Best Practices Blog

The Best Practices Blog is a place where we share our insights into web application development with our clients, potential clients and any person or group who may be interested in, or currently involved in, developing an application for the web.

New tax reporting requirements bad for business

Typically, I’ve used this blog as a forum for sharing insights into developing custom software. Today, I’m deviating from that and asking you to take action in another way to help your business and all businesses.

With the passage of the health care reform act (H.R. 3590), a hidden bit of legislation was tacked onto the bill. Section 9006 changes tax reporting requirements for all businesses in the U.S. This requirement will force companies to request W-9s and to produce and file a 1099-MISC for all expenses equal to or greater than $600 per year, cumulatively, with any vendor or retailer.

This would not just include the standard contract laborers, but all providers of services or goods. That includes Staples, Sam’s Club, Delta Airlines and FedEx, for example. This would increase the number of 1099s to be filed by many, many times for all businesses.

I feel–as I hope many of you do–that this requirement is excessive and especially hurtful to small business at a time when businesses are struggling to recover in a still-ailing economy.

Click here to read more about the possible effects of this new legislation.

Then, I encourage you to take action to prevent this before it goes into effect beginning in 2012.

U.S. Rep. Dan Lungren from California submitted House Resolution 5141 The Small Business Paperwork Mandate Elimination Act, which proposes to remove section 9006 of H.R. 3590.

By going to this site, you can find a contact form for your congressman. Please write your local representative and include the following text:

Congressman Name:

I am concerned about a portion of the recent health care reform bill pertaining to additional requirements for 1099 reporting for businesses. Section 9006 of H.R. 3590 will require businesses to request a W-9 and produce a 1099 for all vendors and retailers with which they spend $600 or more per year. I’m concerned that this will require more time and expense for businesses–and will be particularly hurtful for small businesses–at a time when businesses are still struggling. The requirement would take effect in 2012. H.R. 5141: Small Business Paperwork Mandate Elimination Act has been introduced in the House and has been referred to the House Committee on Ways and Means. I support passage of this bill and would appreciate your support of this bill and your support of small businesses.

Thank you,
Your Name

Please feel free to customize it as you like and spread the word.

How custom development can improve your bottom line

With complex custom projects, we hold one or more meetings with our client to help the client–and us–visualize the current work-flow and the new work-flow as it will be with the new custom application.

This is a fairly simple and painless process. And often, something the client has never done. But, having even the most simple visual representation of how a company gets from point A to point Z in any process creates the possibility of analyzing and tweaking those processes.

Without a concrete visualization, processes can seem fuzzy, abstract and are often understood differently by those within the organization. Many times, one person or group may not be fully aware of how another person or group is accomplishing a portion of that very same process and how it relates to other portions.

At this stage, we haven’t even gotten to the application and we can already see where bottlenecks and unnecessary and redundant steps can be eliminated. The bottom line is improving already, because the client can see what’s happening and streamline the process, improving efficiency and, ultimately, lowering the cost of operation.

Then–enter the application–and we begin to eliminate redundant data entry across multiple applications; automate tasks like invoicing, data import, report generation, packing lists, shipping labels, web site updates and electronic file and mail distribution; and, endless other possibilities.

Often, for less than the cost of a new hire, a custom application or suite of applications can make your existing staff more productive and free them up to take on other tasks.

The long-term savings may even make it possible to bring in new hires as the organization grows. And, with a concrete visualization of the new work-flow and training materials for your application in place, new hires are up-and-running faster.

Developer best practices at heart of application security

In a recent article at, Andy Gutmans, CEO of Zend—the company behind PHP—echoed one of the fundamental points I’ve been trying to make with this blog, namely that best practices, by the developer or development company, are at the heart of building a secure application:

“PHP, like all development languages, is only as secure as the code people write in it,” Gutmans said. “The important thing developers have to know is that when they deploy a Web application -- whether it’s written in PHP or in any other language -- they’re deploying into a hostile world.”

The article, discussing some non-critical security issues identified in PHP, states that "Among the reported issues are some that may be considered items that developer best practices can help to eliminate."

‘Best Practices’ may be misrepresented by some, still valid

In a recent article at, Zephrin Lasker suggests that the phrase "Best Practices" has become meaningless, that practices labeled as "best" are often wrong.

Lasker is speaking from his experience in the advertising industry. While I can’t speak to that discipline, I can speak for my own. In the Web Development world, there are many ways to go about completing a project. Some of those methods are better than others. Some are shortcuts, shortchanges or just plain wrong.

However, invoking the phrase "Best Practices" is a promise to our clients and potential clients. A promise that we will find and adhere to those better methods. After all, this industry is not regulated. Yes, there are standards for various aspects of our work, but they are not enforced.

To us, "Best Practices" are hard earned. Even though we’re not required to do so, we maintain certifications, read widely, look to the experts, and attend conferences and seminars. They are not simply a concocted list we’ve labeled "Best".

Lasker is right in his base assumption. There are those who have invoked the phrase in a meaningless way, but this does not make the phrase irrelevant. Just as those who would impersonate a police officer do not make the police irrelevant.

Lasker would better serve his industry, and others, to call out those who’ve exploited the phrase rather than calling for the demise of “Best Practices".

The other viral media

As the internet has grown, many new business models and marketing strategies have come into existence. Terms like "viral marketing" are now commonplace for small business, non-profits and large corporations.

But, there’s another type of viral marketing that has become big business.

Using an arsenal of computer viruses, less-than-scrupulous companies are turning our home computers, our office workstations and our web servers into zombie machines (bots) that do their bidding. In many cases, we don’t notice the unobtrusive programs that are running brute-force attacks against other web applications, mounting denial-of-service attacks against servers, spreading themselves and sending spam email.

Viruses long ago graduated from the bedrooms of the disgruntled and settled in to the cubicle. In other parts of the world, developers are being paid salaries with benefits to develop better viruses. The companies that hire them are selling their services to anyone willing to engage in spamming, identity theft or electronic terrorism.

Any web application can be a target for these folks. They don’t care about your company or who you are. They don’t care if you’re a celebrity or not; a large corporation or a small business; or a philanthropic organization. They’re just looking for a weakness in your web application that lets them write one tiny file to your server. Once that file is in place, it gives them the foothold they need to install a host of other malware (malicious software).

For myriad reasons, there are developers and development companies that continue to be naive about this. Shortcuts, quick turnarounds and increased profit margins seem more important than security.

I was reminded of this recently when I was asked to look at a potential client’s site and assess the possibility of incorporating some existing application components into a new development project.

As soon as I connected to the server and saw the directory structure, I knew best practices had been ignored. Files for a file sharing application were stored in the wrong place.

As I started the file transfer to my development machine, my heart sank. My virus scanning software found four malware files in the first few minutes. I wasn’t worried for my sake. My network was protected. But, the potential client was a victim and their previous development partner had let them down.

What can be done?

As it goes with our personal health and biological viruses, so it goes with our web applications. Prevention is the best medicine. Regular check-ups and immunization go a long way toward thwarting unwanted invaders.

  • Ensure that your application is built the right way. Choose a development partner that uses best practices for application security.
  • Choose a hosting partner for your application that uses best practices, as well. Hosting companies should provide regular updates, virus scanning and activity monitoring. Many do–but some don’t–as evidenced by my recent experience with the potential client’s application.
  • Open source PHP projects are a prime target for these attacks. If you’re using WordPress, Magento, Drupal or any other open-source PHP project for your development project, make sure that you, your company or your development partner (someone, anyone) is responsible for regularly installing updates from the open source project, including updates to plug-ins and themes, not just the core.
  • If you are the victim of an attack–or suspect that you are–report it to the community of the open-source project you’re using, your development partner, or contact us to take appropriate action. The application can be restored from a back-up taken before the compromise and–in many cases–patched to prevent further attacks. Change every password and key the server held (application, database, FTP and hosting accounts), since the attacker may have collected them. In worst cases, the application can be shut down and a place-holder page put in its place until the issue can be resolved.
  • Back up your application, server or hosting account regularly, and keep a copy somewhere the server itself cannot reach, so an intruder on the server cannot alter or delete it. Some hosting companies offer complimentary back-ups. If they do not, you or your development partner may be responsible for backing up. If you do not back up, there is nothing to restore. And cleaning an infected server might not be safe, realistic or even possible.
  • Have a security assessment done on your existing application. Contact us to find out more.
  • Always use strong passwords for your application. Length matters more than any particular mix of characters: use 16 or more characters wherever the application allows it (8 is the bare minimum), mix upper and lower case, numbers, punctuation and symbols, never reuse a password across sites, and prefer a generated password kept in a password manager over a memorable one.
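One concrete form of the "regular check-up" the list above recommends is to keep a known-good manifest of file hashes off the server and, on each check, compare the document root against it while also looking for the tell-tale signs of a dropped back door: PHP files sitting in directories that are supposed to hold only uploads, and code that evaluates encoded payloads or hands request parameters to a shell. The script below is an added illustration written for this post, not code from the original page or from any of the projects it mentions. The directory tree it scans is constructed in a temporary folder, the list of writable directory names and the three indicator patterns are assumptions chosen for the example, and no real malware signatures are involved.

```python
"""Check-up for a PHP document root: baseline integrity manifest plus a few
web-shell indicators. Added example; the tree it scans is constructed in a
temporary directory, and the indicator patterns are illustrative assumptions,
not a complete malware signature set."""
import hashlib
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
# Assumption: these directory names are web-writable (user uploads, caches).
# Executable code should never appear under them.
WRITABLE_DIRS = {"uploads", "files", "media", "cache", "tmp"}
# Assumption: constructed indicator patterns typical of dropped back doors.
INDICATORS = [
    ("eval of encoded payload",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("shell command from request parameter",
     re.compile(rb"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("assert on request parameter",
     re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root):
    """Record a known-good hash for every file; store the result off the server."""
    return {rel: sha256_file(path) for rel, path in walk_files(root)}


def scan_tree(root, baseline=None):
    """Return a list of (relative_path, reason) findings for the tree under root."""
    findings = []
    seen = set()
    for rel, path in walk_files(root):
        seen.add(rel)
        ext = os.path.splitext(rel)[1].lower()
        parents = rel.split("/")[:-1]
        if ext in PHP_EXTENSIONS:
            if any(p.lower() in WRITABLE_DIRS for p in parents):
                findings.append((rel, "php file in web-writable directory"))
            with open(path, "rb") as fh:
                data = fh.read()
            for label, pattern in INDICATORS:
                if pattern.search(data):
                    findings.append((rel, "indicator: " + label))
        if baseline is not None:
            if rel not in baseline:
                findings.append((rel, "not in baseline manifest"))
            elif baseline[rel] != sha256_file(path):
                findings.append((rel, "modified since baseline"))
    if baseline is not None:
        for rel in sorted(set(baseline) - seen):
            findings.append((rel, "missing since baseline"))
    return findings


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree():
    """Constructed clean document root (not a real site) in a temp directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    _write(root, "index.php", b"<?php require 'app/bootstrap.php'; ?>\n")
    _write(root, "app/bootstrap.php", b"<?php define('APP', true); ?>\n")
    _write(root, "uploads/photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg stub\n")
    return root


def simulate_compromise(root):
    """Constructed intrusion: a dropped back door plus a tampered core file."""
    _write(root, "uploads/avatar.php", b"<?php eval(base64_decode($_POST['c'])); ?>\n")
    _write(root, "app/bootstrap.php",
           b"<?php define('APP', true); system($_GET['cmd']); ?>\n")


def demo():
    """Baseline a clean tree, plant the intrusion, and scan again."""
    root = build_sample_tree()
    baseline = build_manifest(root)      # taken while the site is known clean
    before = scan_tree(root, baseline)   # expected: no findings
    simulate_compromise(root)
    after = scan_tree(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    for rel, reason in after:
        print(f"{rel}: {reason}")
```

The manifest only helps if it was taken when the site was known clean (right after a fresh install or update) and is kept off the server; a manifest an intruder can rewrite proves nothing. The indicator patterns will miss obfuscated code and will occasionally flag legitimate plug-ins that use `eval`, so treat a hit as a reason to inspect the file, not as a verdict.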