how-google-sold-its-engineers-on-management; an excerpt quoting one of the Google managers, which illustrates the value of the program, is below:

“I was surprised that one person on my team didn’t think I had regularly scheduled one-on-one meetings. I saw this person every day, but the survey helped me realize that just seeing this person was different from having regularly scheduled individual meetings. My team also wanted me to spend more time sharing my vision. Personally, I have always been inspired by Eric [Schmidt], Larry, and Sergey; I thought my team was also getting a sense of the company’s vision from them. But this survey gave my team the opportunity to explain that they wanted me to interpret the higher-level vision for them. So I started listening to the company’s earnings call with a different ear. I didn’t just come back to my team with what was said; I also shared what it meant for them.”

This approach appears to be working at Google. Perhaps too well! A Google full of managers rather than leaders would be almost as bad a place to work as Yahoo for me. However, the concept of 360 reviews providing actionable areas for improvement, I think, is something that isn’t quite so blue sky. This is an idea we’d be better off implementing right now. I think there is a clear difference between “management” telling you that you could do better in areas compared to the team that you manage telling you that you could improve.

Looking to the longer term, I think it will not be far off where we can use data that we would not have considered analysing previously (social network graphs, semantic and sentiment analysis of work communication, external to enterprise group and social sentiment, etc.) to give us hints as to whether employees are more or less productive, motivated, stretched, likely to leave, etc. What is more, predictive analytics will improve in the HR space (hello HANA and comparing huge sets of data across multiple organisations available due to SaaS set up of the HR tools and therefore comparable data sets). We should start to be able to get that data and the predictions about how an employee is going to act in time to do some real time/preventive management (hopefully). This is going to be far more valuable than the formalised soul destroying performance appraisal process happening once every n months.

I’d go as far as to suggest formal reviews only exist because we have this feeling that we need to have something “objective” to use to manage our people. However, in reality the best/happiest/most productive workplaces are going to be those where the subjective views of the employees are that they are being well and fairly treated. I think we can do an awful lot more in our workplace to help our employees be happy and productive. And most of that improvement isn’t going to come from paying our employees more or telling them where on a scale of 1 to 5 they scored this year. Perhaps we like to think that an objective review feeds a subjective view; I don’t think it does (or if it does, it’s rarely going to be positive.)

Edit – to try to clarify a few points here I wrote yet another post: To rank or not to rank, ‘cos that won’t work in the real world will it?

Lies to Children – Simplification for the sake of easy explanation

I was so close to tweeting this:

The earth & sun orbit around their combined centre of gravity. simple explanation isn’t the same as accurate, just a lot easier to explain

It even fits in 140 characters, but I don’t think it does justice to the point I wanted to make.

Michael wrote:

and I commented:

Michael replied:

I lol’d.

However, it raises a point I’d like to address: we often hear some very compelling stories about how things are. One of those stories is about the earth orbiting the sun. If you look closely at the details, what the earth orbits is the sum total of gravitational influence in the solar system. It happens that sum total is pretty much smack bang centred on the sun, but it certainly isn’t always.

The simple story is compelling, and it may even be true for most use cases, but were I trying to calculate the trajectory of an asteroid potentially on a collision course with earth it wouldn’t be.

Likewise if Michael took my story about SaaS meaning the end of upgrades to his business it would be a very compelling and simple one. After all, someone else is managing that in a SaaS world aren’t they?

Look into the detail, however, and you might find things like APIs that you’re using for integration getting deprecated over time; certainly you’ll hope to find that the UI/UX changes, and so your training documentation will need updating. New functionality will come along and you may well adopt it.

Beware any simple and seemingly logical statement – especially if it comes from someone trying to sell you something.

because:


Keeping it real

Anti-Social social media

As many of you who might read this know, I like social media. I spend a reasonable amount of my spare time following and trying to keep up with the information that is available about SAP, cloud and HCM topics. Many of these social media discussions (a majority I’d suggest) take place over twitter. Now recently I’ve found a few tweets that have really got me irritated. But before I explain what got my back up, it’s probably worth pointing out that there is a simple option for me, and it’s put the phone/tablet down and walk away. This really isn’t that serious! Secondly, don’t ask me to name names, I won’t and I don’t think it’s helpful anyway, and I’ll get to why not later.

What’s wrong?

I’ve seen two types of behaviour that I’ve disliked. The first has been where people have been using social media as a tool to strike up a conversation, but rather than continuing with the conversation, just make a couple of snide remarks and try to spark up a fire. In some cases these have been extreme storm in a teacup scenarios, where information that was misunderstood, or not researched or understood at all, has been used to derive wild scenarios that are great link-bait but do not actually help drive the conversation forward. Conversations are two-sided; if you refuse to engage in a manner that engenders discussion then you don’t have a conversation, you have a battle. In battles the only people that win are the arms manufacturers.

The second type of behaviour is where people represent themselves as “individuals” but start broadcasting what can only be described as advertisements for the products that the company they work for sells. Now this is a fine line, as you’d expect people to be interested in and excited about the products that the company they work for sells. But when it is done across a whole group of employees and sometimes with a common message/format, then it really starts to smell bad. Even worse when people start tweeting info and then add a link to some sales website or their company twitter handle when the content of the tweet isn’t about that! It’s like they are branding their tweets! But when they then refuse to engage on the marketing type tweets to clarify details (possibly because some of the marketing bs is actual bs?) it gets really irritating.

The problem.

Well, my real issue is that the response I want to give to tweets of the second type would just make me an asinine tweeter of the first type. Keeping it real and respecting myself involves not walking either of these two paths. And that’s tricky. Not to mention frustrating! This is why I don’t want to name names; it’s just behaving like a spoilt brat and isn’t doing anyone any favours. Don’t be evil!

My solution – not “the” solution

I believe that I shouldn’t take myself too seriously; it’s one of the reasons I still keep the ridiculous twitter image that I have whilst pretty much all those that I engage with have sensible portraits. To remind myself not to think overly of my skills, abilities or influence, as I’m just a silly looking guy whose biggest achievement was becoming a father. Remembering what is important and valuable to me then drives my behaviour. Yes, I’ll post this up to vent a little, but the anti-social social media that winds me up, hopefully you won’t see that coming from this direction. 🙂

Seriously, don’t take yourself too seriously. Photo was taken at my son’s 1st birthday party.

ABAP Code Naming Conventions

Ok, you can probably guess that I’m not the most conventional person. I probably don’t fit the mould of the stereotypical developer either. I’m certainly not what one would call an introvert.

So please take this with the necessary pinch of salt. (especially if you’re one of the people who writes the code naming conventions that I have to follow from time to time 😉 )

A pinch of salt required

<rant>

Why on earth does every SAP project I go to insist on such inane naming standards for the code? The SAP editor is a wonderful IDE (caveat: I did not say it was the best IDE) that allows you to see the definition of any variable with a simple double click – so why on earth are you so worried that I should prefix all my local variable definitions with an ‘l’? What on earth potential benefit can this have on the code readability? Perhaps it helps if you’re still one of my nemesis developers who are passing all your variables between methods through the use of global variables and/or singletons. Perhaps one needs to look at a piece of code, see lots of l’s and that gives satisfaction? The use of Hungarian Notation in ABAP code seems to be universal, although, it seems, never implemented in the same way.

Then when I define a structure, I must prefix it with an “S” just so you can be sure that it isn’t actually a table or a single field, or so help me, a woolly mammoth. When I look in the IDE view of the package I am developing, all of these different things are arranged in a tree so you can easily tell one from the other. Again, a single double-click can bring me to the definition if it is ever referred to in a piece of code. Perhaps it might save some time looking at a variable definition to see if it is a table, a structure, an object reference or a variable – but if I’m in the code, it should be pretty damn obvious! If I’m appending or inserting into it, it’s a table. If I’m referencing a sub-field of it, it’s a structure. If I’m assigning a value to it, it’s a variable. If I’m creating an instance of it, it had better be an object reference. Then again, there may be cases of my nemesis developers still using tables with header lines and confusing the heck out of me. But I’m hoping that the code inspector might weed at least that out.

Searching outside of the SAP world the use of Hungarian Notation within code is not universally disliked, but with such a clear list of disadvantages and such luminaries as Uncle “Bob” Martin and Linus Torvalds against it, you’d have to proclaim yourself a pretty die-hard supporter of “doing it the old way” not to just think a little – “is this really useful? Or is it even potentially bad?”.

Then there comes the requirement that every object should reference the area of use it is intended for. Thus the fourth and fifth characters of the object name must be “HR” or “PA” or “XX” or whatever. The use of Positional Notation for implicit metadata about a component is, however, not something I’ve seen outside of SAP projects, except for the COBOL example given in the linked Wikipedia page. At this point when reading the naming convention guide, I casually check if there is any mention of packages and package hierarchies and, hope upon hope, package interfaces. When there isn’t, I sigh and just bite my tongue again. Because SAP has provided a wonderful way of helping us see what use a component is put to: every component must belong to a package, and that package can (and should) have an application component defined. And to give even more clarity, the package can have a super-package, thus grouping all like components together, whatever types they are and wherever in their object names they have a ridiculous two character code. The package interface can even tell you if the object is safe for use outside of the package. What a great concept!

So instead of spending time thinking about whether the components we are building are truly reusable, and what the scope of that reuse is, we spend hours checking if we have the first n characters of our objects correct according to the development standard book.

</rant>

One day someone will be silly enough to let me do it my way. I’ll confuse the bejeebers out of all the guys who’ve only been coding ABAP badly for the last 10 years, and the project will potentially fail because I’ll spend my entire time looking for enough of a development team that can understand that following a rigid way of doing things isn’t always the best way to do it…. <sigh>

Personal link shortening and tracking

<RANT>

Is it really required to use link shortening services everywhere? In twitter or other places where space is at a premium – sure, I’m happy. But where it doesn’t matter, the only reason they are being used is so that the publisher of the link can track the number of clicks that they are getting.

I’m not particularly happy about this sort of tracking, to the extent that I’ll use a search engine to find the content rather than click the link. Also, I’d prefer not to click on the link if it’s just going to take me to a press release – which is obvious when you see the URL, but not so much when it’s hidden by a click counter (oh, I mean link shortening service).

Perhaps I should just get over it and let those people who want to crow over the number of clicks their posts are getting get high on their own self-importance. I’d rather just share than worry about that, and that should be enough.

</RANT>