Importance of Security

Posted in java by pedro | Thursday, December 1st, 2011 at 11:11 am

Everybody knows web applications are now the de facto standard in daily use. We go even further as we have more and more mobile devices.
We are building our apps in such a way that we can access them from mobile phones, tablets and even e-book readers.

So nobody should be surprised that companies involved in web standards have published articles focused on web application security.

  • Google: Browser Security Handbook
  • Google: Web Application Exploits and Defenses, part one, part two, part three, part four, part five.
  • Great live step-by-step tutorial on the Gruyere application. It is challenging.
  • Mozilla: WebAppSec/Secure Coding Guidelines - here are some quick wins:
    • For all cookies, set the HTTPOnly and Secure flags
    • Make sure login pages are only served over HTTPS and all authenticated pages are only served over HTTPS
    • Don’t trust any user data (input, headers, cookies etc.). Make sure to validate it before using it
  • Last but not least, the OWASP site is one of the best security information sites.
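The first Mozilla quick win above is easy to state and easy to forget on one cookie out of many. The following script is an added example, not code from the original post or from Mozilla: it builds a Set-Cookie value with both flags using the standard library, and audits a list of captured Set-Cookie values (constructed sample data below) to report which cookies are missing HttpOnly or Secure. Attribute names are compared case-insensitively, as RFC 6265 requires.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not from the original post or from Mozilla). The header
strings in SAMPLE_HEADERS are constructed, as a proxy or test client
might capture them from a web application under review.
"""
from http import cookies

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def build_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with both flags set (assumed helper name).

    Uses http.cookies.Morsel, which emits attributes in sorted order.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def missing_flags(set_cookie_value):
    """Return the required flags absent from one Set-Cookie header value.

    The first "name=value" pair is the cookie itself; everything after the
    first ';' is an attribute. Attribute names are case-insensitive.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_headers(set_cookie_values):
    """Map cookie name -> missing flags, listing only cookies that fail."""
    report = {}
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        missing = missing_flags(value)
        if missing:
            report[name] = missing
    return report


# Constructed sample headers.
SAMPLE_HEADERS = [
    "JSESSIONID=3f2a; Path=/",               # both flags missing
    "remember_me=1; Path=/; HttpOnly",       # Secure missing
    "csrf=9d1c; Path=/; Secure; HttpOnly",   # ok
    build_cookie("session", "ab12"),         # ok, built by the helper
]

if __name__ == "__main__":
    for cookie_name, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

Running it prints only the two offending cookies; the check is cheap enough to drop into an integration test that replays a login and inspects every Set-Cookie the application returns.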

Happy Hacking your apps

Groovy and Grails Code Quality

Posted in grails, groovy by pedro | Wednesday, August 3rd, 2011 at 11:09 pm

I’m involved in a Grails project. Apart from development, my responsibility is taking care of code quality. I do code review, and I was wondering about a tool to help me a little bit. In the meantime I was reading a GroovyMag issue and found out about the CodeNarc tool.

This tool does static analysis for Groovy. The last CodeNarc version is 0.14, which means that it is still in the development phase, but even now it has 241 rules. Also we can create our own rules and rule sets, which makes this tool really useful. Check these documents:

But a good tool without integration does not exist. Fortunately CodeNarc comes with support for: Maven, Ant, Gradle, Grails, Griffon, Sonar and Hudson (coming soon).

As an IntelliJ user I was delighted, because there is a CodeNarc IntelliJ plugin. After standard plugin activation we have to enable the rules, which are disabled by default. See the picture below.


Until now I have disabled some rules, because from my point of view there were too many false positives:

  • Ruleset naming: FieldName -> it complains a lot about DSLs
  • Ruleset dry: DuplicateStringLiteral -> we have something like [save: "POST", update: "POST", delete: "POST"] and I think it is more readable than externalizing the string “POST”
  • Ruleset dry: DuplicateNumberLiteral -> false positives in tests
  • Ruleset generic: StatelessClass -> every class is by default “stateless”, so this rule complains a lot about closure methods, fields etc.

I wonder what you think about disabling these rules and which rules are useless from your point of view.

Last but not least is Grails integration. CodeNarc comes with a Grails plugin, so everything is easy:

> grails install-plugin codenarc

then:

> grails codenarc
...
CodeNarc completed: (p1=0; p2=0; p3=0) 7673ms
CodeNarc finished; report(s) generated: [CodeNarcReport.html]

And done, you have a nice HTML file with: package, total files, files with violations, priority 1, priority 2 and priority 3. I cannot attach the file so just look at the images.
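The summary line that `grails codenarc` prints is the natural place to hook a quality gate, so that priority 1 violations fail the build instead of only landing in the HTML report. The script below is an added example, not part of the original post or of CodeNarc/Grails: it parses the `CodeNarc completed: (p1=..; p2=..; p3=..)` line and applies per-priority thresholds. The thresholds are assumptions, and both log excerpts are constructed (the first mirrors the clean run shown above).

```python
"""Gate a build on the summary line printed by `grails codenarc`.

Added example, not part of the original post or of CodeNarc/Grails.
Thresholds are assumptions; the log excerpts below are constructed.
"""
import re

SUMMARY_RE = re.compile(
    r"CodeNarc completed: \(p1=(?P<p1>\d+); p2=(?P<p2>\d+); p3=(?P<p3>\d+)\)"
)


def parse_summary(log_text):
    """Return {'p1': n, 'p2': n, 'p3': n} from the log, or None if absent."""
    match = SUMMARY_RE.search(log_text)
    if match is None:
        return None
    return {key: int(value) for key, value in match.groupdict().items()}


def gate(counts, max_p1=0, max_p2=5, max_p3=None):
    """Decide pass/fail; a limit of None means that priority is not gated.

    Returns (passed, reasons) so the caller can say why a build was blocked.
    A missing summary is treated as a failure: a silent tool is not a clean run.
    """
    if counts is None:
        return False, ["no CodeNarc summary found in log"]
    limits = {"p1": max_p1, "p2": max_p2, "p3": max_p3}
    reasons = [
        f"{prio}={counts[prio]} exceeds limit {limit}"
        for prio, limit in limits.items()
        if limit is not None and counts[prio] > limit
    ]
    return not reasons, reasons


# Constructed log excerpts.
CLEAN_LOG = (
    "CodeNarc completed: (p1=0; p2=0; p3=0) 7673ms\n"
    "CodeNarc finished; report(s) generated: [CodeNarcReport.html]\n"
)
DIRTY_LOG = (
    "CodeNarc completed: (p1=2; p2=7; p3=31) 8120ms\n"
    "CodeNarc finished; report(s) generated: [CodeNarcReport.html]\n"
)

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("dirty", DIRTY_LOG)):
        passed, reasons = gate(parse_summary(log))
        print(label, "PASS" if passed else "FAIL", reasons)
```

Piping the `grails codenarc` output into this script from a Hudson job gives the same effect as the native integration the post mentions as "coming soon", and the explicit `None` default for p3 keeps informational findings from blocking a build while you are still tuning which rules to disable.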

Unfortunately the plugin does not work with Grails 1.4M1; I did not check it with 2.0M1, but it is working with 1.3.x and probably the next version will support 2.0M1/1.4M1.

Happy quality code.


Google APIs Discovery Service

Posted in google by pedro | Tuesday, May 10th, 2011 at 12:03 pm

Before Google I/O, Google released the Google APIs Discovery Service. The purpose of this API (or meta-API) is to expose machine-readable metadata about other Google APIs.

You can get a list of all APIs (of course this is just part of all Google APIs ;) ) supported by the Discovery Service:

GET https://www.googleapis.com/discovery/v1/apis

and as the response you will get a JSON object with the API list. See apis.json.zip; here we have an example about the Buzz API:

{
  "kind": "discovery#directoryItem",
  "id": "buzz:v1",
  "name": "buzz",
  "version": "v1",
  "title": "Buzz API",
  "description": "Lets you share updates, photos, videos, and more with your friends around the world",
  "discoveryLink": "./apis/buzz/v1/rest",
  "icons": {
    "x16": "http://www.google.com/images/icons/product/buzz-16.png",
    "x32": "http://www.google.com/images/icons/product/buzz-32.png"
  },
  "documentationLink": "http://code.google.com/apis/buzz/v1/using_rest.html",
  "labels": [ "labs" ],
  "preferred": true
}

Next we can get more information about a particular API by using the discoveryLink value. This is called the “Discovery Document”, which includes:

  • All the API schemas that describe the API usage.
  • Description of methods and parameters.
  • OAuth scopes and Authentication information.
  • Inline documentation with description of schemas, methods, parameters and parameters values.

Let’s try to get more information about Buzz API:

GET https://www.googleapis.com/discovery/v1/apis/buzz/v1/rest

There is a ton of information there. So you may ask “what for?”; the answer is to build tools around the Google APIs. Currently Google uses this API to build such a great tool as the API Explorer, and the Google Plugin for Eclipse also uses the Discovery Service to show you information about an API.
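A tool built on the Discovery Service has to do two things the post walks through by hand: pick the preferred version of each API from the directory listing and turn its relative discoveryLink into the absolute Discovery Document URL. The script below is an added example, not code from the original post or from Google. The directory JSON is a constructed sample: the `items` envelope is assumed, the Buzz entry copies the fields shown above, and a second non-preferred version is added to exercise the selection logic. It also refuses to follow a discoveryLink that resolves to a different host or to plain HTTP, which is the check a client should make before trusting metadata that will drive code generation.

```python
"""Walk a Discovery Service directory listing and resolve discoveryLink.

Added example, not code from the original post or from Google. The
directory JSON below is constructed: the "items" envelope is assumed,
the Buzz entry copies the fields shown in the post, and the second
version exists only to exercise the preferred-version selection.
"""
import json
from urllib.parse import urljoin, urlsplit

DIRECTORY_URL = "https://www.googleapis.com/discovery/v1/apis"
TRUSTED_HOST = "www.googleapis.com"

SAMPLE_DIRECTORY = json.loads("""
{
  "kind": "discovery#directoryList",
  "items": [
    {
      "kind": "discovery#directoryItem", "id": "buzz:v1", "name": "buzz",
      "version": "v1", "title": "Buzz API",
      "discoveryLink": "./apis/buzz/v1/rest",
      "labels": ["labs"], "preferred": true
    },
    {
      "kind": "discovery#directoryItem", "id": "buzz:v0.9", "name": "buzz",
      "version": "v0.9", "title": "Buzz API",
      "discoveryLink": "./apis/buzz/v0.9/rest",
      "labels": ["deprecated"], "preferred": false
    }
  ]
}
""")


def preferred_versions(directory):
    """Map API name -> the directory item marked "preferred": true."""
    return {
        item["name"]: item
        for item in directory.get("items", [])
        if item.get("kind") == "discovery#directoryItem" and item.get("preferred")
    }


def discovery_document_url(item, base=DIRECTORY_URL):
    """Resolve the relative discoveryLink against the directory URL.

    "./apis/buzz/v1/rest" joined to the directory URL yields the same
    GET target the post uses for the Buzz Discovery Document.
    """
    return urljoin(base, item["discoveryLink"])


def is_trusted_discovery_url(url):
    """Only fetch Discovery Documents over HTTPS from the expected host.

    A link that resolves elsewhere is treated as a malformed or tampered
    directory entry and skipped rather than followed.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == TRUSTED_HOST


def discovery_urls(directory):
    """Return {api name: Discovery Document URL} for trusted preferred items."""
    result = {}
    for name, item in preferred_versions(directory).items():
        url = discovery_document_url(item)
        if is_trusted_discovery_url(url):
            result[name] = url
    return result


if __name__ == "__main__":
    for api_name, url in discovery_urls(SAMPLE_DIRECTORY).items():
        print(f"GET {url}   # {api_name}")
```

For the sample directory this prints exactly the Buzz request shown above; replacing `SAMPLE_DIRECTORY` with the parsed body of a real `GET https://www.googleapis.com/discovery/v1/apis` response is the only change needed to run it against the live service.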

Happy Discovers

Amazon Cloud Drive and Play

Posted in amazon by pedro | Wednesday, March 30th, 2011 at 12:00 am

Amazon is awesome!

Every one of us has a lot of music files. You can try “du -hs Music/”; I’m getting a 100+GB answer, and this is just part of my music, mostly because “df -h” is saying “Avail 4.5Gb”.
This is after I purged more than 50GB of music.

I’m also a user of the Grooveshark and Pandora services, because I cannot have all my music with me.

But the world is changing now, Amazon announced two services:

To start using both services you have to accept the terms and you are ready.

Cloud Drive is built on top of S3 and you get 5Gb for free. Of course you can buy more, up to 1000Gb. There is also a Metadata Service that allows us to search our files stored in Cloud Drive.

Some photos (images not reproduced): Cloud Drive, Cloud Player, Amazon Uploader.

There is also a web player as well as an Android app. Every purchase you make in the Amazon MP3 Store or via the Android app can be stored in Cloud Drive, then played from wherever you are.

I hope Cloud Player for iPhone is in the review queue, so it should be announced soon.

My summary: This is Awesome.


Native Client SDK from Google

Posted in google, web by pedro | Friday, March 11th, 2011 at 3:33 pm

Native Client allows us to build web applications that execute native compiled code inside the
browser. The Native Client SDK includes the API, documentation, and examples, and it is available for the OSX, Linux and Windows platforms. The last version was released on 17 February 2011 (this update forces you to use at least Chrome 10.x).

Native Client is available in the Chrome browser.

The first question in my head was: Why? Possible answers are:

  • Games – I’m not really sure if this is the main case, because we have Canvas and of course Flash is still in the game.
  • Existing software – that is nice; instead of installing on every computer we can run our app (or part of it) in the browser.
  • Low level – codecs, communication with the OS (limited to a special API)

One picture is worth more than a thousand words. This picture comes from Google’s Technical Overview.


Native Client consists of: HTML/JS, a bridge between JS and the native module, plus the native module.

Example

First of all you have to enable the Native Client feature in Google Chrome: enter “about:flags” into the URL address bar, then find the “Native Client” option; you have to enable it and restart the browser.

Then try some of the examples provided by Google: Native Client Examples; for me the Life game was really cool.

I wrote a simple hello world application, but it is nothing more than the Google tutorial, and of course one more link to the Pepper API.

Summary

I don’t consider Native Client something that will change the world, but it may be useful in some situations. One additional plus is that we can distribute our application through the Chrome Web Store. We will see how much effort Google will put into Native Client development.


about me

My name is Sebastian Pietrowski. I finished Warsaw University with a Master's degree. During my studies I started work for merlin.pl. The primary language I use is Java, but I have also programmed in Python, Ruby and Scala. I worked as a technical solution architect on the merlin.pl infrastructure when we were moving from PL/SQL to J2EE. I engineered a great performance-optimized solution that made the application 10 times faster than the requirements and 85 times faster than the original solution.

Currently, I am working as a Senior Expert at F. Hoffmann-La Roche to help define the future roadmap in design and development of enterprise software at Roche and Genentech and to build adoption for new technologies. I'm continuously mentoring new developers, helping them understand how important test-driven development is and empowering them to get better at their daily job. I'm involved in many activities which bring new technologies for better and faster development. You can find more details on my LinkedIn profile.

But don’t get me wrong, I am not your typical nerd. I'm a pleasant guy that you can drink a glass of wine with and talk about a range of topics with. My leisure activities include playing basketball, soccer and listening to music. I try to be pragmatic while staying focused on application performance and tuning, with success in my daily work.

My favorite quote from Yoda's and my life’s motto is: Do, or do not. There is no try.