For the past five years, CQL has sent a group of developers to Codemash to learn the latest practices, methodologies, and technology trends.
Codemash covers a variety of platforms and development languages like Java, .NET, Ruby, Python and PHP. The event grows in popularity every year, typically selling out in minutes.
It’s been very valuable to have our team attend this event and we’ve used many of the new technologies and languages that we first learned about at Codemash.
We’ve collected some insights from our team about what they learned and enjoyed the most about this year’s event.
Future of C#
Plenty of blogs talk about the future of C#, but it was great to get a condensed walkthrough of all these new language features. There is a lot of exciting stuff happening with .NET such as the platform now being Open Source, as well as being hosted on GitHub. In addition, Visual Studio 2015 preview is now available.
An Introduction to Android Studio
Android Studio is the new standard for developing Android apps. It's replacing the Eclipse plugins, which are no longer being supported. It has a bunch of nice features built in that make it feel more integrated and developer friendly. The emulator is slow, but there are some options to make it faster. Gradle is used behind the scenes for building/compiling. You can use the built-in one or set it up as a service/server. It helps you choose the API level and form factor (Glass/Wear/TV) you need for the OS versions that you want to target (e.g., Lollipop is used by .08% of phones on the market). Since there are so many different screen sizes and resolutions (compared to Apple's 4 or 5 models), the layout needs to flow to fit the screen size. There are a bunch of IntelliSense-like features built in, like auto-completing localized strings and automatically extracting strings to a localized resource.
Why Develop Android?
Issues with Android Development
To make it work, you'll need to use things like DPI Buckets, Auto-Scaling Assets, and layout managers that flow to get a consistent app across devices.
Arduino/Raspberry Pi Smoker
This was a neat talk about a guy's homemade automatic smoker, controlled by Arduino (and then adapted for Raspberry Pi). I was mostly looking for inspiration to do something with the Arduino that's sitting on my desk. He built a neat real-time temperature graph on a web page that showed the temperature of the smoker: D3 for the graphs and Socket.io for real-time data, MongoDB and Node for the backend. My big takeaway from this one was to use the Raspberry Pi as a server or base station and the Arduino as a sensor. Connect them together with XBee chips (low-power wireless communication), and then connect the Pi to your Wi-Fi network. The Arduino works as the low-powered sensor and you can have the Pi stashed away someplace storing and serving the data.
Top 10 OWASP Security
This was a really interesting talk that covered tons of basic and advanced security topics, all rapid-fire. So much is at risk, and it is worth taking the time to do security the right way, because the penalties for doing it wrong can be severe.
SQL injection is a big deal. Always parameterize queries. Never trust your users. Sanitize all inputs, especially if you render user-provided HTML, to mitigate cross-site scripting. He claims that role-based authorization is awful and needs to go away, and suggested moving toward permission-based authorization, but admitted that there aren't really good permission-based libraries out there like there are for role-based.
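To make the first two points concrete, here is an added example (not code from the talk or from CQL) showing the difference between a query built by string concatenation and a parameterized one, plus the output escaping that keeps user-supplied text from being interpreted as markup. The users table and the sample input are constructed for the example; the function names are ours.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data: two users (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query built by concatenation: whatever the user typed becomes SQL syntax.
    A quote character in `name` changes the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as a value, never as SQL,
    so the statement's structure is fixed before any user input is seen."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment(user_text: str) -> str:
    """Escape user-supplied text before embedding it in a page so that tags
    and attribute delimiters are displayed literally instead of executed."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input containing a quote: the concatenated query returns
    # every row, while the parameterized query finds no user by that name.
    odd_name = "x' OR '1'='1"
    print(find_user_vulnerable(conn, odd_name))
    print(find_user_safe(conn, odd_name))
    print(render_comment("<script>alert(1)</script>"))
```

The `?` placeholder is SQLite's style; other drivers use `%s` or `:name`, but the principle is identical: the query text never contains user data.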
Then we got to the obligatory "don't save your passwords wrong." Each password should be run through a KDF (key-derivation function), not a plain hash, because hashes are designed to be fast, which makes them easy to crack. Each saved password should also have a unique salt to eliminate the possibility of duplicates. HTTPS should be used all the time for everything because it verifies that you're talking with who you think you are, that no one else can see what you're saying, and that no one else can modify the message. It is now the case that if an SSL private key gets compromised, this does not give an attacker the ability to go back and decrypt previously sent packets, which is good.
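An added example of the password-storage advice (ours, not the speaker's code): PBKDF2-HMAC-SHA256 from the standard library as the KDF, a fresh random salt per password, and a constant-time comparison on verification. The record format and the iteration count are our choices; the count is a work factor you should raise as hardware gets faster.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; tune so one derivation costs a noticeable fraction of a second
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a storable record from a password with PBKDF2-HMAC-SHA256.

    A fresh random salt per password means two users with the same password
    get different records, and the iteration count makes every guess cost
    the attacker as much as it costs us.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format (our convention): algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count and
    compare in constant time; malformed records simply fail verification."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def fast_hash(password: str) -> str:
    """What NOT to store: a plain, unsalted SHA-256 is cheap to brute-force
    and identical for every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

Storing the iteration count alongside the digest lets you raise the work factor later and re-derive old records at the user's next login.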
Cryptographic services should not be done on a web server, because web servers are easier to compromise; instead, crypto should be offloaded to another server that is better protected and further removed from the front lines of the web. There was an interesting idea of putting a "honeypot" of fake locations in robots.txt (such as "/admin/login.asp") to bait hackers into trying to access those fake pages, then block them and do forensics on them before a real attack is launched.
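The detection half of that honeypot idea, as an added example (ours, not from the talk): confirm that each decoy path is actually advertised in robots.txt, then scan access-log lines for clients that requested a decoy. The robots.txt, the decoy set, the log lines (Common Log Format) and the IP addresses are all constructed for the example; what you do with the resulting list (alert, block, preserve logs) is a policy decision outside this snippet.

```python
import re
from collections import defaultdict

# Constructed robots.txt: "/admin/login.asp" does not exist on this site
# and is listed only as bait.
ROBOTS_TXT = """User-agent: *
Disallow: /private/
Disallow: /admin/login.asp
"""

# Decoy paths we deliberately advertise (hypothetical). No legitimate link
# or well-behaved crawler should ever request them.
DECOY_PATHS = {"/admin/login.asp"}

# Constructed access-log lines in Common Log Format.
ACCESS_LOG = """\
203.0.113.5 - - [10/Jan/2015:13:55:36 -0500] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2015:13:55:37 -0500] "GET /robots.txt HTTP/1.1" 200 61
203.0.113.5 - - [10/Jan/2015:13:55:38 -0500] "GET /admin/login.asp HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2015:13:56:02 -0500] "GET /products HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2015:13:56:05 -0500] "GET /private/index.html HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def disallowed_paths(robots_txt: str) -> set:
    """Collect every Disallow entry so we can check the decoys are advertised."""
    paths = set()
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.add(value.strip())
    return paths


def unadvertised_decoys(robots_txt: str, decoys: set) -> set:
    """Decoys missing from robots.txt would never be found by a bait-reader."""
    return set(decoys) - disallowed_paths(robots_txt)


def decoy_hits(access_log: str, decoys: set) -> dict:
    """Map client IP -> list of (timestamp, path) for requests to decoy paths.
    The response status is irrelevant: a 404 for a decoy is still a hit.
    Query strings are stripped before matching."""
    hits = defaultdict(list)
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if path in decoys:
            hits[m.group("ip")].append((m.group("ts"), path))
    return dict(hits)


if __name__ == "__main__":
    print("decoys not in robots.txt:", unadvertised_decoys(ROBOTS_TXT, DECOY_PATHS))
    for ip, requests in decoy_hits(ACCESS_LOG, DECOY_PATHS).items():
        print(ip, requests)
```

Keep the decoy set small and unambiguous; a path that a real user could plausibly type, or that an old link might still point at, will generate false positives.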
Other decent sessions included:
All in all, we had another solid year at Codemash. Check back for Installment #2 of 2 regarding technologies learned at Codemash 2015.
Did you attend Codemash 2015? What were your favorites sessions or insights? Share them in the comments below!