Interview Questions for a Software Architect


Just because this makes a really nice SEO-friendly headline.

However, this post is not so much about specific questions and answers; rather, it pertains to technical vocabulary, acumen and architectural thinking with abstractions. Without getting into the dogmatic differences between a solution architect, system architect, and an enterprise architect, I'd define a software architect in Simon Brown's terms as a master builder: a software architect who codes, or a software developer who understands architecture. A software architect is essentially a seasoned senior developer with experience in enterprise architecture, good communication/people skills and excellent problem-solving capabilities.

When evaluating a software architect (or if you are the one being evaluated for the role), I'd start with these questions and then customize accordingly. Normally, during the early screening, one should gauge the breadth of technical knowledge (depth will be assessed in person), comfort level with ambiguity, and software craftsmanship (I know, it's a bit vague to quantify). Look for essential technical vernacular (as distinct from buzzwords), such as known architectural templates and enterprise architecture patterns, which helps distinguish a practitioner from a stereotypical ivory tower architect.

Being technology specific isn't the right approach unless you have a very specific version of Wasabi to support. Instead of asking the candidate if they know WCF DataContract serialization parameters by heart or the MVC3 Authorize attribute syntax, give them a scenario and look for the vocabulary. For instance:

 

How would you architect/maintain consistency in a large scale payment processing system?

For a large scale distributed payment processing system, how should one keep the balance consistent across multiple data stores? See if he (or she) understands the architectural concepts of geographical separation of data stores, latency, transaction management, atomicity, consistency, idempotency and durability concerns. If the candidate knows about ACID vs BASE, it's a big plus. Ask the candidate about B2B integration with a 3rd party service in the same scenario and see if the candidate worries about shadow copies of data, ownership, race conditions and consistency with the source.
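
An added illustration of the idempotency, atomicity and race-condition vocabulary above, not code from the original post: a hypothetical in-memory `Ledger` whose `Debit` takes a caller-supplied idempotency key, so a retried request is answered from the stored result instead of debiting twice. The class, method, key and account names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory ledger (constructed example, not a real payment API).
public sealed class Ledger
{
    private sealed class Applied
    {
        public string Account;
        public long AmountCents;
        public long BalanceAfter;
    }

    private readonly object _gate = new object();
    private readonly Dictionary<string, long> _balances = new Dictionary<string, long>();
    // Idempotency key -> the request that was applied and its outcome.
    private readonly Dictionary<string, Applied> _applied = new Dictionary<string, Applied>();

    public void Open(string account, long openingCents)
    {
        lock (_gate) { _balances[account] = openingCents; }
    }

    // Returns the balance after the debit. Replaying the same key with the
    // same payload returns the stored result without debiting again.
    public long Debit(string idempotencyKey, string account, long amountCents)
    {
        if (string.IsNullOrEmpty(idempotencyKey)) throw new ArgumentException("idempotencyKey");
        if (amountCents <= 0) throw new ArgumentOutOfRangeException("amountCents");

        // Lookup, balance check and write form one atomic step; without the
        // lock two concurrent retries could both pass the lookup and both debit.
        lock (_gate)
        {
            Applied prior;
            if (_applied.TryGetValue(idempotencyKey, out prior))
            {
                // Same key with a different payload is a client bug or tampering,
                // not a retry: refuse rather than guess.
                if (prior.Account != account || prior.AmountCents != amountCents)
                    throw new InvalidOperationException("idempotency key reused with a different request");
                return prior.BalanceAfter;
            }

            long balance;
            if (!_balances.TryGetValue(account, out balance))
                throw new KeyNotFoundException("unknown account");
            if (balance < amountCents)
                throw new InvalidOperationException("insufficient funds");

            long after = balance - amountCents;
            _balances[account] = after;
            _applied[idempotencyKey] = new Applied
            {
                Account = account, AmountCents = amountCents, BalanceAfter = after
            };
            return after;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var ledger = new Ledger();
        ledger.Open("acct-1", 10000);                                   // constructed sample data

        long first = ledger.Debit("req-42", "acct-1", 2500);
        long retry = ledger.Debit("req-42", "acct-1", 2500);            // network retry, same key
        Console.WriteLine("first={0} retry={1}", first, retry);         // both report the same balance

        try
        {
            ledger.Debit("req-42", "acct-1", 9999);                     // same key, different amount
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

In a distributed deployment the key table and the balance update would have to commit in the same transaction on the owning data store; the lock here stands in for that.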

 

How did you implement X non-functional requirement (scalability, security) in your last project? If you didn't, how would you have?

For scalability, look for architectural thinking across multiple tiers: from UI (CDN) to server-side code (web farm, HA cluster, distributed cache) to service layer (atomic services, distributed, stateless) and database (RI constraints, SQL vs. NoSQL, sharding, always-on) etc.
For security, look for keywords like input validation, white vs blacklist, network layer vs app-layer differences, cross site scripting, cross site request forgery, secure cookies, secure configuration and, above all, ask what defense in depth is. Knowledge of PCI DSS, HIPAA, the OWASP Top 10 and static code analysis is always good to have and essential in most regulated industries.

 

How would you (have you?) implement Distributed Session Management?

For a large scale web application, how would you solve the distributed session management problem (see if the candidate knows what it means before elaborating on a server farm)? Listen to see if the candidate is aware of the different technologies available to solve this problem (in-proc sessions, state server, cookieless sessions, memcache, cookie-based sessions, AppFabric etc.). Extend the question by asking about distributed caches and CDNs to see if he has ever implemented one and what the pros and cons are. Maybe delve into DNS resolution / propagation to see how strong the candidate is when it comes to OSI fundamentals.

 

Considering C# is your primary language, how would you test a simple addition method with the signature int Add(int a, int b)? 

Look for the candidate's acumen for the C# language as well as unit testing; does he talk about edge conditions, such as int.MaxValue + int.MaxValue overflowing so that the result can't fit in the returned int? Does his unit test have negative conditions, zeros, floating point values / data type checks, int.MinValue checks etc.? Extend this question by asking which attributes you would use ([TestMethod], [TestClass]) and what the purpose of Assert is (used for testing, as in Assert.AreEqual(expected, actual)). Also inquire about measuring code coverage.
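
The edge cases above as an added MSTest class, not code from the original post; the `Calculator` class and its two methods are hypothetical. `Add` uses `checked` so overflow throws, while `AddUnchecked` shows the silent wraparound C# produces when overflow checking is off, which is the compiler default.

```csharp
using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;

// Hypothetical class under test (constructed for this example).
public static class Calculator
{
    // Wraps silently on overflow, like plain a + b in a default build.
    public static int AddUnchecked(int a, int b)
    {
        return unchecked(a + b);
    }

    // Throws OverflowException instead of returning a wrapped value.
    public static int Add(int a, int b)
    {
        return checked(a + b);
    }
}

[TestClass]
public class CalculatorTests
{
    // Passes only if Add throws OverflowException for the given operands.
    private static void AssertOverflows(int a, int b)
    {
        try
        {
            Calculator.Add(a, b);
        }
        catch (OverflowException)
        {
            return; // expected
        }
        Assert.Fail("Add(" + a + ", " + b + ") should have thrown OverflowException");
    }

    [TestMethod]
    public void Add_TypicalValues_ReturnsSum()
    {
        Assert.AreEqual(5, Calculator.Add(2, 3));
        Assert.AreEqual(-5, Calculator.Add(-2, -3));
        Assert.AreEqual(0, Calculator.Add(7, -7));
    }

    [TestMethod]
    public void Add_Zero_IsIdentityAtTheExtremes()
    {
        Assert.AreEqual(int.MaxValue, Calculator.Add(int.MaxValue, 0));
        Assert.AreEqual(int.MinValue, Calculator.Add(0, int.MinValue));
    }

    [TestMethod]
    public void Add_OppositeExtremes_FitsInInt()
    {
        // int.MaxValue + int.MinValue is -1, well inside the int range.
        Assert.AreEqual(-1, Calculator.Add(int.MaxValue, int.MinValue));
    }

    [TestMethod]
    public void Add_PositiveOverflow_Throws()
    {
        AssertOverflows(int.MaxValue, int.MaxValue);
        AssertOverflows(int.MaxValue, 1);
    }

    [TestMethod]
    public void Add_NegativeOverflow_Throws()
    {
        AssertOverflows(int.MinValue, -1);
        AssertOverflows(int.MinValue, int.MinValue);
    }

    [TestMethod]
    public void AddUnchecked_MaxPlusMax_WrapsToMinusTwo()
    {
        // 0x7FFFFFFF + 0x7FFFFFFF = 0xFFFFFFFE, which is -2 as a signed int.
        Assert.AreEqual(-2, Calculator.AddUnchecked(int.MaxValue, int.MaxValue));
    }
}
```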

 

Technical vocabulary test: (what is/are, how do you feel about) Single Responsibility Principle, inversion of control, dependency injection, idempotency, HTML5 web workers and web sockets, CSS sprites, service governance, SOA tenets, enterprise library, channel factory, service discovery, static code analysis, code coverage, enterprise service bus (why would you use one?), messaging patterns (fire and forget, duplex, request response), performance monitoring (how to?), MVP vs MVC vs MVVM, design patterns, OO attributes, mocking, continuous integration (familiarity with modern branch-merge source controls), BDUF, SOLID.

HTH. Happy Coding!


Study Notes for 70-486 - Developing ASP.NET MVC 4 Web Applications


After the 70-480 Programming HTML5 and CSS 3 Exam, I finally got around to taking 70-486 - Developing ASP.NET MVC 4 Web Applications which gets me 2/3 towards the destination for MCSD: Web Applications. Following are the set of notes I used along with MCT material which may help those preparing for the exam. The topic-by-topic breakdown is courtesy of a colleague and friend Frank Liao.


Design the Application Architecture

  • Plan the application layers.

    • This objective may include but is not limited to: plan data access; plan for separation of concerns; appropriate use of models, views, and controllers; choose between client-side and server side processing; design for scalability

  • Design a distributed application. [link]

    • This objective may include but is not limited to: design a hybrid application (on premise vs. off premise, including Windows Azure) [link link]; plan for session management in a distributed environment; plan web farms

  • Design and implement the Windows Azure role life cycle. [link link link link]

    • This objective may include but is not limited to: identify and implement Start, Run, and Stop events [link link]; identify startup tasks (IIS configuration [app pool] [link], registry configuration [link], third-party tools [link]) [link]

  • Configure state management.

    • This objective may include but is not limited to: choose a state management mechanism (in-process and out of process state management, ViewState); plan for scalability; use cookies or local storage to maintain state; apply configuration settings in web.config file; implement sessionless state (for example, QueryString) [link]

  • Design a caching strategy.

    • This objective may include but is not limited to: implement page output caching (performance oriented); implement data caching; implement HTTP caching

  • Design and implement a Web Socket strategy. [link]

    • This objective may include but is not limited to: read and write string and binary data asynchronously (long-running data transfers); choose a connection loss strategy; decide a strategy for when to use Web Sockets

  • Design HTTP modules and handlers. [link link]

    • This objective may include but is not limited to: implement synchronous and asynchronous [link link] modules and handlers; choose between modules and handlers in IIS [link]

Design the User Experience

  • Apply the user interface design for a web application.

    • This objective may include but is not limited to: create and apply styles by using CSS; structure and lay out the user interface by using HTML; implement dynamic page content based on a design

  • Design and implement UI behavior.

    • This objective may include but is not limited to: implement client validation; use JavaScript and the DOM to control application behavior; extend objects by using prototypal inheritance; use AJAX to make partial page updates [link]; implement the UI by using JQuery

  • Compose the UI layout of an application.

    • This objective may include but is not limited to: implement partials for reuse in different areas of the application [link]; design and implement pages by using Razor templates (Razor view engine) [link link]; design layouts to provide visual structure; implement master/application pages [link]

  • Enhance application behavior and style based on browser feature detection. [link link link link]

    • This objective may include but is not limited to: detect browser features and capabilities; create a web application that runs across multiple browsers and mobile devices; enhance application behavior and style by using vendor-specific extensions, for example, CSS

  • Plan an adaptive UI layout.

    • This objective may include but is not limited to: plan for running applications in browsers on multiple devices (screen resolution, CSS, HTML); plan for mobile web applications [link]

Develop the User Experience

  • Plan for search engine optimization and accessibility.[link]

    • This objective may include but is not limited to: use analytical tools to parse HTML; view and evaluate conceptual structure by using plug-ins for browsers [link]; write semantic markup (HTML5 and ARIA) for accessibility, for example, screen readers [link link]

  • Plan and implement globalization and localization. [link link link link link]

    • This objective may include but is not limited to: plan a localization strategy; create and apply resources to UI including JavaScript resources; set cultures; create satellite resource assemblies

  • Design and implement MVC controllers and actions.

    • This objective may include but is not limited to: apply authorization attributes [link] and global filters [link link]; implement action behaviors [link link]; implement action results [link]; implement model binding [link]

  • Design and implement routes. [link link link link]

    • This objective may include but is not limited to: define a route to handle a URL pattern [link]; apply route constraints [link link]; ignore URL patterns [link]; add custom route parameters [link]; define areas [link]

  • Control application behavior by using MVC extensibility points.

    • This objective may include but is not limited to: implement MVC filters [link link] and controller factories [link link]; control application behavior by using action results [link link], viewengines [link], model binders [link], and route handlers [link]

  • Reduce network bandwidth.

    • This objective may include but is not limited to: bundle and minify scripts (CSS and JavaScript) [link link]; compress and decompress data (using gzip/deflate; storage) [link]; plan a content delivery network (CDN) strategy, for example, Windows Azure CDN [link]

Troubleshoot and Debug Web Applications

  • Prevent and troubleshoot runtime issues.

    • This objective may include but is not limited to: troubleshoot performance, security, and errors; implement tracing, logging (including using attributes for logging) [link], and debugging (including IntelliTrace) [link link]; enforce conditions by using code contracts [link link]; enable and configure health monitoring (including Performance Monitor) [link]

  • Design an exception handling strategy. [link link]

    • This objective may include but is not limited to: handle exceptions across multiple layers; display custom error pages using global.asax or creating your own HTTPHandler or set web.config attributes; handle first chance exceptions

  • Test a web application.

    • This objective may include but is not limited to: create and run unit tests, for example, use the Assert class, create mocks; create and run web tests

  • Debug a Windows Azure application.

    • This objective may include but is not limited to: collect diagnostic information by using Windows Azure Diagnostics API; implement on-demand vs. scheduled collection; choose log types, for example, event logs, performance counters, and crash dumps [link]; debug a Windows Azure application by using IntelliTrace [link] and Remote Desktop Protocol (RDP) [link link]

Design and Implement Security

  • Configure authentication.

    • This objective may include but is not limited to: authenticate users; enforce authentication settings; choose between Windows [link], Forms [link link], and custom [link] authentication; manage user session by using cookies [link]; configure membership providers [link]; create custom membership providers [link]

  • Configure and apply authorization. [link]

    • This objective may include but is not limited to: create roles; authorize roles by using configuration; authorize roles programmatically; create custom role providers [link link]; implement WCF service authorization [link link]

  • Design and implement claims-based authentication across federated identity stores. [link]

    • This objective may include but is not limited to: implement federated authentication by using Windows Azure Access Control Service [link]; create a custom security token by using Windows Identity Foundation [link]; handle token formats (for example, oAuth, OpenID, LiveID, and Facebook) for SAML and SWT tokens [link link link link]

  • Manage data integrity. [link]

    • This objective may include but is not limited to: apply encryption to application data [link]; apply encryption to the configuration sections of an application [link]; sign application data to prevent tampering [link]

  • Implement a secure site with ASP.NET. [link]

    • This objective may include but is not limited to: secure communication by applying SSL certificates; salt and hash passwords for storage [link link]; use HTML encoding to prevent cross-site scripting attacks (ANTI-XSS Library) [link link]; implement deferred validation [link] and handle unvalidated requests [link], for example, form, querystring, and URL [link]; prevent SQL injection attacks by parameterizing queries [link]; prevent cross-site request forgeries (XSRF) [link]


On Entropy Depletion & Related Links

I had to dig these up in the context of a conversation around the (in)security of currency regimes such as Bitcoin, where presumed ownership of currency is built solely upon asymmetric cryptography. You may find some of these links to be of interest as well.

Textbook RSA is insecure
   and other interesting observations...

http://crypto.stanford.edu/~dabo/courses/cs255_winter00/RSA.pdf

Hardware Security for FPGAs using Cryptography
   contains a great overview of different kinds of sideband attacks on cryptography
https://www.escrypt.com/fileadmin/escrypt/pdf/Hardware_Security_for_FPGAs_using_Cryptography_Microsemi_Huettemann.pdf
Acoustic cryptanalysis: on nosy people and noisy machines
   seeing through The Matrix isn't really that hard if you know how to look at it
Disk encryption may not be secure enough 
   ye olde standard cold boot attack
On Entropy Depletion
   Running out of randomness can hurt, bigtime.
http://www.educatedguesswork.org/2008/10/on_entropy_depletion.html
Researchers Crack RSA Encryption Via Power Supply
   Invasive sideband attack.  
Blue Pill - Machine Virtualization for Fun, Profit, and Security
   Virtualization attacks.  Epic turtles.  
via David Lazar.

Presentation on Exploring 'Distributed' in DDoS

Exploring Distributed in DDoS - Social Engineering aspects of an 'Anonymous' style DDoS attack
Recorded 24 April 2013.

Abstract:

With the proliferation of social media and mobile devices to the masses, protecting against distributed denial of service attacks has become an arduous technical challenge. Even though we expect much more sophistication, research reports show that the majority of Anonymous-style hacktivist attacks originate from distributed denial of service. Based on analysis of the largest-known hacker forums with roughly 250,000 members, Imperva's hacker intelligence report states that social networks today pose a major interest for hackers. In this talk we discuss the technical challenges and potential remediation of such denial of service attacks. The presentation will elaborate on key tenets of defense in depth, web application security and do's and outline potential threats for financial application domain.

The Cultural Knowledge Consortium (CKC) is a joint and inter-agency effort established to provide a Socio-cultural Knowledge Infrastructure (SKI) to help provide access and connect multi-disciplinary, worldwide, social science expertise and support collaborative engagement efforts in support of Combatant Command (COCOM) socio-cultural analysis requirements. CKC supports and complements the alignment and synchronization of DoD analytical efforts, operational information requirements, and training programs


Hacking Web Apps - Book Review

Hacking Web Apps - Detecting and Preventing Web Application Security Problems - by Mike Shema is a contemporary guide on web application security. Mike's labor of love, as he likes to call this book, contains very relevant and distilled information on modern day web application attacks. The book is different from your garden variety web-application-top-n-style verbose texts with template vulnerabilities and hello-world solutions; Hacking web apps is a book with strong personality which shows in the eight chapters covering diverse topics from HTML5 security, XSS, CSRF, platform weaknesses to browser and privacy attacks.


Starting with HTML5, the author discusses security issues surrounding the "new" DOM, CORS, web sockets, web storage and web workers in a concise and concrete manner. This first chapter, however brief, makes this book quite unique, since very few books to my knowledge have dealt with security issues pertaining to HTML5. The book provides a nice knowledge upgrade on exploits and vulnerabilities when it comes to web 2.0 technologies. Packed with tips, epic failures and notes providing security anecdotes from the real world, this text keeps you involved and entertained throughout. Going beyond the usual CWE-SANS/OWASP top x vulnerabilities, the author elaborates on design issues and draws parallels on how to apply these issues to other similar problems. The text tends to be language agnostic and code samples are in multiple languages (Python, PHP etc.), but I do miss examples with specifics of libraries such as AntiForgeryToken in ASP.NET MVC.

Since I have not read any of Mike's previous books, I cannot comment on how much is shared between his writings but for any web and server side developer interested in security, I'd highly recommend reading this book.


Cloud Computing and CQRS Resources

MSDN Blogs: Cloud Architecture Series - CQRS Part 1 (Bruno Terkaly)

MSDN Magazine: CQRS on Windows Azure (Mark Seemann)
http://msdn.microsoft.com/en-us/magazine/gg983487.aspx

Book: Exploring CQRS and Event Sourcing: A journey into high scalability, availability, and maintainability with Windows Azure (MS Patterns & Practices)
http://www.amazon.com/Exploring-CQRS-Event-Sourcing-maintainability/dp/1621140164
And a few backgrounders:
CQRS - a new architecture precept based on segregation of commands and queries (Marco Heimeshoff, Philip Jander)
http://www.h-online.com/developer/features/CQRS-an-architecture-precept-based-on-segregation-of-commands-and-queries-1803276.html

CQRS Starting Page (Rinat Abdullin)
http://abdullin.com/cqrs/

The Best Way to Learn CQRS, DDD, and Event Sourcing (Rinat Abdullin)
http://abdullin.com/journal/2010/9/10/the-best-way-to-learn-cqrs-ddd-and-event-sourcing.html

MSDN: CQRS Journey Project
http://msdn.microsoft.com/en-us/library/jj554200

Slides: CQRS: Command/Query Responsibility Segregation
http://www.slideshare.net/brianritchie1/cqrs-command-query-responsibility-segregation

Slides: CQRS and Event Sourcing, An Alternative Architecture for DDD (Dennis Doomen)
http://www.slideshare.net/dennisdoomen/cqrs-and-event-sourcing-an-alternative-architecture-for-ddd

When to Avoid CQRS (Udi Dahan)
CQRS is Too Complicated (Rob Ashton)
"I think the main problem with DDD and CQRS is that they are misappropriately used. The vast majority of systems do not need this level of sophistication. What is more worrying is that .NET has adopted CQRS as their new and shiny.
I shudder at people using either for CRUD but I suspect it does happen."
--Paul Cowan
courtesy of David Lazar

Writing High Quality Code in C# by Svetlin Nakov

 

This is an excellent presentation by Svetlin Nakov of Telerik which I thoroughly enjoyed and decided to share via my blog. Following is the abstract.

The author introduces the principles of high-quality programming code construction during the software development process. The quality of the code is discussed in its most important characteristics – correctness, readability and maintainability. The principles of construction of high-quality class hierarchies, classes and methods are explained. Two fundamental concepts – “loose coupling” and “strong cohesion” – are defined and their effect on the construction of classes and subroutines is discussed. Some advice for correctly dealing with variables and data is given, as well as directions for correct naming of the variables and the remaining elements of the program. Best practices for organization of the logical programming constructs are explained. Attention is also given to “refactoring” as a technique for improving the quality of existing code. The principles of good formatting of the code are defined and explained. The concept of “self-documenting code” as a programming style is introduced.


Slides from 11th Annual SecureIT conference- “OWASP Web Services Security - Securing your Service Oriented Architecture”

I recently spoke at the 11th SecureIT conference on "OWASP Web Services Security - Securing your Service Oriented Architecture". This annual event was hosted by UC San Bernardino at Sheraton Fairplex Hotel.

The SecureIT Conference provides focus and opportunities to higher education staff meeting the challenges of providing a secure information technology environment for campus communities. The event was well attended, with distinguished speakers including Pradeep Khosla, UC San Diego’s chancellor; Michael Montecillo, IBM Security Services Threat Research and Intelligence Principal; and Eric Skinner, VP of Mobile Security for Trend Micro.

The slides of my presentation can be found below.


Quantum Computing & Entanglement with Dr. John Preskill @ Caltech

Last night I had the privilege to listen to Dr. John Preskill in Beckman Auditorium here at Caltech with fellow Quantum aficionado David Lazar. John Preskill is the Richard P. Feynman Professor of Theoretical Physics at Caltech. This was definitely one of the most accessible lectures on this topic for a general audience, and it was very well received. Dr. Preskill is definitely a teacher and a communicator; as Feynman chair, he effectively summarized 50+ years of Quantum research and development into a one hour lecture. Quantum Frontiers has some of the recorded lectures which readers may find interesting.


Dr. Preskill is also involved with IQIM, Institute for Quantum Information and Matter, at Caltech. Here is an IQIM Promotional video which was shown towards the end of the session.

The lecture addressed the opportunities and challenges in quantum computing, entanglement, speculation about future trends, quantum error correction and quantum information science.

 


Caltech - John Preskill: Quantum Entanglement and Quantum Computing


A couple of his detailed lectures can be seen below.


The Clairvoyant Load Balancing Algorithm for Highly Available Service Oriented Architectures

Abstract: Load balancing allows network devices to distribute workload across multiple processing resources including server clusters and storage devices. This distribution helps maximize throughput, achieve optimal resource utilization, minimize response time and help use hardware effectively in multiple data-center locations. As a meta-heuristic enhancement to Psychic Routing[1], researchers present early work in a novel algorithm Clairvoyant for optimal yet unrealizable distribution of traffic.
Among many earlier works including [5, 4], the main inspiration of this algorithm is the RFC 1149, i.e. a standard for the Transmission of IP Datagrams on Avian Carriers. Study of literature suggests that earlier work by [7, 2] on internet protocol over xylophone players (IPoXP) also has a huge impact on classical OSI network model. A typical application load balancing is based on techniques including round robin, weighted round robin, least connections, shortest response, SNMP, weighted balance, priority, overflow, persistence, least used, lowest latency, and enforced traffic flow [6]. Researchers propose that Clairvoyant, by utilizing the ensemble of anomalous cognition, ESP, remote viewing and psychometry, can provide a high performance yet irreproducible load balancing approach. The Clairvoyant load balancing algorithm helps the system administrator fine-tune how traffic is distributed across connections in a psychic manner. Backed by parapsychological research[1], each load balancer is equipped with an enterprise grade channeling medium with features to fulfill potential special deployment requirements. Building upon the techniques proposed in RFC 5984, using extrasensory perception to achieve "infinite bandwidth" in IP networks, Clairvoyant can achieve negative latency as well as negative transmission time difference with appropriate parameters, unachievable by traditional methods[6, 3]. The algorithm uses claircognizance to redirect traffic to one of the unused or even non existent nodes. Clairaudience allows setting up the connection priority order, however early experiments suggest that using 0x8 spherical surfaces also achieve the same level of performance when compared using ROC/AUC.
Although irreproducible in most non-REM environments, the researchers see the potential of using this load balancing algorithm in most high performing service oriented architectures allowing the packet forwarding that will provide unsurpassed end user performance regardless of link capacity, distance, and number of hops. Detailed algorithm and findings will be published in The Journal of Irreproducible Results by 4/1/2014.

References

[1] Jonathan Anderson, Frank Stajano. Psychic Routing: Upper Bounds on Routing in Private DTNs. 2011.

[2] R Stuart Geiger, Yoon Jung Jeong, Emily Manders. Black-boxing the user: internet protocol over xylophone players (IPoXP). Proceedings of the 2012 ACM annual conference extended abstracts on Human Factors in Computing Systems Extended Abstracts: 71-80, 2012.

[3] David R Karger, Matthias Ruhl. Simple efficient load balancing algorithms for peer-to-peer systems. Proceedings of the sixteenth annual ACM symposium on Parallelism in algorithms and architectures: 36-43, 2004.

[4] KM Moller. Increasing Throughput in IP Networks with ESP-Based Forwarding: ESPBasedForwarding. 2011.

[5] C Pignataro, G Salgueiro, J Clarke. Service Undiscovery Using Hide-and-Go-Seek for the Domain Pseudonym System (DPS). 2012.

[6] Sandeep Sharma, Sarabjit Singh, Meenakshi Sharma. Performance analysis of load balancing algorithms. World Academy of Science, Engineering and Technology, 38: 269-272, 2008.

[7] Emily Wagner, Yoon Jeong, R Stuart Geiger. IPoXP: Internet Protocol over Xylophone Players.

 
