Title:
Architecture and Practice for DAL (5) Data Sharding
Architecture and Practice for Data Access Layer (5) Data Sharding
联动优势 Data Access Layer (DAL) Architecture and Practice, Part 5: Data Sharding
Description:
How to implement a dalet to access sharding databases.
Unlike existing DAL software (such as Xu Chaoqian's DAL at 手机之家, Chen Siru's Amoeba and He Xianmao's Cobar), in the choice of front-end access method it abandons JDBC and instead exposes the same dalet data service over two interfaces at once: a custom persistent TCP connection and a persistent HTTP connection.
Dropping JDBC therefore brings benefits on several fronts:
1) it reduces the server-side cost of protocol parsing and query analysis;
2) it also simplifies client-side programming;
3) the back-end store is no longer limited to an RDB, but can be any NoSQL store, files, a cache, or even an online service such as Tuxedo;
4) the service can be made stateless, which makes horizontal scaling easier;
5) misuse of keywords such as join is ruled out at the interface level, avoiding excessive load on the server.
Distributed agile in the enterprise and virtual spaces, 2012-08-16 (drewz lin)
The document discusses strategies for enhancing collaboration in distributed teams. It notes that collaboration is more difficult without face-to-face interaction and participation can be stifled with unequal access. However, team building can still be done remotely through shared virtual spaces. Large time zone differences also present challenges. The document describes how one company achieved hyper productivity with distributed teams using practices like daily video meetings, regular travel, and shared digital tools.
The document discusses different techniques for mocking dependencies in C++ unit tests, including overriding virtual methods, composing mocks, and using templates to mock automatic variables and COM interfaces. It shows examples of mocking COM interface calls, automatic variables, and method return values to enable in-memory unit testing without external dependencies.
1) The document discusses cross-platform automated testing and tools used at Trend Micro for a product launched in 2012 on Windows, iOS, Android, and browsers.
2) An automation framework was developed using Python and STAF for centralized build monitoring, testing deployment, execution, and reporting.
3) Localization testing was automated to efficiently validate UI changes and truncation issues across languages. Screenshots were automated for iOS using UIAutomation and Android using Robotium.
Lasse Koskela presented on optimizing build times. He explained that delayed feedback is bad and can cost companies money when bugs are found later in the process. He demonstrated profiling builds to identify bottlenecks, such as tests that do unnecessary setup, build inputs slowly, or repeat work. Tests can also be slow if they use real objects instead of stubs. The presentation provided examples of optimizing test code and infrastructure. Infrastructure tweaks included using multiple CPUs, faster hardware, or the cloud to lift CPU or I/O bottlenecks.
The document discusses how to estimate the cost of a project. It explains that accurate cost estimation requires understanding all elements of a project including scope, schedule, resources, risks and uncertainties. The document recommends starting with a high-level estimate and then refining it over time as more details emerge through research and planning.
An old dinosaur mainframe faced challenges adapting to agile. [1] Its legacy codebase of 14 million lines had no documentation or structure. [2] It lacked modern tools for collaboration, testing and code management. Adopting agile practices helped by [3] focusing on experience sharing, strong product ownership and frequent customer feedback. Tailoring agile to the unique mainframe environment built a better team and improved customer satisfaction.
Exploring UX practices 4 product development, Agile 2012 (drewz lin)
This document describes a workshop on exploring Lean UX techniques and when they should be applied. [1] The goals of the workshop are to learn about Lean UX techniques that can be used at different development stages and do a collaborative design session to develop a minimum viable product (MVP) mobile app. [2] The workshop involves reviewing development stages and commonly used Lean UX techniques, brainstorming additional techniques, and doing a collaborative design exercise where teams research, scope, prototype, test and pitch a mobile networking app for conference attendees. [3] A retrospective is held at the end to discuss lessons learned.
This document discusses several secure design principles for software systems: the principle of least privilege, defense-in-depth, securing the weakest link, having fail-safe measures, being secure by default, and keeping designs simple and usable. It provides examples of how to implement each principle and notes that security is a process, not a product, and that following principles alone does not guarantee full security.
This document outlines an agenda for a workshop on affordance-driven process improvement. The goals are to help participants identify affordances influencing their team's processes, practice improving processes through a simulation, and map behaviors to agile practices. The theory of affordances is explained as perceivable elements that guide actions. Examples show how affordances can encourage good or bad behaviors. The workshop involves establishing team values, evaluating behaviors, identifying influencing affordances, and proposing process changes.
SQL injection attacks pose a major security threat by allowing attackers to alter intended database queries or commands through injection of malicious SQL code. Effective defenses include whitelisting input, escaping special characters, and using prepared statements with bind variables to separate data from SQL commands. These techniques help prevent attacks that could compromise user data, modify critical database information, or grant unauthorized access to attackers.
This document discusses principles of innovation and product development. It covers compelling offers that provide 10x improvement, the importance of immediate connection between creators and consumers, considering the adoption chain of all parties needed for success, and validating assumptions through experimentation. Teams are encouraged to observe user needs, question assumptions, network across organizations, and test hypotheses to develop products that deliver meaningful value.
The document discusses strategies for creating a shared vision among teams. It describes five common strategies: telling, selling, testing, consulting, and co-creating. Telling involves dictating the vision from leadership while co-creating involves developing the vision collaboratively. The document provides examples of how different strategies were used successfully, such as Kennedy's vision for NASA. It also outlines activities and tools that teams can use to develop a shared vision, including exploring the strategies, co-creating a vision for an agile conference, and using the Passion Meter protocol to identify high priority elements.
The document describes the Kanban Pizza Game, which is used to teach the concepts of Kanban. The game has participants work together to produce pizzas, with the goal of maximizing their score. Over multiple rounds, the game introduces concepts like limiting work-in-progress, visualizing the workflow, and measuring lead times. Playing the game helps participants experience how Kanban practices like pull-based workflows and limiting bottlenecks can improve productivity and collaboration.
Modeling, simulation & data mining, Agile 2012, Magennis & Maccherone (drewz lin)
Modeling, Simulation & Data Mining: Answering Tough Cost, Date & Staff Forecasts Questions provides techniques for using modeling, simulation, and data mining to answer difficult questions about project costs, dates, and staffing needs. The presentation discusses using the Scrum and Kanban frameworks in simulation models to forecast outcomes under different conditions. It emphasizes that forecasts should include uncertainty and risk, and that risk factors often have a bigger impact on outcomes than estimated backlog alone. Sensitivity analysis and Monte Carlo simulation are presented as ways to better understand uncertainty and communicate risk to executives. Best practices for model building and experimentation are also provided.
This document discusses strategies for solving large, complex problems referred to as "big rocks." It suggests breaking big rocks down into smaller problems, or "little rocks," that can each be addressed individually. Participants are divided into roles of miner, geologist, and monitor to work on identifying action items, next steps, and milestones for a selected rock. Various problem-solving techniques are presented, such as the rubber duck strategy of explaining issues out loud, sharing problems between pairs, and stopping temporary fixes to focus on real solutions. The goal is to make big problems more manageable by analyzing them as a series of smaller problems.
This document provides a summary of a presentation by Linda Rising on developing an agile mindset. The presentation discusses research showing that having a fixed versus agile mindset impacts goals, reactions to failure, beliefs about effort, and attitudes towards others. An agile mindset believes that abilities can grow with effort over time rather than being fixed. The presentation provides tips for developing an agile mindset in children, oneself, and others by praising effort over talent and viewing challenges and failures as opportunities to learn and improve.
Web security: everything we know is wrong, Eoin Keary (drewz lin)
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
This document summarizes a presentation about the mobile security Linux distribution Santoku Linux. It discusses how Santoku Linux was created by modifying Lubuntu to include mobile forensic and security tools from the company viaForensics. Some key tools discussed include AFLogical OSE for Android logical acquisitions, iPhone Backup Analyzer, and utilities for analyzing mobile malware samples. Real-world examples of analyzing the Any.DO task manager app and Korean banking malware are also provided.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
OWASP advanced mobile application code review techniques v0.2 (drewz lin)
The document discusses code review techniques for advanced mobile applications. It begins with an overview of why mobile security is important given the rise in mobile usage. It then discusses different mobile application types and architectures that can be code reviewed, including native, hybrid, and HTML5 applications. The document outlines the goals of mobile application code reviews, such as understanding the application and finding security vulnerabilities. It provides the methodology for conducting code reviews, which includes gaining access to source code, understanding the technology, threat modeling, analyzing the code, and creating automation scripts. Finally, it discusses specific vulnerabilities that may be found in Windows Phone, hybrid, Android, and iOS applications.
The document discusses research conducted by Gregg Ganley and Gavin Black at MITRE in FY13-14 on iOS mobile application security. It describes their work on a tool called iMAS (iOS Mobile Application Security) which aims to provide additional security controls and containment for native iOS applications. iMAS addresses vulnerabilities related to runtime access, device access, application access, data at rest, and threats from app stores/malware. It utilizes techniques like encrypted code modules, forced inlining, secure MDM and more to raise security levels above standard iOS but below a fully customized/rooted mobile device environment. The document outlines the motivation, capabilities and future research directions for the iMAS project.
Defeating XSS and XSRF with MyFaces frameworks, Steve Wolf (drewz lin)
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
This document summarizes a presentation on defending against CSRF (cross-site request forgery) attacks. It discusses four main design patterns for CSRF defenses: the synchronizer token pattern, double submit cookies, challenge-response systems, and checking the referrer header. It then provides details on implementing these patterns, specifically looking at libraries and features in .NET, .NET MVC, Anticsrf, CSRFGuard, and HDIV that can help implement CSRF tokens and validation. The document covers the tradeoffs of different approaches and considerations for using them effectively on the code and server level.
Chuck Willis: OWASP BWA beyond 1.0, AppSec USA 2013-11-21 (drewz lin)
This document provides an overview of the OWASP Broken Web Applications (OWASP BWA) project. It discusses the background and motivation for the project, describes the current status including what applications are included in the virtual machine, outlines future plans, and solicits feedback to help guide and expand the project. The goal of OWASP BWA is to provide a free, open-source virtual machine containing a variety of intentionally vulnerable web applications to aid in testing tools and techniques for finding and addressing security issues.
This document provides a summary of a presentation by Robert Hansen on the future of browser security. Hansen argues that while browser developers want to improve security and privacy, their companies' business models focused on advertising revenue prohibit them from doing so. He outlines various techniques used by advertisers and browser companies to track users against their preferences. Hansen advocates for technical controls that allow users to opt out of tracking through a "can not track" approach, rather than relying on ineffective "do not track" policies. He concludes by discussing WhiteHat Security's focus on privacy and their plans to add more security and privacy features to their Aviator browser.
AppSec USA 2013: JS lib insecurity, Stefano Di Paola (drewz lin)
This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.
AppSec 2013 presentation, Dickson (final, with all final edits) (drewz lin)
(1) A study surveyed 600 software developers and found that most did not have a basic understanding of software security concepts, with 73% failing an initial survey and the average score being 59% before training. (2) However, after training, developers' understanding of key concepts increased, with some areas like cross-site scripting seeing a 20 percentage point gain. (3) The study concluded that targeted security training can improve developers' knowledge in the short-term, though retention of this knowledge may require refresher training over time.
This document summarizes Bruno Gonçalves de Oliveira's talk on hacking web file servers for iOS. It introduces Bruno and his background in offensive security and discusses how iOS devices store a lot of information and mobile applications are often poorly designed and vulnerable. It provides examples of vulnerable file storage apps, outlines features and vulnerabilities like lack of encryption, authentication, XSS issues, and path traversal flaws. The document demonstrates exploits like unauthorized access to file systems on jailbroken devices and how to find vulnerable systems through mDNS queries. It concludes that mobile apps are the future but designers still do not prioritize security and there are too many apps for users to vet carefully.
AppSec 2013: Ondrej Krehel, Forensic investigations of web exploitations (drewz lin)
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
AppSec 2013: Assurance tagging, Robert Martin (drewz lin)
The document discusses engineering software systems to be more secure against attacks. It notes that reducing a system's attack surface alone is not enough, as software and networks are too complex and it is impossible to know all vulnerabilities. It then discusses characteristics of advanced persistent threats, including that the initial attack may go unnoticed and adversaries cannot be fully kept out. Finally, it argues that taking a threat-driven perspective beyond just operational defense can help balance mitigation with detection and response.
The document summarizes a presentation on vulnerabilities found in SCADA systems between 2009-2013. It analyzed vulnerabilities by component, with the majority (66%) found in communication components like Modbus and DNP3 protocols. Examples of vulnerabilities are described for several devices. Real-world issues with SCADA systems are discussed like lack of authentication and patching. Recommendations are provided like auditing SCADA networks, implementing secure protocols and password policies, and keeping systems updated.
This 3-page document discusses the real-world challenges of implementing an agile software development lifecycle (SDLC) approach from the perspectives of Chris Eng and Ryan O'Boyle. It was presented at the OWASP AppSec USA conference on November 20, 2013 and focuses on practical lessons learned and best practices for incorporating security throughout an agile SDLC.
This document outlines a presentation given by Simón Roses Femerling on software security verification tools. It discusses BinSecSweeper, an open source tool created by VulnEx to scan binaries and check that security best practices were followed in development. The presentation covers using BinSecSweeper to verify in-house software, assess a company's software security posture, and compare the security of popular browsers. Examples of plugin checks and reports generated by BinSecSweeper are also provided.