
ConFoo: Day 3

December 18, 2016 (updated January 2nd, 2017)

My experiences at ConFoo day 3.

PHP OOP: An Object Oriented Programming Primer - Eli White

“Whether you are a brand new developer or an experienced coder, the PHP object model can hold some mysteries that are worth exploring. This session will briefly cover the basics of working with Objects in PHP, then dive quickly through inheritance, abstracts, interfaces, traits, late static binding, magic methods, namespaces, and maybe even reflection. It’s a lot to cover, so make sure to show up with your eyes open and be ready to move quickly!”


My Notes

Basics on classes, objects, constructors. Public/private. The name of the error for the :: token is Hebrew, a nod to the two developers who helped with PHP 3.

Inheritance basics.

Abstract class

  • Children must implement all of the parent's abstract methods (the abstract methods themselves have no body, e.g. abstract public function save();)
  • A child class that does not implement every abstract method must itself be declared abstract
  • Method signatures must match exactly

Interface

  • Only method declarations, no implementation
  • Similar to abstract methods, but shareable between unrelated classes
  • No code, no properties, just an interoperability contract

Interface Extension

  • It is possible for an interface to extend another interface
  • Interface can provide constants

Traits

  • When you want more than a template
  • Enable horizontal code reuse
  • Create code and inject it into different classes
  • Contains actual implementation
  • Inject into a class with the use keyword
  • A class can include multiple traits

Basics on namespacing

Late static binding (PHP 5.3)

  • Using self:: in a parent class always resolves to the parent, no matter which child the call came through.
  • Using the static:: keyword resolves at run time to the class the call was made on, so it calls the child's copy
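An added example, not code from the talk, that puts the pieces above together in one file; it assumes PHP 8 for the static return type and typed properties. It shows an interface carrying a constant, a trait injecting a real implementation, an abstract class whose child must implement table(), and the difference between self:: and static::.

```php
<?php
// Interface: a contract only. No code and no properties, but constants are allowed.
interface Storable
{
    public const TABLE_PREFIX = 'app_';
    public function save(): string;
}

// Trait: horizontal code reuse. A real implementation, injected with `use Timestamps;`.
trait Timestamps
{
    protected string $touchedAt = 'never';
    public function touch(string $when): void { $this->touchedAt = $when; }
}

// Abstract class: table() has no body here, so every concrete child must
// implement it with exactly this signature (or be declared abstract itself).
abstract class Model implements Storable
{
    use Timestamps;
    abstract protected function table(): string;

    public function save(): string
    {
        return 'INSERT INTO ' . self::TABLE_PREFIX . $this->table()
            . ' /* touched ' . $this->touchedAt . ' */';
    }

    // self:: is resolved where it is written, so it always names Model;
    // static:: is late static binding and names the class the call was made on.
    public static function names(): array
    {
        return ['self' => self::class, 'static' => static::class];
    }

    public static function create(): static
    {
        return new static();   // builds the child class, not Model
    }
}

final class User extends Model
{
    protected function table(): string { return 'users'; }
}

$user = User::create();         // a User instance thanks to new static()
$user->touch('2016-12-18');     // constructed timestamp
echo $user->save(), PHP_EOL;    // the INSERT statement for app_users
print_r(User::names());         // compare the self:: and static:: results
```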

RegEx Is Your Friend - Liam Wiltshire

“RegEx is scary. At least, if you ask Google, that’s what you might think (257,000). And slow (441,000). In fact, regular expressions are neither of these, and indeed are a powerful tool in your utility belt.

In “RegEx Is Your Friend”, Liam aims to provide some real-world and usable examples of how it can be used in a way that’s fast, explaining how the different parts of regular expressions work and execute to make it understandable for all.”


My Notes

When shouldn't we use it?

  • Simple string replacements
  • Data validation libraries

Flags change the behaviour of the regex, e.g. case insensitive, global.

Performance

  • Avoid match-all patterns
    • Be as specific as possible
  • Try + before * wherever at least one character is required

Data capture

  • Use parentheses to group our expressions
  • We can use ?: at the start of the group to make it non-capturing

Atomic groups

  • Multiple options within a match are a common cause of slowdowns
  • Atomic groups let us tell the engine not to backtrack into the group once it has matched
  • The order of the options matters
  • Longest first
  • Won't return a capture

Conditionals

  • Allowing you to define different patterns depending on a certain condition
  • Combined with lookaheads, it can make life easier
  • (?(condition)then|else)

Backreferences

  • Allow you to create a capturing group, and then use it later in the pattern
  • Named backreferences
    • (?P<name>...) gives the group a name

The x Flag

  • This makes the engine ignore whitespace and provide the ability to add comments with #
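An added example, not from the talk, that exercises the features in the notes above with PHP's preg functions on a constructed "key=value" record: the x flag, named groups, a non-capturing group, a conditional, an atomic group, a lookahead and a named backreference.

```php
<?php
// Parses constructed "key=value" records such as
//   method=POST path="/cart/add item" status=404
// with the features from the talk. The x flag lets the pattern span lines
// with # comments; (?P<name>...) names a group; (?(<q>)yes|no) is a conditional
// on whether group "q" matched; (?>...) is an atomic group; (?=...) a lookahead.
const FIELD = '/
    (?P<key>\w+) =                        # named group: the field name
    (?P<q>")?                             # optional opening quote, remembered as "q"
    (?P<value>
        (?(<q>) [^"]*                     # if a quote opened: anything up to the next "
              | (?>PATCH|POST|PUT|GET|\S+) )  # else: atomic alternation, longest option first;
    )                                     #   once an option matches, no backtracking into it
    (?(<q>) " )                           # closing quote only when one was opened
    (?= \s | $ )                          # field must end at whitespace or end of line
/x';

/** @return array<string,string> field name => value */
function parseFields(string $line): array
{
    preg_match_all(FIELD, $line, $matches, PREG_SET_ORDER);
    $out = [];
    foreach ($matches as $m) {
        $out[$m['key']] = $m['value'];
    }
    return $out;
}

// Backreference: (?P=tag) must repeat exactly what the "tag" group captured,
// so <b>...</b> is a match while <b>...</i> is not. (?:...) would be the
// non-capturing form if we did not need the body.
const TAG = '/<(?P<tag>\w+)>(?P<body>.*?)<\/(?P=tag)>/';

function pairedTag(string $html): ?array
{
    return preg_match(TAG, $html, $m) === 1
        ? ['tag' => $m['tag'], 'body' => $m['body']]
        : null;
}

var_dump(parseFields('method=POST path="/cart/add item" status=404'));
var_dump(pairedTag('<b>bold</b>'));     // matched pair
var_dump(pairedTag('<b>broken</i>'));   // mismatched closing tag
```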

HTTP Caching with Varnish - David Buchmann

“With the Varnish caching proxy, you can greatly increase the speed of websites and handle a lot more load. The basics are quite simple once you understand how the cache handling in HTTP works, so we will look into that first. Then I will go into advanced topics like cache tagging and cache invalidation or using Edge Side Includes.”


My Notes

A reverse proxy that sits in front of the web server.

What can go wrong

  • Nothing gets cached
  • Too much
  • Editors see no change (cache invalidation)
  • Caches get mixed up (personalized content)

HTTP status codes

  • 1xx hold on
  • 2xx Here you go
  • 3xx Go away
  • 4xx You fucked up
  • 5xx I fucked up

Do not cache

s-maxage=0

Default behavior

  • Only attempt to cache GET and HEAD requests
  • Never cache requests carrying a Cookie or Authorization header
  • Never cache a response that carries Set-Cookie
  • Only cache responses with safe status codes: 200, 203, 300, 301, 302, 307, 404, 410

HTTPS support costs money 🙁

Invalidation flavors

  • Purge: URL and all variants
  • Refresh: remove cache for this exact request and warm cache
  • Ban: batch invalidation with reg exp
  • Tagging: batch invalidation based on tags

Edge side includes

  • Like server-side includes, but on Varnish
  • Content embeds URLs to parts of the content
  • Varnish fetches and caches the elements separately
  • Individual caching and rules per fragment
  • E.g. only some elements vary on the cookie
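An added example, not the speaker's code, of the application side of the notes above in PHP 8: the shared page is marked cacheable with s-maxage, the only cookie-dependent part is served as a separate ESI fragment with s-maxage=0 so it can never be stored and served to another user, and a tag header (X-Cache-Tags, an assumed name) is attached for tag-based invalidation. It assumes Varnish has ESI processing enabled for the page in its VCL, which is not shown.

```php
<?php
/**
 * Response headers for one page or ESI fragment (added example, not from the talk).
 * Shared content gets an s-maxage so Varnish keeps it; personalised content gets
 * s-maxage=0 so it is never stored in the shared cache, which is how
 * "caches get mixed up" happens. X-Cache-Tags is an assumed header name.
 */
function cacheHeaders(bool $personalised, int $ttl, array $tags = []): array
{
    if ($personalised) {
        // Varnish already skips responses that carry Set-Cookie; s-maxage=0 and
        // private make the intent explicit for every shared cache on the path.
        return ['Cache-Control' => 'private, no-store, s-maxage=0'];
    }
    $headers = ['Cache-Control' => "public, s-maxage=$ttl, max-age=0"];
    if ($tags !== []) {
        $headers['X-Cache-Tags'] = implode(',', $tags); // for batch invalidation by tag
    }
    return $headers;
}

function emit(array $headers): void
{
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
}

$path = strtok($_SERVER['REQUEST_URI'] ?? '/', '?');

if ($path === '/fragment/user') {
    // Only this fragment depends on the session cookie, so only it is uncacheable.
    emit(cacheHeaders(personalised: true, ttl: 0));
    $who = isset($_COOKIE['session']) ? 'signed-in user' : 'guest'; // constructed lookup
    echo '<span>Hello, ', htmlspecialchars($who), '</span>';
    exit;
}

// The page is the same for everyone, so it can sit in Varnish for ten minutes.
// Varnish stitches the personalised fragment in via ESI (assumes ESI is enabled
// for this response in the VCL, which is not shown here).
emit(cacheHeaders(personalised: false, ttl: 600, tags: ['layout', 'product-42']));
echo '<html><body>',
     '<esi:include src="/fragment/user" />',
     '<h1>Product 42</h1>',
     '</body></html>';
```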

Operational Security for Devs, Ops and Other Humans - Jan Schaumann

“This talk will teach you the principles and practices of how to protect yourself from both active and passive attackers during day-to-day operations. We will focus on human aspects and the psychology of how people work to help you protect your information from any number of adversaries, in part by understanding, developing and applying suitable defenses across all layers of ‘cyber.’ ”


My Notes

Opsec – being aware of what information you make available, and how it may be used against you.

  • Clear out your shell history; it can store passwords in plain text.
  • cat /dev/null > ~/.bash_history (and history -c to drop the current session's entries before they are written)
  • You can set a PIN on the SIM card on an iPhone
  • Privacy screens to prevent others from seeing screen
  • USB condom (a data blocker that passes power only), to protect your data when charging
  • Avoid leaking secrets into code repositories
  • Little Snitch license
  • RFID Wallet
  • FIDO U2F security key
  • Webcam cover

Electronics 101 for Software Developers - Dror Helper

“These days, every developer has the power to control the real world using Arduino.
Suddenly confronted with resistors, digital inputs, analog interfaces, and a weird bread board full of holes – a developer is reminded that the world of hardware can be confusing and sometimes downright frustrating.
The good news is that an electrical engineering degree is not required in order to build electronic circuits.”


My Notes

  • Voltage – electric potential energy per unit charge.
  • Resistance – how hard it is for current to pass through a conductor, measured in ohms
  • I = current
  • Power: P = I × V
  • LED: long leg +, short leg –

Solderless breadboard

  • Keeps components in place
  • Connects components

Deployments So Easy, Devs Will Ask For It by Name - Brittany Martin

“Our city’s arts community is dependent on a 24/7 high volume Rails application. We revamped our deployment process to use the new AWS CodeDeploy. CodeDeploy is a free AWS service that efficiently deploys your released code to a “fleet” of EC2 instances while taking care to leave as much of the fleet online as possible. In this talk, you will learn how to skip writing custom deployment tools and celebrate rapid development cycles.”


My Notes

  • AWS Elastic Beanstalk -> less control
  • AWS CloudFormation -> more control
  • AWS CodeDeploy -> in the middle

Scale from 1 to multiple servers

Setup

  • Gather the install steps
  • Design an appspec
  • Set up an AWS CodeDeploy deployment group
  • Install Slack notifications

Removes a server from the load balancer, deploys the code and adds it back: one at a time, half at a time or all at once.

CloudWatch to watch live

SNS to Slack

Automatic deployment failure rollback

Price: free & open source

Blue/Green deployments (beta) – Spins up new servers

AWS CodeBuild, similar to Travis CI
