Archive for March, 2008

JavaScript, RIA, Security

Upcoming Talks

I’m busy preparing for three talks that I’ll be giving in April.

The first will be at MinneWebCon, a web conference at the University of Minnesota. This is their first time putting on this conference, and even were I not speaking at it I would probably attend. The sessions on user experience, social networking, and online video look interesting, and I read today that there will be unconference sessions, too. My talk will be an introduction to JavaScript. The MinneWebCon organizers don’t expect the audience to be hardcore developers — a glance at the sessions makes that clear — so I’m keeping it basic but still trying to make it useful and get across important ideas. I always try to stress a few concepts whenever I talk about JavaScript:

  • The importance of unobtrusive JavaScript: playing nicely with web standards, keeping behavior out of the markup, and writing JavaScript that attaches itself to a page to layer on behavior, so that the page still works when the script does not run.
  • JavaScript is not a toy language. It’s frequently dismissed as a cute little trinket, but its importance in web apps nowadays argues that although it has its warts, it has a certain quiet strength. I deal with a lot of Java developers who eschew JavaScript as “nothing like Java” but who then make the mistake of writing JavaScript code as if it were Java Lite. JavaScript is not a less powerful Java: it is best used on its own terms.
  • Security. JavaScript is so ubiquitous, and it is so easy to make security mistakes with it, that I would be remiss not to discuss security. Especially since I’ll be bringing in a little Ajax.

We’ll be looking at JavaScript from the perspective of introducing basic enhancements to page behavior, illustrating those three concepts along the way. In an hour I can’t get too deeply into JavaScript syntax, especially for non-programmers, but I will be showing how to leverage libraries, especially jQuery.

The next two sessions will be at the annual IT conference for Minnesota State Colleges and Universities. (There’s not a good link right now, sigh.) This is a gathering of IT staff from our colleges across the state for staff development, networking, and so on.

The first session is on software security principles. In the years that I’ve been working with developers on software security — coaching, training, giving talks at conferences like this — I’ve focused a lot on common flaws and vulnerabilities: how to test for them, how to prevent them through early design analysis and development techniques. It’s become clear, though, that there’s something fundamental missing. Understanding of vulnerabilities and their exploits is incomplete unless a developer also understands basic principles of software security. Until a developer — or architect, or project manager — has a foundation in the core principles that guide secure software development, they are likely to make the same sorts of mistakes that lead to security problems, even if specific vulnerabilities are planned for.

Basically, I don’t want to keep finding myself in arguments about whether or not it’s worth doing input validation. So I’ll cover principles like “input is evil,” least privilege, defense in depth, secure failure, that sort of thing. Since an hour of theoretical mumbo-jumbo isn’t likely to do anything except put people to sleep, I’ll be sure to explore how these principles play out in the software development process, and how common vulnerabilities such as the OWASP Top Ten can be addressed by keeping the principles in mind.

Yeah, I get a little ambitious.

My second session at the MnSCU IT conference is called “Beyond Ajax.” When I first conceived of the talk, it was more along the lines of “Why Your Software Sucks.” (I had an angry few months, what can I say?) It then morphed into an exploration of rich internet application technologies starting to rise to the fore: Flex, AIR, Silverlight, even JavaFX. Then, thinking about the two sessions that I’ve outlined above, I realized that I didn’t have enough time to learn Flex and Silverlight well enough to do a kick-ass presentation. Besides, for an audience that for the most part is maybe just now getting into Ajax development, I need to develop more background on what’s driving the adoption of non-Ajax RIAs.

So instead, the talk will be about why creating a well-designed Ajax app has proven difficult or unsatisfying:

  • We’re still stuck with the limitations of browser user interfaces.
  • Writing cross-browser code is still hard.
  • Creating compelling cross-browser UIs is even harder.
  • Many developers don’t understand JavaScript like they should.
  • Security has grown more complex.
  • Ajax accessibility is still largely unknown and misunderstood.
  • Although the client-side part of an app can now do more (and be more complex!), without a lot of work application workflows have not changed much and are still hampered by HTTP.
  • Architecture of data flow between client and server is a significant challenge, often falling victim to the fallacies of distributed computing and resulting in a degraded user experience.
  • There is a strong inclination to use Ajax to create non-browserlike experiences, often to the detriment of the user.

I don’t know yet whether I’ll bring mobile devices into the picture.

Into this setting come Flex, AIR, Silverlight, and so on. I can’t get too deeply into them, much as I’d like to. Still, the focus of the talk is on rich internet apps — mostly why, not so much how. Look for that next year. :)

I also hope to spend a few minutes (lightning talk style?) discussing parallel industry trends that will have an impact on RIA development in the near future: cloud computing, approaches to concurrency, non-relational data stores, and a panoply of new languages and platforms to address these concerns. This is all stuff that’s been rolling around in my head for the last year or two, and I’m tempted by a bit of self-indulgent examination of how it’s all connected.

Like I said: I get a little ambitious. That last bit is likely to get cut as not contributing to the core message.

So if you don’t hear from me for the next month or so, know that I am busy. But I am having fun.

Blogroll

Last In, First Out: Mike Janke’s blogging

Mike Janke has a blog. About damn time.

When I fled the dark days of human resources (don’t ask) and joined IT, one of the best things about my new job was that I got to work for Mike. (No, I no longer do.) I can’t tell you how many times I’ve heard someone ask, “what the hell is he doing working for the State?” He not only knows his shit, he thinks deeply about it.

He has written some of my favorite email ever.

Yesterday was a rather disappointing day.

It appears as though a large number of highly paid, competent ITS professionals succumbed to the ID10t factor, and clicked on an instant messenger worm. The IT staff who got the message with the worm were asked by their desktop if they wished to run the virus. Most of them said yes & ran the executable code.

It gets better than that, but I really shouldn’t share the good bits.

He’s also responsible for something that still makes me laugh whenever I think of it.

During a bit of a crisis last fall, a few of our network and server admins were gathered around the phone on a support call with Microsoft.

“Sorry if we don’t do this right,” I heard one of them say. “We’ve been a Novell shop for 20 years and have never had to call tech support. We don’t know how.”

His inaugural post, Tethered, is one reason I’ve been hoping he would start a blog. Without calling out the Sun slogan by name, he explores how the network is the computer and where the iPhone and the Zonbu fit in. Zonbu, you ask? So did I. It’s pretty damn cool. If you go read the post, I promise I’ll get off my ass and finally write a response.

Later posts will appeal to the systems management dorks among you. (<cough>Coté</cough>).

I mentioned to Kiara that Mike’s blogging. She’s met him maybe once or twice. Her response? “About damn time.” Yeah.