OWASP Helsinki Chapter held a meeting number 34 last week at Eficode with topics of
“Perfectly secure API” and “Best friends: API security & API management”. The event gave good overview to the topics covered and was quite packed with people. Eficode’s premises were modern and there was snacks and beverages. And also a sauna. Here is a short recap of the talks.
Perfectly secure API
Matti Suominen from Nixu talked about perfectly secure API and things related to get there. Can API be secure? On gut feeling APIs seems to be rubbish and have problems. He covered the topic from three view points: security, risks and defense. Good starting point is to read OWASP resources like ASVS, Top 10 and Security cheat sheet. Also implement security centrally, involve business in design and DIY never works out.
Antti Virtanen from Solita talked about API security and API management and how we’ve traveled from dark ages to modern times. You can do API security with tools like Amazon AWS API Gateway but the main point was to step further with API management. Use some already made products like Apigee and open source alternative Tyk.io. Slides are available in Slideshare.
React Finland 2018 conference was held last week and I had the opportunity to attend it and listen what’s hot in the React world. The conference started with workshops and after that there was two days of talks of React, React Native, React VR and all things that go with developing web applications with them. The two conference days were packed with great talks and new information. This is the second part of my recap of the talks and my notes which I posted to Twitter. Check out also the first part of my notes from the first day’s talks.
React Finland 2018, Day 2
How React changed everything — Ken Wheeler
“Best part of React is the community”
Get started with Reason — Nik Graf
The keynote also touched Reason ML and Nik Graf went into details kicking off with the basics and going into how to leverage features like variant types and pattern matching to make impossible states impossible.
Making Unreasonable States Impossible — Patrick Stapfer
Based on “Get started with Reason” Patrick Stapfer’s talk went deeper into the world of variant types and pattern matching and put them into a practical context. The talk was nice learning by doing TicTacToe live coding. It showed how Reason ML helps you design solid APIs, which are impossible to misuse by consumers. We also got more insights into practical ReasonReact code. Presentation is available on the Internet.
Conclusion about ReasonReact:
More rigid design
More KISS (keep it simple, stupid) than DRY (don’t repeat yourself)
Forces edge-cases to be handled
Reactive State Machines and Statecharts — David Khourshid
David Khourshid’s talk about state machines and statecharts was interesting. Functional + reactive approach to state machines can make it much easier to understand, visualize, implement and automatically create tests for complex user interfaces and flows. Model the code and automatically generate exhaustive tests for every possible permutation of the code. Things mentioned: React automata, xstate. Slides are available on the Internet.
“Model once, implement anywhere” – David Khourshid
The talk was surprisingly interesting especially for use cases as anything to make testing better is good. This might be something to look into.
Compelling use case for state machines is: model code & automatically generate exhaustive tests for every possible permutation of the code. @DavidKPiano and surprisingly interesting talk of Reactive State Machines and Statechart at #ReactFinland. "Model once, implement anywhere" pic.twitter.com/v5iynBA4te
After theory heavy presentations we got into more visual stuff: React VR. Shay Keinan presented the core concepts behind VR, showed different demonstrations, and how to get started with React VR and how to add new features from the Three.js library. React VR: Three.js + React Native = 360 and VR content. On the VR device side it was mentioned that Oculus Go, HTC Vive Focus are the big step to Virtual Reality.
“Virtual Reality’s possibilities are endless. Compares to lucid dreaming.” – Shay Keinan
WebVR enables web developers to create frictionless, immersive experiences and we got to see Solar demo and Three VR demo which were lit 🔥.
World Class experience with React Native — Michał Chudziak
I’ve shortly experimented with React Native so it was nice to listen Michał Chudziak’s talk how to set up a friendly React Native development environment with the best DX, spot bugs in early stage and deliver continuous builds to QA. Again Redux was dropped in favour of apollo-link-state.
Work close to your team – Napoleon Hill
What makes a good Developer eXperience?
GraphQL was mentioned to be the holy grail of frontend development and perfect with React Native. Tools for better developer experience: Haul, CircleCI, Fastlane, ESLint, Flow, Jest, Danger, Detox. Other tips were i.a to use native IDEs (XCode, Android Studio) as it helps debugging. XCode Instruments helps debug performance (check iTunes for video) and there’s also Android Profiler.
React Finland App – Lessons learned — Toni Ristola
Every conference has to have an app and React Finland of course did a React Native app. Toni Ristola lightning talked about lessons learned. Technologies used with React Native was Ignite, GraphQL and Apollo Client 👌 App’s source code is available on GitHub.
Have a designer in the team
Reserve enough time — doing and testing a good app takes time
Test with enough devices — publish alpha early
React Native Ignite — Gant Laborde
80% of mobile app development is the same old song which can be cut short with Ignite CLI. Using Ignite, you can jump into React Native development with a popular combination of technologies, OR brew your own. Gant Laborde talked about the new Bowser version which makes things even better with Storybook, Typescript, Solidarity, mobx-state-tree and lint-staged. Slides can be found on the Internet.
How to use React, webpack and other buzzwords if there is no need — Varya Stepanova
Varya Stepanova’s lightning talk suggested to start a side-project other than ToDo app to study new development approaches and showed what it can be in React. The example was how to generate a multilingual static website using Metalsmith, React and other modern technologies and tools which she uses to build her personal blog. Slides can be found on the Internet.
Doing meaningful side-projects is a great idea to study new things and I’ve used that for i.a. learning Swift with Highkara newsreader, did couple of apps for Sailfish OS and played with GraphQL and microservices while developing app with largish vehicle dataset.
Two days full of talks of React, React Native, React VR and all the things that go with developing web applications with them was great experience. Days were packed with great talks, new information and everything went smoothly. The conference was nicely organized, food was good and participants got soft hoodies to go with the Allas Sea Pool ticket. The talks were all great but especially “World Class experience with React Native” and “React Native Ignite” gave new inspiration to write some app. Also “ReactVR” seemed interesting although I think Augmented Reality will be bigger thing than Virtual Reality. It was nice to hear from “The New Best Practices” talk that there really is no new best practices as the old ones still work. Just use them!
Something to try and even to take into production will be Immer, styled components and Next.js. One thing which is easy to implement is to start using lint-staged although we are linting all the things already.
One of the conference organizers and speaker, Juho Vepsäläinen, wrote Lessons Learned from the conference and many of the points he mentions are to the point. The food was nice but “there wasn’t anything substantial for the afternoon break”. There wasn’t anything to eat after lunch but luckily I had own snacks. Vepsäläinen also mentions that “there was sometimes too much time between the presentations” but I think the longer breaks between some presentations were nice for having a quick stroll outside and have some fresh air. The venue was quite warm and the air wasn’t so good in the afternoon.
The Afterparty at Sea Life Helsinki was interesting choice and it worked nicely although there wasn’t so many people there. The aquarium was fishy experience and provided also some other content than refreshments. Too bad I hadn’t have time to go and check the Allas Sea Pool which we got a free ticket. Maybe next time.
Thanks to the conference crew for such a good event and of course to my fellow Goforeans which attended it and had a great time!
React Finland 2018 conference was held last week and I had the opportunity to attend it and listen what’s hot in the React world. The conference started with workshops and after that there was two days of talks of React, React Native, React VR and all things that go with developing web applications with them. The two conference days were packed with great talks and new information. Here’s the first part of my notes from the talks which I posted to Twitter. Read also the second part with more of React Native.
React Finland 2018: Day 1
React Finland combined the Finnish React community with international flavor from Jani Eväkallio to Ken Wheeler and other leading talents of the community. The event was the first of its kind in Finland and consisted of a workshop day and two days of talks around the topic. It was nice that the event was single track so you didn’t need to choose between interesting talks.
At work I’ve been developing with React couple of years and tried my hands with React Native so the topics were familiar. The conference provided crafty new knowledge to learn from and maybe even put to production. Overall the conference was great experience and everything went smoothly. Nice work from the React Finland conference team! And of course thanks to Gofore which sponsored the conference and got me a ticket.
I tweeted my notes from almost every presentation and here’s a recap of the talks. I heard that the videos from the conference will be available shortly.
The New Best Practices — Jani Eväkallio
First day’s keynote was by Jani Eväkallio who talked about “The New Best Practices”. As the talk description wrote “When React was first introduced, it was ridiculed for going against established web development best practices as we knew them. Five years later, React is the gold standard for how we create user interfaces. Along the way, we’ve discovered a new set of tools, design patterns and programming techniques.”
The new best practices were:
Build big things from small things
Write code for humans first: flow, Typescript, storybook
Stay close to the language:
helps i.a. linters
Always prefer simplicity
Don’t break things:
Facebook makes React API changes easy to upgrade, depreciation well in advance, migration, documentation. it’s a flow, not versions. Use codemod.
Keep an open mind
You ask “what new best practices”? Yep, that’s the thing. We don’t need new best practices as the same concepts like Model-View-Controller and separation of concerns are still valid. We should use best practices which have been proved good before as they also work nicely with React philosophy. Eväkallio also talked why React will be around for a long time. It’s because components and interoperable components are an innovation primitive.
Declarative state and side effects — Christian Alfoni
“Get Rich Quick With React Context” lightning talk by Patrick Hund didn’t tell how good job opportunities you have when doing React But how with React 16.3 the context API has been completely revamped and demonstrated a good use case: Putting ad placements on your web page to get rich quick! Other use cases are localizations. Check out the slides which will tell you how easy it is to use context now and how to migrate your old context code to the new API.
There’s always a better way to handle localization — Eemeli Aro
“There’s always a better way to handle localization” lightning talk by Eemeli Aro told about how localization is a ridiculously difficult problem in the general case, but in the specific you can get away with really simple solutions, especially if you understand the compromises you’re making.
Styled Components, SSR, and Theming — Kasia Jastrzębska
Takeaways from this talk was that CSS in React app can be written as you always have or by using CSS-in-JS solutions. There are several benefits of using styled-components but I’m still thinking how styles get scattered all over components.
Universal React Apps Using Next.js — Sia Karamalegos
Every user’s hardware is different and processing speed can hinder user experience on client-side rendered React applications and so Sia Karamalegos talked how server-side rendering and code-splitting can drastically improve user experience. By minimizing the work that the client has to do. Performance and shipping your code matters. The talk showed how to easily build an universal React apps using the Next.js framework and walked through the concepts and code examples. Talk slides are available on the Internet.
There are lots of old (mobile) devices which especially benefit from Server Side Rendering. Next.js is a minimalistic framework for universal, server-rendered (or statically pre-rendered) React applications which enables faster page loads. Pages are server-rendered by default for initial load, you can enable prefetching future routes and there’s automatic code splitting. It’s also customizable so you can use own Babel and Webpack configurations and customize the server API with e.g. Express. And if you don’t want to use a server Next.js can also build static web apps that you can then host on Github pages or AWS S3.
State Management in React Apps with Apollo Client — Sara Vieira
Apollo Client was one of the most mentioned framework in the conference along with Reason ML and Sara Vieira gave energetic talk how to use it for state management in React Apps. If you haven’t come across Apollo Client it’s caching GraphQL client and helps you to manage data coming from the server. Virieira showed how to manage local state with apollo-link-state.
The talk was fast paced and I somewhat missed the why part but at least it’s easy to setup: yarn add apollo-boost graphql react-apollo. Have to see slides and demo later. Maybe the talk can be wrapped up to: “GQL all the things” and “I don’t like Redux” :D
Detox: A year in. Building it, Testing with it — Rotem Mizrachi-Meidan
One thing in software development which always gets developers to argue over stupid things is code formatting and linting. Andrey Okonetchnikov talked how “with a wrong workflow linting can be really a pain and will slow you and your team down but with a proper setup it can save you hours of manual work reformatting the code and reducing the code-review overhead.”
The talk was a quick introduction how 🚫💩 lint-staged a node.js library can improve developer experience. Small tool coupled with tools that analyze and improve the code like ESLint, Stylelint, Prettier and Jest can make a big difference.
What is DevSec, how to use Docker securely, why developers leak credentials? All those questions were answered at OWASP Helsinki chapter meeting #31 which was held 13.6.2017 at Solita premises. Here’s my short notes from the event. I’ll add links to presentations when they’re available.
DevSec – Developers are the key to security
DevSec is a emerging trend to move developers closer to security experts, akin to DevOps. Antti Virtanen from Solita talked about DevSec and how they do it (slides, pdf). As talk’s title tells us developers are the key but often buying one cybersolution is easier (giving out money) than peoples’ time. But if we look at the return of investment, passive defense is more effective.
Docker is currently experiencing very high adoption rate and people are deploying on Docker without considering the security landscape. Mika Vatanen from Digia told us about Docker Security (slides, pdf), possible attack vectors, how Docker handles security and what recommendations we should use when using it.
Leaking credentials – a security malpractice more common than expected
Bogdan Mihaila from Synopsys talked about Protecode and research of leaked credentials (slides, pdf).
Upcoming: DevSecOps “mini-hackathon”
Last topic was introduction to upcoming “mini-hackathon” by Pekka Sillanpää from OWASP Helsinki. They are planning a hands-on event in August for familiarizing and investigating some nice open source tools, including: OWASP Dependency-Check, ZAP Proxy, OWASP DefectDojo, DevSec hardening framework and Clair. See more info from OWASP Helsinki page.
Agile software development to the cloud can be nowadays seen more as a rule than exception and that’s also what this year’s first Nebula Tech Thursday’s topics were about. The event was held 2.3.2017 at Woolshed Bar & Kitchen alongside good food and beer.
The event consisted of talks about “Building a Full Devops Pipeline with Open Source Tools” by Oleg Mironov from Eficode and “Cloud Analytics – Providing Insight on Application Health and Performance” by Markus Vuorinen & Jarkko Stråhle from Nebula. The presentations were a bit high level and directed more to the business level people than developers but there was some new information how different tools were used in practice.
Overall it was nice event to hear how things can be done and to talk with people. Here’s my short notes from the event.
Cloud Analytics – Providing Insight on Application Health and Performance
Markus Vuorinen & Jarkko Stråhle from Nebula talked about how to gather data to Elasticsearch, make it accessible and visualize it with Kibana and make actions based on that. The ELK-stack (Elasticsearch – Logstash – Kibana) is commonly used and the presentation showed nicely how to utilize it with cloud.
Building a Full Devops Pipeline with Open Source Tools
Oleg Mironov from Eficode showed the building blocks of how to build a Devops pipeline with Open Source Tools and demoed it. Nothing really special if you don’t count Rancher and Cattle. Just put your code to Git, use Ansible, run Jenkins jobs, build docker images, use RobotFramework for testing, push artifacts to Artifactory and deploy with Rancher.
Development and operations, DevOps, is in my opinion essential for getting things done with timely manner and it’s always good to hear how others are doing it by attending meetups. This time DevOps Finland went Mobile and we heard nice presentations about continuous delivery for mobile applications, mobile testing with Appium and the Robot Framework and efficient mobile development cycle. Compared to developing Web applications mobile brings some extra hurdles to jump but nothing that’s not solvable. Here are my short notes about the meetup.
The meetup was hosted by Zalando Technology at their new office here in Helsinki. Zalando is known to many as that online store that sells shoes, clothing and other fashion items but things don’t sell themselves and behind the scenes they have lots of technologies to keep things running. For the record I think they said that the meetup had 65 attendees of the 100.
They didn’t arrive to the final setup straightforward and it was iterative approach with how Git is used, code merged and releases done. Using Fastlane for all tedious tasks, like generating screenshots, dealing with code signing, and releasing your application made automating things easier. Interesting note was that their build server slaves are ansible managed Mac Minis on Rami’s desk. They had solved the problems nicely but testing is still difficult.
DevOps and rollbacks don’t work together, you roll forward.
Mobile testing with Appium and the Robot Framework
Mobile testing can be done with different tools and one option is to use Robot Framework just like for Web applications. Elmeri Poikolainen from Eficode demoed how to use Appium and run Robot Framework tests on real device. It has some limitations and I think with native applications it could be better to use native test tools like what Xcode has to offer.
Development and Operations, DevOps, is one of the important things when going beyond agile. It’s boosting the agile way of working and can be seen as an incremental way to improve our development practices. And what couldn’t be a good place to improve than learning at meetups how others are doing things. This time DevOps Finland meetup was about container orchestration with CoreOS and it was held at Oppex’s lounge in central Helsinki. The talks gave a nice dive into CoreOS, covering both beginner and seasoned expert points of view. Here’s my short notes about the presentations.
CoreOS intro for beginners, by beginners
The first talk was practically an interactive Core OS tutorial by Antti Vähäkotamäki and Frans Ojala. Their 99 slides showed how to get started with CoreOS on Vagrant step by step and what difficulties they experienced. Nothing special.
The more interesting talk about CoreOS was “CoreOS in production, lessons learned” by Vlad Bondarenko from Oppex where he told about their software stack and how they’re running it. In short, they’re running on baremetal with CoreOS Nginx for reverse proxy, Node.js for UI and API and RethinkDB and SolrCloud clusters. Deployment is made with Ansible and makefiles and Ship.it is used for Node.js. Service discovery is DNS based with docker-etcd-registrator component and they’ve also written their own DNS server. For Node.js config management with etcd they’ve made etcd-simple-config component. With Docker they use standard images with volumes and inject own data to the container.
CoreOS seemed to work quite well for them with easy cluster management, running multiple versions of 3rd party and own software and having zero downtime updates or rollbacks. But there were some cons also like maturity (bugs) and scripting systemd.
The last talk was about CoreOS war stories in Kontena by Jari Kolehmainen. The slides tell the story of how they use CoreOS on Kontena and what are the pain points. In story short it comes to configuration management and issues related to etcd.
For bootstrapping they use CloudInit which is de-facto way to initialize cloud instances and Integrated to CoreOS. The hard parts with etcd are discovery, security (tls certificates), using central services vs. workers and maintenance (you don’t do it). Now they run etcd inside a container, bind it only to localhost and overlay network (Weave Net) and master coordinates etcd discovery. With automatic updates they use the best-effort strategy: If etcd is running, locksmith coordinates the reboots; Otherwise just reboot when update is available.
Presentation’s summary was that the “OS” part is currently best option for containers and etcd is a must, but a little hard to handle. For the orchestrator they suggest that pick one which hides all the complexities. And automate all the things.
Couple of weeks ago at Tampere goes Agile the question was what’s beyond agile and partial answer was DevOps. I’ve read about DevOps before and tried to introduce it to use in my daily job but new things move slowly. So, it was good time to hear more about DevOps and how others are using it at DevOps Finland meetup about ApiOPs and Test Automation. The meetup was held at GE Healthcare building in Vallila and organized by Eficode. Delicious coffee and sandwiches were from Warrior coffee. Here’s my short notes about the topics discussed.
The talk was more about mindset related to developing APIs than tools but Swagger was mentioned for representing your API and SoapUI for testing. For API management Moilanen talked about APInf which is an API management platform.
Test automation with Robot Framework
Eficode guys talked about Test automation with Robot Framework which is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It’s originally developed in Nokia Networks 2005 and open sourced in 2006. Robot Framework uses keyword-driven testing approach and it’s capabilities can be extended by test libraries implemented either with Python or Java. Robot Framework is quite big in Finland but to get the work forward and more known worldwide there’s now Robot Framework Association put together by Eficode, Omenia, Reaktor, Eliga, Knowit, Qentinel and HiQ.
After some technical difficulties with projector we heard intro to Robot Framework with Selenium2Library and saw video about using it. Selenium is a suite of tools to automate web browsers and with Selenium2Library you can use it with Robot Framework to easily implement and maintain automatic browser testing of your web application. Another use case which I find interesting is for testing REST APIs.
You can use Robot Framework in many was as we saw with the demo of a machine for automating payment terminal testing which Eficode had built (slides, blog post in Finnish). It was a Shapeoko 2 CNC milling machine where Arduino parsed g-code sent over terminal bus, payment terminal was captured with Tesseract OCR and it was controlled by Robot Framework running in Raspberry Pi. They had extended Robot Framework with new libraries for communicating over serial bus and reading images from Raspberry Pi camera.
What you can do with Robot Framework is up to you as the framework doesn’t limit you.
Future of DevOps Finland
The last talk of the meetup was about the future of DevOps Finland. DevOps Finland was started in 2013 by Erno Aapa and now the load is distributed over new planning team to keep things active. Sharing is caring and so we were encouraged to share our experiences and war stories about DevOps by talking in some future meetup.
Some possible future themes for the meetup were also discussed.
e.g. Coreos, Mesos, Kubernetes, AWS tools, Rancher.
DevOps on Windows
PoweShell and Azure.
DevOps without computers
AWS lambda, heroku, dokku, aws beanstalk, Google app engine, IBM Bluemix. (DevOps as a service).