The role of a product owner on mid-sprint changes


Since we deal with clients every day, and since they are the ones who give us requirements, they need to understand certain ground rules of working together. If our clients are the ones who suddenly change the requirements, we need to let them know, very gracefully, that these changes come with a cost.

I have been having a conversation in an online forum regarding change requests and how we can incorporate them in a sprint, and the following is just one of the replies that I got from one of the experts. I thought his reply was amazing and it is worth sharing.

==============the reply starts here=============

The key is transparency, and making the costs apparent to the customer. Then they can decide if they want to pay or not.

Customer: I need X done right away.
PO: OK we can put it at the top of the backlog, and the team can start on it first thing next sprint. Do you agree it needs to go ahead of these other things here that are currently top priority?
Customer: No, I need work on this to start right away.
PO: let me get back to you in a little bit with a cost estimate for that.
PO (a little later): OK, the team has scoped that work at 4 points, and I’m going to add another 4 points for disruption caused by introducing this change mid-sprint, since the team has to stop what they are doing and re-plan things etc. So if you need this right now, we need to agree on 8 points of pending stories to be removed from the sprint. Or would you rather put it on the backlog?
Customer: so wait, it’s going to cost me twice as much to do it right now as opposed to waiting a week?
PO: yep, that’s the cost of ‘changing horses midstream’ as it were. And we need to remove other work from the sprint to accommodate it. You need to be sure this is more important than these other things here. Do you need it that badly?

At this point the customer can make an informed decision. If not having this thing is going to cost him thousands per day, then he may still want the team to make it a #1 priority. Or he may decide that having it at the end of the next sprint is soon enough.

It’s not ideal, but if something is badly needed right away, it’s pretty non-agile of the team to take the ‘following a plan’ line over ‘responding to change’.

Key things (IMHO):
1) Such change is never free, and this MUST be made apparent to the customer.
2) If in doubt, overestimate the cost of change; if you are wrong, the team can pull in a story from the backlog should they discover they have capacity. Which is far better than the alternatives of unsustainable pace or undone work at the end of the sprint.
3) There MUST be work not yet started that is > the cost of the new work plus the overhead; otherwise even this is not really a viable option and your only choice would be to end the sprint early with that work undone (presuming the customer absolutely must have you drop everything and work on some dire emergency right away).
4) The customer must be involved in choosing what work is moved out of the sprint and back to the backlog; this is part of making the cost obvious and forces them to balance the priority of the new work vs. what’s remaining in the sprint.

==========the reply ends here===========


Adapting to Scrum

  • Being Open To Change – The Scrum framework is simple, but it is not easy to implement unless there are open-minded people across the organization. Simple doesn’t mean easy. What sort of open mind does it need? First and foremost, be open to change. Scrum requires radical changes as far as the process is concerned: the team needs to be independent, no one should babysit the team, and the team should take control over the things to be done. No one has the right to assign the team tasks; the Product Owner maintains the product vision, and so on. This isn’t the case in traditional project management. You don’t have a complete project plan done in Microsoft Project! In Scrum, you take a small step towards the final goal and make the necessary changes when your iteration completes at a fixed time. Everything in Scrum is time-boxed.
  • Trust Towards Others – Senior management should trust the Scrum team. They can influence the Product Owner when changes are needed in the product vision, but even the Product Owner cannot assign tasks to the team. He just needs to maintain the vision and priorities for the project. He can be there during sprint planning and the sprint review meeting to see the progress and verify that the team is building the right things. How much to do in a sprint, and how to do it, is all up to the team. That gives complete ownership of the tasks to the team. No project manager drives the show; the Scrum team together manages the show. This can only be done with trust.
  • Willingness To Understand the Changes Required – The Scrum framework is intended to handle frequent changes. Only during a Sprint are the committed things not changed. Before and after a sprint, there are always changes proposed by the Product Owner, management, the team, etc. Scrum encourages changes that refine the product, so everyone needs to provide feedback and be ready for the changes.
  • Inspection and Adaptation – Scrum needs constant inspection and review to understand the progress made. If anything needs to be changed, it has to be done. The team needs to adopt better practices as and when needed.
  • Honesty – Everyone in the Scrum team needs to be honest. Members need to take complete ownership and be responsible for completeness. Members should be cross-functional, non-egoistic and honest in taking on others’ work when needed. Since no one assigns tasks, members should be proactive in taking up responsibilities. The Product Owner should do an honest review of the progress, talk to customers and stay up to date with their requirements. The Scrum Master must make an honest attempt to help the team when they are in trouble, and needs to protect the team when additional changes come from upper management during a sprint.
  • No Blame Game – Scrum team members should not point fingers at each other. It is very important to maintain this during Sprint Review and Retrospective meetings. Members need to respect each other and be polite to each other. If we are rude in pointing out mistakes, the team chemistry is affected adversely. All these qualities are not easy to find in an enterprise. Management needs to do considerable work to provide such an environment in the first place, and company policies need to change to accommodate such things.

Source: internet.

How to get motherboard serial: Java


This is more of an extension to my last post. The previous entry was about extracting the serial number using VBScript; this one is for the Java lovers. So here you go:


import java.io.BufferedReader;
import java.io.File;
import java.io.FileWriter;
import java.io.InputStreamReader;

public class MiscUtils {
    private MiscUtils() { }

    // Writes a throw-away VBScript, runs it through cscript and returns the
    // baseboard serial that WMI reports (Win32_BaseBoard.SerialNumber). Windows only.
    public static String getMotherboardSN() {
        String result = "";
        try {
            File file = File.createTempFile("realhowto", ".vbs");
            file.deleteOnExit();
            FileWriter fw = new FileWriter(file);

            String vbs =
                "Set objWMIService = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\n"
                + "Set colItems = objWMIService.ExecQuery _ \n"
                + " (\"Select * from Win32_BaseBoard\") \n"
                + "For Each objItem in colItems \n"
                + " Wscript.Echo objItem.SerialNumber \n"
                + " exit for ' only the first baseboard is needed \n"
                + "Next \n";
            fw.write(vbs);
            fw.close();

            // Array form: the temp directory may contain spaces (e.g. "Documents and
            // Settings"), and exec(String) would split the path on them.
            Process p = Runtime.getRuntime().exec(
                new String[] { "cscript", "//NoLogo", file.getPath() });
            BufferedReader input =
                new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line;
            while ((line = input.readLine()) != null) {
                result += line;
            }
            input.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return result.trim();
    }
}
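The same query done without a temporary script, as an added example (this is not the original post’s code). It launches wmic through ProcessBuilder with one array element per argument, so the command is never re-split on spaces, and it refuses the placeholder serials that OEM firmware and virtual machines commonly report instead of a real value. Assumptions: wmic.exe is present (it is deprecated on current Windows releases, where Get-CimInstance Win32_BaseBoard returns the same property), and the placeholder list is illustrative rather than complete.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class BaseboardSerial {

    // Values that firmware ships instead of a real serial (assumption: illustrative,
    // not exhaustive). A licence check that accepts these binds to nothing.
    private static final List<String> PLACEHOLDERS = Arrays.asList(
        "", "none", "default string", "to be filled by o.e.m.", "system serial number",
        "not applicable", "not specified", "0123456789", "base board serial number");

    // Runs `wmic baseboard get SerialNumber` using the String[] form, so the command
    // is handed to the OS as separate arguments and never re-tokenised on spaces.
    public static List<String> readWmicLines() throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder("wmic", "baseboard", "get", "SerialNumber");
        pb.redirectErrorStream(true);
        Process p = pb.start();
        List<String> lines = new ArrayList<>();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(p.getInputStream(), Charset.defaultCharset()))) {
            String line;
            while ((line = in.readLine()) != null) {
                lines.add(line);
            }
        }
        if (p.waitFor() != 0) {
            throw new IOException("wmic exited with " + p.exitValue());
        }
        return lines;
    }

    // wmic prints a header row ("SerialNumber") followed by the value; return the
    // first non-empty line after the header, or "" when nothing usable came back.
    public static String parseSerial(List<String> wmicOutput) {
        boolean pastHeader = false;
        for (String raw : wmicOutput) {
            String line = raw.trim();
            if (!pastHeader) {
                if (line.equalsIgnoreCase("SerialNumber")) pastHeader = true;
                continue;
            }
            if (!line.isEmpty()) return line;
        }
        return "";
    }

    // True only for a serial that could plausibly tell one board from another.
    public static boolean isUsableSerial(String serial) {
        String s = serial == null ? "" : serial.trim().toLowerCase(Locale.ROOT);
        return !PLACEHOLDERS.contains(s);
    }

    public static void main(String[] args) throws Exception {
        String serial = parseSerial(readWmicLines());
        if (isUsableSerial(serial)) {
            System.out.println("baseboard serial: " + serial);
        } else {
            System.out.println("no usable baseboard serial (got '" + serial + "'); "
                + "combine other identifiers instead of accepting this one");
        }
    }
}
```

Treat the result as an identifier, not a secret: any local user can run the same query, so it can tie a licence to a machine but it cannot prove anything to a server, and a hypervisor can present whatever value it likes.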

How to get motherboard serial number in VBScript


The following is a code snippet, in fact the entire script, that echoes (prints) the serial number of the motherboard of the machine it is running on. You might ask why it would be necessary for anyone to know the serial number. Well, if you build software that you do not want to run on multiple machines, or do not want to be installed on multiple machines, then it is very useful. For example, if you have built software that is licensed and want it to expire after a time period and want to restrict it from being installed again, then you might want to check some unique attribute of the machine it is being installed on. Two caveats before relying on it: the baseboard serial is an identifier, not a secret, since any local user can read it with this same query, and many OEM boards and virtual machines report it empty or as a placeholder such as “To be filled by O.E.M.”, so a licence check should treat such values as unusable rather than as a valid match. Here you go.

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard")
For Each objItem in colItems
    Wscript.Echo objItem.SerialNumber
    Exit For ' only the first baseboard is needed
Next

Java Runtime.getRuntime().exec(…) will and will not work…


The class java.lang.Runtime features a static method called getRuntime(), which returns the Runtime object associated with the current Java application. That is the only way to obtain a reference to the Runtime object. With that reference, you can run external programs by invoking the Runtime class’s exec() method.

The four most commonly used overloads of exec() are listed below (since Java 1.3 there are two more, each taking an additional working-directory File argument):

* public Process exec(String command);
* public Process exec(String [] cmdArray);
* public Process exec(String command, String [] envp);
* public Process exec(String [] cmdArray, String [] envp);

For each of these methods, a command — and possibly a set of arguments — is passed to an operating-system-specific function call. This subsequently creates an operating-system-specific process (a running program), and a reference to a Process object is returned to the Java VM. The Process class is an abstract class, because a specific subclass of Process exists for each operating system.

Let me give an example:

Runtime r = Runtime.getRuntime();
Process p = null;

try {
    String notepad = "c:\\windows\\notepad.exe";
    String regedit = "c:\\windows\\regedit.exe";

    p = r.exec(notepad);   // each exec() call starts a separate process
    p = r.exec(regedit);

} catch (Exception e) {
    e.printStackTrace();
}
The example given above shows how to invoke an executable through the runtime. If you look carefully, the exec() method is responsible for creating a new process for the executable; its parameter is a command, or rather the location of the executable in this case. Look at the command carefully. Let’s take the first of the two commands as an example:

String notepad = "c:\\windows\\notepad.exe";

If you notice, the backslashes are escaped using yet another backslash. What if there was a space in the command? For example, "c:\\Program Files\\someFolder\\some.exe". If you print the string, the output is exactly c:\Program Files\someFolder\some.exe, with the backslashes properly escaped and the space exactly where it should be. But the fact of the matter is that it won’t be executed by the exec() method. An exception will be thrown saying that "c:\Program" cannot be found. The reason is that exec(String) does not pass the string to the OS as-is: it splits it into tokens on whitespace (a StringTokenizer, as the Javadoc documents), takes the first token as the program and the remaining tokens as its arguments, so the program becomes c:\Program and Files\someFolder\some.exe becomes its first argument. There is no quoting or escaping rule for spaces at all, which is why this has been reported as a bug on the Sun Developer Network. There happens to be a workaround: instead of assigning the command to a single string, assign it to a string array, one element for the program and one per argument, and exec() executes the command properly. The same tokenising is a security concern whenever part of the command line comes from user input: a filename containing a space is silently turned into extra arguments, and a crafted one can add options the program honours. The array form keeps each value as exactly one argument, although it does not help if the program you launch is itself a shell (cmd.exe /c or sh -c) that re-parses what it is given.
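An added example, not from the original post, that makes both behaviours visible side by side. splitLikeExec() reproduces the whitespace tokenising that Runtime.exec(String) applies (the Javadoc specifies a StringTokenizer), argv() builds the vector that the String[] and ProcessBuilder forms pass to the OS unchanged, and run() launches such a vector. The paths and the user-supplied filename are constructed for the demonstration and do not exist on any real machine.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

public class ExecTokenising {

    // What Runtime.exec(String) does before launching anything: split the command
    // line on whitespace. Token 0 becomes the program, the rest its arguments.
    public static List<String> splitLikeExec(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    // The argument vector the String[] / ProcessBuilder form hands to the OS:
    // one element per argument, so spaces inside a value survive untouched.
    public static List<String> argv(String program, String... args) {
        List<String> v = new ArrayList<>();
        v.add(program);
        v.addAll(Arrays.asList(args));
        return v;
    }

    // Launches an argument vector and returns the exit code. A missing program
    // surfaces as IOException, the same error the String form reports for
    // "c:\Program" when a path contains a space.
    public static int run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).inheritIO().start();
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        String exe = "c:\\Program Files\\someFolder\\some.exe";   // hypothetical path

        // String form: program "c:\Program", argument "Files\someFolder\some.exe"
        System.out.println("exec(String) tokens: " + splitLikeExec(exe));

        // Same splitting applied to untrusted input: the filename grows a second
        // token that the launched program will read as an option.
        String userFile = "report.txt --output=C:\\other\\place.txt";   // constructed input
        System.out.println("exec(String) tokens: " + splitLikeExec("c:\\tools\\convert.exe " + userFile));

        // Array form: the path stays one element and the filename stays one argument
        // (this still does not help if the program itself is cmd.exe /c or sh -c).
        System.out.println("argv form:           " + argv(exe));
        System.out.println("argv form:           " + argv("c:\\tools\\convert.exe", userFile));

        // Only launch something when a real program is given on the command line,
        // e.g. java ExecTokenising "c:\Program Files\Some App\tool.exe" --version
        if (args.length > 0) {
            System.out.println("exit code: " + run(argv(args[0], Arrays.copyOfRange(args, 1, args.length))));
        }
    }
}
```

The first two printed lists show the split the String form performs; the last two show the vector the array form preserves. Validate or allow-list untrusted values before they reach either form, since a correctly passed argument can still be one the target program interprets.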

JAlbum, hop your way to a new gallery


JAlbum is a very simple yet very handy desktop application for creating albums and publishing them on the web. It runs on the JVM, so it can practically run on any operating system. All you need to do is create an album and point it at the directory of the photos, and voilà! You have your own gallery hosted on the web. Initially JAlbum provides 30 MB of free space for hosting your picture gallery, but space up to 10 GB can be bought.

The software allows users to manage their photo collection, sorting photos into albums, performing basic digital editing and commenting (although not tagging) individual photos. The main focus is on producing HTML and Flash based galleries, for publishing online or distributing via other means. Users can customize the look and functionality of their photo galleries by using a small set of templates or skins that come with the program, or by choosing from over 100 skins available for free download. The community that has formed around Jalbum produces a variety of creative skins, offering galleries based on standard HTML designs, AJAX slideshows and popular Flash based image viewers.

The application is very intuitive, so one can download it and start using it straight away. You can download the latest version from here.

Web Application vulnerabilities that we should not overlook


The following are Web application vulnerabilities that we’ve all likely overlooked, yet we can’t afford to miss.

Files that shouldn’t be publicly accessible
Using a Web mirroring tool such as HTTrack, mirror your site(s) and manually go through the files and folders downloaded to your local system. Check for FTP log files, Web statistics (such as Webalizer) log files, and backup files containing source code and other comments that the world doesn’t need to know about. You can also use Google hacking tools such as SiteDigger and Gooscan to look for sensitive information you may not have thought about. You’ll likely find more files and information using manual scans than Google hacks, but do both to be sure.

Functionality that’s browser specific
With all the standards that exist for HTTP, HTML and browser compatibility, you’ll undoubtedly witness different application behavior using different browsers. I see things like form input, user authentication and error generation handled one way in Firefox and yet another in Internet Explorer. I’ve even seen different behavior among varying versions of the same browser.

I’ve also come across security issues when using an unsupported browser. Even if you’re not supposed to use a certain browser, use it anyway and see what happens. So, when you’re digging in and manually testing the application, be sure to use different browsers – and browser versions if you can – to uncover some “undocumented features”.

Flaws that are user-specific
It’s imperative to go beyond what the outside world sees and test your Web applications as an authenticated user. In fact, you should use automated tools and manual checks across every role or group level whenever possible. I’ve found SQL injection, cross-site scripting (XSS), and other serious issues while logged in as one type of user that didn’t appear at a lower privilege level and vice versa. You’ll never know until you test.

Operating system and Web server weaknesses
It’s one thing to have a solid Web application, but keeping the bad guys out of the underlying operating system, Web server and supporting software is quite another. It’s not enough to use automated Web vulnerability scanners and manual tests at the application layer. You’ve got to look at the foundation of the application and server as well. I often see missing patches, unhardened systems and general sloppiness flying under the radar of many security assessments. Use tools such as Nessus or QualysGuard to see what can be exploited in the OS, Web server or something as seemingly benign as your backup software. The last thing you want is someone breaking into your otherwise bulletproof Web application at a lower level, obtaining a remote command prompt for example, and taking over the system that way.

Form input handling
One area of Web applications where people rely too much on automated security scanning tools is forms. The assumption is that automated tools can throw anything and everything at forms, testing every possible scenario of field manipulation, XSS and SQL injection. That’s true, but what tools can’t do is put expertise and context into how the forms actually work and can be manipulated by a typical user.

Determining exactly what type of input specific fields will accept combined with other options presented in radio buttons and drop-down lists is something you’re going to be able to analyze only through manual assessment. The same goes for what happens once the form is submitted, such as errors returned and delays in the application. This can prove to be very valuable in the context of typical Web application usage.

Application logic
Similar to form manipulation, analyzing your Web application’s logic by some basic poking and prodding will uncover as many, if not more, vulnerabilities than any automated testing tool. The possibilities are unlimited, but some weak areas I’ve found revolve around the creation of user accounts and account maintenance. What happens when you add a new user? What happens when you add that same user again with something slightly changed in one of the sign-up fields? How does the application respond when an unacceptable password length is entered after the account is created?

You should also check email headers in email sent to users. What can you discover? It’s very likely the internal IP address or addressing scheme of the entire internal network is divulged. Not necessarily something you want outsiders knowing.

Also, look at general application flows, including creation, storage and transmission of information. What’s vulnerable that someone with malicious intent could exploit?
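An added example for the e-mail header check above (it is not part of the original article). It unfolds a raw header block, walks the Received: and X-Originating-IP: lines and reports every RFC 1918, loopback or link-local IPv4 address in them, which is exactly what the recipient of a notification mail gets to see. The sample header block is constructed for the example; the hostnames and addresses are made up.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ReceivedHeaderCheck {

    private static final Pattern IPV4 = Pattern.compile(
        "\\b((?:25[0-5]|2[0-4]\\d|1?\\d?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)){3})\\b");

    // RFC 1918 ranges plus loopback and link-local: any of these in a header that
    // reaches the recipient describes the sender's internal network.
    public static boolean isInternal(String ip) {
        String[] o = ip.split("\\.");
        int a = Integer.parseInt(o[0]);
        int b = Integer.parseInt(o[1]);
        return a == 10
            || (a == 172 && b >= 16 && b <= 31)
            || (a == 192 && b == 168)
            || a == 127
            || (a == 169 && b == 254);
    }

    // Unfolds the header block (continuation lines start with whitespace), then
    // returns each internal address found in Received: or X-Originating-IP: lines.
    public static List<String> leakedInternalAddresses(String rawHeaders) {
        String unfolded = rawHeaders.replaceAll("\\r?\\n[ \\t]+", " ");
        List<String> leaks = new ArrayList<>();
        for (String line : unfolded.split("\\r?\\n")) {
            String lower = line.toLowerCase();
            if (!lower.startsWith("received:") && !lower.startsWith("x-originating-ip:")) {
                continue;
            }
            Matcher m = IPV4.matcher(line);
            while (m.find()) {
                String ip = m.group(1);
                if (isInternal(ip) && !leaks.contains(ip)) {
                    leaks.add(ip);
                }
            }
        }
        return leaks;
    }

    // Constructed sample header block: hosts and addresses are invented for the example.
    static final String SAMPLE =
          "Received: from mail-out.example.com (mail-out.example.com [203.0.113.7])\r\n"
        + "\tby mx.recipient.example (Postfix) with ESMTPS id 4ABC\r\n"
        + "\tfor <user@recipient.example>; Mon, 3 Mar 2008 10:12:01 +0000\r\n"
        + "Received: from app-srv01.corp.example.com (unknown [10.20.30.40])\r\n"
        + "\tby mail-out.example.com (Postfix) with ESMTP id 9DEF\r\n"
        + "Received: from localhost (localhost [127.0.0.1])\r\n"
        + "\tby app-srv01.corp.example.com with SMTP\r\n"
        + "From: noreply@example.com\r\n"
        + "Subject: Your account\r\n";

    public static void main(String[] args) {
        List<String> leaks = leakedInternalAddresses(SAMPLE);
        if (leaks.isEmpty()) {
            System.out.println("no internal addresses in the header chain");
        } else {
            System.out.println("internal addresses exposed to the recipient: " + leaks);
        }
    }
}
```

Run it against a message your application actually sent (save the raw source and paste the header block in place of SAMPLE). The internal hostnames on the same lines (app-srv01.corp.example.com in the sample) leak just as much as the addresses; the usual fix is an outbound relay that strips or rewrites the inner Received: lines before the mail leaves the network.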

Authentication weaknesses
It’s easy to assume that basic form or built-in Web server authentication is going to protect the Web application, but that’s hardly the case. Depending on the authentication coding and specific Web server versions, the application may behave in different ways when it’s presented with login attacks – both manual and automated.

How does the application respond when invalid user IDs and passwords are entered? Is the user specifically told what’s incorrect? This response alone can give a malicious attacker a leg up knowing whether he needs to focus on attacking the user ID, password, or both. What happens when nothing is entered? How does the authentication process work when nothing but junk is entered? How do the application, server and Internet connection all stand up to login attacks when a dictionary attack is run using a tool such as Brutus? Are log files filled up? Is performance degraded? Do user accounts get locked after so many failed attempts? Those are all things that affect the security and availability of your application and should be tested for accordingly.

Sensitive information transmitted in the clear
It seems simple enough to just install a digital certificate on the server and force everyone to use secure sockets layer (SSL). But are all parts of your application using it? I’ve come across configurations where certain parts of applications used SSL, but others did not. Lo and behold, the areas that weren’t using SSL ended up transmitting login credentials, form input and other sensitive information in the clear for anyone to see. It’s not a big deal until someone on your network loads up a network analyzer or a tool such as Cain, performs ARP poisoning and captures all HTTP traffic flowing across the network – passwords, session information and more. There’s also the inevitable scenario of employees working from home or a coffee shop using an unsecured wireless network. Anything transmitted via unsecured HTTP is fair game for abuse. Make sure everything in the application is protected via SSL – not just the seemingly important areas.

Possible SQL injections
When using automated Web application vulnerability scanners, you may come across scenarios where possible SQL injections are discovered when logged in to the application. You may be inclined to stop or not know how to proceed, but I encourage you to dig in deeper. The tool may have found something but wasn’t able to actually verify the problem due to authentication or session timeouts or other limitations. A good SQL injection testing tool will provide the ability to authenticate users and then perform its tests. If the application is using form-based authentication, don’t fret. You can simply copy or capture the original SQL injection query and then copy and paste the entire HTTP request into a Web proxy or HTTP editor and submit it to a Web session you’re already authenticated to. It’s a little extra effort, but it works and you may be able to find your most serious vulnerabilities this way.

False sense of firewall or IPS security
Many times firewalls or intrusion detection/prevention systems (IPS) will block Web application attacks. Validating that this works is good, but you also need to test what happens when such controls aren’t in place. Imagine the scenario where an administrator makes a quick firewall rule change or the protective mechanisms are disabled or temporarily taken offline altogether? You’ve got to plan on the worst-case scenario. Disable your network application protection and/or setup trusting rules and see what happens. You may be surprised.

With all the complexities of our applications and networks, all it takes is one unintentional oversight for sensitive systems and information to be put in harm’s way. Once you’ve exhausted your vulnerability search using automated tools and manual poking and prodding, look a little deeper. Check your Web applications with a malicious eye – what would the bad guys do? Odds are there are some weaknesses you may not have thought about.

Redmine, a free project management web application


Redmine is a free, open source project management/bug tracking web application similar to JIRA. The difference is that Redmine is built using Ruby on Rails and, of course, it is free. Redmine has not reached maturity yet for use in enterprise applications like Therap, but it works fine for small projects. Since it is built using RoR, a little configuration needs to be done before you can use it.

Some of the main features of Redmine are:
* Multiple projects support
* Flexible role based access control.
* Flexible issue tracking system
* Gantt chart and calendar
* News, documents & files management
* Feeds & email notifications.
* Per project wiki
* Per project forums
* Simple time tracking functionality
* Custom fields for issues, projects and users
* SCM integration (SVN, CVS, Git, Mercurial, Bazaar and Darcs)
* Multiple LDAP authentication support
* User self-registration support
* Multilanguage support
* Multiple databases support

If you want to go through the features of Redmine, then go to the following link:

If you want to install Redmine, then go to the following link:


If you just want to try the online demo, then go to the following link:

Our Deepest Fear…


“Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness that most frightens us. We ask ourselves, Who am I to be brilliant, gorgeous, talented, fabulous? Actually, who are you not to be? You are a child of God. Your playing small does not serve the world. There is nothing enlightened about shrinking so that other people won’t feel insecure around you. We are all meant to shine, as children do. We were born to make manifest the glory of God that is within us. It’s not just in some of us; it’s in everyone. And as we let our own light shine, we unconsciously give other people permission to do the same. As we are liberated from our own fear, our presence automatically liberates others.”
— by Marianne Williamson