Government in the Web 2.0 World
In a rare moment when Twitter was up Ivo Jansch put me on to one of his recaps of php|tek and I was particularly interested in a presentation by Terry Chay. If you haven't heard Terry talk there are two things you will leave with:
- Your quota for the f-bomb. I know it may sound unprofessional but he does manage to use it to draw attention to the things that really deserve it. Truth be told, though, he does simply enjoy cussing.
- A bunch of web programming goodness, particularly around web development and PHP.
In truth I only partially disagree. If your job is more one with an eye toward engineering the next great, viral application then he's absolutely right. Twitter is learning this the hard way, whereas Digg, Facebook, Yahoo! and others successfully figured this out. Then there is me, the government IT worker not focused on any one site, rather, building a large number of smaller sites. Now you could argue that states like California, Florida, Texas, etc. have enough of a population base to justify the same Chay philosophy here but generally my experience is that for government the order really ought to be Stability, Security, Speed and Scalability. Why?
- Stability - Let's face it, if the application isn't stable the other three S's don't matter. Using my own original Chayism a secure, fast and scalable piece of sh*t is nothing more than that. An over-engineered piece of sh*t. Terry and I seem to agree here.
- Security - In government, securing the data of citizens and businesses is paramount. That's not to suggest it isn't for the more Web 2.0, viral, social networking type sites but nearly every government system I've touched has had a strong focus on security. It's not just the usual stuff like SQL injections, XSS and CSRF but also the notion of feature-based security. By that I mean we apply our MVC model to only expose certain features to the public internet. A common example of this is to limit administrative features for use on our Intranet. Other considerations that move the security issue up the priority chain in government include watchdog groups and media outlets that thrive on good government scandals and mishaps. In Terry's defense (not that he needs it) one of the arguments I could see him giving is that it's pretty trivial to secure a stable, scalable and fast application.
- Speed - After stability and security Speed is next in line. Not to further stereotype a state with plenty already out there, Iowa's sheer population suggests that the need to massively scale an application is going to be a rare issue. Serving as many requests per second, however, does come into play. A great example why this is so is the Iowa Sex Offender Registry. From time to time some high profile sex offender cases have been covered on various media outlets across the state and this can cause short periods of high volume traffic. Making the code run as fast as possible allows us to meet these rare spikes. If we were unable to do this reliably we'd then have to turn to our last S... Scalability.
- Scalability - Again, don't get me wrong, I can see where scalability has its place and I have heard talks on both trivial and more complicated ways to achieve this whether it be database replication, sharding a database, implementing memcached, etc. In fact we even use a few of these techniques in our Java environment which is the only platform we currently support to scale horizontally. To PHP's credit, for Iowa's needs it performs well enough out of the box we often avoid having to put much thought into scalability. The big gain here is we spend less time on engineering concerns and more time focusing on customer requirements and trying to commoditize software delivery.
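The feature-based security idea from the Security item above, sketched as a front-controller check. This is an added example, not code from the original post or from any system it describes; the route names, zone labels and intranet ranges are assumptions made up for illustration, and the CIDR helper assumes IPv4 on 64-bit PHP.

```php
<?php
declare(strict_types=1);

// Hypothetical route table: every controller/action is tagged with the zone allowed to reach it.
const ROUTE_ZONES = [
    'registry/search' => 'public',
    'registry/view'   => 'public',
    'admin/users'     => 'intranet',
    'admin/audit'     => 'intranet',
];
// Assumed intranet ranges (constructed sample values).
const INTRANET_CIDRS = ['10.20.0.0/16', '192.168.50.0/24'];

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // unparsable or non-IPv4 address never matches
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// $remoteAddr should be the socket peer (REMOTE_ADDR), not X-Forwarded-For,
// which is client-supplied unless a trusted proxy overwrites it.
function isAllowed(string $route, string $remoteAddr): bool
{
    $zone = ROUTE_ZONES[$route] ?? null;
    if ($zone === null) {
        return false; // default deny: an untagged feature is exposed nowhere
    }
    if ($zone === 'public') {
        return true;
    }
    foreach (INTRANET_CIDRS as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed requests: route plus the source address seen by the web server.
$samples = [['registry/search', '203.0.113.7'], ['admin/users', '203.0.113.7'],
            ['admin/users', '10.20.4.15'], ['admin/debug', '10.20.4.15']];
foreach ($samples as [$route, $ip]) {
    printf("%-16s %-12s %s\n", $route, $ip, isAllowed($route, $ip) ? 'dispatch' : '404');
}
```

Answering a denied route with the same 404 as an unknown route keeps the public side from learning which administrative features exist.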
All that said, there is a lot to learn from people like Terry as I don't doubt that some day an application will come across my IDE that will require me to rethink the order of Stability, Security, Speed and Scalability. One thing that can be learned is that no matter what application you are working on, the analysis process and resulting requirements had better make it clear what that order should be.