14 Oct 2016

CD Summit & Jenkins Days: Promising DevOps Technologies

I had the pleasure of attending CD Summit & Jenkins Days this week in Denver. The conference was very focused on Continuous Delivery, DevOps, and great team culture to promote best development and deployment practices. I’ve never been to this conference series before but it was a pleasant experience that I hope to check out again in the future.

If you are responsible for championing DevOps at your place of employment and wear many hats, it can be difficult to keep track of all the fancy new developments. Here’s a list of the new technologies that I learned about or dove deeper with while attending the conference:

Jenkins Pipeline

DevOps - Jenkins Pipeline View

  • Really cool way to manage your workflow from build to test to deploy.
  • Reminiscent of the fancy pipeline approach I dig about GoCD
  • Groovy DSL and Jenkinsfile yummies. Less UI-based configuration please!

IBM BlueMix Garage Method and ToolChains

DevOps - IBM Bluemix Toolchains

  • DevOps best practices through the Garage Method
  • Customizable Toolchains to get you from dev to deploy
  • Sweet Web-based IDE
  • Both free for anyone using BlueMix

Electric Cloud’s Electric Flow

DevOps - Electric Cloud Electric Flow

  • A fully featured and extensible release automation tool with a super slick UI
  • Free for up to 10 deploy nodes
  • So far about 180 different plugins

In Conclusion

I enjoyed my time at the conference and learned a lot. The tools above are the three most impressive that I saw and I look forward to playing around with them!

Share this
28 Sep 2016

A Comparison of Material Design Frameworks

Responsive design and material design are hot topics in front-end development and User Interface design. In 2011 Blueprint, the first CSS framework came out and revolutionized the way websites were built. Less than five years since the redesign framework - blueprint logolease of Blueprint there has been an explosion in the number of front end frameworks for developers to choose from. Frameworks now need to be innovative and keep up with the latest design standards. They also have to utilize different stacks of technologies in order to differentiate from their competitors. In this modern world that is full of choices we now need to look closer at our options, sift through the clutter and decide what the right framework is for our situation.

When deciding what framework is best for a particular project we need to first take into account why we are using a framework to start with. In our case we are using a framework to save time, unify our design elements and optimize our project scope by cutting out the task of repeatedly writing large amounts of custom code. In order to find the best framework to effectively achieve these goals we have come up with the following list of criteria to analyze.

 

  • Maturity of the library
  • Other technologies used by the framework
  • Ease of implementation
  • Design features
  • Size of the framework after minimizing 

 

We mentioned earlier that there are quite a few frameworks in circulation for us to choose from, talking about all of them in one blog post would be confusing and less effective. As a team of developers that often works with Angular.js we decided that the framework would need to either already implement Angular in its stack of technologies used, or play well with it. Secondly, we considered strength of design, so using Google’s new Material design is a requirement as well. Lastly we looked to see what the most popular frameworks being used by our fellow developers are and took into account their reviews. Our conclusion was to look into Angular Material, LumX,  and Materialize. The following is a breakdown of what our research found.

 

Maturity of the Library

The maturity of the library refers to the size of the community supporting the framework and how long it has been around. The Internet is a quickly evolving place and over time things become outdated if they aren’t constantly updated. We need to be sure that our framework will have people maintaining it in the future.

 

Angular Material
Angulardesign framework - angular material logo Material was first released on Github in 2014 under the MIT license . Since then the framework has had 66 updated releases coming from its 176 Github contributors. The documentation includes a website with Demos, API references and version release notes. Although in alpha, there is a version of this UI framework for the newest version of Angular, Angular2. There is still the need to port some more components, but you can keep up on progress here. Angular Material is also supported internally at Google rounding off support making it a mature and well supported.

 

LumX
design framework - lumx logoLumX was first released on Github in 2014 under the MIT license . Since then it has had 162 updated releases coming from its 13 Github contributors. The framework also has additional resources provided by a website that includes help with setting up, code demos and information on how to contribute.

 

Materialize
design framework - materialize logoMaterialize was first released on Github in January of 2015 making it the newest of the frameworks that we are reviewing. It was originally developed by four graduates from Carnegie Mellon University. Materialize like LumX and Angular Material is also under the MIT license. Over the last year since release it has had 24 updated releases coming from its 126 Github contributors.  There is also a website for the framework providing additional resources very similar to Angular Material’s. The website features code demos, documentation on getting started and a live chat where you can interact with other developers who are currently using Materialize.

 

Other technologies used by the framework

This is where we take a look at any CSS preprocessors, fonts, icon libraries, or other frameworks that are used. Using other technologies can strengthen a frameworks effectiveness and design. Additional frameworks can also weigh down a project that does not need them. When choosing a framework this is where you need to spend some time comparing the project needs to what you are getting from the framework. To give you an example you do not want to implement a framework that comes with Angular.js for a static one page HTML site that does not require any sort of JavaScript. Let’s look at what each framework is offering us.

 

Angular Material
Angular Material is the biggest of the three libraries that we are comparing. It uses two main JavaScript frameworks jQuery and Angular. Unlike LumX and Materialize, it also includes some of the subsets of the main Angular library such as Angular-animate and Angular-message by default. The framework’s website also suggests that if they are useful to your project ngMessages , ngSanitize  and ngRoute can easily be applied to your stack. Using all of these frameworks can be a plus when working on a larger multidimensional project, but they can also bog down a small project where they are unnecessary. Angular Material also includes the basic icon and font sets used with Material design, Roboto and the Material Design icon set. With this framework there is a large list of dependencies to go along with the few we mentioned. Click here to see the full list.

LumX
LumX is not as robust of a framework as Angular Material, but it still includes both jQuery and Angular. Instead of using Angular-animate for transitions the framework utilizes Velocity. For a date picking element it requires you install Moment.js. This framework uses Sass and Bourbon for CSS preprocessing along with variable mixins for every color in the Material UI Color palette. To view an up to date list of the dependencies required by LumX  Click here.

 

Materialize
Materialize in the smallest of the frameworks we are comparing in this post. It is the only one of the three that does not come with Angular as a dependency, although it is easily implemented. This framework uses jQuery, CSS with Sass and HTML. Google Material’s recommended Roboto Font and Material Icon sets are also included. Click here to get the complete up to date set of dependencies from the Materialize Github page.

 

Ease of implementation

bower-npm-logosIn the beginning of this post we mentioned that saving time is one of the main reasons that we are using a framework in our project. If a framework is time consuming to install or is lacking detailed instructions we could end up spending unnecessary amounts of time figuring out how to get started. To avoid spending that extra time lets take a look at each framework and see what they have to offer for helping us get started.

 

Angular Material

Angular Material can easily be installed through either npm, JSPM, or Bower. There are also a few tutorials and Codepen examples you can play with if you are new to the framework and need additional resources. If you are using Angular2 then you can install Angular Material2 with npm and the Angular2 cli. There are a few extra steps for Material2 that can be found here on the Material2 website.

 

LumX

LumX can be installed through npm and Bower. If you do not want to use npm and Bower to install the framework the website gives you a step by step guide on how to install it manually.

 

Materialize

Materialize offers two different versions that can be downloaded and installed. The first version is the simple version with no CSS preprocessor or the second option that includes Sass. The framework can be downloaded from the Materialize website and easily installed with npm.  Detailed installation instructions are included on the site under the download buttons. If you want to get a quick start there is also two prebuilt templates that can be downloaded that are already set up and ready to customize.

 

Design features

design framework - materialdesign_introductionWe are looking at three frameworks that all apply Material Design theory,  this gives all of them a similar aesthetic. All three of these frameworks use Google’s Roboto font, the Material icon set, the Material Color palette and Material’s guide to motion. In this section we will look closer at how these design elements are implemented and how easily they can be customized. Responsiveness  is no longer an optional feature in a framework and is one of the most important design features we work with. To dive deeper into responsive design support we will be examining how each framework handles its grid on different size screens.

 

Angular Material
Angular Material comes with a large selection of prebuilt services and directives that take care of many of the basic components we find ourselves rebuilding in projects. Some examples are lists, dropdown menus, and formatted lists. Click here for a complete list of prebuilt services and directives. This framework makes using the Material color palette easy with custom theming. The developer picks ‘primary’, ‘accent’ and ‘warning’ colors; once configured Material injects the color theme through the project. One of the unique design options in Angular Material is the option to configure multiple sets of color schemes in one project.

Responsive design is handled in Angular Material through the use of layout containers and transition classes. The layout containers hold the grid of the project as device screen sizes adjust. The container classes are used in order to hide and show content depending on the size of the screen it is viewed on.

 

LumX
LumX uses SASS and Bourbon preprocessors this allows developers to easily work with and change CSS styling. To make following Material style guidelines a more fluid process the framework offers variables for the entire Material UI Color Palette library to be mixed in with designs. Like Angular Material this framework uses a color scheme that has a primary, accent and warning color. To customize the default theme you need to go in and override the default settings in the main SCSS file, although a much less desirable way to handle custom theming than what’s offered by Angular Material.

LumX handles responsive design through the use of Flexboxes and Mixins. Flexboxes work similarly to layout containers in Angular Material to hold the grid of a project as the screen scales. Mixing are used for different media query sizes to show and hide different elements in a project on different screen sizes.

 

Materialize
Materialize like Angular and LumX also offers a large list of prebuilt design elements that can be found on their website. One of the key features of Material design is the use of a 3d space, where the pieces of an application or website are no longer flat, but are now layered on one another. The framework includes a unique class that lets designers decide where in that 3d space an element exists. This feature is the shadow, and it is controlled by the z-depth class.

The z-depth class gives the element a new z-index and a more or less defined shadow based on where it exists in relation to the user.  When looking at customizing colors in Materialize you have a few options. If you are using the stripped down version of the framework you can can access the Material color palette variables and apply them to your design. If you are using the version that includes SASS you will also have access to mixins to reuse customized versions of a color from the palette.

design framework - shadow
The framework has a number of tools to help developers with responsive design including columns, rows, offsets, push and pull classes, and a detailed guide on setting up responsive layouts. The columns and rows work similarly to the way Flexbox and layout containers do in the previous frameworks. The offsets are special areas used to hold space in a grid column as the screen adjusts. The push and pull classes are  used to hide and show elements on different screen sizes. Materialize offers an additional resource for mobile devices, a plugin can be used to implement drag and swipe gestures on a user’s phone.

 

Size of the framework after minimizing

The last thing we are going to take a look at is the size of the framework after minimizing. We got the following information by downloading the frameworks installing their dependencies and then compressing the file.

 

Angular Material

  • 81.4MB

 

LumX

  • 19.9MB

 

Materialize

  • Without Sass 1.2MB
  • With Sass 1.3MB

 

Conclusion

We now have the information we need to make an informed decision on what framework will work best for our project:

  • Reviewed the maturity of the framework to see which has been around the longest and the level of community support provided.
  • Analyzed the technologies each framework has taken advantage of to offer us additional support if we need it.
  • Tested how easy each framework is to implement so we do not spend too much time trying to get our project started.
  • Assessed the design features each framework was offering us for customizing their prebuilt elements and for assisting with responsiveness as we transition through different screen sizes.
  • Downloaded each library, installed its dependencies and minimized it to see how it stacked up against the others in regards to size.

Based on the above, what we have concluded that if you are working on a project that needs a few interactive web elements and a solid design structure based on Google Material then Materialize is a great choice. It is a lightweight framework that can be installed easily, it even has template pages if you need to create a well designed website quickly.

On the other hand, if you need some extra Angular support, but want to keep your design framework on the lighter side Lumx is a great choice. It has extra features that Materialize does not include, but it is lacking in the strong support system and easy customization options that Angular Material provides.

Finally, there are many benefits to using Angular material if you can incur the size of the framework. When you create a larger project that needs a framework that works alongside your Angular code it is tuned to work with Angular. It is also the only framework of the three that offers a version of the framework for Angular2, the latest version of Angular. There are Codepen demos of all of the elements this framework provides that makes getting familiar with it without installation easy. The option to create multiple configurable themes in one project allows it to be the most easily customized framework of the three as well.

There are a lot of frameworks to choose from. Figure out the specifications and requirements for your project and match it with the framework that fits best!

Share this
07 Sep 2016

Triggering actions in Wowza over HTTP

In this post, you’ll look at a couple of ways to trigger applications and live streams using HTTP requests. You can use this to treat Video-On-Demand content as if it were live without having to set up a schedule or stream it from an encoder, or to control Wowza from an external location.

Prerequisites:

You should have

  • a local instance of Wowza Streaming Engine
  • an IDE such as Eclipse – here’s a link to get started with the Wowza IDE
  • experience programming in Java
  • experience with creating Wowza modules – here’s a link to developer documentation for the Wowza Streaming Engine Java API

 

Method 1:

You’ll be starting an application and a live-stream by sending a request to:

http://localhost:8086/customListener/myVideo/live

You’ll need to create a HTTP Provider, which can be used to send and receive information from the Wowza server.  You’ll make use of the HTTProvider2Base class in order to enable this capability. After you build your project into a .jar, you’ll install this module as a server listener through the configuration files.

 

Explanation:

public class Application extends HTTProvider2Base {
    @Override
    public void onHTTPRequest(IVHost vhost, IHTTPRequest req, IHTTPResponse resp) {
    
        String[] splitPath = req.getPath().split("/");

When an HTTP request comes in, you’ll need to catch it by implementing onHTTPRequest. When a request arrives, most of the important information will be inside of the IHTTPRequest object. Extract this important information from the path and store it in an array.

    String resource = "";
    String application = "";
    String applicationInstance = "";
 
    if(splitPath.length > 2){
        //Resource to play
        resource = splitPath[1];
        //Application to play it on
        application = splitPath[2];
    }else if (splitPath.length > 3){
        //Optional instance of application
        applicationInstance = splitPath[3];
    }

Next, assign this information to values that you’ll use later. The first part of your path, splitPath[0], is used only to navigate to your HTTP Provider, so you can safely ignore it. The second part of the path at splitPath[1] should be the resource you wish to stream. This should be a file name without an extension. For example:  myVideo

The third part of your path should be the application you want to utilize. For example: live

Optionally, you may add a fourth segment, which will be the application instance where you want to create the stream. For example, include channel1 if you wish to stream to live/channel1. If you do not specify this value, it will default to _definst_.

    //start application
    vhost.startApplicationInstance(application);
    //get application
    IApplication app = vhost.getApplication(application);
    IApplicationInstance instance = app.getAppInstance(applicationInstance);
    //Start stream
    Stream stream = Stream.createInstance(instance, "MyStream");
    stream.play(resource,0,-1,false);

Finally, you’ll  start up the application, access the application instance (which may just be the default), and use the resource named in the url to start your stream. In this example, your stream will be titled MyStream.

Your stream will be accessible at rtmp://localhost:1935/live/MyStream

Complete code:

package com.realeyes.wowza.modules.httpDemo
 
import com.wowza.wms.application.IApplication;
import com.wowza.wms.application.IApplicationInstance;
import com.wowza.wms.http.HTTProvider2Base;
import com.wowza.wms.http.IHTTPRequest;
import com.wowza.wms.http.IHTTPResponse;
import com.wowza.wms.stream.publish.Stream;
import com.wowza.wms.vhost.IVHost;
 
public class Application extends HTTProvider2Base {
    @Override
    public void onHTTPRequest(IVHost vhost, IHTTPRequest req, IHTTPResponse resp) {
 
    String[] splitPath = req.getPath().split("/");
    String resource = "";
    String application = "";
    String applicationInstance = "";
 
    if(splitPath.length > 2){
        //Resource to play
        resource = splitPath[1];
        //Application to play it on
        application = splitPath[2];
    }else if (splitPath.length > 3){
        //Optional instance of application
        applicationInstance = splitPath[3];
    }
 
    //start application
    vhost.startApplicationInstance(application);
    //get application
    IApplication app = vhost.getApplication(application);
    IApplicationInstance instance = app.getAppInstance(applicationInstance);
    //Start stream
    Stream stream = Stream.createInstance(instance, "MyStream");
    stream.play(resource,0,-1,false);
 
    }
}

Post-code Setup:

After you’ve saved your code and built it into a .jar file (which should be done for you automatically when running the default settings), you need to specify this as an HTTP Provider.

  1. Navigate to your wowza install directory and open conf/VHost.xml
  2. Under <HttpProviders>, add a <HTTPProvider> entry.
  3. Specify BaseClass as the fully qualified class path to your module.
  4. Specify RequestFilters as “customListener*”
  5. Specify AuthenticationMethod as “none”

It should look something like this:

<HTTPProvider>
	<BaseClass>com.realeyes.wowza.modules.httpDemo.Application</BaseClass>
	<RequestFilters>customListener*</RequestFilters>
	<AuthenticationMethod>none</AuthenticationMethod>
</HTTPProvider>


The value you specify for RequestFilters will end up being splitPath[0], and only requests that match this filter will run through your code.

Restart Wowza, and you should be able to hit your endpoint at http://localhost:8086/customListener/myVideo/myApplication

Method 2:

What if you don’t want to use port 8086, or what if you’d rather start and connect to a stream with just one request? You can use a similar technique at the application level as well, by implementing a built-in listener called “onHTTPSessionCreate”. Using this, you’ll intercept the request and delay the response until you’ve started your stream.

Your URL will look a little different as well. It should look like this:

http://localhost:1935/live/myStream/playlist.m3u8?fileName=sample.mp4

For this method, you’ll access the application and the stream directly, and specify the resource to use through a query parameter.

 

Explanation:

public class Application extends ModuleBase {

    IApplicationInstance thisInstance;
    public Map <String,String> query = null;

    public void onAppStart(IApplicationInstance appInstance) {
        thisInstance = appInstance;
    }

First you’ll want to store your application instance and create a map for your query parameters. You’ll use this later.

public void onHTTPSessionCreate(IHTTPStreamerSession httpSession) {

    try {
        query = splitQueryString(httpSession.getQueryStr());
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    
    //...
}
        
//Taken mostly from http://stackoverflow.com/a/13592567/773737
public Map <String, String> splitQueryString(String str) throws UnsupportedEncodingException {
    final Map <String, String> query_pairs = new LinkedHashMap <String, String>();
    final String[] pairs = str.split("&");
    for (String pair: pairs) {
        final int idx = pair.indexOf("=");
        final String key = idx > 0 ? URLDecoder.decode(pair.substring(0, idx), "UTF-8") : pair;
        if (!query_pairs.containsKey(key)) {
            query_pairs.put(key, null);
        }
        final String value = idx > 0 && pair.length() > idx + 1 ? URLDecoder.decode(pair.substring(idx + 1), "UTF-8") : null;
        query_pairs.put(key, value);
    }
    return query_pairs;
}

The onHTTPSessionCreate listener catches requests to HLS streams that end with playlist.m3u8. From here, extract the query string from your request into the map you created previously.

    if (query.get("fileName") != null) {
        String fileName = query.get("fileName");
        Stream stream = Stream.createInstance(thisInstance, "myStream");
        stream.play(fileName, 0, -1, false);

        //Sleep so we don't disconnect the client while the stream is starting up
        try {
            Thread.sleep(3000);
        } catch (InterruptedException e) {
             e.printStackTrace();
        }
    }

Finally, use the fileName parameter to start up your stream in the same way as method #1. You don’t need to specify your application or your application instance, because this code is being run inside of your application instance.  You’re actually accessing a stream that doesn’t yet exist, and since the stream creation process call takes a few seconds to complete, this would normally return an error. To prevent this, sleep for a few seconds in order to delay the response.

Your client should experience a short delay in addition to the seconds you spend sleeping, but afterwards, it should be connected to the new stream.

Complete code:

 

package com.realeyes.wowza.modules.httpDemo2;

import com.wowza.wms.application.*;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

import com.wowza.wms.amf.*;
import com.wowza.wms.client.*;
import com.wowza.wms.module.*;
import com.wowza.wms.request.*;
import com.wowza.wms.stream.publish.Stream;
import com.wowza.wms.httpstreamer.model.*;
import com.wowza.wms.httpstreamer.cupertinostreaming.httpstreamer.*;

public class Application extends ModuleBase {

    IApplicationInstance thisInstance;
    public Map <String,String> query = null;

    public void onAppStart(IApplicationInstance appInstance) {
        thisInstance = appInstance;
    }
    
    public void onHTTPSessionCreate(IHTTPStreamerSession httpSession) {

        try {
            query = splitQueryString(httpSession.getQueryStr());
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        
        if (query.get("fileName") != null) {
            String fileName = query.get("fileName");
            Stream stream = Stream.createInstance(thisInstance, "myStream");
            stream.play(fileName, 0, -1, false);

            //Sleep so we don't disconnect the client while the stream is starting up
            try {
                Thread.sleep(3000);
            } catch (InterruptedException e) {
                 e.printStackTrace();
            }
        }
    }

    //Taken mostly from http://stackoverflow.com/a/13592567/773737
    public Map <String, String> splitQueryString(String str) throws UnsupportedEncodingException {
        final Map <String, String> query_pairs = new LinkedHashMap <String, String>();
        final String[] pairs = str.split("&");
        for (String pair: pairs) {
            final int idx = pair.indexOf("=");
            final String key = idx > 0 ? URLDecoder.decode(pair.substring(0, idx), "UTF-8") : pair;
            if (!query_pairs.containsKey(key)) {
                query_pairs.put(key, null);
            }
            final String value = idx > 0 && pair.length() > idx + 1 ? URLDecoder.decode(pair.substring(idx + 1), "UTF-8") : null;
            query_pairs.put(key, value);
        }
        return query_pairs;
     }
}

 

 

Post-code Setup:

After you compile and build your module, add it to your application.

To install this module to the default “live” application:

  1. Navigate to your Wowza install directory and
  2. Open /conf/live/Application.xml,
  3. Add a new <Module> to your <Modules> entry, like so:
<Module>
 <Name>httpDemo</Name>
 <Description>demo</Description>
 <Class>com.realeyes.wowza.modules.httpDemo2.Application</Class>
</Module>

Restart your server and you should be good to go.

Conclusion:

Being able to trigger applications or streams over HTTP can be a useful tool. You can make further use of this functionality to stop streams, gather metrics, kick users or inject advertisements. You could even create a REST service using this, and integrate Wowza into your back-end server.

To see the official documentation behind the concepts used here, follow these links:

Stream Class Example

How to create an HTTP Provider

How to control access to RTSP/RTP streams

How to control access to HTTP streams

 

Share this
18 Aug 2016

Lock Down Your Production DB: Five SQL Security Tips

Locking down your production SQL database can be one of the more important things you do as a business to increase your security. Your database can hold valuable customer, company, or other high risk information. I recently attended a MySQL conference where Benjamin Wood, from Oracle, presented on database security. I’ll go over the five main security risks and how to prevent them.

1. Shared Service Accounts

Shared service accounts are commonly used with databases in development because members of development teams can easily remember the shared service account credentials. Shared service accounts also require very little oversight, but they are strongly discouraged in production, especially in a larger corporate environment. The biggest threats to your database due to shared service accounts are former employees. These employees may be less than happy with your company, and they could use a shared service account to log into your server. Once they’re in they may have the ability to drop your database, steal information, or give credentials away. If they can’t log in to the server from outside of the business, they can still contact somebody on the inside to perform actions on their behalf.

LDAP, Active Directory, and Kerberos are examples of authentication/authorization solutions that could eliminate shared service accounts. If an employee gets fired, these systems allow you to just remove their credentials from the directory and the problem is solved.

2. SQL Injection

A common and scary form of database hacking is with SQL injection. SQL injection allows a hacker to expose backend data through unexpected SQL. SQL injection leverages SQL commands on application forms in an unexpected way that exposes the backend database. Here’s an example of a form that asks for your email.

  • The query on the backend looks like this:
    ‘select user from usertable where email = ’
  • The hacker would input something like this:
    ‘email@email.com’ OR ‘x=x.’
  • The x=x was unexpected and the query now says:
    ‘select user from usertable where email = email@email.com’ or ‘x = x’
  • When the query executes it will return the entire user list because the query returns TRUE.

You can combat SQL injection by validating user input. The best kind of validation is known as “positive security,” a.k.a whitelist. Using positive security, you specify what can be entered into a field rather than just specifying what can’t be entered into that field. Email addresses follow a regex pattern: they can’t have the word OR, they can’t have an equal sign, and they have to be a string with no quotation marks. When you use positive security you can prevent most injection attacks.

Another way to combat SQL injection is to return quality error messages. When you have a descriptive error message when a hacker’s injection attack is disallowed they may be deterred and move on. For instance, if an email doesn’t pass validation your error should say, “invalid email format,” rather than “email not found.” Quality error messages will show the hacker that entries are being checked and validated.

3. Unsupervised Operations

Unsupervised operations is a threat that is very similar to that of shared service accounts. The threat is introduced when you have an employee who is upset with the company and have no way to monitor their access to important systems. This employee might be about to quit their job and in a fit of rage, they decide they’d like to trash the database.

Monitoring and alerting anomalous access and operations is really the only decent way to keep tabs on this type of malicious activity. If employees are aware that transactions they do on the database are being stored in a logging system, then they’ll be less likely to do anything malicious.

4. Compromised Root Privileges

If a hacker gains root privileges to your database server, your data will be vulnerable and they can do whatever they’d like with it. Root privileges are often compromised because of a phishing attack on an employee. If your database information is encrypted, and the key lives on the server, the hacker has access to the key as well and can easily read your data.

Transparent data encryption with a key held in a keystore, can dramatically help with this issue. Transparent data encryption (TDE) encrypts data as it goes over the wire in both directions, so the data “at rest” on the server is encrypted. Because the encryption keys are in a keystore, root access to the server doesn’t compromise security to your encrypted database.

5. Privileges and Passwords

A phishing attack can expose usernames and passwords to a database. Hopefully those exploited credentials don’t have root privileges. Also, a hacker could figure out a simple username/password combination such as “admin/password” quite easily.

A secure production database environment should have systems in place for password complexity, rolling updating passwords, and user privileges to the database. These methods can’t stop hackers from ever gaining access, but it can greatly deter them. When using these methods, hackers have to spend more time breaking in. Also, correct database privileges will prevent hackers from gaining access to everything at once from a single password hack. Provide developers with only the access they need to do their job. By allowing only necessary access it will make it extremely hard to for anybody attacking from the outside to gain root privileges to your data.

There are many solutions for each of these problems through third party software or internal solutions. I know that MySQL enterprise has built in tools for every single one of these if you choose to go that route. Of course, security is never guaranteed. If you take the proper precautions in a sensitive production environment, you can greatly reduce your risks.

Share this
15 Jul 2016

Why RealEyes Switched to TypeScript.

Within the past few months RealEyes has switched from using JavaScript as its main development language to TypeScript. We have successfully launched a large production application developed entirely using TypeScript and have found the change to be helpful and has increased productivity.

Why TypeScript?

Readability

The most attractive benefit to using TypeScript in my opinions is readability. The ability to create a more readable code base that explicitly states class declarations, and property types is something that was missing from JavaScript.

Take a simple namespace with a class definition developed in both JavaScript and TypeScript:

Screen Shot 2016-06-27 at 12.10.33 PM

JavaScript namespace and class declaration.

Screen Shot 2016-06-27 at 12.11.01 PM

TypeScript namespace and class declaration.

Notice how with TypeScript we are able to explicitly state our namespace and class, unlike JavaScript where that is inferred and only a seasoned developer would understand what is actually occurring. With TypeScript we are also explicitly able to provide variable types and return types within the code without having to spend time creating additional documentation with tables to define everything for other developers to use.

Code Hinting

With TypeScript your IDE or Text Editor can be setup in such a way to allow for easy hinting to display property types, return types, and comments. This increases productivity so that a fellow developer doesn’t have to find the documentation for the library or class that they are using or have to look at any source code to determine what is required and what the expected output is. When working within teams where many developers are working on multiple services this ability to quickly show each other all the types is invaluable.

Take the following screenshots:

Screen Shot 2016-06-27 at 11.19.09 AM

TypeScript: available class found within ‘test’ module

Screen Shot 2016-06-27 at 11.17.45 AM

Class definition hint

Screen Shot 2016-06-27 at 11.21.04 AM

Class constructor properties hint

Screen Shot 2016-06-27 at 11.22.32 AM

Available properties and methods on SomeClass

With TypeScript and a plugin with your favorite IDE or Text Editor such as WebStorm, VSCode, Sublime Text, Atom, etc; we can show available class or properties found within an external module, view class constructor properties and return types, and view class properties and methods. You can also add any documentation about the properties or methods by adding simple comments within the module.

This ability to show module classes and class properties and methods also extends outside of your teams code base. Using a popular npm module Typings you can download definition files for your favorite libraries such as JQuery and then have access to that libraries type definitions.

Screen Shot 2016-06-27 at 11.48.47 AM

Sample of available properties and methods on JQuery library

Valid JavaScript is Valid TypeScript

Since TypeScript is an encapsulation of JavaScript (ES7, ES6, and ES5) not only do we get to use the new methods provided with ES6 and ES7, all valid JavaScript is valid TypeScript. This means that even though we enforced strict typing and class structure within our development environments through linters (tslint) and the tsconfig; sometimes when a developer who is still learning TypeScript needed to quickly lay down some comfortable JS logic to solve a problem. It was still able to transpile and work without them being blocked by a learning curve. This then allowed the team to learn the TypeScript way at a more leisurely pace instead of being thrown into the deep end without a life vest.

Popularity

TypeScript has quickly become a popular language within the web development industry. With Angular 2‘s adoption of the language, many other developers and companies are quickly moving to TypeScript. Meaning that this language will be receiving a lot of support within the community, and more developers will be learning and practicing this language. Additionally with the familiar layout of other object oriented languages such as Java, or C#, it may start attracting more developers who found JavaScript unattractive and confusing.

Share this
15 Jul 2016

Unified Content Across Platforms, Are We There Yet?

tl;dr; For content that doesn’t require DRM, we’re there. If you need DRM there’s still some work ahead.
At WWDC 2016 Apple had some big news for the video streaming community. They announced two big changes that move us closer to a world where media files can truly be shared. Announcement one was that the HLS (HTTP Live Streaming) specification would be expanded to allow for use of fMP4 (fragmented MP4) media segments. The second announcement was that FairPlay would support fMP4 segments that are encrypted with CENC. Unfortunately as is often the case, the devil is in the details.
Let’s start with the good news. fMP4 support in HLS means that content libraries that do not require DRM can use a single set of content to serve most (if not all) clients. You will need an MPEG-DASH manifest and an HLS manifest, but the segments referenced by those manifests can be shared. This is huge! This has a major impact on the cache-ability of assets and on storage costs for media libraries. The open question here is what versions of iOS will support this new version of HLS? Will there be an update to old versions of iOS or will this be an iOS 10+ feature?
Now for the news that turned out to be a pretty big letdown. Apple announced “Sample encryption uses part of ISO/IEC 23001:7 2016” (that specification is for Common Encryption, a draft version can be obtained from mpeg). The next line in the slide says “MPEG standard—“Common Encryption”, this is looking great. However that was followed by “‘cbcs’ mode” which made it clear something fishy was going on. The language they used should also have made it clear something was up “uses part of” is not a good sign for implementing a standard.
To understand what is going on here we need to understand the CENC spec and the new HLS spec a bit better. The new versions of the CENC spec define 4 separate protection schemes for content. The 4 protection schemes defined in section 4.2 of that specification are ‘cenc’, ‘cbc1’, ‘cens’, and ‘cbcs’ (yes, one of the schemes has the same name as the overall spec). Of these 4 protection schemes only the first, cenc, is required for implementors to support. The other three are optional.
Now we need to better understand what was added to HLS. The new spec in section 4.3.2.4 says “fMP4 Media Segments are encrypted using the ‘cbcs’ scheme of Common Encryption”. They’ve added support for the optional ‘cbcs’ protection scheme, without adding support for CENC spec required ‘cenc’ protection scheme. This means that if you need to protect your content with DRM you cannot use the same fMP4 fragments for FairPlay as you use for PlayReady or WideVine.
Why would Apple choose to “use part of” the CENC spec and not implement the one required protection scheme? We don’t know all of the answers, but one key point that Roger Pantos drove home in one of his presentations “Content Protection for HTTP Live Streaming”[4] was that battery life is king. He even said “every choice we made was predicated on giving you good battery life”. So what does the ‘cbcs’ protection scheme have to do with good battery life?
Of the 4 protection schemes defined in CENC the first two (‘cenc’ and ‘cbc1’) are Full Sample Encryption. As the name implies these protection schemes encrypt the entirety of the protected segment. The two newer protection schemes (‘cens’ and ‘cbcs’) use Subsample Encryption. In subsample encryption only a portion of the protected segment is encrypted. The spec says “Each Subsample SHALL have an unprotected part followed by a protected part”, so about half of the segment ends up being encrypted. This means that there is less work that needs to be done on the client as only about half as much data needs to be decrypted. In addition the ‘cbcs’ protection scheme treats each subsample as an independent encrypted block, this means that subsamples can be decrypted in parallel allowing for faster decryption of streams.
The ‘cbcs’ protection scheme is a great approach allowing for faster and more efficient protection of content, however the lack of support for ‘cenc’ within FairPlay means that DRM protected content must still be fragmented. We’ve come much closer to an ecosystem where we can use a single set of content files to deliver high quality protected video content, but we’re not quite there yet.
Share this
15 Jul 2016

Automated Functional Testing with Intern

What is automated testing?

Automated testing is a way for developers to test their code without having to manually go through and review everything they have built. It allows for warnings to be thrown when specific parts of the code are broken, this helps developers quickly narrow down what is defective. Efficient automated tests can save hours of debugging and QA time. There are two types of automated testing: Unit testing and Functional testing. Unit testing takes in inputs and checks that the functions being tested return the expected output. Functional testing tests the interactions a human would have with a program. In this Blog Post we will be focusing on writing functional tests with an automated testing framework called Intern.

Why use intern…

When picking a framework to use for your automated testing you have a few different choices. You need to consider what you need from the framework and what type of application you are testing.

leadfootLogo

We chose to use Intern as our testing framework because of its flexibility and compatibility with web applications written with JavaScript. Intern is able to assist in running both unit and functional tests. chaiJSLogoIntern uses a few different tools within the framework. Leadfoot API is included to give the developer a selection of methods that can be utilized in order to mimic user interactions with different UI elements. Intern can use Selenium in order to automate browsers that are being tested and can also be leveraged to use cloud-based testing tools such as BrowserStack. Intern also uses assertion libraries to run specific tests on targeted elements. It is compatible with any assertion library, we are choosing to use Chai.js in our example.

The following is a simple example of how to use Intern

The following is a basic functional test that we are using to load the Intern.io website and check that the title text says “Intern.”

define([
'intern!object',
'intern/chai!assert',
'require'
], function (registerSuite, assert, require, registry) {
registerSuite({
name: 'intern',
'00-page-load': function () {
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)


return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)
.findByClassName('logo')
.getVisibleText()
.then(function (text) {
assert.strictEqual(text, 'Intern.', ' The visible page title should say “Intern.” ');
})
.end()
}
});
});

Lets break this down…

We are using define in order to load in the modules required to write our test with Intern then registering the suite.

define([
'intern!object',
'intern/chai!assert',
'require'
], function (registerSuite, assert, require, registry) {
registerSuite({

Name of our test suite, multiple tests can share this name
name: 'intern',

Our first test name, this needs to be unique
'00-page-load': function () {

This loads the page we will be testing (Intern’s homepage) then gives it 8 seconds to load before running the next method.
return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)

This loads the page we will be testing (Intern’s homepage) then gives it 8 seconds to load before running the next method.
return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)

The title of the Intern.io page is the text in the logo. We are looking for the logo class and checking to make sure this class is visible and displaying the correct text.

.findByClassName('logo')
.getVisibleText()
.then(function (text) {


Uses the Chai Assertion to make sure the visible page title says Intern.

assert.strictEqual(text, 'Intern.', ' The visible page title should say “Intern.” ');
})

Ends the most recent filtering operation. In this case it is .findByClassName(). If you do not include the end method your next filtering operation will fail.
.end()
}
});
});

Chrome Plugin

Intern has created a Chrome plugin to make testing even easier. The Intern Recorder plugin helps track user interactions in your browser and translates them to code in the Chrome console under a tab labeled ‘Intern’. The Intern recorder is useful for targeting UI elements and tracking user processes . One of the biggest issues we found in depending on the Intern Recorder is that it relies on Xpath methods from Leadfoot that are not currently supported by IE.

In conclusion

Automated functional testing is a great way to cut down on QA and debugging time. Find the framework that is the most compatible with the code you are writing. If you are working with web applications we suggest Intern. If you need more help setting up your first test here is a link to Intern’s getting started documentation .

Now have fun writing functional tests!

Links

Share this
15 Jul 2016

Angular CLI Preview

The Angular team has announced that Angular2 is in Release Candidate status, so it’s time to get started on learning the new framework and its structure. Angular2 is quite different from Angular1.x, and the familiar JavaScript has been replaced with the newer TypeScript. Transitioning from framework to framework can be difficult enough, but when you throw in a new language, growing pains are sure to set in. However, the good news is that the Angular team has a tool to help you skip some of those growing pains and speed up development for those already in the TypeScript camp. Give a hearty welcome to the Angular CLI!

The Angular CLI is a command line tool that is built not only to help you bootstrap your project, but also to handle the build files, linting configuration, testing setup, and other boilerplate that can consume your precious development time. The CLI can help you with the following tasks:

  • Generation of a base project
  • Generation of components, services, directives and more
  • Generation of unit testing and e2e testing stub files
  • Creation of a build script
  • Serving your project with live reloading of changes
  • Linting
  • Compilation of Less, Sass, Compass and Stylus files
  • Generation of routes using lazy loading
  • Creation of production builds
  • Getting your project on GitHub
  • Plenty more. See the details on the CLI’s GitHub page.

Currently the CLI is in beta, but it is certainly ready for use and pretty well documented. The installation is simple with npm:

npm install -g angular-cli

If you are on Windows, you will likely need to run your command line as Administrator for this to succeed. You may also need to run a separate global install of the typings npm package.

Once you have installed the CLI, all you have to do to generate a project is navigate to the directory you want to create your project in via the command line and enter:

ng new PROJECT_NAME

Then change into the directory the CLI just created and serve the project

cd PROJECT_NAME
ng serve

Angular CLI will compile your TypeScript, start up a web server, and possibly even open a browser tab to show your application. (Otherwise it will tell you the URL to launch) Super easy!

This generates a whole host of files for you, including the .ts file for your component, the HTML for the page and the components templates, and the CSS files for those as well. On top of everything needed to actually compile and run your project, it also has created the hooks for you to start creating tests for your application using Karma or Protractor.

If you want to use Less or Sass rather than straight up CSS, all you have to do is change the file extension of the CSS files the CLI generates for you to be .less or .sass and the ng serve command will cause those to be compiled into CSS.

The next step is to start creating some components to go in your application. Of course Angular CLI has you covered there too. Instead of having to spend time memorizing the format for a component file and debugging your typos, you can just use the CLI:

ng g component new-cmp

Or, this, if you’re not into that whole brevity thing:

ng generate component new-cmp

That again will generate all the boilerplate TypeScript, HTML, and CSS necessary to get your Angular2 component bootstrapped. It is up to you, however, to import your component in the right places where it will be used. The CLI isn’t that magic yet.

The CLI also can help you take advantage of the lazy loading by routes in Angular2. By default, when you generate a route in the CLI, it creates a route that will only load its required components when that route is activated. This saves you the upfront cost of loading components up front that a user may never visit. Of course, you may also want to load everything up front so route changes are quicker. You can of course toggle the default lazy loading off:

ng generate route my-route --lazy false

When you’re done with your coding and it’s time to build, not only can the Angular CLI handle your build process, but can even do some deploying. ng build will compile everything and move it into a dist directory. ng github-pages:deploy will create a repo for your project on GitHub and then deploy the build using GitHub pages. Granted you will have to make sure you have the tokens and ssh credentials set up for such a deployment, but the fact that Angular CLI can do all this out of the box is pretty amazing.

If you’re looking at Angular2 and wondering whether to put the effort into switching to the new framework, the Angular CLI will hopefully help you make up your mind by saving effort and keeping you from getting tripped up on typos or stuck scripting methods to serve up and compile your code. The Angular CLI is a powerful tool to help you get up and running on your way to Angular2.

Share this
16 Dec 2015

A First Look at Project Comet

2016 is just around the corner so we decided to do a bit of research to see what kind of exciting new changes in the world of UI/UX we had to look forward to in the new year. We found a lot of the usual New Years talk about upcoming design trends and predictions, but one thing in 2016 stood out from from the rest: Project Comet

read more
Share this
02 Oct 2015

Material with LESS

In this post we are going to create a dynamic style-sheet that can be altered to fit any web application project while keeping inline with Material standards. This project is a great way to familiarize yourself with Material design while creating a style-sheet that can be recycled over and over again to create unique looking designs by just changing a few lines of code.

read more
Share this

© 2017 RealEyes Media, LLC. All rights reserved.