Forem: Anton Frattaroli

A Different Kind of War

Anton Frattaroli — Mon, 28 Jan 2019 20:05:53 +0000

I came across the following twitter thread and wanted to respond, but it's a bit more complex than can fit in a tweet:

Jen Simmons

@jensimmons

It’s beginning to feel like the HTML-CSS-JS vs JS-JS-JS war is a class war. If your project has a budget of millions, “of course” you should use a complex build process and a JavaScript framework that handles everything (according to the folks who believe this). The pressure…

19:48 PM - 27 Jan 2019

291 910

Jen Simmons

@jensimmons

The pressure to re-architect the web itself to conform to these ideas, and abandon the original design principles (HTML as a base, super robust, works with *all* devices; CSS for styling on top of that, with a cascade; JS for bonus fanciness) is fierce. Feels like a class war.

19:48 PM - 27 Jan 2019

78 358

Jen Simmons

@jensimmons

Rich vs poor.

Massive teams vs everyone else.

Building a web that works for everyone vs a web that only works for those with expensive new devices and no disabilities.

Architecting a web that favors massive corporations and pushes out less-powerful voices and ideas.

19:48 PM - 27 Jan 2019

66 382

Jen Simmons

@jensimmons

It does feel like a war. A war for the future of the web. When I read “the standards bodies don’t care about web developers” I see someone wielding a weapon in this war — pushing to get rid of the design principles that made the web for everyone. To give the powerful more power.

19:48 PM - 27 Jan 2019

59 340

It immediately reminded me of a section of a fantastic analysis by Mark Nutter from a couple years ago. He inferred that Google's deep ties to the web (and standards bodies) make the web, as a platform, a risk that Facebook does not want to be exposed to. He says that React is a step toward abstracting away the browser.

Gramshackle follows up on the Google/Facebook relationship and outlines what he believes would need to take place for Facebook to usurp Google. He identifies React Native as a way to add an abstraction layer over mobile platforms, and GraphQL as a replacement for REST. They may even be targeting HTTP itself, which is a frightening thought given how fundamental it is to the world.

I find that to be entirely plausible and even likely. JS-JS-JS vs HTML-CSS-JS is only about abstracting the browser as a result of one corporation trying to thrive in an ecosystem dominated by an actor who isn't them.

So I agree, it feels like a war for the future of the web, with standards bodies used as weapons (note: GraphQL and JSX are standards, but not W3C), but not targeted towards web developers and not based on team size (we're just caught in the middle). But it's a war we've seen before. Mac or PC? What came about is the browser abstracting away the OS, and other form factors contributing to the success of the browser as a platform. Google won that war. Now Facebook is using a similar playbook in our latest round of tech wars.

If you're unaware of Facebook's intentions, it can be absolutely frustrating how they stomp all over years of web platform evolution. And the current lack of an alternative to the web can make it seem like they're just a bunch of crazies.

But something I've noticed with the most recent generation of tech is the amazing documentation and ease of use, which I believe is there because creators really, really want you to use their stuff. Take GatsbyJS and their amazing tutorial series. I'll admit that the underlying complexity is oppressive, but it's made so that a single person can grasp the tools and use them effectively.

I think everything that is going on is narrowing the gap between large and small teams, and am glad to see the industry moving in that direction.

Do You Have a Good Job?

Anton Frattaroli — Sat, 08 Dec 2018 02:52:43 +0000

Its not easy to recognize the value of your job when all you have to compare it to are your past jobs. Bad past jobs will make an employee over-value their current job. A lack of experience can lead to under-valuing a job. The definition of a good job hasn't always been the same but the responsibility of making jobs good has always lied with managers. A good manager knows what makes a job a good one.

Individual Attention From Your Manager

Being successful in your job is a responsibility shared by you and your manager. If you're not getting regular one-on-one face time with your manager then you're not being respected as an employee. Having successful one-on-one meetings is a widely discussed and marketed topic in management. Even if you have some trouble communicating in a one-on-one situation, your manager should have some tools and tactics to start and keep you improving. Your manager should make you feel heard and not forgotten.

Career Progression

Dramatic changes in markets are commonplace today. Because of that companies can't guarantee lifelong employment for good employees the way they used to. In response, companies should be striving to instead guarantee increased employability. When you've outgrown the demands of your current position you should have the skills and training you need to take that next step. In an ideal world, you and your manager would agree on when that is and the company should be lifting you up on your way out having been fully prepared for your departure.

Transparency and Engagement

Do you understand and agree with the reasons behind the work that gets done? Nothing hurts your chances for success quite like being given partial information, or being told "just do it." If the "why" of the work isn't communicated, understood, and agreed with then its importance will be lost on those contributing - leading to poor contributions.

Professional Communication

Does your company have a common way of discussing professional interactions and approaches to work? Many systems come across as goofy personality tests but are meant to provide a common language for team building. It might take a leap of faith to hop on board but if used appropriately they can enhance your team's ability to communicate and empathize with each other.

Developer experience

Many have argued that user experience is priority number one. It acts like an emotional safety net for when things go wrong. Are there obstacles standing between you and digging into the meat of your work? Leaders will be looking for ways to improve the process so that your ability to produce is as uninhibited as possible.

Single-discipline Teams

When you work in a team of people practicing your same craft, opportunities to collaborate, learn, and share are readily available. Your manager can focus on a deep knowledge of managing one type of employee rather than spreading themselves thin playing catch-up to understand how to develop employees of various disciplines.

Team Performance

Your team needs to agree on a simple way to collectively measure their performance and how your manager can work with the team to improve quantity and quality metrics over time. Working together for these shared goals helps you understand what your role in the company is providing and its place in the greater scheme of things.

Regular Team Meetings

Collaboration and continuous improvement doesn't happen unless you make the time for it. This time can also be used to refresh the reasons why the work is important work, to reinvigorate and motivate the team.

Your Work

Just because you know [insert legacy tech here] doesn't mean that you took the job to work on that. Your manager should make it a priority for you to be working on either your core responsibilities or branching out into areas you want to explore. And when you succeed in doing the work you like, you deserve to be recognized for your accomplishment.

Inter-team Teamwork

It can be a pain point for a team to depend on another team for progress even if they're responsive. Your manager should be working to replace dependencies on other teams with greater cooperation. If a team of developers is regularly asking a security team for new service accounts, let the developers create their own service accounts while introducing a method to allow the security team to audit the accounts for compliance.

Benefits

Health, Dental, Vision, 401k; holidays, vacation, and sick leave: pretty standard benefits. Are executives making some effort to provide more? Flexible (Health) Spending Accounts, 401k matching, bonuses (profit sharing, stock options), flexible working hours and remote opportunities, gym access, and maternity/paternity benefits are some areas where companies can do more to award their employees for their contributions. Human Resources should always be asking "at this point, can we commit to doing more?"

"People leave managers, not companies."

It's your manager's job to make sure your position is a good job. I believe that a good job doesn't need to excel in every category, but at least address each one and aim for continually improving on that. In a truly good job, you'll always be getting more out than you put in.

What happens when you type 'google.com' into a browser and press Enter?

Anton Frattaroli — Thu, 19 Jul 2018 15:10:23 +0000

My most favorite interview question I've come across yet was "You type 'google.com' into a browser address bar and hit <Enter>, what happens afterwards?"

Someone could talk for days on end trying to answer that with some form of completeness. How deep will they go? Strictly for fun, I'm going to put my answer here. When I was asked this in an actual interview, I rambled on for a good 10 minutes before they stopped me. And then I kept remembering things I forgot to include even after the interview finished.

I'm going to keep this formatted as a wall of text because that's how it felt to answer this question in conversation.

So What Happens?

The browser is going to analyze the input. Usually if it has a ".com" it won't think you're typing search terms. And once it decides it must be a URL, it'll check that it has a scheme, if not, it'll add "http://" to the beginning. And since you didn't specify a number of HTTP protocol features, it'll assume defaults, like port 80, GET method and no basic auth.

Then it'll create an HTTP request and send that. I'm not confident in my low level networking knowledge but if I was I'd say something about the MAC address, TCP packet transfers, dropped packet handling. But anyway, a "google.com" DNS lookup will happen, and if it's not already cached a DNS service will reply with a list of IP addresses, because "google.com" doesn't just have a single IP address. Browsers will pick the first one by default I believe. Not sure if they're regional or how the list works, but I know it's there.

So the HTTP request jumps from node to node until it gets to the IP address of google.com's load balancer. It wouldn't last long, Google would respond that you need to be using HTTPS - assuming with a 301 permanent redirect. So it would go all the way back to your browser, the browser would change the scheme to HTTPS, use the default 443 port and resend. This time the TLS handshake would take place between the load balancer and the browser client. Not 100% on how that works but I know the request would tell Google what protocols it supports (TLS 1.0, 1.1, 1.2) and Google would respond with "Let's use 1.2". Then the request gets sent with TLS encryption.

I think the next thing Google would do is put it through web application firewall rules on its load balancer to see if it's a malicious request. When it passes, the secure connection has probably been terminated (because PCI-DSS regulations say you don't need to encrypt internal traffic) and the request would get assigned to a pool in their CDN, and the google-side cached homepage will be returned in an HTTP response. Probably pre-gzipped.

Google's response header would be read by the browser, cached according to the response header caching policy, then the body would be un-gzipped. And because it's google it's probably ultra-optimized: minified, likely a lot of pre-rendered content, inlined CSS, JavaScript and images to reduce network requests and the time-to-first-render. But that request will trigger a cascade of other requests, all concurrent because it should be running HTTP/2. While those requests are being made, JavaScript would be parsed, probably not blocking because they used the defer attribute on their tags - or async, I never did read about what those did individually.

But the browser has probably already rendered the search box and is working on the toolbar at the top, which is going to take some extra network requests - I probably already have a cookie or maybe local storage with an OAuth token - or maybe I'm using Chrome and it already knows who I am, and that request with auth gets sent to their Google+ API that tells the Google search page application who I am.

Another request would be sent to get my avatar image. At this point they've already browser-sniffed to see if I wasn't using Chrome, in which case they would have popped-in a tooltip to tell me that Chrome is awesome and I should be using that instead of anything else.

I think it would quiet down at that point. All taking place in a fraction of a second.

What is observably different?

Let's lookup the DNS:

I know I had previously seen google.com coming back with multiple IP addresses, but that doesn't seem to be the case anymore. Seems that they used to use round-robin but don't anymore. This StackOverflow question covers it. I had forgotten it was called round-robin.

Network Layers...

In a formally structured answer, you'd probably reference the OSI Model, which I know of but am not well versed in. After looking it up, I take it network layering maps like this:

Application - The logic initiating requests
Presentation - HTTP
Session - TLS
Transport - TCP
Network - packet routing (IP)
Data link - frames (which seem to be packet containers)
Physical - bitstreams

I missed that in TLS they exchange certificates after agreeing on a protocol.
Networking isn't my strongest arena.

Open google.com in my browser, disable cache:

I missed the host name canonicalization - which was a 301.
The correction from HTTP to HTTPS is a 307 Internal Redirect.
It then downloads fonts, the logo images, and my avatar image. Without an API call, which means they shoved my profile information in the page and bundled that with the return - so they're doing actual data retrieval when you hit google.com and not just serving cached assets.

The Response

Above is a file comparison of the IE 11 and Chrome responses - both logged out.

Not terribly different between IE11 and Chrome. But it means they're user-agent sniffing server-side and not client-side. Could have mentioned this in my answer.
Unexpectedly, the Chrome response is larger by 22kB. I wonder if it's the search-by-voice feature, which is visibly absent from IE 11. IE11 probably needs polyfills and the Chrome advertisement but it's all obfuscated and I'm not going to torture myself any further.
Even after I clear my cookies in Chrome, it still sends cookies on first request. It does not do that in IE 11.

Lets dig into that rendering!

That pic above is the first screenshot Chrome will give you.

There aren't any async or defer attributes on the script tags, just nonce attributes. I'm learning about nonce as of this minute, and it seems to be security related. I guess they want those blocking scripts. I'm sure they fiddled around with/without async/defer at some point and decided against it.
Note to self: Full response is a mess of mixed JavaScript, CSS, and HTML. They aren't following any rules governing their placement in regards to separation.

What about the question itself?

You know what? Maybe it's not that great of an interview question for a developer since the answer has so much networking involved. It's the format of the question I like, something open ended, that includes some guessing. That gives the interviewer the opportunity to follow up with questions like "How do you think TLS is established?" to see how the candidate thinks, see how creative they are, see what their limit is (how patient?).

What's your favorite interview question?

Quick and Dirty Web Accessibility

Anton Frattaroli — Mon, 09 Jul 2018 04:20:43 +0000

Why

Legal Reasons: "equal opportunity", "reasonable accommodation"
Government contracts
SEO... sort of.

How Long

Shouldn't take long.

How

Use semantic HTML

Use the semantic HTML5 elements - header, footer, nav, main,
dialog (w/polyfill), article, section, aside. They double as ARIA
landmarks so you won't need to deal with those. Also use semantic HTML4 elements, like label on input fields.

Skip navigation link

You need:

a. A screen-reader only class:

.sr-only {
    position: absolute;
    width: 1px;
    height: 1px;
    margin: -1px;
    padding: 0;
    overflow: hidden;
    clip: rect(0, 0, 0, 0);
    border: 0;
}

b. A link after your body element:

<body>
    <a class="sr-only" href="#main" tabindex="0">Skip to Main Content</a>

c. Give your main element that ID:

<main id="main">

WAVE Accessibility Checker Browser Extension

Why this one? Because there's a WAVE Accessibility Checker extension for both Firefox and Chrome, and that covers 99% of the people I know.

None of the accessibility checkers do a particularly good job. Clear out the errors, ignore warnings and manual checks. Common errors are missing alt attributes on images and empty headings.

Keyboard Navigation - tabindex

In this step you'll be adding tabindex to everything "interactable" - anything a user might click on like a link or a text input field. Don't worry about text sections, people who actually know how to use screen readers will be able to manage that.

There are only two values for tabindex:

0: can tab to this element.
-1: can't tab to this element.

Tabbing should follow the DOM order, which is why we only use 0. Hidden stuff like menu items should have -1. Install the ChromeVox screen reader browser extension to test this - it's free and it does the job.

Other Stuff

You're probably going to have some keyboard navigation one-offs, like 'Press enter to open the menu and the arrow keys to navigate the menu items'. Tell the user that with the aria-label attribute.

If you have content that updates without user interaction, like notifications, use the aria-live="polite" attribute and value on it. That will tell the user something happened.

If you have links that only say "Click Here" you're doing it wrong.

If you have a hover event handler or CSS pseudo-class, then make it do that same thing on focus, too.

If you have a click event handler, you're going to want to add the same handler for keypress against event.key === 'Enter'.

Good Enough?

Good enough to argue in court that you made an effort.

Not Good Enough?

The idea is that all users have an equivalent experience with the website.
Reach out to a consultant, they have the expensive screen readers.
Enlist actual disabled people to assist with testing.

Notes

Ganked image from Google Image Search's 'labeled for reuse' tool. Originally on https://yoast.com/http-503-site-maintenance-seo/

OAuth Tips for the Uninitiated

Anton Frattaroli — Thu, 05 Jul 2018 18:43:52 +0000

Devs are hyped to unload the identity management parts of their apps onto an OAuth provider(s). You know OAuth is a good thing, but you don't have a good grasp on what the impacts will be to your organization. Here are some tips that'll get you comfortable with it.

Decoupling Authentication and Authorization

Customers/employees are now typing their usernames and passwords directly into your websites. If they are inactive for 15 minutes, they get logged out automatically and need to provide their usernames and passwords again to get access. When a user registers, they're creating an identity that is authorized for that website, and that website only.

An OAuth service alone doesn't do much. It needs identities - so it gets hooked up to one or more identity providers. Users will type their usernames and passwords into an identity provider's form to authenticate. That identity provider is handling the authentication part for the OAuth service.

The OAuth service allows users to authorize (registered) applications to use their identity (and possibly other information). Once the user has authenticated with the identity provider, the OAuth service gives the user a token for use on those authorized applications. The token is proof that the user is who they say they are. Your website offloads authentication to the OAuth service (through the OAuth service's identity provider(s)), and only requests authorization to use the identity. With the OAuth service handling authorization and the identity provider handling authentication, authentication and authorization become decoupled.

The internal features of your applications are still under your control, independent of the OAuth service (unless you want them to be).

Short-lived Tokens

Once a token is given out, it can't be taken away (as long as you're using standard JSON web tokens). That's a good thing and a bad thing. Good because it means you don't have to worry about it after you've given it out. Having to track all of those tokens would be a significant amount of overhead you don't need. The bad part is that if someone else gets a hold of that token, they can use it too.

That's why tokens need to have a short lifetime. Say, 20 minutes max until expiration. If someone else gets it, they have at most 20 minutes to do damage.

Refresh Tokens

But you don't want your users re-authenticating every 20 minutes. So when they authenticate the first time, they get two tokens - the Access Token (the 20 minute one) and the Refresh Token. Refresh Tokens are used by your website to say "Hey OAuth provider, my user is still using our services so they need to refresh their Access Token". And the OAuth provider hands out a new Access Token and everyone is happy. The OAuth provider is tracking those refresh tokens, and because of that they can last a long time - a six month or more lifetime on a refresh token is considered reasonable.

That does mean more coding for your website. If services start giving "Unauthorized" errors, the access token probably expired and needs to be refreshed.

Security Process Impacts

It's nice that today, you only need to flag a user account and their authentication quits working, and they can't use your systems anymore. But remember we decoupled authentication from authorization, so you need to have a plan for revoking their refresh tokens, too.

Moving Forward

And then, now that your authentication endpoints are consolidated, maybe you could look into multi-factor authentication and really nail the user experience of the "Forgot Password?" functionality.

Notes

This article is intended as a response and complement to this super-high quality article:

Dancing with OAuth: a step by step guide

anabella ・ Jul 4 '18

#oauth #authentication #explainlikeimfive #beginners

Ganked image from Google Image Search's "labeled for reuse" tool, illustration by Bauke Schildt

Can't Wait for Windows: Cypress

Anton Frattaroli — Wed, 23 Aug 2017 02:31:37 +0000

When I first saw Cypress a couple years ago, I watched a demo video from the creator and nearly cried tears of joy. I signed up for early access, but never got accepted. I bothered them in their team chat once. I clicked the Watch button on the github project and waited - with an eye on this particular issue: Windows support?

Some are still waiting on Windows support, but I can't wait any longer. Luckily there is a breadcrumb in the github issue: When someone attempts to run Cypress on Windows the error message is supposed to show: You can use Cypress if you install a Linux VM using something like VirtualBox.

VirtualBox

Never heard of it. My virtual machines have always been VMWare. Googled. Downloaded. Installed.

Pretty straightforward. There's a dropdown to choose my operating system. My last experience with Linux was back in 2009 when Windows Vista was out and everyone hated it and Ubuntu was the Linux messiah. I tried it out at the time, only to remember there's no Visual Studio for Ubuntu and abandoned any further effort to switch. Ubuntu is in the VirtualBox list of OSes, and I selected it.

Ubuntu

... FATAL: Could not read from the boot medium.

You mean I have to install Ubuntu myself? Weak. Why the dropdown? Whatever. Googled. Downloaded. Mounted.

... This kernel requires an x86-64 CPU, but only detects an i686 CPU, unable to boot.

I don't know what you're detecting but it isn't an i686. Googled. Oh I have to create a new VM and choose the 64-bit Ubuntu from the dropdown... There's no 64-bit option. Googled. Oh, I need to change my BIOS settings to enable "Virtualization Technology", fine.

Installed Ubuntu. Alright, now we're talking! What's all this Office software? Is this why the ISO took forever to download? Get rid of that desktop trash real quick. Now time to follow the Cypress installation guide.

I need node installed. Googled. sudo apt-get update

Oh, no, no internet. Googled. I have to change Ubuntu settings to work with the host's Cisco AnyConnect VPN. VBoxManage modifyvm "Cypress.io" --natdnshostresolver1 on Baffles me that it has to be run on the virtual machine and not the physical machine, or in VirtualBox Manager. Again, whatever. Let's go.

Node and NPM

sudo apt-get update
sudo apt-get install nodejs

And although it's not mentioned in the Cypress docs, they use the npm command and I know that's separate - not that I've ever used it, must have learned that by osmosis.

sudo apt-get install npm

Fantastic. Let's get the cypress-cli.

~~npm install -g cypress-cli~~

Error. Can't connect. I can browse the internet otherwise... does it work on my physical machine? Oh, no, registry.npmjs.org is blocked by the corporate proxy under the category "internet-communications". First off, that category doesn't make sense, and second, I take offense to npm being blocked. That's like telling hundreds of thousands of people their collective work isn't to be trusted. File a support ticket with NetSec... unblocked.

~~npm install -g cypress-cli~~

Nope. That didn't work. Need to install nodejs-legacy.

sudo apt-get install nodejs-legacy
npm install -g cypress-cli

~~cypress install~~

Didn't work. Need git.

sudo apt-get install git
cypress install
cypress open

Hooray. I can log in with GitHub? Cool, I have one of those. Installing Cypress docs covered, now on to Writing Your First Test... "Open up your favorite IDE". Ouch, 2009 coming back to punch me in the face. At some point I'll be checking this into source control, so better make sure I have something that supports TFS. Googled. Thank you blog from 2010 for your solution to my 2009 problem.

Eclipse

Googled. Looks like I need Java 8 first. One step forward, two steps back.

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Got that. Download Eclipse. Extract. Double click an icon to install - that would be nice if it were Windows but at this point I'm expecting to use the command line.

Team Explorer Everywhere... Googled. I read that there is also a plugin for IntelliJ, and I have read that many people prefer IntelliJ over Eclipse. Too late for that now, I want my automated testing.

Download Source...

Cypress

Add folder... New Cypress project... Copy/paste/gut example test file. Within a half hour I had a test to log in to a site using OAuth:

  describe('Log On Test', function() {

    it('Logs On www.mysite.com', function() {

      cy.visit('https://www.mysite.com')

      cy.get('.landing-login-panel .mdl-card__supporting-text:last a').contains('Log In').click()

      if (cy.url('host') === 'login.domain.com') {

        cy.get('#domain-id').type('username')

        cy.get('#password').type('********')

        cy.get('.submit').click()

      }

  cy.wait(2000)
  cy.get('.user-nav-menu').click()
  cy.get('[for="UIMenu-99"]').should('be.visible')
  cy.get('[for="UIMenu-99"] a[href="/MyProfile"]').click()
})



})

Satisfaction

Plowing ahead without letting obstacles get in your way. That's a skill I has. It certainly was an odyssey to set this up, but it was a morning well spent.

Maybe once I recreate the regression test suite I'll work on integrating it into the CI workflow. I'm sure QA and devops will love that.

And one day, Windows Support will come to Cypress, and I'll force it upon my co-workers.

I still use Firefox

Anton Frattaroli — Wed, 21 Jun 2017 02:21:24 +0000

Chrome is really popular. I'm pretty sure everyone knows it. Chart confirmation. I still use Firefox.

Side Tabs

A good side tabs extension is the primary reason I use Firefox. A row of tabs on top is the worst thing ever. Lists are great:

I use the "Tab Tree" extension (thank you Sergey Zelentsov). Chrome has a handful of side tabs extensions, but I don't consider them usable.

That's It

Side tabs is the only reason I use Firefox.

What's different?

Since I'm using Firefox on my laptop, I'd like everything to sync to my phone so I don't have to retype all my passwords. I like Firefox for Android's tab screen better than Chrome. That's the only difference I notice so that works out pretty well.

I'm in the dev tools quite a bit throughout the day, and I find the Firefox dev tools more intuitive. Chrome can take it's 'Elements', 'Sources', 'Application' tabs and shove it - I prefer 'Inspector', 'Debugger', 'Storage'. Honestly it's not a big difference to me. Some people feel strongly about dev tools.

Should I ever be debugging a cross-browser issue, my other (more popular) browsers are clean installs. Nice to have.

Firefox doesn't support integrated windows authentication. That's alright by me.

I don't understand why more people don't demand side tabs.

IT Roles and Responsibilities

Anton Frattaroli — Fri, 17 Mar 2017 04:19:18 +0000

Increasing growth and complexity brings about distinctive roles in an organization. Let's take a tour of an established information technology division's roles:

Business Analyst

The end users have an idea of what data they want to input and what they want either coming back or going out another end. A business analyst assists end users in defining exactly what those inputs and outputs are and strives to describe the interactions with completeness and consistency.

Infrastructure

The infrastructure team provides places for inputs to go to. It starts with physical machines that need to run in a temperature and humidity controlled environment. Sizing the data center and redundancy are primary concerns. And then they put a layer on top of all that, so that hardware resources can be divided or shared as they please.

Networking

A network engineer makes sure the places that inputs are going to can be gotten to. They logically divide the data centers into layers of connectivity. It's closely tied to security - the data center having it's own firewall, and each division of the data center having an internal segmentation firewall. Publicly exposed HTTP endpoints may also be placed behind a web application firewall. Certain network segments may be accessible via a VPN connection.

Developer

A developer writes instructions to take in input data and turn out output data. Usually transforming the data along the way. That's pretty difficult to do with a stream of 1's and 0's, so developers added layers of abstraction and automation and established shared standards. Layers upon layers, increasing productivity and efficiency. And then rewriting it all.

Operations

Events need to be triggered at certain times, in a certain order, at regular intervals - that's enterprise workflow. The operations team is known for having to make late night calls to support teams when processes fail to complete. They need to structure the workflow responsibly, so that the company isn't overwhelmed when multiple teams want their jobs running at exactly midnight and they all fail. There aren't too many enterprise workflow software suites out there - BMC's Control-M, Automic's UC4, IBM's Tivoli Workload Scheduler, and CA's Workload Automation are the big ones.

Update: In response to feedback I'd like to clarify that by "Operations" I mean a team of Operators and not the more general term "IT Operations" that, at best, has a nebulous definition.

DevOps

The DevOps team drops the developer's input/output instructions into the places that the infrastructure team set up. They set up build servers, integrate with source control, set up deployment scripts. As builds pass inspection they get promoted, eventually to production. It's like development, it's like operations, but it's not either.

Quality Assurance

A quality assurance analyst will get a series of inputs and ensure that the outputs are what is expected. They need to get inputs that cover all use cases, as well as inputs that are known to be invalid, to verify that the product they're testing delivers the proper outputs. It's important for the analyst to be able to judge what is appropriate coverage when testing to balance testing efficiency against the release changeset.

Security

Security has applications at all levels. There is physical security, for example meeting PCI (credit card processing) standards with a locked, 24/7 monitored data center. There are tools that are placed on the network so that the only inputs and outputs that happen are the ones that are there on purpose. There is additional application security and encryption standards, and then there are users. Users and social engineering traps are believed to only be combated by education. The security team focuses on risk management - danger level and probability - and work towards minimizing risk.

Data

All the data being put into IT needs to be saved for later retrieval. Saved data needs secured, backed up, made to be redundant, processed regularly, adjusted for performance, moved around, archived, extracted, transformed and loaded. It's a full time job.

Data Analytics

Who needs a visionary leader when you have predictive analytics? Applying statistics to large data sets can reveal previously unknown behavioral patterns (that you can profit from). This really makes academics irate because it doesn't prove causation. But that isn't a concern for the data analyst because randomized controlled trials are a) expensive and b) take too long.

User Support (Level 1)

With some tools, training and a knowledge-base, a first-responder user support team can address the majority of support incidents from users. With time, a user support technician develops relationships and becomes a go-to person for many users, who find that a personal understanding of their level of computer knowledge greatly enhances the efficiency of IT.

Application support

Internally and externally developed applications need maintained and supported.
Application support technicians, in comparison to level 1 user support, have greater permissions and working knowledge of specific applications. Should the technician be unable to solve an issue, they become the contact team member for the vendor (or development team) that can ultimately repair or extend the application.

Media Support and Production

In the case where the company wants to produce a video and stream it to dozens of conference rooms - Media Support and Production can handle this. Admittedly, it's likely less frequent of a request than producing a polished video or supporting a microphone system, but an exciting opportunity nonetheless. They have expensive equipment and they know how to use it.

UX designer

There are some smart people out there who will tell you that user experience means everything. A user experience (UX) designer could be employed anywhere in the company with great effect, but in terms of IT their focus is on a product's interface and workflow. If the product isn't a pleasure to use, it needs work. They focus on intuitive design, human-computer interactions, information architecture.

Designer

The only time aesthetics can be overlooked is when you plan for no one to ever see it. Graphic design is a joy to practice and challenging to master, and a regular task for the designer. The real challenge is getting the company to follow a consistent aesthetic strategy that can enforce brand identification, and produce assets for consumption across all forms of media.

Compliance (Legal, Accessibility)

Compliance can tell you what the boundaries of the law are, and whether or not you're outside of them. Frequently, they need the help of security to ensure compliance, but will cover many topics outside of security - privacy policies, service level agreement (SLA) contracts, acceptable use, user agreements, do-not-disclose (DND) contracts. There are grey areas, and in that case they stress that you show good intent. Do you ever see the legal disclaimers at the end of an email? Not enforceable, but show intent.

I don't want to miss mentioning accessibility. A lot of work goes into support for blind/low vision, deaf, amputees, paralyzed users and others - and those users' participation in the process is greatly appreciated. Compliance can be the driving force behind accessibility support.

Architecture

Responsible growth planning, exploitation of synergies and mapping business needs to IT solutions are the architect's bread and butter. They want a high level view of what is going on to ensure business needs are met while avoiding reinventing the wheel, having efforts duplicated, or starting something now that will be obsolete before it's finished. Depending on the scope of the architect, they may be tackling enterprise-wide problems like "the digital workplace" or looking to extend an existing solution to benefit a separate business unit.

Change Control

Change control is said to be like herding cats, at times. Disparate yet highly integrated teams need to communicate changes to avoid collisions and conflicts and Change Control establishes a structured venue for that to happen. Like many aspects of IT, this is a process for risk management. Has it been tested? Will there be downtime? Is there a communication plan after the change is made? We want to know what is happening in the organization ahead of time, why emergency changes take place, and how we can avoid them in the future.

Project manager

A project manager is another cat herder, who needs to track all of the moving parts of a big change and stay one step ahead to pull the stops that would otherwise halt progress. They like estimates, burn-downs, Scrums and time tracking software. With that high level view of progression comes an obligation to manage morale as well.

IT Manager

IT Management primarily looks after people - people who need tools, budgets, career progression, and to work with other people on the same team and with other teams. In some ways they're like an architect, one eye to the horizon and the other on today. Often they'll be the final say on how work is prioritized, and be able to tell you who needs help when.

Honorable mentions

Language translation services - frequently outsourced or outside of IT, but kudos to those who translate resources files or JSON in the IDE.
Product Owners - who are the final say in a Business Analyst's grey area, are welcome in the IT division, but have at least one foot firmly planted in the business side.
Content Managers - They may as well be members of the IT department, setting up analytics and social media campaigns and having thorough knowledge of content management systems.

Thank You

I'd like to personally thank the people who fill these roles - Thank you. I apologize if I missed anyone, misrepresented your role or lumped your responsibilities in with someone else's.

Hi, I'm Anton Frattaroli

Anton Frattaroli — Thu, 16 Mar 2017 00:20:08 +0000

I have been coding for 22 years.

You can find me on Twitter as @AntonFrattaroli

I live in Michigan.

I mostly program in these languages: JavaScript, HTML, CSS, C#, SQL.

Nice to meet you.