Monthly Notes 38

Warm weather and cold Northern winds just call for a warm mug of cacao and something to read by the fireplace. Here’s monthly notes for February with topics from testing to software development project guidelines and from microservices to tips and tools. Also learning React App.

Issue 38, 19.02.2019

Testing

How to stop hating your tests
I’m not a fan of extensive ui tests. I think they should be mostly about seeing that the whole system functions when all systems are integrated and functional. This talk makes a good case out of it. If you want to skip right to this subject, it starts around at 18:50 or so.

Software development

My Opinionated Setup for Web Projects
“During the past few years, I have worked on multiple smaller and larger projects. In this blog post I explain my default project setup for a typical web frontend project.”

Project Guidelines
“While developing a new project is like rolling on a green field for you, maintaining it is a potential dark twisted nightmare for someone else. Here’s a list of guidelines we’ve found, written and gathered that (we think) works really well with most JavaScript projects here at elsewhen.”

Microservices

Introduction to Kubernetes
Introduces you to Kubernetes.

Building Microservices: Designing fine-grained systems (pdf)
“Distributed systems have become more fine-grained in the past 10 years,
shifting from code-heavy monolithic applications to smaller, self-contained microservices. But developing these systems brings its own set of headaches. With lots of examples and practical advice, this book takes a holistic view of the topics that system architects and administrators must consider when building, managing, and evolving microservice architectures.”

Microservices vs The World
“In the last 5 years microservices have been pretty much the topic on every architectural conversation. The idea is great, small, independent, cohesive, services that can be implemented, tested, maintained and released individually without much impact on the rest of the system. Microservices are then the holy grail of architectures all positives and almost zero negatives. If that is the case, why in the last 2-3 years our holy grail is getting bad press? Some engineers even suggest that a monolith is better. How can a monolith be better? Well, it all comes down to pros and cons and how the business is structured.”

Microservices architecture on paper sounds amazing but unless the business as a whole is not committed to it, then your department will end up with low morale, low productivity, and tones of code debt.

Microservices vs The World

Tools of trade

DockStation
“Application for managing projects based on Docker. Instead of lots of CLI commands you can monitor, configure, and manage services and containers while using just a GUI.” See running containers in histogram-type grapsh, monitor stats, connect with ssh to remote hosts, start/stop containers.

Scrolling inside Screen
Disable the alternate text buffer in the xterm termcap info inside screen so that you can use the scroll bars (and mouse wheel) to scroll up and down. 

~/.screenrc. # Enable mouse scrolling and scroll bar history scrolling termcapinfo xterm* ti@:te@ 

Learn

Learn React App
The goal of this tutorial is to quickly get you off the ground with React concepts. This tutorial has hands-on exercises which I consider to be the most important part of this tutorial.

Something different

MTB Trails Finale Ligure
I wish I was there shredding.

Notes from OWASP Helsinki chapter meeting 36

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme for this meeting was about software security and the topic was covered with two talks and with a card game. Here’s my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications – security needs to be baked in. Take security into account in every step of your software development process, focusing on design and development.

The talk was a great overview to software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was nicely practical and theoretical and gave good tips to tools and how to approach the issue. The presentation slides can be seen on SlideShare.

#OWASPHelsinki meeting 36 at @veikkaus_fi started with “What Every Developer and Tester Should Know About Software Security” by @Anne_Oikarinen. Good practical overview to security requirements, threat modeling and security testing. Build security in. #infosec@OWASPHelsinki

@walokra
Building security in: start with security requirements and threat modeling
Venn diagram of building security in
Follow standards and best practices
Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development”and told how they manage security in large scale. The sofware security team provides security as a service to produc teams and utilize OWASP SAMM to empower teams. The in-house built system to manage security maturity matrix was cool.

Next up at @OWASPHelsinki meetup was “Security in Agile Development” by @JoakimTauren from @Visma. Security as a Service. Empower teams. Transparency. In-house tool for security maturity matrix. Effective leadership of self-managing work teams. #infosec#OWASPHelsinki

@walokra
Security as a Service
Empowering teams
In-house built tool for managing security maturity index
You have tools to help you on the way

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia – a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

#OWASPHelsinki meetup 36 came to conclusion with a live game session of #OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopi …. Mechanism in game format to assist software development teams identify security requirements. @OWASPHelsinki had clever Star Wars themed system to audit. #infosec

@walokra

The game plays like card game with six suites and cards from one to ace like normal deck of cards. Cards have security themed questions and the players try to answer in the given context if the issue at hand is a problem to be look into. In this case the context was Death Star themed with given architecture diagram.

The card deck can be printed from OWASP site.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate to can of worms :)

OWASP Cornucopia in Death Star architecture