Saturday, October 27, 2018

Software development - sources of help

So you do software development or you want to.  

What do you do when you forget something, haven't done something in a while, need to do something a bit different from what you normally do or just plain need to do something brand new to you?

Software development is a lifetime learning process and things change daily. You will never know it all or remember it all. With that in mind, there are lots of good sources of information on many of the technologies.

Here are some that I like - there are many more at your fingertips.

I am mostly using Java 8 right now but peek at Java 9+ every so often.  At the moment, Java 11 is the most current but for some reason I wasn't able to replace "8" with "11" in the link below like normal when looking for recent version specific API stuff.    

  • https://docs.oracle.com/javase/8/docs/api/overview-summary.html

Every so often I'll take a look at the Java language or VM specs. Good information but don't need it everyday.

  • https://docs.oracle.com/javase/specs/
And of course, there are all the standards for the multitude of Java technology items.  This is a good place to find upcoming Java related changes too.  
  • https://jcp.org/en/home/index 
I'm thinking I may end up spending more time at the openjdk site going forward.  I'm still trying to figure out what companies are going to do regarding Java development with the current licensing/upgrade model that Oracle is using. Pay the piper (Oracle) or stick with the open source openjdk or find/follow some other road.
  • https://openjdk.java.net
Note that there is a lot of innovation going on at the openjdk site too.  Value types are one that might help some performance/memory critical applications - it is still early yet to see if the benefit is real (in my opinion).
  • https://openjdk.java.net/projects/valhalla/

If the above Java docs don't give you what you want, or you have an issue with other programming languages or technology, Stack Overflow is probably the next most common source. It tends to come up in my general Java-based searches the most.

  • https://stackoverflow.com/

If I want to see what new and innovative stuff is out there, or look for guides on using something, I'll often look for it at DZone.

  • https://dzone.com/
In fact, as I was checking things I found an article on "being a better Java developer" which included some Eclipse shortcuts.  I should print it out - I'll never remember these otherwise.


I've been finding more search results pointing to this site, which is pretty good; I've learned a lot of new stuff from here (typically Spring Boot related, but more than that is covered).
  • https://www.baeldung.com/

If you are looking for Spring related info, it never hurts to look at the source... (ha, I think that is sort of pun-ish... my kids would surely repeat the often said "ohh Dad"). The number of different Spring projects continues to increase.
  • https://spring.io/projects

If you are looking for Hibernate/JPA stuff, the main source is:

  • http://hibernate.org/orm/


For Oracle database stuff, I have a few sites I tend to find/visit when searching for that missing nugget of memory. Just do a Google search and try links from these.

  • http://www.dba-oracle.com/
  • https://asktom.oracle.com
  • https://docs.oracle.com/en/database/
  • https://docs.oracle.com/database/121/SQLRF/statements_10002.htm#SQLRF01702
When googling for Oracle DB stuff, you have to be careful and confirm that the documentation is for the "correct" Oracle database type (and version).  Oracle has a handful or so of different database types along with the "regular" Oracle DB and sometimes you end up finding documentation for one of those others which likely isn't what you wanted - causing moments of confusion. 

At one of my jobs, I lived in the SQL reference (syntax) documentation since I worked on parsing SQL statements and such for a DB tool.  That was a long time ago though. The syntax diagrams and documentation are still very helpful in my opinion. The 4th link in the list above is related to the syntax description.

I'm not doing much with MongoDB but have been the "remote hands of the debugger" for a team outside of the US a few times which uses MongoDB. I need to continue to familiarize myself with MongoDB.

  • https://docs.mongodb.com/manual/

And who could forget the Apache site itself. The number of different technologies represented is amazing. The only sad aspect to Apache is the times I go out to look up something and find items I used, researched or thought might be worthwhile are now in "the attic" like Apache ACE, DirectMemory and Shale.
  • http://apache.org/
It is neat to just go out there sometimes and just see what new projects are starting up.  There is always something new and interesting.

Are you doing cloud stuff? For Amazon Web Services (AWS), you can always start here:
  • https://aws.amazon.com/
They are constantly adding new services or features.
Or maybe you are looking for more of a PaaS (Platform as a Service) like Cloud Foundry.
  • https://docs.cloudfoundry.org/
I really like Cloud Foundry; it is very easy to deploy a lot of services.  I know I am not using even close to all of the available functionality but I am still able to do quite a bit pretty quickly.  The only downside in my mind is you probably need a pretty decent crew of people to manage Cloud Foundry itself.  There are lots of features to turn on/off depending on your needs. There are lots of Spring things that integrate nicely in with Cloud Foundry (mostly from a Java perspective).  

I'm a creature of habit in some ways so I'll 99.99% of the time gravitate to Eclipse as my Java IDE. You can find a lot of stuff at the Eclipse site - they have a huge number of projects (outside of the IDE) too that cover a wide range of domains and a number of programming languages.  
  • http://www.eclipse.org/ 
I think IntelliJ is a top-tier IDE as well but I just don't see a reason to change most of the time.  Just in case you are looking for more info though..
  • https://www.jetbrains.com/idea/

There are so many other languages, technologies and related sites that it would be impossible to really scratch the surface. 

Maybe I will append some links later - certainly links for caching software and general sites with comparisons of competing technology are useful.  

Thanks for reading.
Scott


Proverbs 1:7 New American Standard Bible (NASB)

The fear of the Lord is the beginning of knowledge;
Fools despise wisdom and instruction.



Monday, October 22, 2018

Software security - is your application secure enough?

Let me start off by saying that there is no such thing as a 100% secure application - unless maybe it is only on a computer that is never turned on and it is the only copy.

I'll qualify that with - I don't have a degree in software security, so you may ask why you might pay attention to anything I say. I've been in the software development field for many years and have experienced a number of the failings related to software security. I've worked through mitigating a few instances of those failings and recognize that certain choices make future security failures more likely.

I can't fix your security issues but there is simple advice that *may* help you deliver more secure software. A lot of security advice is pretty standard and I'm hoping to not repeat those items here.  

I'll do a spoiler for this post.

My advice is to at least minimally understand past and current security issues with the technology stack you are considering before fully committing. This doesn't mean read every known possible exploit but you should get to know general types and magnitudes of possible exploits across the stacks you are considering.

What?  Is that all?  How does that help me?

Let's say you have a number of Apache Struts applications as part of your intranet presence.  One day, management decides that there is a need for a great new whiz-bang public facing application.  So far, so good - we'll assume what they are asking for fits a real need and solves some problem.

You and your team have Apache Struts experience so you decide to just go with Struts as the MVC framework along with other existing and new technology. By templating off of existing internal applications, you produce a nice app very quickly.

Ok, so what is the problem?  When management sees large companies with lots of IT knowledge failing in the area of security - they may ask you what the security implications are for the app. At this point, you become very thoughtful regarding what to say.  You may indicate that you and your developers are following all the best coding practices and therefore the risk is minimal.

This is where I ask - are you missing anything? You may be following all the best coding and deployment practices, but in this day and age nearly every application being built is done so with the help of tons of open source software. Please don't take what I am saying to mean that open source software is bad, because it isn't - but you need to understand each package's security implications. Most open source software packages contain lots of features you don't need and may never use. Those features may give attackers a level of unauthorized access to your systems through things like configuration mistakes or oversights. Evaluating current and past security history is a good way to start understanding what general types of things may be found in the future.

For example, with Apache Struts - if you google for "struts 2 cve" you will likely find a link like:

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

This site maintains a list of known security vulnerabilities for a large number of software libraries, frameworks, packages, etc.  For Struts you will notice that the list of vulnerabilities is pretty long.

If this were 2015 and you made the decision to use Struts, you would have had the potential to be impacted by the items that WERE found after that - which included quite a few. Since it is now 2018, is Struts secure now? I only noticed 1 or 2 reports in 2018. In the end, you don't know what other security flaws are still unknown, but based upon history I would wager that some exist.

Software security management is less about absolutes and more about a level of security and your risk tolerance. Some software is less prone to security issues than other software for various reasons.  Going back to the example situation, if instead of Struts you had considered JSF and reviewed the CVEs for it:

https://www.cvedetails.com/vulnerability-list/vendor_id-5/product_id-13552/SUN-JSF.html

There is only 1 item - https://www.cvedetails.com/cve/CVE-2008-1285/.  Does that mean that JSF is super secure? Not necessarily.  It just means that few security flaws have been reported and show up at the CVE Details site for this specific Sun JSF implementation.  If you do some googling around further on JSF, you will find additional concerns about JSF implementations regarding view serialization which should be considered. So we can't say that JSF is "secure", but we can say that there is a difference in the known quantity and scope of issues between Struts and JSF.

So what do we get out of this exercise?  Knowing current and past security flaws in potential stacks allows you to select a stack that matches the application's actual security needs. The selection will almost certainly be a trade-off of some sort.  Common trade-offs I have encountered included security, scalability, staff knowledge/experience, ease of use and maintainability.
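The exercise above (browse a product's CVE list, count what landed after you would have adopted it, compare two candidate stacks "as of" a given year) can be made repeatable. The following is an added example, not code from the blog post; it assumes the JSON shape of the NVD 2.0 API (`vulnerabilities[].cve` with `published` and `metrics.cvssMetricV31`/`cvssMetricV2`) and uses constructed sample records so it runs offline. The CVE ids ending in EXAMPLEn are placeholders, not real CVE numbers; CVE-2008-1285 is the one id the post itself cites for Sun JSF, with an assumed score.

```python
"""Summarize a dependency's CVE history by year and severity before committing to a stack."""
import json
from collections import Counter

# Constructed sample data shaped like two NVD 2.0 API responses (one query per product).
# Ids ending in EXAMPLEn are placeholders, not real CVE numbers; all scores are invented.
STRUTS_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2014-EXAMPLE1", "published": "2014-03-02T00:00:00.000",
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}, "baseSeverity": "MEDIUM"}]}}},
    {"cve": {"id": "CVE-2016-EXAMPLE2", "published": "2016-04-26T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2017-EXAMPLE3", "published": "2017-03-11T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2017-EXAMPLE4", "published": "2017-09-15T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-2018-EXAMPLE5", "published": "2018-08-22T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]}}},
]})
# CVE-2008-1285 is the id the post cites for Sun JSF; the score here is assumed, not looked up.
JSF_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2008-1285", "published": "2008-03-11T00:00:00.000",
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]}}},
]})


def _best_score(metrics):
    """Pick one CVSS score: prefer v3.1, then v3.0, then v2.
    In v3 the severity sits inside cvssData; in v2 it is a sibling of cvssData."""
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            data = metrics[key][0]["cvssData"]
            return data["baseScore"], data["baseSeverity"]
    if metrics.get("cvssMetricV2"):
        m = metrics["cvssMetricV2"][0]
        return m["cvssData"]["baseScore"], m.get("baseSeverity", "UNKNOWN")
    return None, "UNKNOWN"


def normalize(nvd_json_text):
    """Flatten an NVD 2.0 response into {id, year, score, severity} records."""
    records = []
    for item in json.loads(nvd_json_text)["vulnerabilities"]:
        cve = item["cve"]
        score, severity = _best_score(cve.get("metrics", {}))
        records.append({"id": cve["id"], "year": int(cve["published"][:4]),
                        "score": score, "severity": severity})
    return records


def since(cves, adoption_year):
    """Ids published after adoption_year: what a team that picked the stack then was exposed to."""
    return [c["id"] for c in cves if c["year"] > adoption_year]


def summarize(cves, as_of_year, window=3):
    """Counts by year and severity, plus HIGH/CRITICAL items in the last `window` years."""
    recent = [c for c in cves if c["year"] > as_of_year - window]
    return {
        "total": len(cves),
        "by_year": dict(sorted(Counter(c["year"] for c in cves).items())),
        "by_severity": dict(Counter(c["severity"] for c in cves)),
        "recent_high_or_critical": sum(1 for c in recent if c["severity"] in ("HIGH", "CRITICAL")),
        "worst_score": max((c["score"] for c in cves if c["score"] is not None), default=None),
    }


def rank_by_exposure(candidates, as_of_year):
    """Order candidate stacks best-first: fewest recent severe CVEs, then fewest overall.
    This is one input to the trade-off, not the whole decision."""
    def key(name):
        s = summarize(candidates[name], as_of_year)
        return (s["recent_high_or_critical"], s["total"])
    return sorted(candidates, key=key)


if __name__ == "__main__":
    stacks = {"Apache Struts": normalize(STRUTS_SAMPLE), "Sun JSF": normalize(JSF_SAMPLE)}
    for name, cves in stacks.items():
        print(name, summarize(cves, as_of_year=2018))
        print("  exposed to after a 2015 adoption:", since(cves, 2015))
    print("preferred order by known exposure:", rank_by_exposure(stacks, 2018))
```

Swap the constructed JSON for the body of a real NVD query (or an export from the CVE Details pages the post links) and the same functions give you the "as of 2015 vs. 2018" view the post walks through by hand; the ranking is deliberately only one input, since the post's point is that staff experience, scalability and the application's real exposure weigh in too.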

When someone asks how secure your app is - you can report that the implementation stack and development practices were chosen to meet the actual security need. That doesn't guarantee that an app is secure but hopefully through the choices that were made the app will be less likely to experience a security issue.

In the scenario I described initially - a public facing app - I purposely left out some details to help demonstrate the idea.  If this public facing app was part of a kiosk that runs off a read-only DVD and isn't on a network, do I need to worry about hackers on the internet?  No, not really.  Could someone hack a kiosk?  Maybe under some circumstances, but is the risk or impact very high?  Doesn't seem like it.  So in this case, something like Struts is probably a fine choice if it meets other functional and soft requirements.

Now, if the public facing app was related to internet accessible airline reservations with some ties to airline traffic control - I would stick with stacks that have a much smaller list of known security issues and likely significantly different other attributes.

The hard part is making decisions for applications that are in the grey areas. If moderate money, reputation and/or liability is involved, I'd lean towards stacks with fewer security issues unless overridden by stakeholders or other requirements. In those cases, document the preferred stack and make note of why something else is chosen.

Disclaimer: Please note that my example scenarios are intended for demonstration only. 

Thanks for reading.
Scott


Proverbs 19:2 New American Standard Bible (NASB)

Also it is not good for a person to be without knowledge,
And he who hurries his footsteps errs.


Proverbs 14:15 New American Standard Bible (NASB)

The naive believes everything,
But the sensible man considers his steps.

Thursday, October 11, 2018

Buying a home - learn from others mistakes

If you read a number of my blog posts you likely read about various problems with the house we bought a bit over 1 year ago.  It has been a real money pit unfortunately - some of it expected, but a large amount of unexpected needs too. I like our house but I would have offered significantly less money if I had known about the type/extent of problems we would be facing.

Anyways, this is just a few words of wisdom for anyone looking for a house.

  • Don't use realtor recommendations for any of the services you need for the purchase.  Any bias in those that are recommended may result in you not getting the service you truly need/deserve. I'm not saying that anyone *will* outright cheat/steal/lie but you might not get a helpful opinion on something if there is any grey area. Examples where I think this played into our purchase are:
    • Home Inspector
      • There was some roof damage that was mentioned but was downplayed - "well, it might not be active".  I do think that the amount of damage and scope of it in the attic were probably big enough clues for someone that works in the field to make a reasonable call on this. I could be calling this one wrong but if I had hired someone of my choosing then I wouldn't have to question it.
      • There were statements that bathroom areas under the sinks were not fully investigated due to the "amount of homeowner belonging".  So basically, if stuff is in the way the home inspector won't move it. Ok, I can kind of see that - maybe.  Now in our case, I think the drain pipe in one particular spot was not "hidden" and when we moved in we found it had obviously been leaking for a long time. Again, I have to question whether the inspector should have noted this but recognize that if I had hired an inspector of my own I wouldn't wonder about any bias to make a sale more likely.
Hope these examples give you an idea of what you might run into. Even though it "was easy" to just go with the realtor's recommendations, it turned out more expensive in the end.

Have any pool inspected - especially an in-ground pool. Get an idea of how much lifespan remains before a big investment will be needed.  In-ground pools need resurfacing every so often. Pumps and filters need replacement.  

Another big one is in regards to the septic. If you buy a house that is on a septic system and not public sewer - do yourself a big favor and have the septic system checked out.  We didn't think of this and are now facing a "drain field failure" which might be very expensive. I don't think a septic inspection ever came up during the purchase process and I am pretty surprised in a way. We question whether the original owners were aware of the situation - I can see the potential for/against that.  I would like to believe they didn't but the fact is that they had to know about the large holes in the shed roof and floor that had been hidden so who knows regarding other stuff.

I won't bear any ill will toward them even if they did know. The wife had Alzheimer's disease and they appeared to be hurting a bit for money due to that. I do hope that my family isn't stuck in a bad situation because of this though. As is, I'm likely facing a job loss by late June 2019 due to outsourcing - so I really could have done without the need for a substantial home equity loan to cover all the home repairs.  Have to remind myself often that God is in control though. 

Hope this helps someone out there.  

Scott