devObjective 2015 Day Two Notes

devObjective 2015

Notes taken from sessions attended at devObjective 2015, day two (14th May 2015)


Rethink Async with RXJS

Presented by Ryan Anklam

Reactive Programming

Iterator: a pattern for accessing the elements of a collection without exposing its underlying representation

Observer: an object, the Subject, has one or many observers that are notified of any state changes

Observable

Benefits over other async approaches:

Map - Transforms each element in a collection. The original collection is unchanged.

Filter - Narrows collections.

Reduce - turns an entire collection into a single value.

Zip - combines two collections.

Thinking Functionally

Flattening patterns - managing concurrency
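The operators listed above, shown working on a push-based stream. This is an added example of my own, not code from the talk or from RxJS: a minimal Observable class (names such as Observable.from, collect and demo are mine) that implements map, filter, reduce and zip over synchronous sources so the behaviour of each can be read off the result.

```javascript
// Added example, not code from the talk or from RxJS: a minimal push-based
// Observable with the four operators the notes list. All names are my own.
class Observable {
  constructor(subscribeFn) {
    // subscribeFn(observer) pushes values and returns an unsubscribe function
    this._subscribeFn = subscribeFn;
  }

  subscribe(observer) {
    return this._subscribeFn(observer);
  }

  // Turn any iterable (the Iterator side of the pattern) into an Observable
  static from(iterable) {
    return new Observable(observer => {
      for (const value of iterable) observer.next(value);
      observer.complete();
      return () => {};
    });
  }

  // Map: transform each element; the source stream is untouched
  map(fn) {
    return new Observable(observer => this.subscribe({
      next: value => observer.next(fn(value)),
      complete: () => observer.complete(),
    }));
  }

  // Filter: only forward elements that satisfy the predicate
  filter(predicate) {
    return new Observable(observer => this.subscribe({
      next: value => { if (predicate(value)) observer.next(value); },
      complete: () => observer.complete(),
    }));
  }

  // Reduce: fold the whole stream into one value, emitted on completion
  reduce(fn, seed) {
    return new Observable(observer => {
      let acc = seed;
      return this.subscribe({
        next: value => { acc = fn(acc, value); },
        complete: () => { observer.next(acc); observer.complete(); },
      });
    });
  }

  // Zip: pair the n-th element of this stream with the n-th of the other;
  // completes as soon as either side has run out of values
  zip(other, combine) {
    return new Observable(observer => {
      const buffers = [[], []];
      const finished = [false, false];
      let completed = false;
      const drain = () => {
        while (buffers[0].length && buffers[1].length) {
          observer.next(combine(buffers[0].shift(), buffers[1].shift()));
        }
        const exhausted = (finished[0] && !buffers[0].length) || (finished[1] && !buffers[1].length);
        if (exhausted && !completed) { completed = true; observer.complete(); }
      };
      const side = i => ({
        next: value => { buffers[i].push(value); drain(); },
        complete: () => { finished[i] = true; drain(); },
      });
      const stopLeft = this.subscribe(side(0));
      const stopRight = other.subscribe(side(1));
      return () => { stopLeft(); stopRight(); };
    });
  }
}

// Subscribe and gather everything the stream pushes (sources here are synchronous)
function collect(observable) {
  const out = [];
  observable.subscribe({ next: v => out.push(v), complete: () => {} });
  return out;
}

// Constructed sample input: a stream of six numbers and a stream of three letters
function demo() {
  const numbers = Observable.from([1, 2, 3, 4, 5, 6]);
  const letters = Observable.from(['a', 'b', 'c']);
  return {
    mapped: collect(numbers.map(n => n * 10)),                  // [10, 20, 30, 40, 50, 60]
    filtered: collect(numbers.filter(n => n % 2 === 0)),        // [2, 4, 6]
    reduced: collect(numbers.reduce((sum, n) => sum + n, 0)),   // [21]
    zipped: collect(numbers.zip(letters, (n, s) => `${n}${s}`)), // ['1a', '2b', '3c']
  };
}

console.log(demo());
```

Each operator returns a new Observable and never touches the source, which is the "original collection is unchanged" point from the notes; zip has to buffer because the two sides may push at different rates.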

Learn More

http://github.com/jhusain/learnrx

https://github.com/Reactive-Extensions/RxJS

https://rxjs.codeplex.com/


Multiply like Rabbits with RabbitMQ

Presented by Luis Majano

https://www.rabbitmq.com/

Problems with RPC

How can we decouple knowledge and apply messaging patterns to our apps?

Messaging (EMB)

Producer

Messaging Bus - Broker

Consumer(s)

Benefits of Messaging

Patterns

Protocols

AMQP

Advanced Message Queuing Protocol

www.amqp.org

Uses standard binary protocol

Has a number of implementations, but let's look into RabbitMQ

RabbitMQ

AMQP Messaging Broker with wrappers available in a number of different languages

Accepts and forwards messages

Think of it like the post box, post office AND postman rolled into one.
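The producer / broker / consumer split from the messaging notes above, as an added example of my own rather than RabbitMQ or the talk's code. It is an in-memory toy modelling a direct exchange, queue bindings and competing consumers; the Broker class, method names and the "events" scenario are all assumptions made here. The point it shows is the decoupling the talk asks for: the producer only knows an exchange and a routing key, the broker holds messages published before any consumer exists, and a message nobody is bound for is simply dropped.

```javascript
// Added example, mine and not RabbitMQ or the talk's code: an in-memory toy broker
// that models a direct exchange, queue bindings and competing consumers.
class Broker {
  constructor() {
    this.exchanges = new Map(); // exchange name -> [{ queue, routingKey }]
    this.queues = new Map();    // queue name -> { messages: [], consumers: [] }
  }

  declareExchange(name) {
    if (!this.exchanges.has(name)) this.exchanges.set(name, []);
  }

  declareQueue(name) {
    if (!this.queues.has(name)) this.queues.set(name, { messages: [], consumers: [] });
  }

  // Bind a queue to an exchange for one routing key (direct-exchange semantics)
  bind(queue, exchange, routingKey) {
    this.declareExchange(exchange);
    this.declareQueue(queue);
    this.exchanges.get(exchange).push({ queue, routingKey });
  }

  // Producer side: route a message through the exchange. Returns the number of
  // queues it reached; 0 means no binding matched and the message was dropped.
  publish(exchange, routingKey, payload) {
    const bindings = this.exchanges.get(exchange) || [];
    let delivered = 0;
    for (const binding of bindings) {
      if (binding.routingKey !== routingKey) continue;
      const queue = this.queues.get(binding.queue);
      queue.messages.push({ routingKey, payload });
      this._dispatch(queue);
      delivered += 1;
    }
    return delivered;
  }

  // Consumer side: attach a handler; anything already queued is delivered at once
  consume(queue, handler) {
    this.declareQueue(queue);
    const q = this.queues.get(queue);
    q.consumers.push(handler);
    this._dispatch(q);
  }

  // Hand queued messages to consumers round-robin, as a broker does for
  // several consumers competing on one queue
  _dispatch(q) {
    while (q.messages.length && q.consumers.length) {
      const handler = q.consumers.shift();
      q.consumers.push(handler);
      handler(q.messages.shift());
    }
  }
}

// Constructed scenario: an "events" exchange, an audit queue bound for two
// event kinds, and a mail queue that only cares about sign-ups
function demo() {
  const broker = new Broker();
  const audit = [];
  const mail = [];
  broker.bind('audit-log', 'events', 'user.created');
  broker.bind('audit-log', 'events', 'user.deleted');
  broker.bind('welcome-mail', 'events', 'user.created');

  // Published before any consumer exists: the broker holds it in both queues
  const first = broker.publish('events', 'user.created', { id: 1, email: 'a@example.com' });

  broker.consume('audit-log', m => audit.push(`${m.routingKey}:${m.payload.id}`));
  broker.consume('welcome-mail', m => mail.push(m.payload.email));

  const second = broker.publish('events', 'user.deleted', { id: 1 });
  const unroutable = broker.publish('events', 'user.locked', { id: 1 }); // nothing bound

  return { audit, mail, routed: [first, second, unroutable] };
}

console.log(demo());
```

Acknowledgements, persistence and the other exchange types are left out; the return value of publish stands in for the feedback a real broker gives about unroutable messages.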

Learn More

RabbitMQ

Rabbit Simulator - http://tryrabbitmq.com/


Who Owns Software Security? You Do.

Presented by Tim Buntel

Do you scan your apps for cybersecurity vulnerabilities before making them available? 40% of people said NO.

How much do you budget towards securing mobile apps built for customers? 50% of people said $0.

Time to market is an issue - under pressure to release new apps faster due to:

New Tools

(RSA Conference 2015)

Quality Today

Doing it right is actually quicker in the end!

Good software is secure. Secure software is good software.

Four Step Plan

  1. Study successes

    • https://www.bsimm.com - describes software security initiatives at 67 well-known companies
    • study failures (not just successes)
    • OWASP
  2. Inventory yourself

    • Know your tech stack
    • Know your app and how it works
      • store a password
      • login a user
      • upload a photo
      • display user contributed content
      • concatenate strings
    • What is secret? What data is moving where?
  3. Make it agile

    • Agile Quality = Agile Security
    • Add security to your "definition of done"
    • Tools help scale the process
  4. Drive the culture

    • even a little security is better than none. Don't wait for a big initiative.
    • security should not be a "special event"
    • get trained!
    • have a plan for when something does go wrong

W3C Content Security Policy & HTTP headers for Security

Presented by David Epler

X-Content-Type-Options

X-Content-Type-Options: nosniff

X-XSS-Protection

X-XSS-Protection: 1; mode=block

0 = disable XSS protection

1 = enable XSS protection

1; mode=block = enable XSS protection & block content

1; report=URL = report potential XSS to URL (Chrome/Webkit only)

X-Frame-Options

DENY Prevents any domain from framing the content

SAMEORIGIN Only allows sites on same domain to frame the content

ALLOW-FROM URL Whitelist of URLs that are allowed to frame the content

X-Frame-Options: SAMEORIGIN

Browser support varies by value.

HTTP Strict Transport Security (HSTS)

Instructs the browser to always use HTTPS protocol

Helps prevent:

Does not allow a user to override the invalid certificate message.

// Require HTTPS for 60 seconds on domain
Strict-Transport-Security: max-age=60

// Require HTTPS for 365 days on domain and all subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

// Remove HSTS Policy (including subdomains)
Strict-Transport-Security: max-age=0
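The four headers covered in this session, put to work in both directions: a function that emits the recommended values, and an audit that parses a response's headers and reports the missing or weakened settings the notes describe (sniffing left enabled, XSS filtering set to 0, no framing restriction, an HSTS policy with max-age=0 or without includeSubDomains). This is an added example of my own, not code from the talk; the function names, the WEAK_RESPONSE sample and the choice to flag an HSTS max-age shorter than the notes' one-year example are all assumptions made here.

```javascript
// Added example, mine rather than the talk's: emit the headers covered in the notes
// and audit a response's header set for the missing or weakened values they warn
// about. The one-year threshold matches the notes' 365-day example and is a choice
// made here, not a rule from the talk.
const ONE_YEAR_SECONDS = 31536000;

// Build the recommended header set. frameOptions may be DENY, SAMEORIGIN or
// "ALLOW-FROM <url>"; hstsMaxAge is in seconds.
function securityHeaders({ hstsMaxAge = ONE_YEAR_SECONDS, includeSubDomains = true,
                           frameOptions = 'SAMEORIGIN' } = {}) {
  const hsts = [`max-age=${hstsMaxAge}`];
  if (includeSubDomains) hsts.push('includeSubDomains');
  return {
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
    'X-Frame-Options': frameOptions,
    'Strict-Transport-Security': hsts.join('; '),
  };
}

// Parse a Strict-Transport-Security value; directive names are case-insensitive.
// maxAge is null when the directive is absent or not a non-negative integer.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=').map(s => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(raw)) result.maxAge = Number(raw);
    if (key === 'includesubdomains') result.includeSubDomains = true;
  }
  return result;
}

// Case-insensitive header lookup, since servers and proxies vary the casing
function getHeader(headers, wanted) {
  const key = Object.keys(headers).find(h => h.toLowerCase() === wanted.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Audit a header map and return human-readable findings (empty array = clean)
function auditHeaders(headers) {
  const findings = [];

  const cto = (getHeader(headers, 'X-Content-Type-Options') || '').trim().toLowerCase();
  if (cto !== 'nosniff') findings.push('X-Content-Type-Options missing or not "nosniff"');

  const xss = (getHeader(headers, 'X-XSS-Protection') || '').trim();
  if (xss.startsWith('0')) findings.push('X-XSS-Protection explicitly disabled (0)');

  const xfo = (getHeader(headers, 'X-Frame-Options') || '').trim();
  const xfoUpper = xfo.toUpperCase();
  if (!xfo) findings.push('X-Frame-Options missing');
  else if (xfoUpper !== 'DENY' && xfoUpper !== 'SAMEORIGIN' && !xfoUpper.startsWith('ALLOW-FROM '))
    findings.push(`X-Frame-Options has unrecognised value "${xfo}"`);

  const hstsRaw = getHeader(headers, 'Strict-Transport-Security');
  if (hstsRaw === undefined) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const hsts = parseHsts(hstsRaw);
    if (hsts.maxAge === null) findings.push('Strict-Transport-Security has no valid max-age');
    else if (hsts.maxAge === 0) findings.push('Strict-Transport-Security max-age=0 removes the policy');
    else if (hsts.maxAge < ONE_YEAR_SECONDS) findings.push(`Strict-Transport-Security max-age ${hsts.maxAge} is below one year`);
    if (!hsts.includeSubDomains) findings.push('Strict-Transport-Security lacks includeSubDomains');
  }
  return findings;
}

// Constructed sample: a response that disables XSS filtering, has no framing
// restriction and clears its HSTS policy
const WEAK_RESPONSE = {
  'content-type': 'text/html',
  'x-content-type-options': 'nosniff',
  'X-XSS-Protection': '0',
  'strict-transport-security': 'max-age=0',
};

console.log(auditHeaders(securityHeaders())); // []
console.log(auditHeaders(WEAK_RESPONSE));
```

The audit reads header names case-insensitively because a proxy or framework in front of the application may rewrite the casing, and it treats max-age=0 as a finding rather than a configured policy, since on a live site that value silently removes HSTS for every returning browser.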

Learn More

HTTP Headers

HTTP Strict Transport Security

Content Security Policy
