Saturday, August 29, 2009

Know Your FizzBuzz

Software engineering companies often give a prospective hire a test to see if they know how to code. There are a lot of applicants who cannot figure out, or who over-think, how to write a simple program like FizzBuzz. Before looking at the code below, take the test yourself and see how you do! This took me about 3 minutes, most of which was spent setting up a project in the Eclipse IDE and typing in the source. If you are not familiar with Java, this can be easily implemented in any language. Be sure to read the article and comments on Jeff's blog post; it is quite interesting.

The CodingHorror blog ( http://www.codinghorror.com/blog/archives/000781.html ) quotes the problem of the lack of competent programmers trying to obtain jobs very nicely:

"Most good programmers should be able to write out on paper a program which does this in a under a couple of minutes. Want to know something scary? The majority of comp sci graduates can't. I've also seen self-proclaimed senior programmers take more than 10-15 minutes to write a solution." - Jeff Atwood


Now it's your turn to try it! Here are the rules:

"Write a program that prints the numbers from 1 to 100. But for multiples of three print "Fizz" instead of the number and for the multiples of five print "Buzz". For numbers which are multiples of both three and five print "FizzBuzz"." -CodingHorror.com


    public class FizzBuzz {

        // Returns the FizzBuzz output for a single number.
        public static String fizzbuzz(int i) {
            if (i % 3 == 0 && i % 5 == 0) {  // or i % 15 == 0
                return "FizzBuzz";
            } else if (i % 3 == 0) {
                return "Fizz";
            } else if (i % 5 == 0) {
                return "Buzz";
            } else {
                return Integer.toString(i);
            }
        }

        // Prints the FizzBuzz output for 1 through 100, one value per line.
        public static void main(String[] args) {
            for (int i = 1; i <= 100; i++) {
                System.out.println(fizzbuzz(i));
            }
        }
    }

Paros Proxy and The Prime Directives

When testing web applications for vulnerabilities, it is necessary to manipulate the data sent to and received from the server. Paros Proxy is one of the top applications to do this. It allows you to edit HTTP headers, spider websites, and create fake client certificates in order to perform man-in-the-middle attacks, and it supports scanning for XSS (cross-site scripting) and SQL injection vulnerabilities. Paros Proxy is an open source Java application that runs cross-platform and requires minimal configuration to get up and running.

Open source projects are typically done over long distances. The reason the open source paradigm works and works so well is explained in great detail in Eric Raymond's essay "The Cathedral and the Bazaar" http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ and I highly recommend reading it.

Companies who develop proprietary software have internal methods of measuring the success of their products. In open source we have The Three Prime Directives. The Three Prime Directives of Open Source Software facilitate developer and user communication thus producing more effective applications. This is a useful standard that all open source projects should employ to measure their level of success in the Bazaar.

Prime Directive 1: The system accomplishes a useful task.

Paros Proxy accomplishes its task and goes beyond that. It offers a suite of tools to test the security of your web application that would take many smaller, more specialized tools to replicate. While the number of features amounts to a broad range of applicable testing, the specific capabilities of Paros Proxy lack the detailed intricacy that specialized applications are designed for. This is not necessarily a bad thing, as specialized tools should be used solely for their purpose and not fall into a destructive path of feature bloat.

Prime Directive 2: An external user can successfully install and use the system.

Paros Proxy comes ready to run. The download page ( http://www.parosproxy.org/download.shtml ) also offers a PDF that explains the setup and how to use the program in layman's terms. The directory includes an EXE that executes a JAR file on Windows. On Linux, I executed the JAR file directly. When compiling from source, all you need to do is run Ant. To test MITM (man-in-the-middle) attacks, I configured Firefox to connect through Paros Proxy on localhost:8080. I went to a few websites and watched HTTP headers and source code. I was able to edit cookies and change data on the fly with minimal effort. The user interface was simple to use and navigate (see below for screenshot).
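What the browser-through-proxy setup described above does on the wire, as an added example that is not part of the original post and is not Paros code: a stand-in web application and a small forward proxy run on loopback ports, the client sends its request to the proxy, and the proxy edits the Cookie header before forwarding it. The handler names, the `theme` cookie and the automatically chosen ports are assumptions made for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

seen_by_proxy = []  # Cookie headers the proxy observed in transit

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Quiet):
    """Stand-in web application: echoes the Cookie header it received."""
    def do_GET(self):
        self.reply(self.headers.get("Cookie", "").encode())

class Proxy(Quiet):
    """Forward proxy: a proxied client puts the absolute URL in the request line."""
    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        seen_by_proxy.append(cookie)
        edited = cookie.replace("theme=light", "theme=dark")  # edit in transit
        target = urlsplit(self.path)
        upstream = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        upstream.request("GET", target.path or "/", headers={"Cookie": edited})
        self.reply(upstream.getresponse().read())

def serve(handler):
    """Start handler on a free loopback port and return that port."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port

def run_demo():
    """Send one request via the proxy; return (cookie sent, cookie the origin got)."""
    origin, proxy = serve(Origin), serve(Proxy)
    client = http.client.HTTPConnection("127.0.0.1", proxy, timeout=5)
    client.request("GET", f"http://127.0.0.1:{origin}/", headers={"Cookie": "theme=light"})
    received = client.getresponse().read().decode()
    return "theme=light", received

if __name__ == "__main__":
    print(run_demo())
```

The origin has no way to tell that the cookie it received differs from the one the client sent, which is why anything arriving from the client has to be validated on the server.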

Prime Directive 3: An external developer can successfully understand and enhance the system.

Paros Proxy is constructed using the MVC (Model-View-Controller) design pattern. If you understand MVC, then it is simple to get involved immediately. If you don't understand MVC, a quick look at http://java.sun.com/blueprints/patterns/MVC-detailed.html will be of great assistance. The code is not thoroughly commented, but methods are named in a fashion that is helpful to the developer. One downside is that there is no developer documentation that I could find, so if you want to get involved, just dive in.

http://sourceforge.net/projects/paros/
http://www.parosproxy.org