Tweets and Retweets from Week #46

In: Tweets and Retweets

18 Nov 2012

As always I am behind on my blog posts… currently I am busy building a new kitchen and work too is taking its’ toll. Anyway it does feel good to get some stuff out of the way and get some tweets processed.

On the topic of always being behind schedule or having some sort of debt. The first link refers to a system I was presented to, while in Stockholm some weeks ago. It can help you identify several different metrics, such as duplication and feedback from static analyzers. It looks very interesting, unfortunately it does not seem as if it has any Perl integration at this time.

If I dig something up I will let you know.

@jonasbn: Sonar – “Put your technical debt under control” http://t.co/Ja7CYckT

It the other end of the scale you have somebody like Etsy. Statistics, metrics and drawing graphs is a fairly new hobby of mine. These guys do it a lot and it is very inspiring and the quote from their blog post made me laugh out loud.

@jonasbn: “Sometimes we’ll draw a graph of something that isn’t moving yet, just in case it decides to make a run for it.” http://t.co/l1jfyHjk

In relation to metrics, static analysis is very interesting. This next tweet is on code analysis for Javascript, something I am going to dig more into in 2013, but this might prove a start.

@jonasbn: Bringing JavaScript Code Analysis to The Next Level // Speaker Deck http://t.co/RXWJg6Ha

And finally, yet another interesting presentation from @patrickdebois. This time on puppet and chef.

@jonasbn: “Code but not as we know it – Infrastructure as code” http://t.co/aApRvTKm by @patrickdebois

Enjoy,

jonasbn

Tweets and Retweets from Week #45

In: Tweets and Retweets

18 Nov 2012

This post was delayed by a week, but luckily the Internet is not as forgetting as me.

Lots of good tweets and retweets in week #45, but I decided to assume the theme of conferences, workshops and meet-ups.

Some years ago when I attended the Nordic Perl Workshop in Reykjavik in Iceland, I heard about FSCONS for the first time. FSCONS takes place just across the border in Gothenburg, Sweden. I have never been able to attend and this year I also totally forgot to go. Conferences are great chance for meeting people whom you are only acquainted or follow via twitter or other social media.

In the past I have attended a lot of tech events, particularly Perl related, but attending other sorts of conferences have really broadened my perspective on technology and society and I really hope to be able to attend FSCONS in a foreseeable future. Anyway FSCONS sounds like the kind of conference I would enjoy – especially with attendees like Gabriella Coleman (@biellacoleman) and Henrik Chulu (@chulu).

@jonasbn: Feel like I am missing out on something when I am not attending @fscons and both @BiellaColeman and @chulu are there… #pplifollow

On the topic of conferences I use Lanyard quite extensively for following conferences and meet ups. Lanyard is a site coupled to Twitter and requires a twitter account, it relies on crowd-sourcing, but it does provide a magnificent overview of what is going on in your neighborhood or in relation to topics of your interest.

Lanyard allows you to tweet from the site to your follows, but that is the least part I think. “Internetdagen” is the Danish equivalent of “Internetdagarna” in Stockholm, it is smaller, but nonetheless quite interesting and you should consider attending.

@jonasbn: I’m attending #Internetdagen 2012, 22nd November 2012 in Copenhagen http://t.co/XTVKOqlF the schedule looks very promising… #id2012

One of the local user-groups I have attended in the past, even though I am not a Ruby programmer is the Copenhagen Ruby Brigade. They promote all of their events via Lanyard. It is quite educational even though my language of choice is another.

@fabricius: Exited about @copenhagenrb meeting tonight. Four Øredev speakers will be there, and I think the @Podio meeting room will be packed :)

Øredev is another local Software Developer conference with very prominent speakers I would like to attend in the future.

In relation to the Copenhagen Ruby Brigade, I have also attended meetings the local Javascript user group Copenhagen.js. I was however never able to locate a Python user group in my local area, on my Stackato presentation tour, but this tweet from @kgeishirt (whom I now through the local Linux User Group) did catch my eye.

@kgeisshirt: Interesting in #python in #dk: http://t.co/ptx38jmr

So there are plenty of events to choose from big and small, meaning plenty of opportunities to meet people you are acquainted with via social media like twitter.

Keep (re)tweeting,

jonasbn

Tweets and retweets from Week #44

In: Tweets and Retweets

4 Nov 2012

I have decided to migrate my tweet and retweet posts from my open source blog to my company blog. The truth else is that now much would not happen here and the contents of the posts are not necessarily open source related.

After reading David Golden’s (@xdg) excellent blog post on putting your social media on cruise control I decided to give a go and registered for Tumblr, IFTTT and Buffer.

Following David’s guidelines I swiftly got workflow up and running and I have been using it all week.

This weeks tweets and retweets do bear some indication of this, since it took me some time to get my processes going. The setup works marvelously, it is simply the human element – me.

So some of the tweets should have been retweets, but my interaction with the new setup, meant that this fact got lost, since I interacted with Tumblr/IFTTT/Buffer via the browser and the Tumblr/Buffer plugins and not directly with twitter. I have however now installed a Chrome plugin for twitter, meaning I can retweet in a more correct manner, without loosing history.

At the same time I have started digging through my backlog so many of my tweets are dated, but I find that quite a few of them are still relevant and interesting. Most of them does not originate from Twitter from some of all the blogs I follow – and believe me I have a long backlog of articles and stuff I need to process.

But lets get started, with a nifty little utility for assisting in development using JSON, a basic CLI tool named ‘jq’

@jonasbn: Interesting JSON commandline tool ‘jq’ http://t.co/btCnedjM

In additition to the above tool, ‘JSTerm’ might prove interesting:

@jonasbn: Better JavaScript Development With ‘JSTerm’ for Firefox | Webmonkey | Wired.com http://t.co/ZgBttOr1

The next part will have a theme to it: ‘Coding Style’, this is a coincidence, but nonetheless very interesting to evaluate more somewhat related resources at once, so I decided to surpass the ceiling for these post on 4 tweets to give a more interesting overall set of resources on a the topic of coding style.

I will start out by pointing to a presentation by Volker Dusch (@__edorian), the presentation gives a perspective on the value of code and why it is important to do code right and not spend time on all sorts of other activities, which are part of software development, but are more in the field of project activities, I might revisit this presentation and parts of it in the future, since it holds many interesting aspects.

@jonasbn: Really interesting presentation: ‘Stop wasting-time-by-applying-clean-code-principles’ http://t.co/w8S5Wx9t” #cleancode #tdd #pragmatism

Very much down the same line is a blog post by Jakob Skjerning (@mentalizer), again a hard approach to coding, but again some very interesting aspects on the core of software development, coding.

@jonasbn: RT @mentalizer: “Doing things right isn’t optional” – Making it Right: Technical Debt vs. Slop http://t.co/XVJHa5qR

Also in the past week I feel over a link to the Google coding guidelines for various of the languages used (C++, Objective-C, Python, HTML/CSS, JavaScript, XML and R) at Google for their open source projects. Is it me or is Dart missing???

@jonasbn: google-styleguide – Style guides for Google-originated open-source projects – Google Project Hosting http://t.co/DrrJa1fN

I program primarily in Perl, so the following blog post was interesting to me, it holds some good arguments on why a certain Perl practice can be considered harmful and all in all it fits in on the topic of coding style.

@jonasbn: Why I Dislike Autodie « Laufeyjarson writes… http://t.co/PaF7cEIP

Last but not least Michael O. Church from a very long blog post, which I could address in a dedicated blog post and I might do, but for now I will just mention it here. It is not directly relevant to the topic of Coding Style, it is more on the topic of developer mentality and management of developers, but since Coding Style is very much a developer perk, I would just list it here, for you to put things into perspective – I do not agree with Michael on all accounts, but his blog post is interesting and can at least be interesting reading for managers, and for self-reflection for developers.

@jonasbn: What Programmers Want « Michael O.Church http://t.co/ubtIKqp8

Keep (re)tweeting,

jonasbn

Stackato, part 1 – a micro-cloud from ActiveState

In: Articles

19 Oct 2012

This post will be the first in a series of blog posts on Stackato from ActiveState, I will try to lay the foundation for a better understanding of what role a micro-cloud like Stackato can play in your platform by documenting the road map I have been following in my evaluation and use of Stackato.

But let’s start at the beginning.

Everything started with me scanning the web for cloud solutions for Perl, I came across something named ‘Phenona’, which looked really promising, it was just promotional, but it did list some promising features and some of the buzzwords and technologies used seemed like sensible choices..

I am by no means a first mover and I got distracted by other activities. Apart from my day job as a Perl programmer I do a lot of hobby projects using Perl and therefor a cloud solution would be very interesting for easy deployment of these. Anyway time went by and when I looked again ‘Phenona’ had been acquired by ActiveState.

I have known ActiveState for many years for their work in the field of keeping porting and shipping a Perl interpreter to the Microsoft Windows platform and for development of the Komodo IDE, which I use on a daily basis for programming.

Out of all of this came Stackato and I signed up to become a beta-tester. Early in the process of the initial beta-testing, I could see the benefits of Stackato and how it could benefit our platform at work and I decided to outline some key points, that Stackato would have to be able to address in order to be considered for playing a serious role in our system.

  • Support for Mojolicious, all of the examples on Github was using Mojolicious::Lite and I really wanted to see a full blown Mojolcious application
  • Support for Catalyst, some of our services at work are implemented use Catalyst
  • Access to Oracle database using DBI and Oracle::DBD, we use Oracle and it is not a standard service in Stackato
  • Deployment of custom components, own libraries etc. apart from what is in the application and used from CPAN, own libraries should be able to be deployed with the application or similar
  • Use of cryptographic components, this issue came later, but it is listed here to give a complete overview
  • Central logging to a subsystem using Syslog, this is a general requirement to platforms and services at my workplace
  • Service integration using PostgreSQL, one of my hobby projects is designed to use PostgreSQL
  • mDNS/dynamic DNS, this also an issue, which came alone, I will it explain it in detail later

This was pretty much a basic checklist of stuff I wanted Stackato to be able to handle. I also evaluated Stackato on some other accounts, but these are more difficult to measure so I will touch on these topic where it fits in.

My enthusiasm with Stackato has resulted in me giving presentation on it at:

  • Open Source Days 2012 in Copenhagen/Denmark
  • Nordic Perl Workshop 2012 in Stockholm/Sweden

To:

  • Copenhagen Perl Mongers on 2 occasions, the local Perl user group in Copenhagen/Denmark
  • CopenhagenJS, the local Javascript user group in Copenhagen/Denmark
  • Copenhagen Ruby Brigade, the local Ruby user group in Copenhagen/Denmark

Slides for these presentation are available on Slideshare.

I am collecting my notes on Stackato in a Wiki, these are pretty rough for now, these blog post will be an attempt to polish these notes for better readability and hopefully to get them to make sense to others. Stackato is evolving and some of the notes might not even make sense anymore, I will try to take this into account in the blog posts.

#GOTOCPH Day 1, Design Never Stops: UX throughout development

In: Events

26 May 2012

Adrian Howard (@adrianh) from Quietstars

Design Never Stops: UX throughout development

I know Adrian Howard from the Perl community and as the person behind the marvelous testing module Test::Class. So I was a bit surprised to see him do a talk on design and UX. I guess well are do a plethora of things in our jobs, I myself is not solely doing Perl programming.

Adrian did a talk on design and UX. He started by eliminating the notion of UX and design in general as something you just to or apply when all the other stuff is completed.

UX and design has to be deeply integrated into our development culture to give the most benefit. Adrian outlined some implementation flows following bad practices of neglecting design and usability and pin-pointing this, you can see that it is pretty obvious, unfortunately this is not always the case.

Adrian then went on to outline 6 key principles to follow:

  1. be a missionary not a dictator
  2. beautiful all the way down
  3. design does not stop
  4. pretty pictures must die!!
  5. get out of the bunker
  6. steal other people’s tools

To briefly explain them. Be a missionary about good design instead of dictating. Beauty comes in many forms and shapes, let beauty take shape in all parts of your product. Design does not stop, it should be a natural part of the iteration and should be revisited, considered and refined – it is not just putting pretty pictures in relation to your product. Get out and communicate, cultural differences and values can be a problem, talk over delivering artifacts, communicating solely via artifacts and deliverables is harmful and isolation is bad. Steal other peoples tools to gain perspective, knowledge and practices.

In the end Adrian gave an example of ‘happy path’ a quite interesting practice. The idea is to create a strict path through the application so you can let the GUI elements and controls handle this. The test suite and code base is then loaded with constraints to harness the flow, so if any new elements are introduced in addition to the ones implementing the ‘happy path’ the test suite fail. This results in a very strict application flow and you don’t see crazy add ons being introduced without consolidation with the existing application and ‘happy path’.

(cross posted from logiclab.jira.com)

#GOTOCPH Day 1, Fast, easy usability tricks for big product improvements

In: Events

25 May 2012

Fast, easy usability tricks for big product improvements

Chris Nodder (@uxgrump) / http://www.questionablemethods.com/

Within this year I will take on a huge project of designing and developing a web site for the place where I work. We have an existing system, but we want to re-implement this for a number of reasons. The project started out as being primarily technically driven, but the idea has rooted itself in our organization and the project has also given a lot of attention to our current user experience and issues with usability.

With all this on my agenda I decided to follow some of the UX talks at the conference to hopefully pick something up. Another reason was that another of the speakers in the track was Adrian Howard, whom I know from the Perl community, more on this in another post.

First speaker I had scheduled to listen to was Chris Nodder.

Chris made a very ambitious promise in the title of his talk. The entry point to this complex topic was however quite simple as Chris proposed a 5 step process to creating/improving your usability or user experience.

5 step proces:

  1. find some users
  2. interpret what they tell you without bias
  3. create actionable product ideas
  4. turn your ideas into designs
  5. run a user test

I will briefly go over the process based on my notes, Check the slides for a more in-depth understanding.

Looking at this in isolation does not do much, but the basic idea is to have a process doing an analysis of your UX requirements by identifying your users, collect data on how they work. Analyze and refine the data. Transform the data to a prototype UI and finally test run it with your users.

Here follows my take of Chris presentation, based heavily on the tips given by Chris throughout the presentation and of course my interpretation, I will probably not do Chris presentation any favors, but I hope you will check out his presentation and other resources.

1: find some users

You need a very well-defined understanding of who your users are, if you are not able to define this group very clearly you will have issues later on and you might need a clearer product definition. Observe how the users work, what do they do not what do they say they do. Identify what are their tasks etc. Focus groups should be avoided they suffer from the same issues as multiple choice surveys, your users will focus on solving the task of being in a focus group instead of their actual task, which we are interested in.

If you can identify more user types, pay at least 3 visits per user type. During visits do hand-written notes, no video. Video ruins observation, you will observe acting not working. And finally, ask open-ended questions. Get the users to talk, it is not a conversation, it is an interview. You can always identify a good interviewer (particularly on TV), when they are able to get their guests to talk instead of boasting about themselves.

If you know your problem area well enough, it should be possible to pin-point the goals/tasks beforehand, looking at how the users complete the them are however still important, since we want to observe pathways not actual completion. Identify the tasks, not how software could be used, existing or new.

2. interpret what they tell you without bias

Remember, observe neutrally. Do not get the users to speculate on future and most importantly do not start to sell them your system or change their habits to accommodate your idea of how they ought to do their work.

3. create actionable product ideas

Create personas from your users, identify goals of the tasks they complete. Identify conflicts and issues with their tasks and work. Outline important quotes and isolate attributes. All of the above are interesting candidates for possible elements in our prototype.

I think this is the hardest part. It will require some practice to master this, but this fact emphasizes the importance of more observers being involved to obtain more varied data and more creative and varied analysis of the collected data.

Pair to write stories based on observations. All stories go on a wall as sticky notes, see the slides for examples.

4: turn your ideas into designs

Turn your design into drawings, mock-ups, sketches, what ever you call it. DO NOT USE COMPUTERS. And remember it is not an art exhibition and not a competition. Some people are more visual or creative than others, but everybody can participate, we aim for ugly not to be enthralled by the authority and beauty of something, which looks complete – time box if necessary.

Vote on designs using dot votes, base the votes on user stories and your analysis, remember these are sketched candidates for a a paper prototype. If you prototype does not work you have to iterate and you will have to go back to step 1, 2 or 3 depending on your success rate. Remember there is no failure at this point, since we are building a prototype, not the final product.

For the prototype, cut down on the ‘Lorem Ipsum’, users do not read ‘Lorem Ipsum’ and we are not interested in layout as such, but interaction and usability. We need users can understand our prototype so they can navigate, to the best of their ability.

Using scissors and sticky-tape you should be able to build a very flexible prototype of paper. Get and idea of the overall navigation to complete the tasks and identify some assignments for the next step.

The more finished your prototype is, the less flexibility you will be able to offer to the user and at this point changes are practically coming for free, compared to later in your actual project.

5: run a user test

We now have to find out if we are going in the right direction. As I wrote in the previous section, be prepared to bail or skip parts if they do not work and remember we test the prototype not the users. The user test should be based on assignments aimed at solving tasks using the prototype, obtaining goals. Again focus on the tasks, not the software use, we are using a prototype we can still accommodate to the pattern of solving tasks instead of the pattern of how software “normally”” works.

Hopefully your prototype project should be able to give you a very good idea of how you best shape your user interface, experience and your usability. The latter should be a natural fit, since you are founded in actual user behavior and you can iterate over step 4 and 5 until everybody are happy. Step 5 can with luck be video filmed in an un-intrusive way, remember we are testing the prototype not the user.

At the conference I later talked to Chris and we talked about kids, he informed me that if you are doing this with kids the last step should not last longer that 10 minutes and should should not be using office chairs that can spin or roll.

Chris convinced me, check out his book project Evil by Design and this beautiful sketch note by @micheleidesmith.

(cross posted from logiclab.jira.com)

#GOTOCPH Day 1, Using monitoring and metrics to learn in development

In: Events

23 May 2012

Talk by Patrick Debois (@patrickdebois) from Atlassian

Patrick works for my beloved Atlassian, I have for a long time been a customer with Atlassian on their hosted Jira platform and it really suits my needs and they are always helpful. I had however not observed that Atlassian was attending the conference so I was happy to see find them presenting at the conference. Patrick was not the only Atlassian employee speaking, I will get back to that in a coming blog post.

Patrick wrote a chapter in the Web Operations book from O’Reilly and he writes a lot of blog posts on interesting topics in the area of development and operation and in particular in relation to the topic of his talk on metrics and measurement.

Patrick is highly active in the area of development and operations and very interested and knowledgable on the topic of monitoring and data collection with the intent of metrics production. He started out by giving a helicopter viewpoint the state of monitoring and sort of concluded the segment with pointing to a project/organization on Github named monitoringsucks (https://github.com/monitoringsucks).

Patrick did a sort of break-down of the cultural aspects of monitoring and metering and emphasizing the concepts of establishing a culture where metrics gathering and measurement is automated and data/metrics are available throughout your organization. The pattern, which is often observed is one where the different silted departments are keeping their data, metrics and tools to themselves. This is not necessarily out of egoistic or malicious intent, but simply due to the assumption that nobody else is interested or would be able to get value out of what you have.

Patrick suggested the crazy idea of formulating a new methodology named: ”monitoring driven development”. Where the driver would be to create a monitor check before implementing a feature, sort of a TDD hybrid, just feeding into your monitoring pool instead of your unit-test suite.

Patrick mentioned quite a few interesting projects, these were the ones i jotted down, please go over his slides for a complete overview:

And a few people you might want to look up/follow on Slideshare or twitter:

  • Mike Brittain (@mikebrittain) on Slideshare
  • John Allspaw (@allspaw) on Slideshare

What I read from Patricks presentation is that monitoring tools are not quite there yet. There are plenty of tools out there, both commercial and open source, they are good, but currently they all have shortcomings.

In general information silos are bad, development and operational departments are often acting as silos, but we also observe silos inside tools, so one really important feature of (monitoring) tools should be openness and the ability to share and mash-up data and metrics, so silos can be eliminated.

We use Nagios at my place of work and I am going to see whether we can do some more with this existing system, which is currently only used by the operations people.

(cross posted from logiclab.jira.com)

#GOTOCPH Day 1, What Sucks About SCRUM

In: Events

22 May 2012

Alexander Grosse (@klangberater) from SoundCloud

Alexanders talk on SCRUM, was more in line with what I would expect at GOTO Copenhagen, lots of methodology and theory, at least that was my experience and impression from attending last year.

The title of Alexanders talk had intrigued me anyway working in an organization considering SCRUM as one the methods to be used for future projects, so getting some practical advice seemed like a good idea.

Alexander stated quite early that the idea of SCRUM is evil depends on the eye of the beholder. He does however not regard SCRUM to be totally evil nor an agile methodology. More like a repetitive waterfall model and moving away from SCRUM to a more agile approach seemed like a good idea for Alexander and his colleagues.

Seeing Alexanders point on SCRUM is quite easy if you read (or re-read) the agile manifesto and it’s principles.

Alexander did however not want to bash SCRUM, just high light some of it’s good and bad features or lack of. Alexander mentioned the following good things about SCRUM:

  • visibility (SCRUM board)
  • backlog concept
  • focus on delivery, risk and budget
  • less barriers
  • sprint retrospective is important for addressing technical debt
  • the role of the product owner (critical according to Alexander)

Alexander have experienced success with a mix of Kanban, agile principles and continuous delivery to get to where his organization was today. Kanban had proved magnificent at visualizing (and limiting) a multitude of concurrent ”work in progress” tasks.

He did also question the role of the SCRUM master and he mentioned the concept of self-organizing teams (preferably a-teams), where the role of SCRUM Master can be eliminated, letting responsibility rest on team members for activities like removing impediments.

SCRUM suffers from the lack of software engineering practices, so believing that SCRUM alone can address your software development issues is naive. SCRUM has some features and quirks, which does point to a more siloed and therefor less agile methodology.

Alexander provided a very simple way of determining the agility of a given methodology, focussing on the key principle of continuous delivery. If a can support this and your organization can do it – you might be truly agile. The issue here with SCRUM is the sprint reviews, since these block for continuous delivery.

(cross posted from logiclab.jira.com)

#GOTOCPH Day 1, Keynote on Dart

In: Events

21 May 2012

Again this year I am attending the GOTO Copenhagen Software Developer conference. From my prior experience I am to anticipate 3 days overloaded with information and I will try my best to get as much information propagated onto my blog as possible.

After the first welcome and initial introduction to the conference, the program started with a keynote on Googles Dart language by Kasper Lund from Google.

Kasper was one of the engineers behind Google’s V8 Javascript engine, now involved with the development of the Dart language.

The dart teams unofficial goal is to: ”awesome the web”. What the real goals behind the Dart project are unclear to me and I have not been following Dart development at all. Many new languages have been popping out of the woodwork over the last years and I find it hard to keep up with just the frameworks for the languages you work on on a daily basis. Anyway just being seated and fed with a break down of some of the key factors and features in a new language like Dart is always welcome and one of the aspects of going to conferences I really enjoy – so I just kicked back and listened to Kasper.

The evolvement and more serious use of Javascript might be one of the reasons why Google is developing Dart. Kasper mentioned the speed increase in Javascript execution in modern browsers (source: http://iq12.com/blog/as3-benchmark/) and Javascript popularity in general with projects like V8, Node.js, (based on V8) and jQuery.

Dart aims to be able to run on both server- and client-side. This is currently done on the client side either by compiling to Javascript or using the Dart virtual machine, which currently is only supported in Googles own browser Chrome (or Dartium). This part was a bit unclear to me and it took some time before I understood that both sides were targeted.

One of the reasons for Google developing might be the nature of Javascript. Javascript does not make it easy to write large applications for the web and Javascript has many issues. Kasper outlined some basic examples of Javascript behavior where the language does not seem completely consistent. In Kasper’s words Javascript is full of surprises, considering his background I pretty much take his words for it.

Examples given by Kasper was on data types and basic operations like addition etc. and out of bounds checking for arrays. Javascript is very forgiving and goes to great length to get a piece of code to execute. All of the issues addressed in Dart.

At the same time Dart seems to copy a lot of Javascript behavior. Kasper would probably be able to give even more concise examples and make a much more compelling case for choosing Dart over Javascript. Some of the key features mentioned by Kasper was, the client/server site support. The optional static type handling, which gives highly readable source code. The client-side integration is still fuzzy to me, but it seemed possible to integrated with existing Javascript and Dart is in some parts mimicking jQuery.

Dart supports incremental development and it seemed really easy to get started using the available toolchain, which includes:

Kasper also mentioned an interesting test method using a headless browser, where you inspect the DOM render tree. This seems to be doable by using some of the accessibility hooks in Chrome, but I am not sure and I have not dug further into the topic.

Dart is very intriguing and so much more that just: ”curly braces and then some…”

(cross posted from logiclab.jira.com)

OWASP meeting featuring Jim Manico

In: Events

14 Mar 2012

Monday evening I attended a local OWASP chapter meeting. The guest speaker was Jim Manico. Jim Manico is the person behind the OWASP Podcast and is an extremely knowledgable on the topic of security in conjunction with security for web development.

Jim started out with turning the whole problem of security around, instead of talking about top 10 threats, he wanted to present a set of top-10 defenses for web applications, emphasizing the importance of talking about remedies instead of threats.

The most important remedy is query parameterization (prepared statements with bound parameters), this addresses the number one threat and one of the most destructive go threats, also known as SQL-injection. Jim mentioned the OWASP Query Parameterization cheat sheet dedicated to this topic. The remedy is very basic, but the problem of SQL-injection does not seem to go away. On a note OWASP also has a cheat sheet dedicated to SQL-injection prevention.

Next point Jim started listing a lot of threats, which had all had the common denominator: XSS. After this followed a nice matrix of defenses. Each of the different XSS threats would exploit different vectors/vulnerabilities in primarily Javascript, the matrix did however give a nice overview of what to look for and how to defend your application.

Some basic examples of attack vectors could be:

  • session hi-jacking/cookie theft: dokument.cookie and window.location
  • defacement: document.body.innerHTML

Again Jim emphasized that this is hard to get and some of the more prominent and talented developers does not even see all these issues.

Jim mentioned a resource recommending: Element.setAttribute, which has several issues, due to its power.

See also:

Next up was CSRF, defenses mentioned were:

  • double cookie submit
  • Single Origin Policy
  • randomized tokens

Jim spoke well for the randomized tokens model, where I tend to the double cookie submit model – perhaps a combination of all the defenses would be optimal. Also considering Jim himself mentioned theft of entropy based tokens using empty HTML form, so I do not see the randomized tokens model standing alone if it just have the least weakness in its implementation it is useless.

OWASP even has a cheat sheet.

Jim repeated over and over again that attacking is easy, defending is hard. An example was doing a key logger is as easy as listening for key-down/key-up events in Javascript.

Jim’s take on input validation surprised me a bit, but I could follow him. If you have your general defenses in place, input validation is actually more about data sanitization than security. Jim mentioned that handling your output is more important. Which leads me to something I have heard mentioned earlier, that you cannot trust your back-end either since you cannot be sure, how the data has been inserted/injected in the first place, so result sets for example from a database should be regarded with equal mistrust. The issue is really that the malicious data, does not do any harm until it reaches a browser again.

Jim mentioned a defense of using type strictness. I understand the concept, since it is often used in regular defensive programming and is not specific to security, but it does require developers using dynamic languages like me to think about implementing this sort of type checking as part of the application since it is not necessarily a part of the language itself – this does lead back to input validation and data sanitization, so this sort of defense does require strict handling of input data.

Jim gave some overall recommendations:

  • do not let users define style (CSS), allow only pre-defined themes
  • do not rely on client site defenses (javascript in browser)
  • be care full with WYSIWYG editors like tinyMCE these might use plain HTML

The later does require that you parse your HTML vigorously (see also: OWASP DOM XSS cheat sheet).

On the topic of parsing, the most widely spread way of deserializing JSON is by using eval. Do use JSON parser instead.

I often see a tendency in the security community to think highly of frameworks, but with all of these new and spiffy Javascript frameworks and their plugins I really hope some of the developers to take the time to evaluate and assert the security of these.

Next up was the largest of the topics Jim covered and I think one of the topics which interests him the most currently: Access Control Design Theory.

Jim grouped the attacks in this category into the following groups:

  • Vertical Access Control Attacks
  • Horizontal Access Control Attacks
  • Business Logic Access Control Attacks

Jim stated that the access control component has to be introduced early, deeply and globally in your system. Implement a mapping of features, policies and a central point of access.

Vertical access control attacks are you regular attacks where privilege escalation is attempted obtained. Horizontal access control attacks I guess are related to ‘Insecure Direct Object References’, which is listed on the OWASP top-10. This is where the attacker is able to obtain access to data related to other entities, by exploitation of a role-system or the like.

Jim listed some anti-patterns, many of which I see on a regular basis:

    • Hard-coded role checks in application code
    • Lack of centralized access control logic
    • Untrusted data driving access control decisions
    • Access control that is “open by default”
    • Lack of addressing horizontal access control in a standardized way (if at all)
    • Access control logic that needs to be manually added to every endpoint in code
    • Luckily Jim also presented some good patterns:
    • Code to the activity, not the role
    • Centralize access control logic
    • Design access control as a filter
    • Deny by default, fail securely
    • Build centralized access control mechanism
    • Apply same core logic to presentation and server-side access control decisions
    • Server-side trusted data should drive access control

A good example of handling of operations on valuable data, was Amazon.com. If you want to:

  • change credentials
  • changes to entity references, like email, mobile phone number etc.

You have to re-authenticate.

One interesting problem related to the horizontal access control, which Jim shed some light on was the multiple tenants setup. This is the concept with hosted solutions or similar where you have multiple groups of users using the same system, but working on separate sets of data in a system.

I see the same challenge in regard to regular users vs. administrative users, this is an aspects with coincides very well with my ideas around use of public and private PaaS to separate deployments dedicated to regular use vs. administrative use.

Jim finished the presentation with a discussion on the problem area of passwords and the time had come to talk SSL. Jim stated that: SSL only gives us integrity, authenticity, confidentiality and repudiation. SSL is good, but SSL alone does not keep you safe. According to W3C the GET method leaks and you use it with consideration.

In general you have to formulate a set of password policies and Jim gave some recommendations:

  • Allow 10-15 retries, not only 3-4, we are fighting machines not people
  • At 10 bad attempts, notify user
  • Utilize out of band channels: token/SMS/email
  • Avoid session fixation, anonymous vs. authenticated session, do not re-use session identifiers since the unauthenticated session might already have been hi-jacked, when the user authenticates
  • <input AUTOCOMPLETE=”Off”

User lock-out can be useful, but it can be straining on your resources, so you need to provide your users with ways to unlock just as you provide functionality for handling the case of forgotten passwords.

OWASP provides a forgotten password cheat sheet with more details on the topic of retrieval of forgotten passwords

I am in a position were I am designing an access control sub-system, so timing could not be better, so the evening was a blast and I am drowning in notes.

Older Entries

About this blog

This is the corporate blog of logicLAB. A software development company based in Copenhagen, Denmark

Categories

Archives

May 2013
M T W T F S S
« Nov    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Copyright © 2007 - logicLAB - is proudly powered by WordPress | Log in

Compositio Theme is created by: Design Disease brought to you by PremiumThemes.com