Notes from OWASP Helsinki chapter meeting 36

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme of this meeting was software security, and the topic was covered with two talks and a card game. Here are my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications – security needs to be baked in. Take security into account in every step of your software development process, focusing on design and development.

The talk was a great overview of software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was nicely balanced between practical and theoretical, and gave good tips on tools and on how to approach the issue. The presentation slides can be seen on SlideShare.

#OWASPHelsinki meeting 36 at @veikkaus_fi started with “What Every Developer and Tester Should Know About Software Security” by @Anne_Oikarinen. Good practical overview to security requirements, threat modeling and security testing. Build security in. #infosec @OWASPHelsinki

@walokra
Building security in: start with security requirements and threat modeling
Venn diagram of building security in
Follow standards and best practices
Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development” and told how they manage security at large scale. The software security team provides security as a service to product teams and utilizes OWASP SAMM to empower teams. The in-house built system for managing the security maturity matrix was cool.

Next up at @OWASPHelsinki meetup was “Security in Agile Development” by @JoakimTauren from @Visma. Security as a Service. Empower teams. Transparency. In-house tool for security maturity matrix. Effective leadership of self-managing work teams. #infosec #OWASPHelsinki

@walokra
Security as a Service
Empowering teams
In-house built tool for managing security maturity index
You have tools to help you on the way

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia – a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

#OWASPHelsinki meetup 36 came to conclusion with a live game session of #OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopi …. Mechanism in game format to assist software development teams identify security requirements. @OWASPHelsinki had clever Star Wars themed system to audit. #infosec

@walokra

The game plays like a card game with six suits and cards from one to ace, like a normal deck of cards. The cards have security themed questions, and the players try to answer, in the given context, whether the issue at hand is a problem to be looked into. In this case the context was Death Star themed, with a given architecture diagram.

The card deck can be printed from OWASP site.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate to a can of worms :)

OWASP Cornucopia in Death Star architecture

Monthly notes 37

January is turning over to February, and Winter with freezing weather and lots of snow has enlightened our days. Here’s some reading for the moments when the Winter wonderland is too much and a warm mug of coffee by the fireplace is the place to be.

Issue 37, 31.1.2019

Web and mobile development

PWAs on iOS 12.2 beta: the good, the bad, and the “not sure yet if good”
“The first beta of iOS 12.2: the first version since PWA support that responds to all the critics by offering solutions to the two biggest problems on PWAs on iOS.”

Hartington’s tweet thread has some information.

Microservices

Choose your tools wisely.

Tools of the trade

Lifehack.
“To test the flow of a potential scenario, storyboarding and comics can really add an extra dimension that your users can relate to (or not) and provide feedback on the types of activities, thoughts and feelings they would be experiencing along the way. “

Privacy and security


Something different

2018 Retrospective

The year has changed and it’s time for the traditional retrospective of posts published in 2018. By the numbers, 2018 totalled 23 articles, of which 11 were Monthly notes. I visited a couple of conferences and some meetups, did software development and tested technology stuff. Business as usual, and I presume that it’s going to continue this way also this year.

Monthly notes

It has proved to be a good way to ensure that I keep reading about what happens in software development, and also think about it when I collect interesting articles for my Monthly notes series. The series continued with 11 posts.

Meetups

During the year I attended a couple of meetups, and if you follow me on Twitter you might have noticed that I went to more meetups than I wrote about. There are several interesting events in Helsinki you can attend almost monthly, but you have to be quick to participate because events usually fill up quickly. Even when an event seems to be full, there are often spots left, as some people don’t cancel if they can’t make it.

Information security related meetups are always interesting, and I participated in a couple of OWASP Helsinki meetings.

OWASP Helsinki chapter meeting 34: Secure API told about “Perfectly secure API” and “Best friends: API security & API management”. The event gave a good overview of the topics covered and was quite packed with people. Eficode’s premises were modern and there were snacks and beverages. And also a sauna.

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting 35: Bug Bounty programs told all about bug bounty programs from the hacker’s and the organizer’s points of view, with the topics “Hunting for bounties in a web browser”, “How to become a bug bounty hunter” and “Running a successful bug bounty program”.

In August I attended React Helsinki August 2018 meetup at Smartly.io. Topics covered “Splitting React codebases for increased development speed”, “Making your own Ignite generator – for React Native” and “Use GraphQL!”. There are links to recordings of the presentations.

Meetups and conferences are also a nice way to freshen your thinking, hear how others do things, get new ideas and meet people working in the same field.

Conferences

Last year there were lots of interesting conferences in Helsinki. In the Spring there was the React Finland 2018 conference, which told what’s hot in the React world. The two-day conference covered React on day one and React and React Native on day two. Both days were packed with great talks and new information.

Where React Finland was a conference from developers to developers, the opposite was Red Hat Forum Finland 2018, which was held at Finlandia-talo. The tagline was “Ideas worth exploring. Come with questions. Leave with ideas.” The event was divided into a keynote and four breakout sessions. I chose to get hands-on with OpenShift.

The developer conference theme continued in Autumn with GraphQL Finland 2018. The first event of its kind in Finland brought a day of workshops and a day of talks around GraphQL. The event was organized by the same people as React Finland, and it showed, in good ways. The talks were interesting, the atmosphere was cosy and the after party was bookie. All of the talks were live streamed and they’re available on Youtube.

Software development as usual

I managed to write a couple of articles regarding software development and topics surrounding it.

Writing documentation is always a task which isn’t much liked, and especially with diagrams and flowcharts there’s the problem of which tools to use. I wrote about generating documentation as code with mermaid and PlantUML as an alternative to crafty Draw.io. Using mermaid or PlantUML has the advantage that you can see the changes clearly in a human-readable text format and maintain a source-controlled diagram.

When developing modern web applications you often end up checking REST API responses and parsing JSON values. If you’re allowed to install extra tools or use Python, things get easier, as you can use the command line and combine jq and Python to extract JSON values. As a further note, you can also use jp, a command line interface to JMESPath.

A more practical approach to visualizing things was when I built a build monitor with a Raspberry Pi and a touch screen. Information is a great tool in software development, and it’s useful to have easy access to it. Using a build monitor to show continuous integration status and metrics from running services helps you notice problems and get them solved quicker.

And as we know, learning and staying current in software development is important, and expanding your horizons can be achieved in different ways. One good way I have used is following different news sources and newsletters, listening to podcasts and attending meetups.

Awesome times ahead

Years change but the blog stays pretty much the same. Also this year the plan is to continue as before: write about technology, collect interesting articles, learn new things about software development and of course ride a mountain bike.

Stay tuned by subscribing to the RSS feed or follow me on Twitter. Check also my other blog in Finnish.


Monthly notes 36

Holiday season is soon here, and it’s good to take a short break from work and maybe learn or code some new things while relaxing and enjoying the winter time outside. Here are the monthly notes for December. Happy holidays!

Issue 36, 21.12.2018

Tips

How to Exclude an App From Dark Mode in macOS Mojave
“You can enable the old dark menu bar and dock look, you can also selectively exclude individual apps from dark mode.”

Learning

Tips of ppl who want to learn
ReaktorNow Development Discussion campaign shared some insights in the field of software engineering. “Always keep learning and expanding your skills, and remember to step out of your comfort zone.”

Beyond Cryptocurrencies
Intro to crypto talk at the a16z summit. (from @ljxie)

A novice’s guide to learning to code with CS50
“CS50 is the best learning experience I have ever had in my life.” Over 12 weeks you get a two-hour lecture to watch and a problem set to complete each week. Start with Scratch, continue with C and move on to Python plus HTML, CSS, SQL, JavaScript, jQuery and JSON. (from @walokra)

Security

Taking Down an Insider Threat
Excellent story about pentesting from the inside, and about a great digital forensics and incident response team and meticulously implemented security practices.

OWASP AppSec EU 2018 presentations
Presentations from OWASP AppSec EU 2018 are available from Youtube.

Software development

Everything about distributed systems is terrible
Hillel Wayne’s 38-minute talk at Code Mesh LDN 18, titled “Everything about distributed systems is terrible”, talks about TLA+, a formal specification system designed by Leslie Lamport. The claim is that with model checking you can find bugs in your (distributed) system that would be practically impossible to find with testing or in production.

Learning and Staying Current in Software Development

Software development is one of the professions where you have to keep your knowledge up to date and follow what happens in the field. Staying current and expanding your horizons can be achieved in different ways, and one good way I have used is to follow different news sources and newsletters, listen to podcasts and attend meetups. Here is my opinionated selection of resources to learn from and share ideas through: newsletters, meetups and other things for software developers. The meetups and some other items are Finland related.

News

There are some good sites to follow what happens in technology. They provide community powered links and discussions.

Podcasts

Podcasts provide a nice resource for gathering experiences and new information on how things can be done and what’s happening and coming up in software development. I commute daily for about an hour, and time flies when you find good episodes to listen to. Here’s my selection of podcasts relating to software development.

General

  • Software Engineering Daily: “The world through the lens of software” (iTunes)
  • Software Engineering Radio: “Targeted at the professional software developer. The goal is to be a lasting educational resource, not a newscast”. (feed)
  • ShopTalk: “An internet radio show about the internet starring Dave Rupert and Chris Coyier.” (iTunes)
  • Full Stack Radio: “Every episode, Adam Wathan is joined by a guest to talk about everything from product design and user experience to unit testing and system administration.” (feed)

Front-end

  • Syntax: “A Tasty Treats Podcast for Web Developers.” (iTunes)
  • The Changelog: “Conversations with the hackers, leaders, and innovators of software development.”
  • React Podcast: “Conversations about React with your favorite developers.”
  • Brainfork: “A podcast about mental health & tech”

In Finnish

  • ATK-hetki: “Vesa Vänskä and Antti Akonniemi discuss technology, business and self-development.”
  • Webbidevaus: “Talk radio about web development in Finnish! Hosted by Antti Mattila and Riku Rouvila.”

Newsletters

Information overload is easily achieved, so it’s beneficial to use, for example, curated newsletters for the subjects that intersect the stack you’re using and the topics you’re interested in.

The power of a newsletter lies in the fact that it can deliver condensed and digestible content, which is harder to achieve with other good news sources like feed subscriptions and Twitter. A well curated newsletter for a targeted audience is a pleasure to read, and even if you forget to check your newsletter folder, you can always get back to the issues later.

General

Mobile development

  • iOS Dev Weekly: Hand picked round up of the best iOS development links published every Friday
  • This Week In Swift: List of the best Swift resources of the week.
  • iOS Dev nuggets: Short iOS app development nugget every Friday/Saturday. Short and usually something you can read in a few minutes and improve your skills at iOS app development.

Java

Database

  • DB Weekly: A weekly round-up of database technology news and articles covering new developments, SQL, NoSQL, document databases, graph databases, and more.

HTML and CSS

  • HTML5Weekly: Weekly HTML5 and Web Platform technology roundup. Curated by Peter Cooper.
  • CSS Weekly: Roundup of CSS articles, tutorials, experiments and tools. Curated by Zoran Jambor.

Web development

  • Status code: “Keeping developers informed.” weekly email newsletters on a range of programming niches (links to JavaScript weekly, DevOps weekly etc.)
  • Web Development Reading List: Weekly roundup of web development–related sources, selected by Anselm Hannemann.
  • Versioning: “Daily knowledge devs and designers need to get ahead of the game.” SitePoint’s daily newsletter, which features the latest web development news.
  • Hacking UI: A weekly email with our favorite articles about design, front-end development, technology, startups, productivity and the occasional inspirational life lesson.
  • Scott Hanselman: Newsletter of Wonderful Things. Includes interesting and useful stuff Scott has found over the last few weeks and other wonderful things.
  • MergeLinks: Weekly email of curated links to articles, resources, freebies and inspiration for web designers and developers.
  • “How to keep up to date on: Front-End Technologies” page lists newsletters, blogs and people to follow.

JavaScript

  • JavaScript Weekly: Weekly e-mail round-up of JavaScript news and articles. Curated by Peter Cooper.
  • Node Weekly: Once–weekly e-mail round-up of Node.js news and articles.
  • A Drip of JavaScript: “One quick JavaScript tip”, delivered every other Tuesday and written by Joshua Clanton.
  • SuperHero.js: Collection of the best articles, videos, and presentations on creating, testing, and maintaining a JavaScript code base.
  • State of JS: Results of yearly JavaScript surveys

User experience and design

  • UX Design Weekly: Hand picked list of the best user experience design links every week. Curated by Kenny Chen & published every Monday.
  • Sidebar.io: To satisfy your web aesthetics with list of the 5 best design links of the day. The content is manually curated by a couple great editors.
  • Userfocus: Monthly newsletter which shares an in-depth article on user experience.

Ops

  • DevOps Weekly: Weekly slice of devops news.
  • Web Operations Weekly: Weekly newsletter on Web operations, infrastructure, performance, and tooling, from the browser down to the metal.
  • Microservice Weekly: A hand-curated weekly newsletter with the best articles on microservices.

Twitter

Following fellow developers and other people and accounts on Twitter is a good way to know what’s happening right now. Here’s a selection of accounts I (@walokra) follow, in no particular order.

Development

  • @ThePracticalDev: Great posts from the amazing dev.to community, with some opinion and humor mixed in.
  • @CommitStrip: The blog relating the daily life of developers. Official English account.
  • @baeldung: Author of restwithspring.com and learnspringsecurity.com, passionate about REST, Security, TDD and everything in between.
  • @martinfowler: Author and international public speaker on software development, specializing in object-oriented analysis and design, UML, patterns, and agile software development methodologies.

Infosec

  • @troyhunt: Pluralsight author. Microsoft Regional Director and MVP for Developer Security. Online security, technology and “The Cloud”. Creator of @haveibeenpwned.
  • @briankrebs: Independent investigative journalist. Writes about cybercrime. Author of ‘Spam Nation’, a NYT bestseller. Wrote for The Washington Post ’95-’09
  • @mikko: CRO at F-Secure ● TED Speaker ● Revɘrse Engineer ● Supervillain
  • @TinkerSec: Infosec Hacker things
  • @Anakondantti: Mostly software security related, but occasionally other things too. I’m a white hat hacker at team ROT.
  • @SunTzuCyber: If Sun Tzu had written “The Art of Cyber War”, these would be his quotes.
  • @lennyzeltser: Advances information security. Grows tech businesses. Fights malware. // VP of Products @MinervaLabs. Author and Instructor @SANSInstitute.

React scene

  • @jevakallio: @FormidableLabs, React/Native engineer, comedian, speaker, writer, improviser, Twitter Developer Expert™. Artisanal small batch free range shitposting.
  • @bebraw: Award winning founder of @survivejs and @jsterlibs. I also organize @ReactFinland.
  • @ReactJSNews: The latest React news and articles.

Design / UX

  • @steveschoger: Designer for @TightenCo and @taylorotwell ❯ Maker of heropatterns, heroicons and zondicons ❯ Design Tips
  • @UX_Grant: Senior Designer @ booking.com. Creating, Learning, Sharing. Maker: MakersMusic.co
  • @jonikorpi: Making multiplayer games using the web platform, as @vuorodesign. Previously web design at @kiskolabs.
  • @lukew: Humanizing technology. Founded: Polar (Google acquired) Bagcheck (Twitter acquired) Wrote: Mobile First, Web Form Design, Site Seeing. Worked: Yahoo, eBay, NCSA.
  • @autiomaa: Helping people, with design & technology. Front-end development, visual design, photography. Learning something new every day.
  • @skrug: Best known as the guy who wrote Don’t Make Me Think (now in its 3rd edition!) and Rocket Surgery Made Easy.
  • @jnd1er: Don Norman. Design thinker, company advisor, professor, columnist, author, … Latest book: Design of Everyday Things, Revised and Expanded.
  • @mpietila: User experience etc. Occasional smart-assery & besserwisserism. I have a history of seeing what they did there. Head of design at @qvik.

Database

Miscellaneous

Java

  • @mreinhold: Chief Architect, Java Platform Group, Oracle.
  • @jodastephen: Java Champion. Developer at OpenGamma. Occasional blogger and speaker. Best known for Joda projects and JSR-310

Technology News

Meetups

You can learn a lot from others, and to broaden your horizon it’s beneficial to attend different meetups, listen to how others have done things and hear their war stories. Also free food and drinks.

Mostly Helsinki based

Tampere based

Community chats

Monthly notes 35

December is just around the corner, but before that here are the monthly notes for November. More about leadership and stories, something about software development.

Issue 35, 13.11.2018

Frontend

CSS and Network Performance
What are the best network performance practices when it comes to loading CSS? How can we get to Start Render most quickly? Good article on how your page will only render as quickly as your slowest stylesheet, and what to do about it. tl;dr; “Lazyload any CSS not needed for Start Render”, “Avoid @import”, “Be wary of synchronous CSS and JavaScript order”, “Load CSS as the DOM needs it”. (from @csswizardy)

A React job interview — recruiter perspective
Good questions if you’re doing React interviews or being the interviewee, “A React job interview — recruiter perspective”. (from @walokra)

Tools of the trade

jp – Command line interface to JMESPath
I’ve been using jq for manipulating JSON on the command line, but there’s a better, more logical alternative. jp is a CLI interface to the JMESPath expression language for manipulating JSON. And there’s a tutorial. (from @walokra)

Bash-it
Bash-it is a collection of community Bash commands and scripts for Bash 3.2+. (And a shameless ripoff of oh-my-zsh?). Includes autocompletion, themes, aliases, custom functions, a few stolen pieces from Steve Losh, and more.

Detecting Memory Leaks From a JVM Heap Dump (with JXRay)
Good article on detecting memory leaks from a JVM heap dump and on garbage collection. Unfortunately the tool used for analyzing the heap dump is commercial, not an open-source tool like Eclipse MAT or VisualVM. (from @java)

Security

Can’t approve payroll? Blackhat sysadmin when my paycheck is on the line!
Interesting story from the trenches of how and what happened when an infosec guy found vulnerabilities in Basware Banking software (from 2015). tl;dr; Multiple unresolved vulnerabilities in Basware Banking/Maksuliikenne. Unbelievable story, especially how it was handled by the vendor and related parties. (from @walokra)

Leadership

Managing with the Brain in Mind
“Treat people fairly, draw people together to solve problems, promote entrepreneurship and autonomy, foster certainty wherever possible, and find ways to raise the perceived status of everyone”. Good read about SCARF. (from @walokra)

On Being A Senior Engineer
What makes for a good senior engineer? tl;dr; Be a mature engineer. Good read for everyone regardless of the line of business.

  • Seek out constructive criticism of their designs.
  • Understand the non-technical areas of how they are perceived.
  • Do not shy away from making estimates, and are always trying to get better at it.
  • Have an innate sense of anticipation, even if they don’t know they do.
  • Understand that not all of their projects are filled with rockstar-on-stage work.
  • Lift the skills and expertise of those around them.
  • Make their trade-offs explicit when making judgements and decisions.
  • Don’t practice CYAE (“Cover Your Ass Engineering”).
  • Be empathetic.
  • Don’t make empty complaints.
  • Be aware of cognitive biases.

The Ten Commandments of Egoless Programming
The Ten Commandments of Egoless Programming, as originally established in Jerry Weinberg’s book The Psychology of Computer Programming.

Something different

You work to live, not live to work
Remember, your job is not your life. You work to live, not live to work. Work on what makes you happy and don’t burn yourself out. The thread has good tips on how to recognize it and take control. (from @jevakallio)

Former CIA Chief Explains How Spies Use Disguises
Cool rundown of the use of disguises by a former CIA Chief of Disguise. (from @TinkerSec)

Notes from OWASP Helsinki chapter meeting 35: Bug Bounty programs

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting number 35 told all about bug bounty programs from the hacker’s and the organizer’s points of view. The event was held 6.11.2018 at Second Nature Security (2NS) premises in Keilaniemi. Here are my short notes.

Notes from OWASP Helsinki chapter meeting #35

“Hunting for bounties in a web browser” by Juho Nurminen from 2NS started the event talks. He told how to approach the issue and showed some findings in detail. Beyond the usual advice of understanding the technology and focusing on what you know, it’s beneficial to read up on prior art. Is it a repeatable bug? Reproduce it in another context. The talk presented CVE-2018-6033 (extension code can execute downloaded files), CVE-2018-6039 (XSS in DevTools, privileged API can be overwritten) and CVE-2011-2800 (data leak across origins). tl;dr; pwn things, submit to crbug.com, profit.

“#OWASPHelsinki 35 started by @jupenur hunting bounties in web browsers. Understand the tech (web, js, extensions, plugin API, devtools, NaCl, WebAssembly, etc.). Focus on what you know. Read up prior art. Nice examples of bugs found. @OWASPHelsinki meetup hosted by @2NS_fi.” – @walokra

Why web browsers?

CVE-2018-6033

In “How to become a bug bounty hunter” Iiro Uusitalo from Solita talked about bug bounty platforms and gave tips on how to be successful. In short: POC or GTFO, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community.

“How to become a bug bounty hunter, told by @iiuusit at @OWASPHelsinki meetup. Tips: poc or gtfo, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community. #OWASPHelsinki” – @walokra

Bug bounty programs in Finland

Tips for recon

How to report

tl;dr;

“Running a successful bug bounty program” by Thomas Malmberg from the Hackrfi bug bounty program covered the topic from the “random dude from the other side of the table” point of view. “What really matters is finding bugs”, but there are a lot of things to manage. It comes down to managing the expectations of hackers and program owners, and remembering that hackers work for you (the program owners) but they are not your employees.

Expectation management

“What really matters is finding bugs.” @tsmalmbe from @hackrfi told how to run a successful bug bounty program at @OWASPHelsinki meetup. Managing expectations of hackers and program owners. Remember: hackers work for you; hackers are not your employees. #OWASPHelsinki” – @walokra

The evening ended with a panel discussion about bug bounty with Juho, Iiro and Thomas. There were lots of interesting questions asked, and here are some of them in short.

  • Hardware bug bounties, how to do if device not publicly available?
    • On-premises hack days -> not so successful, too little time, concentrate on low hanging fruits.
  • How to choose [bug bounty] program?
    • Wide scope -> low hanging fruits.
  • What kind of reports of findings?
    • OWASP Top 10 covers almost everything.
    • Everyone is scared of finding remote code execution.
    • Business impact findings.
    • Recon: who we are, what we do -> what has big business impact. Also where’s the legacy code?
  • Impact: how do the hacker and the product owner see findings? The owner will set the impact, but how should it happen at both ends? How to define the final impact corresponding to the value?
    • Always estimate, run some CVSS estimator.
    • Use Google’s approach.
    • Fairness and trust. The program’s task is to create trust.
  • Afraid of reporting found bugs when there’s no bug bounty program?
    • Program has rules which covers legal matters. Read the rules, ask.
  • Top 3 negative things?
    • Program runner went public, lots of bugs, hackers pwned whole system.
    • Communication issues.
    • Program runner: call on Friday night, database lost. bug bounty program to blame.
  • Bug bounty programs role, client and customer: public programs. -> ncss, cert-fi.
  • Pentesting vs. bug bounty?
    • Not competing.
    • You shouldn’t do bug bounty if you don’t have enough security maturity. Too many reports at start (duplicates, cost much, etc.), then nothing if you don’t pay.
    • Low hanging fruits are not interesting for good hackers
    • Pentesting last 30 days and result is report covering certain things.
    • Bug bounty concentrates on specific aspect.
  • Bug bounty and threat model? When program open, easier for black market to find vulnerabilities?
    • Threat model for users? Depends on product / service you are providing.
    • 0-day on some Finnish site selling on USA black market -> not much interest.
    • Pentesting should be done first.
  • How to improve process?
    • Educating the bottom of the pyramid. Hammer and nails.
    • Public programs generate lots of noise vs. private ones.
  • Bug bounty in 5 years?
    • More automated things, scripts to detect things, AI
    • Bug hunter side: more professional all around the pyramid, more spam

Notes from GraphQL Finland 2018

The GraphQL Finland 2018 conference was held last week (18-19.10.2018) at Paasitorni, and the first event of its kind in Finland brought a day of workshops and a day of talks around GraphQL. The event was organized by the same people as React Finland, and it showed, in good ways. The talks were interesting, the venue was appropriate, the atmosphere was cosy and the after party was bookie. Here are my notes from the event.

All of the talks were live streamed and they’re available on Youtube. I was lucky to get a ticket to the event and be able to enjoy the talks live. Overall, most of the talks were easy to comprehend, although I only had some experience with GraphQL through experiments and what I had learnt a couple of months earlier at the React Finland 2018 conference (my notes from day 1 and day 2).

“GraphQL is an open source data query and manipulation language, and a runtime for fulfilling queries with existing data. It was developed internally by Facebook in 2012 before being publicly released in 2015. It provides a more efficient, powerful and flexible alternative to REST and ad-hoc web service architectures. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server, therefore preventing excessively large amounts of data from being returned.” – Wikipedia

Read also the organizer’s summary of the event and check out the photos.

Life is hard, GraphQL is easy

Notes from the talks

(titles are links on Youtube to particular talk)

Adopting GraphQL in Large Codebases – Adam Miskiewicz
The event started with Adam Miskiewicz’s story from Airbnb and incrementally adopting GraphQL. It’s simple to start using GraphQL in your project but adding it incrementally and carefully in huge codebases powering large distributed systems is not quite as straightforward. The talk dived into how Airbnb is tackling this challenge, what they’ve learned so far, and how they plan to continue evolving their GraphQL infrastructure in the future. Towards GraphQL Native!

Going offline first with GraphQL — Kadi Kraman
Kadi Kraman from Formidable Labs talked about going offline first with GraphQL. She did a nice interactive demo with React Native and Apollo 2. Users expect your mobile app to work offline and the tooling in GraphQL makes it reasonably straightforward to get your React Native app working offline. Slides

“Do this as you go and offline comes almost as a side-effect”

Life is hard and so is learning GraphQL — Carolyn Stransky
Life is hard, without documentation. Carolyn Stransky presented her story of ups and downs when learning GraphQL and documentation’s role in it. The problem with GraphQL is that – because there’s no “vanilla” GraphQL – there’s no central hub for all of the information and tooling necessary to learn. It’s underutilized and scattered throughout our community. The talk touched on how to better enable GraphQL docs for learning and comprehension and slides pointed to good resources.

Database-first GraphQL Development — Benjie Gillam
Benjie Gillam from PostGraphile taught how a database-centric approach to GraphQL API development can give your engineers more time to focus on the important parts of your application. Adhere to GraphQL best practices, embrace the power of PostgreSQL, and avoid common pitfalls. Interesting slides.

graphql-php — Christoffer Niska
Christoffer Niska gave some good tips for software development: Don’t over-abstract, test everything, use static type checking, follow best practices, don’t prematurely optimize.

(Un)expected use of GraphQL — Helen Zhukova
The (Un)expected use of GraphQL talk by Helen Zhukova showed the benefit of a single code base on the client and server side. Partly live coded with, among other tools, CodeSandbox. The “any DB” in this case was MongoDB.

Mysterious closing keynote — Dan Schafer
The mysterious closing keynote was Dan Schafer talking about GraphQL history, present and future. “Strive for single sources of truth”. Still lots of things to do in the ecosystem. Slides.

Talks from the deep end

Some of the GraphQL Finland talks went quite deep into their content, and as most of the talks were around 15 minutes long, the pace was quite demanding. At the event I concentrated on the topics which seemed most relevant and saved the rest for later. The sponsors’ lounge by Gofore and Digia provided a nice relaxing space to get your thoughts together. Here are the topics I saved for later.

All work no play (photo: Juho Vepsäläinen)

Makes you a dull boy (photo: Juho Vepsäläinen)

Emerging uses of GraphQL for rapid application development — Ellie Day
Many schemas simply mirror their RESTful counterparts, limiting their overall usefulness. The talk covers emerging patterns that enable rapid GraphQL-powered application development.

Building efficient, waterfall-free GraphQL applications — Jimmy Jia
Jia showed how in larger projects it’s easy to run into situations where requests wait on each other regardless of using GraphQL, to the detriment of user experience. He explored how these problems arise, and looked at strategies for mitigating these problems.

Building tools for GraphQL — Glenn Reyes
Using the right tooling helps development, and Reyes talked about what we can do to improve DX and supercharge our GraphQL development.

End-to-end type-safety with GraphQL — Johannes Schickling
The talk dived deep into one of the most powerful features of GraphQL, its type system. GraphQL can be used to enable end-to-end type-safety across any language, making your application architecture more resilient and easier to evolve.

Real-time GraphQL with Event Sourcing — Andrew Rhyne
A thirty-thousand-foot overview of event sourcing and how naturally it fits with GraphQL and subscriptions, and what it enables at Gatsby.

Hidden gems of GraphQL query — Ivan Goncharov
GraphQL has a few useful features that are typically overlooked. The talk contained spoilers from GraphQL Specification.

Reason and GraphQL — Nik Graf
Using Reason’s type inference you can create GraphQL servers with 100% type coverage. And Reason shines even more so on the client. Send one quick introspection request and you get full autocompletion on your schema right in the browser.

Writing a realtime GraphQL backend as a compiler in Haskell — Tanmai Gopal
The talk went over the key architectural decisions, programming constructs and the unforeseen implementation pitfalls Hasura ran into while building a high-performance GraphQL backend. It also covered tools from the Haskell ecosystem that made this possible.

Where art thou, my error? — Eloy Durán
Error metadata.

Afterwords

The last chance to practice your Finnish was the afterparty at the Gofore office!

Monthly notes 34

Autumn is well on its way and winds are bringing rains and clouds to the sky. Autumn also means that meetups awaken and interesting stories from the field are presented. Here are my monthly notes for September. Start with writing readable code, continue to build a React app with TypeScript, read how hacker puzzles can be solved and improve your designs with tactics instead of talent. Also use smarter command line tools and listen to a Kubernetes security journey.

Issue 34, 29.9.2018

Software Development

10 practices for writing readable code
Writing readable code may seem subjective, but there are core elements within all code which make it readable. Follow these 10 practices. Although I don’t quite agree with removing comments.
(from @walokra)

Software disenchantment
“As engineers, we can, and should, and will do better. Have better tools, build better apps, faster, more predictable, more reliable, using fewer resources”. But on the other hand people won’t pay for efficiency. They buy solutions to their problems. (from @walokra)

JavaScript

Fullstack Express-React App With TypeScript
Have you thought about starting a React app with TypeScript and integrating it with Travis CI and Heroku? Read this definitive guide and check the source of a starter kit for a full stack express-react app. (from @walokra)

Solving the Disobey 2018 puzzle
Great writeup of solving the Disobey.fi 2019 hacker ticket puzzle. It shows you some tools and techniques you can use to progress with these kinds of puzzles. Contains spoilers, so steer clear if you want the fulfilment and bliss that comes from solving it. (from @walokra)

This talk is about you [React Native Developer] (video)
Life of a React Native developer? Jani Eväkallio talks about you at React Native EU 2018. When building software products we’re focused on “how” but should also ask “what” and “why”, and not just be happy when tickets move from the left to the right side of the screen. (from @walokra)

Microservices

Kubernetes Security Journey (video)
Jerry Jalava talked at Kubernetes Finland about Kubernetes and security. (from @walokra)

Design

7 Practical Tips for Cheating at Design
“Improving your designs with tactics instead of talent.” Every web developer inevitably runs into situations where they need to make visual design decisions, whether they like it or not. There are a ton of tricks you can use to level up your work that don’t require a background in graphic design. Here are seven simple ideas you can use to improve your designs today.

Tools of the trade

CLI: improved
The command line is a powerful tool, but the common tools can be improved. Remy Sharp wrote his current list of improved CLI tools.

Jaeger
Open source, end-to-end distributed tracing to monitor and troubleshoot transactions in complex distributed systems.

Something different

How-To: Reduce iPhone screen brightness beyond stock levels (video)
Looking to reduce iPhone screen brightness beyond stock levels without resorting to jailbreaking? This handy accessibility tip will cause your eyes to thank you when reading in dark places.

How to Design for the Modern Web
Best Practices of Modern Web Development. “You are now also certified and ready to apply for top ranking sites like Reddit and Medium”. (from @walokra)

Notes from Red Hat Forum Finland 2018: Ideas worth exploring

Red Hat Forum Finland 2018 was held 11.9.2018 at Finlandia-talo and its tagline was “Ideas worth exploring. Come with questions. Leave with ideas.” The event was divided into a keynote and four breakout sessions. The four breakout sessions were:

1. Automation – Ansible
2. Journey to Cloud-Native Applications with OpenShift
3. Business & Solution track
4. Half day Executive discussions and round tables

I chose to get hands-on with OpenShift, but Ansible would’ve been interesting as well. Here are my notes from the event.

Red Hat Forum Finland 2018: Ideas worth exploring

Red Hat Forum 2018 Helsinki started with a keynote session by Michel Isnard from Red Hat. In “Digital transformation & the open organization” he talked about open source and how Red Hat embraces it. “Open source is collaborative curiosity, a culture with a desire to connect and the technologies to do it. Yet what draws our attention isn’t the technology alone; it’s what we can do with it. It gives us the platform for imagination, a focal point to collectively push for new possibilities.”

Be courageous, be open and innovate in the open.

Keynote: Ideas worth exploring (@walokra)

Next there was a customer reference by Markku Reinikainen from SOS International. He told us about their open innovation platform and how they have modernized their applications and moved to the mobile world.

SOS International: Open innovation platform

Journey to Cloud-Native Applications with OpenShift

The main content of the Red Hat Forum event were the breakout sessions. I chose the full day hands-on workshop which showed how to modernize an existing legacy monolithic application by applying microservice architecture principles, using modern lightweight runtimes like WildFly Swarm (Thorntail.io) and Spring Boot, and deploying to container-based infrastructure using OpenShift Container Platform. The material and slides are available on GitHub.

Hands-on OpenShift

The lab was split into four scenarios, going through the process of understanding how a developer can most effectively use Red Hat technologies in deploying a monolith to OpenShift, wrapping it with a CI/CD pipeline, developing microservices to start replacing functionality in the monolith, and integrating it all together to form the beginnings of a complete modernization of an existing app. The last scenario was about using Istio to prevent and detect issues in a distributed system.

The session started with the Red Hat Application Migration Toolkit (RHAMT) and migrating (lift & shift) a Java EE monolith app running on WebLogic to run on JBoss EAP and OpenShift in the cloud. A crafty tool which fixed poor and non-standard choices made in the legacy app.

Hands-on: Red Hat Application Migration Tool (@walokra)

The breakout session also had a talk from a Red Hat partner. The “Shift to a Cloud-First Core” talk by Capgemini told how they are approaching OpenShift projects. There are different options, and some are easier depending on the legacy technologies. Retain, retire, migrate: lift & shift, new layers, new apps.

Shift to the Cloud-First core (@walokra)

The OpenShift hands-on session continued with a developer introduction, which covered live synchronization of changes, deploying to different environments, Jenkins Pipeline, Continuous Delivery and approval steps.

Hands-on: introduction to OpenShift (@walokra)

The third and fourth scenarios were about strangling the monolith by transforming it to a microservices architecture, with and without Spring Boot: splitting up the monolith into domain-specific applications and connecting them. Lots of things that go over your head and seem like magic if you’re not familiar with them. You just click, click, click, done, profit. Some of the technologies used were Spring Boot and Spring Cloud, Snowdrop, Feign and Hystrix.

Strangling the monolith

The last and most interesting part of the hands-on session was Istio and resilient apps; due to the time schedule the Red Hat guy clicked and talked it through. It gave a good overview of visualization, monitoring, metrics, fault injection, traffic shifting, circuit breaking, rate limiting and tracing. Time was limited, so many things were left to be read later.

Hands-on: Istio, resilient apps (@walokra)

All the OpenShift scenarios used Katacoda, which made the hands-on experience possible with just a few clicks. A crafty tool for this kind of session, although you just clicked through at a relatively fast pace. For example, the “Developer Introduction to OpenShift” had an estimated time of 45-60 minutes and the lab had 23 minutes. The limited time made the hands-on experience somewhat superficial, but you got the point of what the possibilities are and how OpenShift works.

Lastly, Red Hat talked about OpenShift and their services regarding application modernization. Modernization of legacy applications is in high demand and there are different paths to achieve it.

One point regarding monoliths vs. microservices was that, as Martin Fowler wrote in Monolith First: “you shouldn’t start a new project with microservices, even if you’re sure your application will be big enough to make it worthwhile.”

Martin Fowler: Monolith first

Red Hat OpenShift Application Runtimes product architecture showed the blocks in the OpenShift context.

Red Hat OpenShift Application Runtimes

Red Hat Application Migration and Modernization Program

Summary

Red Hat Forum Finland 2018 was a nice event and the content was interesting. The hands-on session was fast paced, but you got the point and ideas worth exploring. I will look into Istio. The WiFi network had some problems but got better when more access points were added. After the official program there was some networking and drinks. Some food other than hemp snacks and vegetable chips would’ve been nice, but Woolshed provided in that regard. Thanks to Red Hat for organizing the event and for the good talks.

To continue with OpenShift topics you can check learn.openshift.com, which has material similar to the hands-on session and also uses Katacoda, but on different topics. The hands-on material can be read on GitHub, and for listening there are the DevNation Podcasts.

Red Hat OpenShift Pale Ale