SANS Hack Challenge 2016

Ok, time for something new now. For the past 2 years I’ve been doing (rather irregularly) security assessments. It’s quite a new thing to me, compared to the 14 years I’ve spent doing software engineering. Still I’ve already learnt a lot and got some great results and huge customer satisfaction in my security related assignments.

This year, just as last year, I took part in the SANS holiday hack challenge: . The SANS team spent a lot of effort creating a whole browser game, combining graphics, music, gameplay and hacking. It turned out great!
Since the challenge is over, I can now publish my writeup.
The plot of the challenge is that someone kidnapped Santa, so you have to find Santa and the villain who did it. As a starting point you get a Twitter and an Instagram handle: @SantaWClaus
Eventually you will need to find 7 mp3 audio files, which are stored on various hosts, and complete the challenges from the browser game.


Time and Material Projects

Last time I wrote about fixed price projects, and was quite negative regarding them. In this article I’ll look at another type – the time and material project. Here the client is invoiced regularly for the hours and expenses of the development.

You’ll spot a problem with it right away – the provider will have an incentive to make the project as long and as costly as possible, as that guarantees more revenue.
Another negative aspect for the customer – you keep paying your invoices every month, but that doesn’t mean you also have software you can use, nor that you ever will. At some point you may decide the project is no longer feasible, but the money is already spent. So all you’re left with is a big hole in your budget. At least with a fixed price project, the provider has the contractual obligation to deliver something, by a defined deadline.

As to the advantages for the client, you have more flexibility with regards to the scope, as you are not tied to a rigid contract. You can change your mind, re-prioritize the features and add or drop features without all the hassle of a fixed scope.

Of the two described methods, as the provider, I prefer time and material. It is crucial though, to have a good, trust-based relationship with the customer. How do you achieve that? Through previous projects, but that’s a chicken and egg problem. Communication and transparency are vital here, and using an iterative/agile project methodology helps a lot in that regard.

The client needs to be able to see what has been done, what is being done, and how much there is left to do. What are the risks, what are the challenges, what will we implement in the next sprint/iteration? The customer needs to be a central part of that. You think a task will go over budget? Communicate that as early as possible, don’t just hope it’ll even out. All this goes towards building a trust relationship with your customer, which means your project will have a much greater chance of succeeding.