Month: November 2019

Article originally posted on InfoQ. Visit InfoQ

Are you ready to uncover emerging trends, techniques, and tools in software development that will help you grow your career, build your network, and lead your team in 2020? Be part of QCon London, March 2-6, 2020, and join over 1,600 software leaders and their teams.

At QCon London you will meet peers from Apple, Udemy, Tessella, BBC, ING Bank, Spotify, Accenture, UBS, Orange, Ericsson, Webstep, Deutsche Telekom and VMware. You will also learn from expert practitioners working on a range of innovative projects, as they share their use cases, experiences, and recommendations to help you scale your projects and teams.

QCon is designed to help you meet with peers, share common challenges, and find solutions from the global software developer community. Join one of the technical sessions, participate in an informal “Ask Me Anything” (AMA) with speakers, or raise the topics you’d like to discuss in an Open Space session.

I think that after QCon I have a clear vision for at least 2 years about what is happening in IT. The vision includes technical aspects and human ones; some talks challenged even my convictions. I met my superstars ( I never thought I would be seeing Martin Thompson in reality, I was so excited to see Jessie Frazelle)

– Safa Mabrouk
Senior Developer @OCTOTechnology

The closing Keynote and an early preview of confirmed speakers

QCon London Closing Keynote: Richard Wiseman, Author of the Luck Factor

Richard Wiseman will present the closing keynote at QCon London 2020, titled “Shoot for the Moon“, in which he will discuss the history of Nasa’s Apollo space missions Richard Wiseman is the only Professor of the Public Understanding of Psychology in the United Kingdom. Scientific American described him as “… the most interesting and innovative experimental psychologist in the world today.” He has written several best-selling books and has given keynote addresses to The Royal Society, the Swiss Economic Forum, Google and Amazon.

Here are some of the other speakers who will be sharing their practical insights this March:

• Marc Brooker, Senior Principal Engineer @awscloud, talking about Distributed Systems
• Katie Gamanji, Cloud Platform Engineer @condenastint, talking about Kubernetes & Cloud Architectures
• Patrick Kua, Chief Scientist @n26, talking about how to build culture between organizations

Each curated “editorial” track is a collection of software topics chosen by a domain expert that focuses on key aspects in areas such as culture, data science, machine learning, front-end technologies, and architecture. Take a look at the QCon London 2020 hosts and tracks:

• Cindy Sridharan, Distributed Systems Engineer. Track: Leaving the Ivory Tower: Modern CS Research in the Real World
• Martijn Verburg, Principal Engineering Group Manager (Java) at Microsoft. ex CEO at jClarity (acquired by MSFT) & CxO / start-up mentor. Track: Evolving Java
• Anastasiia Voitova, Security Enthusiast & Product Engineer @cossacklabs. Track: Scaling Security, from Device to Cloud
• Nicki Watt, Chief Technology Officer @OpenCredo. Track: Streaming Data Architectures
• Cassandra Shum, Technical Director of Cloud Solutions and Partnerships @ThoughtWorks. Track: Full Cycle Developers: Lead the People, Manage the Process & Systems
• Greg Hawkins, Former Chief Technology Officer @starlingbank. Track: Growing Unicorns in the EU: Building, Leading and Scaling Financial Tech Start Ups
• Jay Alammar, VC and Machine Learning Explainer @STVcapital. Track: Machine Learning: The Latest Innovations
• Justin Cormack, Developer @Docker. Track: Modern Compilation Targets
• Thomas Betts, Lead Editor for Architecture and Design @InfoQ & Principal Software Engineer @IHSMarkitTech. Track: The Future of the API: REST, gRPC, GraphQL and More

Take a look at all our 2020 tracks and hosts

Registration is £1,565 (£425 off) for the 3-day conference if you register before Dec 14th.

Article originally posted on InfoQ. Visit InfoQ

This is the Engineering Culture Podcast, from the people behind InfoQ.com and the QCon conferences.

In this podcast, recorded at the Agile on the Beach New Zealand conference, Shane Hastie, Lead Editor for Culture & Methods, spoke to Michael & Audree Sahota about their work on helping leaders change to enable high performance

Article originally posted on InfoQ. Visit InfoQ

Kelly Shortridge from Capsule8 talked at the Velocity conference in Berlin about how using chaos engineering can help to integrate Infosec within a DevOps culture. Shortridge discussed how distributed, immutable, and ephemeral infrastructure, or the D.I.E. triad, is an organizationally friendly way to building security by design. With this triad, users can continuously raise the cost of the attack.

The D.I.E. triad is about the ability to be resilient and recover effectively, whether in the face of threats to performance or security. It’s a triad that promotes quality making systems more secure, helping Infosec to integrate with DevOps. Shortridge stressed that the infosec industry for decades had espoused this idea of building in security by design. The D.I.E. triad is an organizationally friendly way to do so because it supports the work the team does to have reliable systems.

D.I.E. is an acronym where D is for distributed, meaning that service outages like a denial of service are less impactful. I is for immutable, meaning that changes are more comfortable to detect in reverse. And E is for ephemeral, where users try to reduce the value of assets as close to zero from the attackers’ perspective. These system properties are what chaos security principles will help to build secure systems by design. Starting with the expectation that security controls will fail, and organizations must prepare accordingly. Then, embrace the ability to respond to security incidents instead of avoiding them.

Shortridge recommended using game days to practice potentially risk scenarios in a safe environment. Moreover, she recommends using production-like environments to have a better understanding of how things will work in a complex system. Also, Shortridge recommends starting with simple testing before moving on to more sophisticated testing. For instance, build tests that users can run effectively with accessible scenarios, something like phishing or SQL injections.

When talking about distributed systems, Shortridge mentioned that multi-region services are a way to mislead attackers. With load balancing in place, teams can rapidly redeploy services, can change the composition of how services look and where they’re set up. For instance, shuffling IP blocks and make them different regularly. Or, if using a service mesh, configure the mesh so that attackers are forced to escalate privileges, like the IP tables layer, to access and modify access control capabilities. The net result is to change the lateral movement game for attackers, how they move from resource to resource.

Then, Shortridge talked about how to continue applying chaos security principles with immutable infrastructure. Data can’t be stored on disk because they’ll disappear and come back like a phoenix, as Martin Fowler puts it. Immutable systems restrict the ability for teams to write or modify systems in any way. Ensuring immutability involves testing for unauthorized changes, then ensuring they’re being detected and reversed. Users are either preemptively shutting down under attack or are preemptively shutting down a performance failure. And as Shortridge puts it, this approach helps to make systems more resilient.

Shortridge also stated that the infrastructure that could die at any moment is a nightmare for attackers because it generates a formidable level of uncertainty when they persist. For instance, completely restrict shell access to servers. If shell access is disabled, it’s much harder for attackers to access or modify servers without being noisy in their operations.

Finally, Shortridge covered the ephemeral portion of the D.I.E. triad. Most security bugs are state related; if users get rid of the state, they get rid of the bugs and vulnerabilities. Ephemerality reduces the ability for attackers to persist in the system, and they don’t rely on persistent storage, which makes the window of opportunity for the attacker to seize data, minimal.

Chao testing ephemerality can include checks that the system doesn’t accept outdated resources anymore. For instance, a test can change API tokens to simulate the “sign out of all sessions” functionality in a browser. Then, by injecting old API tokens, users can confirm if the API is still accepting expired tokens. The result is to ensure the verification process is working and applications aren’t expecting old tokens, which would defeat the point of ephemerality.

Shortridge closed by saying that chaos resilience represents a natural home for Infosec. For Infosec to evolve from a silo model to embedded throughout the SDLC, responsibility, and accountability, have to be unified just as dev and ops had to go through the same evolution.

Article originally posted on InfoQ. Visit InfoQ

WebXR, the in-progress standard for virtual and augmented reality on the web, is now available in Chrome 79. After preliminary work on WebVR was superseded by WebXR, Chrome becomes the first production browser release supporting portions of the new standard.

Current Chrome support of WebXR focuses on the virtual reality portion of the WebXR standard, with the augmented reality portions of the standard remaining a work in progress. The GamePad API was also updated in Chrome to support controls within VR.

The Chrome team describes WebXR as the foundation for the immersive web, providing viable experiences using web technologies for games, 360° videos, traditional 2D or 3D videos presented in immersive surroundings, home buying, product viewing, art, and more.

As is common with other APIs like audio and video playing, a website or web app cannot leverage the WebXR API until the user interacts with the user interface. There are many key concepts to learn to leverage WebXR:

• WebXR sessions: Using feature detection, developers listen for an immersive-vr session and then create an XR-compatible WebGL canvas context.
• WebGL canvas: Drawing is done to this canvas via WebGL APIs, with various reference spaces available to describe the perspective of WebGL drawings.
• Frames: Frame loops and requestAnimationFrame get leveraged to animate over the canvas context to provide an immersive experience.
• Poses: Poses provide position and orientation of a thing in immersive space, to understand where the viewer is within the WebXR space.
• Views: XRView represent a full or partial display with information to render content positioned for the device and the viewer.

WebXR support in other browsers is under active development. Firefox retains support for the earlier WebVR proposal while working on efforts to support WebXR. Other Chromium-based browsers, including Edge, are expected to provide WebXR support soon.

Virtual and augmented reality is a substantial advancement for the web ecosystem, and getting support for WebXR is a high priority for all browser vendors. Support for the virtual reality portion of WebXR is expected to arrive in all evergreen browsers in 2020.

Article originally posted on InfoQ. Visit InfoQ

In a recent blog post, Google announced several new runtimes for the App Engine service on its cloud platform. These runtimes are Node.js 12, Go 1.13, PHP 7.3 and Python 3.8.

The previous month the tech giant made the App Engine standard environment Java 11 runtime generally available to allow developers to deploy any Java 11 application, web framework, or service in a fully-managed serverless environment – which now also account for applications written in Node.js 12, Go 1.13, PHP 7.3 and Python 3.8. That is, PHP 7.3 is generally available while the other runtimes will be in beta. 

Rishi Sharma and Morgan Hallmon, both on the App Engine team at Google, stated in the announcement blog post:

These latest additions to App Engine mean that you can build applications with your favorite tools, libraries and frameworks with today’s most popular languages.

Each runtime offers new features and optimizations in their latest versions ranging from multibyte strings in PHP 7.3 to lower memory footprint in Go 1.13. Furthermore, all runtimes are supported on the App Engine standard environment – container instances running on Google’s infrastructure. A container can be preconfigured with one of the runtimes. 

Furthermore, an application build in one of the runtime respective languages running in the standard environment has an instance class, which determines compute resources and pricing. The instance class is bound to the runtime generation – the latest runtimes are all second-generation runtimes providing memory per instance class up to 2048 MB memory and 4.8 GHz CPU.   

Currently, Google App Engine’s counterpart on the Azure Platform – App Service supports ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. The runtime versions of Java, Node.js and PHP App Service supports are similar or less than Google’s App Engine. Furthermore, the other prominent cloud provider Amazon offers AWS Beanstalk service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go. Again, the supported runtime versions of Java, Node.js and PHP are similar or less than the Google App Engine.

Note the listed language runtimes are supported on the respective native engines. Furthermore, App Service and AWS Beanstalk offer a similar concept of instances (infrastructure) to run applications with various memory and compute options.

Article originally posted on InfoQ. Visit InfoQ

Building a new native mobile app requires a lot of work since it is necessary to code it in Kotlin/Java for Android, and then again in Objective-C/Swift for iOS. In the past, Dropbox and Slack had been implementing a strategy to share code between platforms, building a shared library in C++, until recently, when they decided to get rid of this.

Recently, Eyal Guthmann from Dropbox and Tracy Stampfli from Slack explained why they decided to get rid of C++, focusing instead on the native languages of both platforms. Let’s explore the reasons.

In 2013 Dropbox adopted a pretty simple technical strategy to share code between Android and iOS: write once in C++, instead of Java/Objective C. The Dropbox team was relatively small, and they needed to ship lots of code on both iOS and Android.

According to Guthman, Dropbox abandoned that strategy due to the (not so) hidden costs associated with code sharing.

By writing code in a non-standard fashion, we took on the overhead that we would have not had to worry about had we stayed with the widely used platform defaults. This overhead ended up being more expensive than just writing the code twice.

That overhead led the Dropbox team to build frameworks and libraries, such as Djinni, which is a tool for generating cross-language type declarations and interface bindings; a framework for running tasks in the background vs the main thread, which is a trivial task when performed in Kotlin/Swift; the json11 for JSON (de)serialization; and nn, non-nullable pointers for C++.

Moving away from the platform’s default like Android Studio/Xcode was also a big overhead for the Dropbox team. Guthman mentioned a debugging experience in which a bug was causing a deadlock in a background threading framework, leading the app to randomly crash. It took weeks to get fixed because it involved debugging multi-threaded code running back and forth between C++ and Java.

Handling differences between the platforms was also a big overhead; even the execution of a task in the background or how to interact with the camera roll can become a problem. The team had to spend a lot of time integrating code into different platforms and writing platform-specific code, and sometimes that code ended up in the C++ layer itself.

Training, hiring and retaining developers is also a big challenge. Guthman said that at the beginning of the strategy they had a group of experienced C++ developers, and this group started the C++ project and trained other mobile developers. Over time, these developers moved on to other teams and other companies, and the engineers who remained did not have sufficient experience to fill the technical leadership gap. They tried to hire candidates with this very specific skill set (mobile/C++ developer) for over a year with no success, and in the end, mobile developers did not want to work in a C++ project and some of the talented mobile engineers left the project.

At Slack, the story is not so different; they built Libslack, a C++ library to encapsulate shared business logic, and to handle syncing and caching data. The initial plan was to use Libslack in desktop, iOS, Android, and Windows Phone clients, but due to some conflicting caching strategies, only iOS and Android really used Libslack.

According to Stampfli, at Slack as well as at Dropbox, there was overhead after Libslack. Slack added Libslack when its mobile apps were already mature, so it was replacing existing functionality, and it had to fit into two different established architectures. Before Libslack, every mobile client was shipped on a different schedule, and after Libslack, they shared the same release cycle. This brought problems such as determining what to hotfix, since most of the mobile engineers at Slack were not familiar enough with C++ and the processes for building and debugging Libslack to help fix issues in the library.

Many of the drawbacks Dropbox experienced with their shared library rang true for Slack as well. As described in our previous post about Libslack, there were certainly benefits to sharing code between client applications – a shared library increases consistency of behavior and prevents duplication of similar business logic in every Slack client, for example. However, there are also downsides to this approach.

Stampfli mentioned that just as Dropbox experienced, hiring mobile engineers with C++ experience is hard, which would have made it difficult to grow and sustain Libslack.

In the end, Slack decided that the overhead of developing the library outweighed the benefits and they therefore sunsetted the project, moving back to a native approach using the specific platform language to implement Libslack’s functionality separately in each client application.

You may be thinking, why they didn’t use frameworks like React Native, Flutter, Cordova, Ionic, or any other framework?

Well, in Dropbox’s case, when they started, Swift or Kotlin didn’t even exist. React Native and Flutter are relatively young frameworks, and even some companies such as Airbnb, who were using React Native, decided to sunset its use of React Native for a number of similar reasons, such as debugging problems.

Article originally posted on InfoQ. Visit InfoQ

The book Mastering Professional Scrum explores how using the Scrum values and focusing on continuous improvement can increase the value that Scrum Teams deliver. Stephanie Ockerman and Simon Reindl explain how professional Scrum teams can be focused and committed to delivering a Product Increment every Sprint, and how they leverage empiricism to improve themselves.

By Ben Linders, Simon Reindl, Stephanie Ockerman

Article originally posted on InfoQ. Visit InfoQ

At the recent Ignite conference, Microsoft announced several updates to their Azure Security Center offerings. These updates include enhanced cloud resource threat protection, Customer Lockbox extensions, the release of a Secure Code Analysis toolkit, additional support for Azure Disk Encryption, certificate management extensions, API automation and partner integrations.

Microsoft continues to make investments in Azure Security Center, regardless of the workload that customers are running. These workloads may include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), containers or partner solutions.  Gilad Elyashar, a principal group pm manager at Microsoft,  explains why this is important:

With Azure Security Center our goal is to protect every cloud workload and we have made progress to that goal with new support for containers, and SQL in virtual machines. We continue to focus on making sure you can maximize your valuable time addressing important security issues with new quick fix capabilities so that you can secure multiple items at once, far faster than before.

Azure Security Center provides organizations with a unified experience for managing cloud and on-premises security posture within the enterprise. While Microsoft provides many first party security services that plug into Azure Security Center, customers also leverage other tools provided by 3rd party vendors.  One of the new partner offerings in Azure Security Center, is integration with Qualys, which provides vulnerability assessments for virtual machines and its outputs are included in an organization’s secure score. 

Qualys is not the only 3rd party to introduce integrations with Azure Security Center. Elyashar explains:

You’ll be pleased to know that we now include Qualys vulnerability assessment for no additional fee in Azure Security Center standard edition so that you have a richer set of security recommendations.  We are further extending Azure Security Center to include partner recommendations from Check Point Cloud Guard, CyberArk and Tenable.

Secure score is a feature available inside of Azure Security Center that allows organizations to detect misconfigurations or assets that do not have the latest security patches applied. As part of these recent updates, Microsoft has simplified the scoring model to improve the reliability and visibility of calculated scores. In addition, support for custom assessments, created within Azure Policy, have been incorporated into the secure score.

Quickly responding to threats can limit the impact of a cyber breach. Microsoft provides APIs that enable automation and have recently created an API connector for Azure Logic Apps, their Integration Platform as a Service (iPaaS), that allows security analysts to subscribe to security events and then automate the triage of those events.

Customer Lockbox is a service that provides customers with more control on how Microsoft support engineers access their data, for support purposes. Microsoft has recently added more services that support Customer Lockbox, including Azure Storage, Azure SQL Database, Azure Data Explorer, memory dumps from Azure Virtual Machines and transferring Azure Subscriptions.

Microsoft is also providing organizations with tooling that allows them to build more secure applications by integrating analysis tools like Credential Scanner and Binskim into Azure DevOps continuous integration and delivery (CI/CD) pipelines. These analysis tools will look for viruses and malware on your build agent, detect unprotected secrets, certificates and provide recommendations for code readability and maintainability.

Azure Disk Encryption allows customers to provide their own keys that further safeguard their data. Initially, this capability was available for Azure Virtual Machine disks. Microsoft has recently provided preview support for disk encryption for services like Azure Event Hubs, Azure Managed Disks and Power Bi.

Lastly, Microsoft is simplifying how organizations manage certificates within their applications. Azure now provides TLS certificates at no cost to customers that can be added to custom domains hosted in Azure services such as Azure CDN, Azure Front Door and Azure App Service.