This document discusses strategies for migrating legacy PHP code to a more modern test-driven development approach. It begins with an introduction to legacy code and the agenda. It then discusses typical problems with legacy PHP projects, such as spaghetti code and lack of testing. The document provides strategies for introducing test-driven development practices like writing tests first, refactoring, and using fixtures. It emphasizes incremental changes over a full rewrite to safely evolve the code over time.
Theory and practice – migrating your legacy code into our modern test driven development world.
1. Theory and practice – migrating your legacy code into our modern test driven development world.
Hartmann, Jankowfsky, Rinne
2. Legacy Code?
Wikipedia says "Legacy code is source code that relates to a no-longer supported or manufactured operating system or other computer technology. The term can also mean code inserted into modern software for the purpose of maintaining an older or previously supported feature"
Jankowfsky, Rinne – Mayflower/swoodoo
3. Agenda
- Where are we now, and why?
- Ammunition!
- Refactor!
Bad News? -> Workshop
4. Who we are
Lars Jankowfsky:
- CTO and (Co)Founder swoodoo.com
- (Co)Founder of OXID eSales. Refactored OXID eShop during 1.5 years with 10 developers.
Thorsten Rinne:
- Senior Developer & Team Lead at Mayflower GmbH
- Founder and main developer of phpMyFAQ
Johann Peter Hartmann:
- CTO and Founder of Mayflower GmbH
- CEO and Founder of SektionEins GmbH
5. Who are you?
- What's your profession?
- Software company or agency?
- What's your team size?
- Using MVC?
- Who does other languages, too?
- Using agile methods?
- Using continuous integration?
- Using unit tests?
6. What about your projects?
- What's your average project lifetime?
- Is there PHP code more than 5 years old?
- How many lines of code?
- How many change requests per year?
- Has there been a specification?
- Were all features in the first released version implemented like they're specified in the specification?
7. Typical problems?
- Typical legacy applications
- Started some years ago with PHP 4
- written in Spaghetti code
- half procedural, half object-oriented
- „PHP 4“ OOP
- using old, unmaintained libraries like PEAR::DB
8. PHP, made in 2000
- no coding standards
- no PHPDoc
- no Design Patterns
- little separation of concerns
- has been changed a lot
- no refactoring, because „it worked“
- updated to run with php 4 in 2003
- updated to run with php 5 in 2006
9. Big ball of mud
http://en.wikipedia.org/wiki/Big_ball_of_mud
A Big Ball of Mud is a haphazardly structured, sprawling, sloppy, duct-tape-and-baling-wire, spaghetti-code jungle. These systems show unmistakable signs of unregulated growth, and repeated, expedient repair....
10. Enough Ammunition?
- change requests get more and more expensive
- bug rate is increasing
- clearly a dead-end street!
- team motivation decreases
- hard to bring in new members into the team
- deprecated functions cause problems in future PHP releases
11. Enough Ammunition?
Ever heard things like this?
„Only X can fix that.“
„It will take ages to fix it.“
„Changing this button will take two weeks.“
„I don't want to work for this project.“
„I don't want to touch this code.“
„I don't know how this bug could reappear.“
12. Enough Ammunition?
60-80 % of all development effort is maintenance
http://elearning.tvm.tcs.co.in/SMaintenance/SMaintenance/6.htm
http://www.bitpipe.com/detail/RES/1138902960_291.html
13. What you should never do!
Please don't try a complete rewrite!
- Too expensive
- Takes too long
- the old codebase is used, tested & bugfixed
- Developers love to rewrite: new code is more fun, and code is easier to write than to read
14. Remember?
Netscape 6? Rewrite....
dBase for Windows? Rewrite....
Quattro Pro? Rewrite....
Access refactored...
Excel
15. Joel in 2000
„When you throw away code and start from scratch, you are
throwing away all that knowledge. All those collected bug
fixes. Years of programming work.“
http://www.joelonsoftware.com/articles/fog0000000069.html
16. Test Driven Adoption
1. Unit tests for existing code with PHPUnit
2. Experience of confidence in own code
3. Insight: Tests are easier if written before the software
4. Insight: Tests help documenting the code
5. Insight: Tests define the real API
17. PHP and Unit Testing
- Layout & UI code is hard to unit-test; acceptance-test it instead
- test maintenance costs:
- unit tests work fine with stable APIs
- the high change rate in PHP results in API changes
- tests need to be changed, too
- slows down development, increases initial development costs
- ... but your software survives more than 4 years
18. Refactoring?
- Modifying code without changing its behaviour
- „cleaning up“
“Refactoring is the process of changing a software system
in such a way that it does not alter the external behavior of
the code yet improves its internal structure.” (Martin Fowler)
19. Team?
- experience in Test-driven Development?
- „know how vs. understanding“
- In PHP? It's different to the Java World!
- Developers are conservative. They do not like any changes. How many still use vi or emacs?
- Courage? You need to make sure that everybody understands TDD before you start.
20. Let's start.
- Identify the nastiest, ugliest and probably most important piece of code and start with this one.
- if you take the easy files you won't solve the critical issues and move the risk to the end.
22. Modifying without... ?????
- if you refactor you need tests to prove that you did not break any functionality
- Have tests first. Then change code.
- legacy code? There are no tests!!
23. And now ?
- Write tests first.
- You will need to refactor your application while writing tests.
- Write Selenium tests for your application? No :(
24. While refactoring ...
- adjust coding style
- add missing documentation
- remove redundant code / copy & paste-code
- remove unused(!) code
- maintain a list of future todos with priorities
25. Spaghetti Code?
- Very old code, maybe developed in the last PHP 3 century
- a lot of redundant copy-paste code
- missing separation of concerns
- No or just minor separation of code and layout
- No use of libraries like PEAR, Zend Framework or eZ components
- No or outdated documentation
- No tests at all
26. Spaghetti Code?
function getThema($id, $lang)
{
    global $db, $PMF_LANG;
    // $lang is interpolated into the SQL string without any escaping
    $result = $db->query(sprintf("SELECT thema FROM %sfaqdata WHERE id = %d AND lang = '%s'", SQLPREFIX, $id, $lang));
    if ($db->num_rows($result) > 0) {
        while ($row = $db->fetch_object($result)) {
            $output = htmlentities($row->thema);
        }
    } else {
        $output = $PMF_LANG["no_cats"];
    }
    return $output;
}
phpMyFAQ 1.3.x 2002/2003
27. Spaghetti Code - strategy
- Identify recurring code parts and implement classes
- Use of standard libraries like Zend Framework or eZ components
- Add inline documentation
- Fix your coding styles!
- Add unit tests for the new, refactored backend
- Add Selenium tests for the frontend
28. „Half procedural, half object-orientated“
- Code with different quality
- Just a little documentation
- Maybe some tests ... maybe ...
- „the typical current PHP 4 project“
- Found everywhere! Really everywhere!
29. „Half procedural, half object-orientated“ - strategy
- Add inline documentation for all classes and methods
- Improve reuse of duplicated code
- Add unit tests and Selenium tests
- Improve every code part with PHP 5 functions, for example using file_put_contents() instead of fopen(), fwrite(), and fclose().
30. PHP 4 OOP
- Application was developed using „object-orientated“ PHP 4
- Use of
- PHP 4 references
- Re-declaration of $this
31. PHP 4 OOP - strategy
- Maybe you're lucky and there are no problems. Maybe.
- If you see problems, they are fatal errors like
- Objects are referenced by value
- $foo =& new Foo();
- Solution:
- Implement unit tests
- Use standard APIs
- Fix the PHP 5 problems
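As an added example that is not part of the slides, this plain PHP script shows the migration problem behind „objects are referenced by value“: a PHP 4 style backup copy taken by plain assignment shares state after the move to PHP 5, and clone restores the old behaviour. The Order class and the rollback helpers are constructed for the illustration; the `=& new` idiom is only described in a comment because it no longer parses on PHP 7 and later.

```php
<?php
// Added example, not from the slides: why "objects are referenced by value"
// turns into a PHP 5 problem. Under PHP 4, $copy = $obj duplicated the object
// (hence the $obj =& new Foo() idiom to avoid copies); since PHP 5 the
// assignment copies only the handle, so both variables share one object.
class Order
{
    private $items = array();

    public function addItem($sku)
    {
        $this->items[] = $sku;
    }

    public function count()
    {
        return count($this->items);
    }
}

// PHP 4 style "rollback": keep a copy, mutate, hand back the copy on failure.
// Since PHP 5 the copy is the same object, so the "restored" order already
// contains $sku: the failed add has leaked into the state.
function addItemWithLegacyRollback(Order $order, $sku, $fail)
{
    $backup = $order;
    $order->addItem($sku);
    return $fail ? $backup : $order;
}

// Migrated version: an explicit clone gives back the independent copy
// the PHP 4 code relied on.
function addItemWithCloneRollback(Order $order, $sku, $fail)
{
    $backup = clone $order;
    $order->addItem($sku);
    return $fail ? $backup : $order;
}

// Constructed input: one item, then an add that "fails" and must be rolled back.
foreach (array('addItemWithLegacyRollback', 'addItemWithCloneRollback') as $fn) {
    $order = new Order();
    $order->addItem('SKU-1');
    $result = $fn($order, 'SKU-2', true);
    printf("%-26s items after rollback: %d (%s)\n", $fn, $result->count(),
        $result->count() === 1 ? 'state restored' : 'failed add leaked into the order');
}
```

A unit test asserting that the rolled-back order still has one item is exactly the kind of test that fails the moment such code runs on PHP 5, which is why the slide recommends writing them before fixing.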
32. Global Problems
- OOP, Public, Private ?
- Globals ?
- Super Globals...
- Session
- Cookies
33. Proxy for testing protected methods
public function getProxy($superClassName)
{
    $proxyClassName = "{$superClassName}Proxy";
    if (!class_exists($proxyClassName)) {
        // Generate the subclass once: a call to protected_foo() on the proxy is
        // forwarded to the protected method _foo() of the class under test.
        // The inner variables are escaped so that the generated code, not this
        // method, refers to them.
        $class = <<<CLASS
class $proxyClassName extends $superClassName
{
    public function __call(\$function, \$args)
    {
        \$function = str_replace('protected_', '_', \$function);
        return call_user_func_array(array(\$this, \$function), \$args);
    }
}
CLASS;
        eval($class);
    }
    return new $proxyClassName();
}
34. Global ?
// PHP 4 style: the collaborator is created inside the method and the input is
// read straight from $_GET, so the method cannot run without a real request
class someOtherClass {
    var $setting;
    function calculateSomething($a, $b) {
        return $a + $b;
    }
}

class myOldNastyClass {
    function needToTestThisFunction() {
        $class = new someOtherClass();
        $z = $_GET['input'];
        // ....
        return $class->calculateSomething($class->setting, $z);
    }
}
35.
// Refactored: visibility is declared, the collaborator and the request input
// are passed in, so a test can hand over a stub instead of touching $_GET
class someOtherClass {
    private $setting;
    public function calculateSomething($a, $b) {
        return $a + $b;
    }
    public function setSetting($set) {
        $this->setting = $set;
    }
    public function getSetting() {
        return $this->setting;
    }
}

class myInput {
    public function getParameter($name) {
        return $_GET[$name];
    }
}

class myOldNastyClass {
    private $input; // set e.g. in constructor
    public function needToTestThisFunction(someOtherClass $class) {
        $z = $this->input->getParameter('input');
        // ....
        return $class->calculateSomething($class->getSetting(), $z);
    }
}
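The test that the refactoring on slide 35 makes possible, as an added example that is not part of the slides: a hand-written stub (slide 46's "can be done with PHPUnit, but doesn't need to") replaces myInput, so the method runs without $_GET. It assumes the refactored classes live in a file myOldNastyClass.php and that myOldNastyClass takes its myInput dependency through the constructor, as the slide's comment suggests; PHPUnit 3.x class names are used as on the slides.

```php
<?php
// Added example, not from the slides. Assumes the refactored classes of slide 35
// live in myOldNastyClass.php and that myOldNastyClass receives its myInput
// dependency through the constructor (the slide only says "set e.g. in constructor").
require_once 'myOldNastyClass.php';

// Hand-written stub: answers getParameter() from a fixed array, so the test
// never reads $_GET and needs no web server or real request.
class myInputStub extends myInput
{
    private $values;

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    public function getParameter($name)
    {
        return isset($this->values[$name]) ? $this->values[$name] : null;
    }
}

class myOldNastyClassTest extends PHPUnit_Framework_TestCase
{
    private function subjectWith(array $request)
    {
        return new myOldNastyClass(new myInputStub($request));
    }

    public function testAddsRequestInputToSetting()
    {
        $collaborator = new someOtherClass();
        $collaborator->setSetting(10);
        // request values arrive as strings, as they would from $_GET
        $sut = $this->subjectWith(array('input' => '5'));
        $this->assertSame(15, $sut->needToTestThisFunction($collaborator));
    }

    public function testMissingInputIsTreatedAsZero()
    {
        // Characterization test: pins down what the legacy method does today with
        // an absent parameter, so later refactoring cannot change it unnoticed.
        $collaborator = new someOtherClass();
        $collaborator->setSetting(10);
        $sut = $this->subjectWith(array());
        $this->assertSame(10, $sut->needToTestThisFunction($collaborator));
    }
}
```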
37. Dependencies...
class displayUserDetails
{
    /**
     * Processes input and sends user first name, last name to display
     */
    function show() {
        // hidden dependencies: two globals plus the raw request
        global $dbLink;
        global $templateEngine;
        $itemId = (int) $_REQUEST['user_id'];
        $firstName = $dbLink->getOne("select first_name from users where id = $itemId");
        $lastName = $dbLink->getOne("select last_name from users where id = $itemId");
        $templateEngine->addTemplateVar('firstName', $firstName);
        $templateEngine->addTemplateVar('lastName', $lastName);
        $templateEngine->display();
    }
}
38.
/**
 * A view class responsible for displaying user details.
 */
class userView
{
    private $_inputProcessor; // all three collaborators are injected, e.g. via the constructor
    private $templateEngine;
    private $model;

    /**
     * Loads user object and sends first name, last name to display
     */
    public function show()
    {
        $userId = $this->_inputProcessor->getParameter("user_id");
        $this->templateEngine->addTemplateVar('user', $this->model->loadUser($userId));
        $this->templateEngine->display();
    }
}

/**
 * And the corresponding model
 */
class userModel
{
    public function loadUser($userId)
    {
        $user = new User($userId);
        return array('firstName' => $user->getFirstName(),
                     'lastName'  => $user->getLastName());
    }
}
39. Fixtures
- Make sure that tests do not alter fixture.
- Fixture is FIXture
- if you feel that creating fixtures is too much work - refactor more!
- Never let tests leave altered data!
40. Fixtures the ruby way...
- Ruby uses „YAML Ain’t Markup Language“
- http://www.yaml.org/
- PHP YAML support done via Syck
- Syck = YAML + fast.
- http://whytheluckystiff.net/syck/
- http://www.frontalaufprall.com/2008/05/05/
41. yaml - loading
public static function create($fileName)
{
    $fileName = 'Fixtures' . DIRECTORY_SEPARATOR . $fileName;
    // The YAML file is run through the PHP interpreter first, so fixtures may
    // contain PHP snippets; the captured output is what gets parsed
    ob_start();
    include $fileName;
    $fileContents = ob_get_clean();
    $yamlData = syck_load($fileContents);
    return $yamlData;
}
42. yaml - storing
public static function load($fixtures, $tableName)
{
    if (is_array($fixtures) && count($fixtures)) {
        foreach ($fixtures as $fixture) {
            // a nested list of rows: recurse, and do not insert the wrapper itself
            if (is_array($fixture) && is_array(current($fixture))) {
                Fixtures::load($fixture, $tableName);
                continue;
            }
            $fields = array_keys($fixture);
            $statement = "INSERT INTO $tableName (" . implode(', ', $fields) . ") VALUES (:" . implode(", :", $fields) . ")";
            $stmt = self::$_db->prepare($statement);
            foreach ($fixture as $key => $value) {
                $stmt->bindValue(':' . $key, $value);
            }
            $stmt->execute();
            self::$_usedTables[$tableName] = $tableName;
        }
    }
}
43. yaml - cleanup
// empty the tables in reverse load order, so dependent rows go first
if (!empty(self::$_usedTables)) {
    foreach (array_reverse(self::$_usedTables) as $tableName) {
        self::$_db->execute("TRUNCATE TABLE $tableName");
    }
}
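Slides 41 to 43 show loading, storing and cleanup as separate pieces; as an added example that is not part of the slides, this PHPUnit 3.x test case puts them together in setUp() and tearDown(). It assumes PDO with the SQLite driver, and a constructed PHP array stands in for the YAML file that syck_load() would parse.

```php
<?php
// Added example, not from the slides: the fixture lifecycle of slides 39-43 as a
// PHPUnit 3.x test case. An in-memory SQLite database replaces the project
// database and a constructed PHP array stands in for the parsed YAML file.
class FixtureLifecycleTest extends PHPUnit_Framework_TestCase
{
    private $db;
    private $usedTables = array();

    protected function setUp()
    {
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
        // what syck_load() would return for a two-row users fixture
        $this->loadFixture(array(
            array('id' => 1, 'login' => 'alice'),
            array('id' => 2, 'login' => 'bob'),
        ), 'users');
    }

    // One prepared INSERT per row, as in Fixtures::load; table and column names
    // come from the fixture file, which is test code, not user input.
    private function loadFixture(array $rows, $tableName)
    {
        foreach ($rows as $row) {
            $fields = array_keys($row);
            $sql = sprintf('INSERT INTO %s (%s) VALUES (:%s)',
                $tableName, implode(', ', $fields), implode(', :', $fields));
            $stmt = $this->db->prepare($sql);
            foreach ($row as $key => $value) {
                $stmt->bindValue(':' . $key, $value);
            }
            $stmt->execute();
        }
        $this->usedTables[$tableName] = $tableName;
    }

    // "Never let tests leave altered data": empty every touched table after
    // each test, in reverse load order (SQLite has no TRUNCATE, so DELETE).
    protected function tearDown()
    {
        foreach (array_reverse($this->usedTables) as $tableName) {
            $this->db->exec('DELETE FROM ' . $tableName);
        }
    }

    public function testRowAddedByATestIsGoneAfterTearDown()
    {
        $this->db->exec("INSERT INTO users (id, login) VALUES (3, 'carol')");
        $this->tearDown();
        $this->assertEquals(0, $this->db->query('SELECT COUNT(*) FROM users')->fetchColumn());
    }
}
```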
44. Fixtures the other side...
- manual fixtures are too much work?
- use a test database
- think about automatic creation of yaml files
45. Mocking Stubs?
„...may simulate the behavior of existing code (such as a
procedure on a remote machine) or be a temporary
substitute for yet-to-be-developed code...“
Why do we need this ?
Stub: a simple class that pretends to be the original
Mock: the same, but with introspection and configurable from outside
46. Stubs
- Unit testing is about testing a unit of work, not
a complete workflow
- isolates your code from external dependencies
- can be done with PHPUnit, but doesn't need to
47. Stubs
/**
 * A simple stub providing a simple result directly instead of using the database
 */
class UserModelStub extends UserModel {
    public function getUserCount() {
        return 10;
    }
}

/**
 * The PHPUnit way: the same stub, generated by PHPUnit instead of hand-written
 */
class UserModelStubTest extends PHPUnit_Framework_TestCase {
    public function testGetUserCount() {
        $stub = $this->getMock('UserModel');
        $stub->expects($this->any())->method('getUserCount')->will($this->returnValue(10));
    }
}
48. Mock Objects
- Helpful tool to fake complex objects
- Useful to mock service APIs, external software, ...
/**
 * The PHPUnit way
 */
class UserModelTest extends PHPUnit_Framework_TestCase {
    public function testGetUserCountIsCalled() {
        // the test fails unless getUserCount() is called exactly once with ADMIN
        $usermock = $this->getMock('UserModel');
        $usermock->expects($this->once())->method('getUserCount')->with($this->equalTo(ADMIN));
        $admin = new AdminModel($usermock);
        $admin->getNumber();
    }
}
49. About Mocking
- a better separation of concerns helps
- writing fewer mock objects
- writing easier mock objects
- if there are a lot of mock objects, rethink your architecture -> refactor more!
50. Golden rules
- know your budget: what are your maintenance costs? What are the things you can't do now?
- there is no silver bullet. Introducing TDD takes A LOT of time
- TDD wins in the long run, not in the short
- Confident developers are efficient developers
- There is no way around proper coding style and documentation
- You have to rewrite code, some even twice.
51. Tools?
- CruiseControl for continuous integration
- PHPUnit
- SeleniumRC and SeleniumIDE
- PHP Code Sniffer
- PHP CodeBrowser