The second half of the morning should prove just as brain-charging for CascadiaJS Server Day.
Greg Bulmash: Kids, JS, and Minecraft: A ‘Dynamite’ Combo
Wants something simple: one short line vs. something complex in Java.
Minecraft + JS = Scriptcraft
Links: CanaryMod (needed to run the server), Yiddish.Ninja workshop docs
Adam Baldwin: The Art of Identifying Vulnerabilities
What is a vulnerability? Is it a bug? Is it a weakness?
A promise that can be broken.
Something that can break the promise of confidentiality, integrity, and availability.
To find vulnerabilities, you need systems, security knowledge, and curiosity.
You must understand the nuances of the systems you create and consume. e.g. What the heck is the event loop anyway?
See the slides for other JS nuances.
The area is growing as we get into ES6.
Vulnerabilities are prevalent at the boundaries between one system and another.
It’s not just about your code; it’s about the other systems you depend on, e.g. NPM.
Whose code are you running in production?
One person’s project may depend on packages which in turn depend on further packages.
Vulnerabilities multiply in the presence of complexity.
e.g. the new OpenSSL vulnerability: 300,000 lines of code.
Where to start? Look at the intuitive trust that happens without a conscious decision. Get something to do something it wasn’t designed for. What promises does it make?
Analyze and test.
Learn from others.
You’re not going to find anything without curiosity, even if you have all the knowledge.
Do things to your application that you normally wouldn’t. Shed all prior knowledge; act like a child.
How can it be used in other ways? What assumptions are you making? Ask questions.
It’s about what you don’t know, not what you know.
- Understand the code and the threat model
- Identify inputs (sources)
- Identify sinks
- Follow the data from source -> sink
- Test & validate
Once you understand the sinks and have checked them manually, you can automate the check.
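The source -> sink procedure above, as an added illustration (not code from the talk): a toy, line-based taint tracker run over a constructed snippet. The source, sink and sanitizer lists and the sample code are assumptions made for the example; real tools do this over an AST, but the steps are the same.

```javascript
// Added illustration, not code from the talk: a toy, line-based taint tracker
// that applies the source -> sink procedure to a constructed snippet. It follows
// straight-line assignments only (no branches, calls or object fields).

// Where untrusted data enters (sources) and where it becomes dangerous (sinks).
const SOURCES = [/\breq\.(query|body|params)\b/, /\bprocess\.argv\b/];
const SINKS = [
  { name: 'eval', re: /\beval\(/ },
  { name: 'child_process.exec', re: /\bchild_process\.exec\(/ },
  { name: 'fs.readFile', re: /\bfs\.readFile\(/ },
];
// Passing through one of these makes a value trusted again in this toy.
const SANITIZERS = [/\bparseInt\(/, /\bpath\.basename\(/];

// True when identifier `name` appears as a whole word in `text`.
const mentions = (name, text) => new RegExp(`\\b${name}\\b`).test(text);

function trackTaint(source) {
  const tainted = new Set();   // variables currently holding untrusted data
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const assign = line.match(/^\s*(?:const|let|var)?\s*([A-Za-z_]\w*)\s*=\s*(.+?);?\s*$/);
    if (assign) {
      const [, name, rhs] = assign;
      const untrusted = SOURCES.some(re => re.test(rhs)) ||
        [...tainted].some(v => mentions(v, rhs));
      const cleaned = SANITIZERS.some(re => re.test(rhs));
      if (untrusted && !cleaned) tainted.add(name); else tainted.delete(name);
      return;
    }
    for (const { name, re } of SINKS) {
      if (!re.test(line)) continue;
      const vars = [...tainted].filter(v => mentions(v, line));
      if (vars.length) findings.push({ line: i + 1, sink: name, vars });
    }
  });
  return findings;
}

// Constructed sample: one tainted path reaches a sink, one is sanitized first.
const SAMPLE = [
  "const id = req.query.id;",          // source
  "const file = 'reports/' + id;",     // taint propagates through the assignment
  "const n = parseInt(id, 10);",       // sanitized copy, not tainted
  "fs.readFile(file, cb);",            // finding: tainted `file` reaches a sink
  "fs.readFile('reports/' + n, cb);",  // clean: only the sanitized `n` is used
].join('\n');

console.log(trackTaint(SAMPLE)); // [{ line: 4, sink: 'fs.readFile', vars: ['file'] }]
```

Each finding names the line, the sink and the tainted variables that reached it, which is the list you then validate by hand before trusting the automation.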
Be okay with boring, monotonous and unfruitful testing. Be persistent.
Don’t try to do it all at once. Work with your teammates, and the community.
Parashuram N: Automating Web Performance Measurement
Manager says the site feels slow.
As a dev you try to lower the site load time, but you also want the user to be happy after the site has loaded. It turned out the complaint was about the site after load, not slow loading.
Example used: a reading progress indicator that shows how far the user has scrolled; it should move vertically with the scroll and save how far the user has scrolled.
Found it running at almost 60 FPS, plus a whole bunch of random events the browser was handling.
Reduced animation events and amount.
Automating the Profiler Process
Performance is a feature. It should have test suites and continuous integration.
Steps for fixing performance:
- Scroll the page in browser
- Collect the timeline data
- Fix it
You can write your own code, or use something like Selenium or the Google Chrome Timeline tools.
Tool: browser-perf, open source, based on the Chromium perf suite; runs any Selenium action and supports the major browsers. Integrates with Grunt, Protractor, etc.
Icons on the page: turns out fonts are faster (vs. SVG).
Become the performance champion!