Thursday, October 2, 2014

Do it yourself usability design for developers

Usability
Learnability - how long to learn the first simple task
Efficiency - how long for an experienced user with a difficult task
Memorability - how long for an experienced user who's been away and is coming back to complete a difficult task
Errors - how many errors and recovery time
Satisfaction - feel good factor

The curse of knowledge: what to tell users to train them, not too much nor too little.
You can't really see the UI from the user's perspective; they get stuck.



Process and tools
Look at other crafts. Painters create sketches and study posture. We should take the same approach.
Two curves: complexity (start low) and parallelism (start with many designs and eliminate).
Don't get attached to a design; it's easier to take feedback if you have several versions in parallel.
Sketches are important. As many as you can think of: 5 minutes, 6-8 sketches. Get into flow.
Paper prototype. Create all the screens. One person plays the user, another the computer, swapping screens.
Lo-fi prototype. Wireframe designs, or PowerPoint made interactive (only good for simple cases though). Can be used by many.
A simplified app with very little logic is an alternative.
Lo-fi can leave you frustrated.
Hi-fi prototype. Usability questions should be answered. Not all functionality.



Ux techniques
Field study. Watch users doing tasks. Check out the competition or manual workarounds.
Persona. A description of a user group, a typical representative. Used to answer questions. Have empathy for the character. Difficult to create.
Proto-persona. An ad-hoc persona that you keep improving. A guess.
Empathy map. (diagram)
Heuristic evaluation. Colleagues from another team or project. These experts do tasks and report against heuristics: visibility, match between system and real world (same terms?), user control and freedom (recover from errors). Report on the most important heuristics. Can produce false positives. Low cost.
Usability test - mics and cameras. Usually out of reach because of cost; the alternative is screen recording or screen sharing. Participants should never have seen the app before (Craigslist). Important to stress that the app is being tested, not the participant. Getting stuck is fine. No help during the test. Ask them to think out loud. The whole team should evaluate. 3-5 participants is enough, then fix, then another round.


Rich HTML5 Web Apps: Typesafe Edition 2

Java web framework errai.

Web design vs web development: what's the overlap?
JSPs are hard to deal with.
Angular.js also mixes logic and design.
Take plain HTML and attach behavior with Java.

@Templated, @Page annotated class
@DataField on textbox, button
@EventHandler for click event

Java class has the same name as the HTML template.
HTML id attributes line up with Java members.

Compile source files twice: javac, then GWT to get runnable JS.
Java-to-JS compiler
Cross browser
Up-front optimizations
Client and shared folder contents are compiled to JS.

Security, CDI, JPA, mobile support, data binding, page navigation

Vertical repetition: code duplication between client and server.
Horizontal repetition: code duplication in client.

Can use JAX-RS annotations

Can debug.

@RestrictedAccess for security; can be constrained to roles.

Habits of Highly Effective Technical Teams

JClarity

Social interactions at the fore.
Communication key.
Loss leads to finger-pointing and loss of collaboration.
Needs lots of interactions every day, standup, etc.
No more than 150 people.
No boys' clubs, all inclusive.
Lone coder in corner vs tiger team
Collaboration much better.

Strong leadership throughout
Each member makes autonomous decisions in own realm.
Most junior devs should be 100% responsible. Let them make mistakes. Do not get tied to leadership role.
Leaders != managers
Servant leadership, remove crap out of dev's way.

Empowerment vs control
Orgs tend to create structure but it becomes inflexible.
Bad in fast moving market.
People are promoted to level of incompetence.
Devs make poor managers.
Let people make technical decisions.
No ivory tower architects making decisions
Make your colleagues faster.
Empower down the line.

Shared goals.
Specific, measurable, attainable, relevant, time bound.
Everyone has individual goals.
Have team come up with goals.
Some giant companies have competing products.

Respect and trust
Respect is an unassuming resounding force.
It is the stuff that equity and justice are made of.
Trust should be there from the start.
Does the whole team have prod access.
Performance is measurable.

Common culture
Can be very difficult. Ethnicity, generation, gender, etc.
Not the company motto or table tennis table.
Need inclusive culture with shared values, e.g. never screw customer.
Tech Fridays, team members presentations at lunch.

Automation and tools
Setting up environments wastes time.
Use emerging tools.
Jenkins, Chef, puppet, vagrant, maven, gradle.
Automate away time wasters, timesheets, etc. Anything not core to development.

Encourage debates
We all think we're right. Arguments are disruptive and can destroy a team.
Many people fear conflict.
Many cultures avoid conflict.
Assumptions need to be challenged.
Debates can lead to arguments.
Set up a debate framework: no shouting or bullying, breaks, empirical beats intuition, leave no one behind, everyone should have their say.
BlackBerry crushed debate.

Measuring subjective decisions
Set out criteria
Make weightings.
Run the numbers.
Prototype the top two, use hardest requirement.

REST Assured: Hypermedia APIs with Spring MVC

Pivotal

HATEOAS: hypermedia as the engine of application state.
Hyperlinks in the response.
State navigations are discoverable.

How to represent links in JSON? A _links {} node; HAL is an option.

Spring HATEOAS GitHub project, a library.
ResourceSupport adds the links node.
resource.add(new Link())
Facility to create absolute URLs.

An annotation to enable HAL _links comes with Spring HATEOAS.
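Added example (not code from the talk or from the Spring HATEOAS project): a small Spring MVC controller wiring together the ResourceSupport, Link and link-builder facilities noted above, using the 2014-era API (ResourceSupport/Resources; later versions renamed these). Book, BookResource, BookController and the "reviews" rel are made-up names.

```java
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.linkTo;
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.methodOn;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.hateoas.Link;
import org.springframework.hateoas.ResourceSupport;
import org.springframework.hateoas.Resources;
import org.springframework.hateoas.config.EnableHypermediaSupport;
import org.springframework.hateoas.config.EnableHypermediaSupport.HypermediaType;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Turns on HAL rendering: the links held by ResourceSupport are serialised as the "_links" node.
@Configuration
@EnableHypermediaSupport(type = HypermediaType.HAL)
class HalConfig {
}

// Constructed domain object, not from the talk.
class Book {
    private final long id;
    private final String title;

    Book(long id, String title) {
        this.id = id;
        this.title = title;
    }

    long getId() { return id; }
    String getTitle() { return title; }
}

// Representation sent to the client. Extending ResourceSupport adds the links node;
// the client navigates by following rels instead of building URLs itself.
class BookResource extends ResourceSupport {
    private final String title;

    BookResource(Book book) {
        this.title = book.getTitle();
        // Absolute self URL derived from BookController's request mapping.
        add(linkTo(methodOn(BookController.class).one(book.getId())).withSelfRel());
        // Link built by hand with the Link(href, rel) constructor; "reviews" is a made-up rel.
        add(new Link("/books/" + book.getId() + "/reviews", "reviews"));
    }

    public String getTitle() { return title; }
}

@RestController
@RequestMapping("/books")
public class BookController {
    private static final String HAL = "application/hal+json";

    // Constructed sample data standing in for a repository.
    private final List<Book> books = Arrays.asList(
            new Book(1, "Constructed title one"),
            new Book(2, "Constructed title two"));

    @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = HAL)
    public BookResource one(@PathVariable("id") long id) {
        for (Book b : books) {
            if (b.getId() == id) {
                return new BookResource(b);
            }
        }
        throw new IllegalArgumentException("no book with id " + id);
    }

    // Collection resource: Resources wraps the list and carries its own self link,
    // so the client discovers the list and every item from one entry point.
    @RequestMapping(method = RequestMethod.GET, produces = HAL)
    public Resources<BookResource> all() {
        List<BookResource> list = new ArrayList<>();
        for (Book b : books) {
            list.add(new BookResource(b));
        }
        Resources<BookResource> resources = new Resources<>(list);
        resources.add(linkTo(methodOn(BookController.class).all()).withSelfRel());
        return resources;
    }
}
```

ControllerLinkBuilder derives the absolute URL from the current request's host and context path, so a reverse proxy in front of the app must forward the external host for the generated links to be usable.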

Book: REST in Practice

We should look at that git project.

Java in the Cloud: The Good Parts

And other Google cloud innovations for developers.

Google cloud Platform

Cloud allows you to iterate quickly and fail fast, with a low cost of entry.
Don't want to manage clustering and security; it takes whole teams to focus on that.

Google, Amazon, Heroku, Pivotal Cloud Foundry, MS Azure all support Java.
Not Java EE. Meant to offer services in a container. A bunch of APIs, some of which don't work in a cloud, e.g. WebSockets.
May take the web profile and expand it to the cloud, or repackage.

NoSQL DB + Memcache + stateless front instances

Focus on services. Ask for one and instantly be given a fully configured one, e.g. DatastoreFactory.

Injection. Spring > Guice (@inject) > Dagger

Jetty 9 in Google App Engine.
Since 2008.
Small footprint, scales well, modular (important).
Java EE scanning in the cloud wastes resources, has latency issues, and has security issues (unknown jars).

Demo.
Jetty quickstart: 800ms startup vs 3secs; 500ms tweaked. web.xml 500 lines, a lot of stuff: all the discovered bits (context params, initializers, annotations and classes, TLDs, listeners, servlets) pre-parsed.

GlassFish 12ms, Tomcat 5sec, Jetty < 1sec.

Now no longer deploying a war but rather a Docker container including the app and a slim Linux.
Add App Engine params to web.xml.
Docker file is an image.
The same app in Google App Engine ran in 1.7sec.

Wednesday, October 1, 2014

New and Noteworthy in Jersey 2

Oracle Application Server Group

2.13 released

Reactive client:
Describes data flows and dependencies.
E.g. travel agency: travel to a new destination, get recommendations, forecast and cost.
An orchestration layer handles the various REST calls and creates the result: AgentResponse.
1st option is synchronous. Slow, and could be done in parallel.
Async using callbacks is the alternative. More complicated, callback hell; .async() in the call chain.
Better is Observable (Java 8).
Best is .rx() and .flatMap() in the call chain.


Security
OAuth2
Get an access token from a 3rd party.
Openid int.
2012 for client, still not in server-side
SimpleOAuthService

Monitoring and Tracing
Default is info log level and exceptions are not logged.
jdk.logging properties
Response headers.
ServerProperties tracing variable set to "all" (a system property). Also on demand using a request header.
Another system property for monitoring; access it using the JMX console.

NASA Mission Software Development on the Eights: Java 8, JavaFX 8, and NetBeans 8

a.i. solutions

One of the drone guys + his colleagues. 30 aerospace missions daily.

All Java development. Flexible, agile, new talent, lifecycle bang for the buck.

Move to 8 was seamless, worked out of the box.

Benefit to customers: modern, latest talent.

Demo of NetBeans Platform app.
JavaFX 3D globe scene, satellite tracking.

DSCOVR - Deep Space Climate Observatory
Going to L1.
Had to use STK (JNI), MATLAB (Java). Made extensive use of NetBeans wizards. The plugin architecture helped.
Demo of app.
Using WorldWind.

Research software exploring Jupiter and moons gravity wells. Very complex. Lots of data.
Lots of visualizations.

Contact Analysis Visualization Tool
Demo
Nimbus dark L&F
JavaFX scatter chart
WorldWind was Swing inside a JavaFX app, using Lookups

Deep Space Mission Design
Going to Saturn's moon, calculate trajectory.
Demo
Using JavaFX Tasks so as not to block the GUI.

Spring 4TW!

Josh Long, Pivotal /Spring

Spring.io website
Guides section important
4.1.1 just released.
Baseline: Java SE 6 and Java EE 6 (servlet 3.0)

New:
@Autowired, @Lazy
Ordered injection
Construct beans with no default constructor.

Also supports Java EE 7 and Java 8

Spring Boot demo

Spring Boot is a simplification of all Spring apps.
@EnableAutoConfiguration
@DBRef for MongoDB
@Service
@Bean
@RestController - drop @ResponseBody
UriComponentsBuilder as a REST method argument to build URLs
ResponseEntity.created()
Embedded Tomcat or Jetty container.
Thymeleaf - jsp templating engine
@EnableWebSocketMessageBroker

Configure boot
HealthIndicator example.

Tuesday, September 30, 2014

Productive JavaFX 8

Adam Bien

MVP: model view presenter.
Afterburner Apache project framework, giving inversion of control.
FXML comes with JavaFX.

Coding demo from scratch.
WYSIWYG GUI editor in NetBeans.

The presenter works like a controller, injected with the widgets designed in FXML.
Private members need the @FXML annotation; public ones get it for free.

Model holds state, service talks to the backend, both POJOs.
Everything injected is a singleton.

Lambdas supported.

Creating Our Robot Overlords: Autonomous Drone Development with Java and the Internet of Things

Quadcopters with Rick Astley in the background. Could it get any better?

Agenda:
Autonomous flight
Anatomy of a quadcopter
Raspberry pi
IoT
3D flight sim
Self aware drone


Autonomous flight:
Choosing a drone with an API, $300.00
Brain: Raspberry Pi
Power
Making it all work

Parrot AR.Drone 2.0
Good community
Java, Parroteer API

Raspberry Pi Model B
2 Wi-Fi adapters
16GB SD card
10 minute battery by default, switched out for a larger one
Pi was the wireless access point

Power supply for the Pi on board added weight. Couldn't power it through the quadcopter's power supply.

Key is the firmware controller on the drone.
Pi had a USB mobile phone charger, Ethernet cable.
Keeping the connection took tweaking.

IoT on NetBeans.
MQTT broker, pub-sub messages.
Drone provides data back: navigational, error, etc.

Demo!

Downward camera detects an orientation roundel (target) to set home. It then records and reports deltas based on motor use and tilt to give a vector.

3D simulation
Mesh of a TIE fighter.
Lambda function.
Duration- and power-based actions.
Stage demo with the TIE fighter.

Self-aware drone: more sensors, more power and weight, maybe new platform.

Coding for the Future: The IDE (R)evolution for the Next Generation


Coding for the future
Director of NetBeans engineering

The road to here:
  • IDE wars in the 2000s
  • Soon a two-horse race between NetBeans and Eclipse
  • Most moved to building Eclipse plugins.
  • IntelliJ commercial
  • Then an evolution occurred that took project data out of the IDE and stored it in Ant, Maven, Hudson, etc. Devs can now use the IDE of their choice on a shared project.

Recent trends:
  • Polyglot world, outside Java.
  • Code completion, debugger, etc.
  • JavaScript a big player, difficult to tool.

Is Java tooling mature:
  • Debugger, compiler, error handling, etc. now widely available.
  • Mostly enhancement requests now.
  • WYSIWYG where possible.

Web IDE
  • Code editor in the browser
  • Orion is an e.g.
  • Combination of editor and cloud platform
  • Mostly for web client technologies. Easy to tool to run in the browser.
  • Feature set in a web IDE is lower, and so are expectations.
  • How to integrate with the back end.
  • Lose performance compared to a standalone IDE.
  • Offline mode is a problem.
  • Not a replacement.

Opportunities for growth:
  • Interacting with managed systems, clouds.
    • Much different from deploying a war to a local server.
    • Amazon, Google, MBaaS.
    • Hard to emulate on a local machine.
    • Really only write custom code; the rest is provided.
    • Will always need IT people, which is a wall.
    • Tools don't allow for easy debugging.
  • Combination with developer services
    • CI + code analysis + git
    • Rule based propagation
    • CI + indexing with Maven is a problem. Stop indexing libraries.
    • Run code analysis on the git repo. Should have find references etc. Warnings on stable code etc.
  • Configuration Management
    • Setting up dev env locally.
    • Painful
    • Changing projects can become expensive.
    • Encapsulate dev and execution envs. One click setup.
    • What to use for encapsulation? 
    • VMs? Gets expensive for multiple users. Local IDE with remote source can be a problem in some IDEs.
    • Containers on a hosted cloud service. Is it the same env? Security. Local IDE, remote source problem.
    • Containers not really isolated.
    • Locally downloaded containers. Same source problem.
    • Container density limited if using big systems like WebLogic.
    • Docker improving.

Who is well positioned to deliver?
  • Difficult to charge for a browser-based IDE.
  • Primary value is cloud integration.
  • Have your own cloud or partner with one.
  • Amazon and Google integrating their own small infrastructures.

NetBeans pitch
  • Split UI from logic
  • Run in a multi-tenant server
  • Core libs as services.
  • Oracle Developer Cloud Service
  • Tailwind code editor
  • Various cloud services

Jump-Starting Lambda Programming


Stuart Marks
Principal Member of Technical Staff
Java Platform Group, Oracle

Intro-level lambda coding and the Streams API

Example Person.java
Application robocall()
For loop over a list of persons

Change code to also check age > 18 or 17, etc.
Use parameter age

Parameterization is key.

Change to also check minimum age. Refactor with age range.

Now also need males only in some cases. Hard to parameterize: nulls can mean don't care or don't know.

After a while, value parameterization becomes a problem.

Caller wants to determine whether to robocall.
Library needs those parameters.

This is a function: takes a Person, returns a boolean.
It's like an anonymous inner class.

Let's create PersonPredicate, a function that takes a Person and returns a boolean (Person to boolean). The compiler determines whether a lambda matches it based on the input and return types.

Pass the PersonPredicate as an argument to robocall.

The caller has to create a PersonPredicate, which is ugly: an anonymous inner class.

Passing behaviour before java 8.

A lambda can replace it.

robocall(p -> p.getAge() >= 16)

Equates to a PersonPredicate, or a compile error. No need to declare types.

A lambda is an abbreviation for an anonymous inner class.

There are expression lambdas, which have no return statement, and statement lambdas (block bodies) with a return statement.

Zero args must have ().
Two or more args must be written as (a, b).

Method reference Person::toString
Same as p -> p.toString()

Need another parameter to say what to do with the selected persons.
PhoneNumberConsumer with accept()
Now have two functional interfaces.

New requirement: multiple numbers.
Create another behaviour parameter.
PhoneNumberFromPerson with apply(): takes a Person, returns a number.

Now three lambda-expression arguments, i.e. three single-method interfaces, called functional interfaces. You get an instance of the interface as the parameter, but think of it as a function. A lambda can be used wherever a functional interface is expected.

If robocalling, want the home number; if texting, the mobile.

Can genericize functional interfaces.

A lot are provided in java.util.function.
@FunctionalInterface is not required but a good idea.
Adds Javadoc, compiler checking.

Chain together: source - filter - mapping - forEach (the last 3 are lambdas).

List of Person as a Stream, then filter, then map or transform, then forEach an operation.

New stream() method on List.

New language feature: default methods. In Java 8 interfaces can now have static methods. A default impl can also be provided. A subclass overrides the default impl normally. A class wins over the default method impl in an interface. A functional interface has one abstract method.

Streams use the builder pattern, or pipeline. New Streams API.


Streams:
  • 0 or more values
  • No storage
  • Not ordered
  • Like iterator
  • Allows serial or Parallel processing

Stream pipeline:
  • A source
  • 0 or more intermediate operations
  • A terminal operation at end.

.skip(3,8) to sublist
.limit(5)
  • .sorted() overloaded to take a Comparator
  • .distinct() drops dupes
  • .flatMap() takes in an element and returns a different number of elements



Stream sources:
  • Stream.empty()
  • Stream.of()
  • Arrays.stream(arr, 2, 6)
  • Stream.generate() runs forever, so a cutoff like limit() must be used
  • Stream.iterate()
  • IntStream.range()
  • "String".chars().forEach(ch -> ...) yields ints, so use String.valueOf((char) ch) to output strings
  • BufferedReader.lines(), Files.lines()
  • Pattern.splitAsStream()

Terminal ops:
  • .collect(toList())
  • .toArray(n -> new String[n]) or String[]::new
  • .count()
  • .anyMatch() short-circuits
  • .findFirst() after a filter returns the first element as an Optional possibly containing a result.

Optional:
  • Might contain a result
  • Also OptionalInt, etc.
  • .get()
  • .orElse(value)

Parallelism:
  • Add .parallel()
  • .forEach output becomes jumbled
  • Lambdas must not interfere with the stream source, like ConcurrentModificationException.
  • AtomicLong can be used in parallel ops, but contention makes it slow
  • Better is reduction: sum by adding plus between each element. Mathematically it doesn't have to be done in order.
  • .reduce()
  • .sum() as a convenience

Collector:
  • Deals with immutable objects, e.g. ArrayList.
  • Works intermediately with temp lists, then aggregated
  • .collect(Collectors.toList()) also toString
  • Huge family in the library.
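Added example, not code from the talk: the robocall example carried through from a hand-rolled PersonPredicate to the java.util.function interfaces, then the same selection as a stream pipeline, ending with the reduce() form of the parallel sum. Person, its fields, the helper names and the sample people are constructed.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class RobocallDemo {
    // Constructed Person type with the fields the talk's example grows into.
    static class Person {
        private final String name, gender, homeNumber, mobileNumber;
        private final int age;

        Person(String name, int age, String gender, String homeNumber, String mobileNumber) {
            this.name = name; this.age = age; this.gender = gender;
            this.homeNumber = homeNumber; this.mobileNumber = mobileNumber;
        }
        String getName() { return name; }
        int getAge() { return age; }
        String getGender() { return gender; }
        String getHomeNumber() { return homeNumber; }
        String getMobileNumber() { return mobileNumber; }
    }

    // The talk's hand-rolled single-method interface; Predicate<Person> is the library equivalent.
    @FunctionalInterface
    interface PersonPredicate {
        boolean test(Person p);
    }

    // Behaviour parameterisation: who to select, which number to use, what to do with it.
    static int robocall(List<Person> people, Predicate<Person> selector,
                        Function<Person, String> number, Consumer<String> dial) {
        int called = 0;
        for (Person p : people) {
            if (selector.test(p)) {
                dial.accept(number.apply(p));
                called++;
            }
        }
        return called;
    }

    // The same selection as a pipeline: source -> filter -> map -> collect (the terminal op).
    static List<String> numbersToCall(List<Person> people, Predicate<Person> selector,
                                      Function<Person, String> number) {
        return people.stream().filter(selector).map(number).collect(Collectors.toList());
    }

    // Reduction instead of a shared AtomicLong: Long::sum is associative, so parallel chunks
    // can be combined in any order and no element has to wait on a contended counter.
    static long totalAge(List<Person> people) {
        return people.parallelStream().mapToLong(Person::getAge).reduce(0L, Long::sum);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Person> people = Arrays.asList(
                new Person("Ann", 34, "F", "555-0101", "555-0201"),
                new Person("Bob", 17, "M", "555-0102", "555-0202"),
                new Person("Cat", 21, "F", "555-0103", "555-0203"),
                new Person("Dan", 65, "M", "555-0104", "555-0204"));
        PersonPredicate adult = p -> p.getAge() >= 18;   // typed by the hand-rolled interface...
        Predicate<Person> voter = p -> p.getAge() >= 18;  // ...and the identical text by the library one
        Predicate<Person> female = p -> "F".equals(p.getGender());

        // Robocall adults at home; text adult women on mobile. Method references pick the number.
        int called = robocall(people, voter, Person::getHomeNumber, n -> System.out.println("calling " + n));
        List<String> texts = numbersToCall(people, voter.and(female), Person::getMobileNumber);
        System.out.println(called + " calls; texting " + texts + "; Ann adult: " + adult.test(people.get(0)));

        // Intermediate ops, then a short-circuiting terminal op that returns an Optional.
        Optional<String> youngestAdult = people.stream()
                .filter(voter)
                .sorted(Comparator.comparingInt(Person::getAge))
                .map(Person::getName)
                .findFirst();
        System.out.println(youngestAdult.orElse("nobody"));

        // Infinite source cut off with limit(); chars() yields ints, hence the cast before printing.
        System.out.println(Stream.iterate(1, i -> i * 2).limit(5).collect(Collectors.toList()));
        "abc".chars().forEach(ch -> System.out.print(String.valueOf((char) ch) + " "));
        System.out.println();
        System.out.println("total age " + totalAge(people));
    }
}
```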

What's Next for the WebSocket API?


Pavel Bucek, Oracle

WebSocket 1.0:

WebSocket protocol, 2011, two-way communication, better resource allocation. Uses HTTP, then upgrades to WebSocket, then only WebSocket frames.

The Ajax practice of long polling has one open connection. Requests are much larger than a small message. Wastes resources.

WebSocket frames are very efficient, with a good size-to-data ratio.

Annotated and programmatic ways to deploy and access WebSocket endpoints.

Event driven. @OnOpen, @OnMessage, @OnError. Also a more complicated programmatic API.

Encoders, decoders, CDI, path/query params, header interceptors.


WebSocket 1.1, Aug 2014, in JDK 8

Session.addMessageHandler
Whole and partial sub-interfaces.

Some things that might be introduced in Java EE 8. Not guaranteed to be there, speculation.
CDI issues: @RequestScoped, @SessionScoped, @ApplicationScoped, @ConversationScoped
HttpUpgradeHandler not covered by CDI scope.

Low-level frame support not yet complete. Filters and interceptors too (only change headers).

Not a real good presentation. The guy next to me fell asleep. Talked about possible future of websockets.

The Anatomy of a Secure Web Application Using Java


Themes:
  • Simplicity
  • Common sense
  • Household analogy

5 security layers
  • Java Secure Socket Extension (JSSE)
  • Java EE security
  • Spring Security - locks on the door
  • Web app framework - household permissions, turn on the TV
  • DB functions - what channels can the child watch

Tutorial online, canonical app: fortressdemo and fortressdemo2 on GitHub.

Tomcat server: turn on the HTTPS connector in server.xml, provide a keystore.

Java EE container: add to web.xml; do you have the role or not, y/n.
Policy decision point file.
Use OpenLDAP, Fortress Sentry RBAC controls 0-3.

3 std interfaces
  • 1 admin
  • 2 review
  • 3 system

Encryption: OpenLDAP uses OpenSSL.

Spring Security: mappings between pages and roles.

Web framework
Wicket, e.g. passing page and role

DB access object
Check access in the DAO
Encryption
MySQL, OpenSSL
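Added example, not from the talk or the fortressdemo projects: layers 3 and 5 of the five above in Spring Security 3.2-era Java config, with the page-to-role mapping, a channel rule that refuses non-TLS requests, and a DAO whose methods re-check the role. LayeredSecurityConfig, ChannelDao, the URL patterns and the in-memory users are assumptions (the talk authenticated against OpenLDAP); layer 1, the TLS connector itself, lives in Tomcat's server.xml and is not shown.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Repository;

// Layer 3 (Spring Security, "locks on the door"): URL-to-role mapping, plus a channel rule so
// that no page is served without TLS even if the Tomcat connector is misconfigured later.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // turns on @PreAuthorize for layer 5 below
public class LayeredSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/review/**").hasAnyRole("REVIEWER", "ADMIN")
                .antMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout();
    }

    // The talk authenticated against OpenLDAP with Fortress RBAC; constructed in-memory users are
    // used here so the configuration runs stand-alone. Swap in auth.ldapAuthentication() for LDAP.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice").password("constructed-pw-1").roles("ADMIN")
            .and()
            .withUser("bob").password("constructed-pw-2").roles("REVIEWER");
    }
}

// Layer 5 ("which channels can the child watch"): the DAO re-checks the role, so a page that is
// mis-mapped in layer 3, or a new controller nobody added to the URL rules, still cannot reach
// privileged data. roles("ADMIN") above stores the authority as ROLE_ADMIN, hence the prefix here.
@Repository
class ChannelDao {

    @PreAuthorize("hasAnyRole('ROLE_REVIEWER', 'ROLE_ADMIN')")
    public List<String> listChannels() {
        return Arrays.asList("news", "sports");   // constructed data in place of a MySQL query
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteChannel(long id) {
        // The JDBC/JPA delete would go here; for non-admins the proxy throws
        // AccessDeniedException before this body runs.
    }
}
```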

Demo

Fortress suite for RBAC; was OpenLDAP hosted, now Apache. Includes audit.


PaaS (?)
Pivotal Cloud Foundry
Platform as a service
You manage the VM; scaling is provided.
Upgrade the app to use the cloud if easy. Cloud Foundry's IdM out of scope.
LDAP not in the cloud.
Cloud Foundry VM, Warden container, servlet container, war.
5 areas of CF security to reconfigure.

Different context: you don't set up Tomcat, Cloud Foundry does. So SSL termination is at the cloud. Only one cert needed for all transactions.

MySQL connection the same. No JDBC. Injected at runtime.

Java EE realm config and JSSE trust store: install buildpacks in Cloud Foundry (stack).

Linux containers: Warden container isolation of multiple processes. Shell, environment, PIDs independent of other apps. Chroot on steroids. Multiple VMs per Warden.

Cloud Foundry can be installed on a laptop.

A very fast presentation with a lot of diagrams = hard to take notes on. But the idea was very interesting, security at every layer and a freely available presentation (from Oracle somewhere) and github projects. Not sure if Cloud Foundry is free or not but even the non-cloud application security part was good enough. I wonder if the github project will have a link to the presentation.

Monday, September 29, 2014

Let's Talk JAX-RS.next!


Marek Potociar
JAX-RS specification lead
Oracle, Cloud Application Foundation
Also does Jersey

What to expect in JAX-RS in Java EE 8.

JAX-RS:
  • Improvement over servlets for web services.
  • Started 2008.
  • JAX-RS 2.0 released in Java EE 7

Next in Java EE 8:
  • Performance
  • Better integration in container
  • Hypermedia improvements

Server-sent events - standard HTTP connection, server push stream, async.
Ajax long polling - not a standard but a technique. Manual reconnect.
Server-sent events - standard API and format. HTML5 compliant. Seamless reconnect.
WebSocket - new HTTP protocol. Decouples request and response.

Server-sent events:
  • Streaming async events
  • Same infrastructure
  • Fits Ajax and HTML5

Async HTTP request/response cycle: client connects, invokes the resource, async response. On invoke, can respond, passing response stream info.

In Jersey: new SseBroadcaster; construct and return an EventOutput with the info.
New OutboundEvent (uses a builder API)
broadcaster.broadcast(event)

Client: EventSource JavaScript API; override onEvent, which receives the event with data. Also have a pull model.


Non-blocking I/O:
  • Servlet 3.1 leveraged.
  • Register a callback in which you respond to data.
  • Must be backward compatible.

Reactive programming model:
  • Customer logs in and gets destination suggestions, weather, etc. Orchestrated.
  • Can be resource intensive. To solve: get customer details, then asynchronously and concurrently get destinations, weather, etc.
  • Hard to read and maintain, callback hell.
  • Best is a reactive client composing dataflows. E.g. RxJava, Java 8, Guava.

Declarative security:
  • JAX-RS has no security. Planned for Java EE 8. OAuth 2 used a lot now.
  • Looking for decoupled, declarative, annotation based: @DenyAll at controller level and @RolesAllowed on methods.
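Added example, not code from the talk: what the annotation-based model described above looks like today in Jersey 2 with the standard javax.annotation.security annotations, which Jersey enforces through its RolesAllowedDynamicFeature (the portable JAX-RS.next version was still speculation at the time). OrderResource, BearerTokenFilter, OrdersApplication, the paths, roles and tokens are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

// The class-level annotation is the default for every method and each method may override it.
// Jersey's RolesAllowedDynamicFeature honours @DenyAll only on methods, not on classes, so the
// "deny by default" pattern from the talk is written here as a class-level @RolesAllowed.
@Path("/orders")
@RolesAllowed("customer")
public class OrderResource {

    @GET @Path("/status") @PermitAll          // anonymous callers allowed, for this method only
    public String status() { return "up"; }

    @GET @Path("/mine")                       // inherits @RolesAllowed("customer")
    public String mine() { return "your orders"; }

    @GET @Path("/all") @RolesAllowed("admin") // method annotation overrides the class default
    public String all() { return "every order"; }

    @GET @Path("/legacy-export") @DenyAll     // 403 for everyone, whatever the class says
    public String legacyExport() { return "never reached"; }
}

// Supplies the SecurityContext that RolesAllowedDynamicFeature consults. The token table is
// constructed for the example; a real deployment would validate an OAuth 2 access token here.
@Provider
@Priority(Priorities.AUTHENTICATION)
class BearerTokenFilter implements ContainerRequestFilter {
    private static final Map<String, String> ROLE_BY_TOKEN = new HashMap<>();
    static {
        ROLE_BY_TOKEN.put("constructed-customer-token", "customer");
        ROLE_BY_TOKEN.put("constructed-admin-token", "admin");
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString("Authorization");
        final String role = header != null && header.startsWith("Bearer ")
                ? ROLE_BY_TOKEN.get(header.substring("Bearer ".length())) : null;
        if (role == null) {
            return;   // stay anonymous: @PermitAll methods still work, everything else gets 403
        }
        final SecurityContext original = ctx.getSecurityContext();
        final boolean secure = original != null && original.isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> "user-with-" + role; }
            @Override public boolean isUserInRole(String r) { return r.equals(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

// Application wiring: without registering the feature the annotations are silently ignored.
class OrdersApplication extends ResourceConfig {
    OrdersApplication() {
        register(OrderResource.class);
        register(BearerTokenFilter.class);
        register(RolesAllowedDynamicFeature.class);
    }
}
```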

MVC integration:
  • Controversial. Different flavors of MVC.
  • Separate spec.
  • Write MVC in the view response. Spring MVC popular, action oriented with templates.
  • New framework will build on JAX-RS, probably Facelets. @Template(name=page.jsp) on the resource method.

JSON-B binding
  • Object mapping.
  • Still a JSR


Contexts and Dependency Injection (CDI) alignment:
  • Java EE context and injection alignment.
  • Will take time; JAX-RS is older than CDI.
  • Runs outside a Java EE container.
  • Want to run on small devices.
  • CDI making changes, e.g. modular, portable.

Securing Java: Track Opening Presentation


Milton Smith,
Senior Principal Security Program,
Java Platform Group

Security remediation, features, highlights.

Threat landscape, defensive measures, security features.

Remediation:
  • Critical patch update (CPU)
  • Security alert: hotfix, can't wait.

Security features highlights:
  • New Java 7 features:
    • Disable Java.
    • Best-before date to update.
    • Security slider, secure vs risk. Exploits, so remove the low and custom security levels.
    • Signing for sandboxed apps with privileges separate.
    • Standardize CRL revocation.
    • Repurposing jars, so lock jars to specific servers.
    • Java malware, so whitelisting for enterprise and partners using the deployment rule set.
    • Warning when the JRE is out of date, with disabling.
    • Improved uninstaller.
    • Malware, so code-signing by default for applets. Consumer-based support for legacy applets.

  • New Java 8 features:
    • All of 7
    • TLS 1.2 as the default transport encryption.
    • Enhanced revocation services with caching.
    • Static analysis tool for dependencies (3rd party analysis).
    • Type annotations, @ReadOnly, etc. String tainting tool.
    • TLS extension for cloud use, 1 IP to multiple servers.

"Iron Clad Java" book from oracle.

Common security myths or misnomers:
  • Being slow to upgrade or patch is best for production. Exploiters have the patched vulnerabilities.
  • Hackers need your code. Not true; it probably would be confusing.
  • Attackers are gifted. They're like engineers: some gifted, some not.
  • Never had a security incident = secure. Need to know the threat landscape. Fix the ones that matter.
  • Security and compliance are the same.
  • Security is impossible. Do your best.

Oracle working with MS to update Java.

Upcoming CPU: October, 2014.

Hybrid Analysis Mapping: Making Security and Java Developer Tools Play Nice Together


Dan Cornell,
Denim Group

Toolkits for testers and devs based on open source: OWASP (Open Web Application Security Project) ZAP, ThreadFix and Eclipse.

Security spans multiple disciplines:
  • Information security - can't fix the problem, wrong skillset
  • Audit and compliance - healthcare, financials
  • Risk management - same
  • Software developers - write code, have to take on the tasks.

New disciplines:
  • Physical security - old
  • Information security - relevant
  • App security - new discipline but immature metrics. New tools, code scanning, etc.

Scale of problem:
  • Legacy code
  • Quantity of apps
  • Not a lot of qualified devs
  • Must automate.

What to do:
  • Gather data - compare money spent on infrastructure vs dev
  • Communicate with stakeholders
  • Automate
  • Repeat

App vulnerability management:
  • Automated static and dynamic tests as well as manual.
  • Vulnerabilities can persist.
  • No easy way for teams to work together.

ThreadFix:
  • Site has metrics on vulnerability remediation, e.g. where time is spent: making sure not to break code, confirmation, environment setup are high.
  • Open source. Loads and normalizes data and lets teams interact. FindBugs, Jira, many more.
  • Web-based.
  • Shows apps with the most vulnerabilities, hotspots.
  • Divides vulnerabilities by teams and apps.
  • Loads a scan, does a diff for change tracking, and produces stats. Can mark false positives. Identifies vulnerabilities caught by multiple scans.
  • Slice data by technology, e.g. show only vulnerabilities found by 2 scanners, or only cross-site scripting vulnerabilities.
  • Single view for the security analyst.
  • Load via REST, CLI and a Jenkins plugin. Can be automated.
  • Creates a consolidated view, allows you to prioritize, and translates into dev tools. Manage security tasks in Jira.

Unique vulnerability:
  • Common Weakness Enumeration (CWE) + relative URL - directory misconfiguration
  • CWE + relative URL + injection point - SQL injection
  • Injection points - GET/PUT params, cookies
  • CWEs - OWASP Top 10 good.

Top-down obvious apps + custom + mobile + cloud = Attack Surface Model

Some apps matter more. Allocate resources. Compliance is a high consumer.

App test:
  • Dynamic (running) and static (code) analysis.
  • E.g. dataflow analysis
  • Automated scanning, static analysis, manual app and static testing.
  • E.g. authenticated vs unauthenticated tests
  • Breadth first; automation key; base testing of all. Has limitations.
  • Results are diffed, normalized and false positives identified.

Hybrid Analysis Mapping of static to dynamic scanning results.
  • Take friction out of the process. See a dynamic vulnerability, match the changed code. E.g. HP Fortify to IBM AppScan.
  • Dynamic - spider to enumerate the attack surface. Fuzz to identify vulnerabilities based on e.g. request/response.
  • Static - tainted input, source of SQL injections.
  • Standardize vulnerability types. Match dynamic and static. Improve static parameter parsing.
  • Info used: git URL. Framework type, e.g. JSP and/or Spring. Extra if available.

Endpoint DB available of framework element to vulnerability to code, e.g. JSP getParameter calls or Spring stuff. Smarter scanning and merging.

Attack Surface Model can know things the dynamic scanner does not. Plugin for OWASP ZAP to connect to the server, give a base URL, then import results into the Eclipse-based app. Fuzzing can find other potential vulnerabilities.

Prioritize:
  • Filters can show by type, fix time, etc.
  • Ship data to a defect tracker, e.g. Jira (attached to the application).
  • Can create multiple defects.
  • ThreadFix will poll status.
  • Pushed to dev teams.
  • Map to line of code, load the code, open the ThreadFix view to see vulnerability per line.
  • Benchmark against other organizations. See stats and make decisions on technologies.

Threadfix.org.

My thoughts:
  • A very good presentation with no marketing hype. 
  • Well-evolved software process.
  • Might be of more use if we used Findbugs more consistently but creating Jira tasks from Findbugs reports sounds doable.