Certificate Revocation Does Not Work!

One thing that’s very surprising about PKI infrastructure is the fact that a lot of the mechanisms put in place don’t work, or don’t work as they should. Often this is driven by sheer necessity, and the need to keep the internet working no matter what. One example of this is certificate revocation. If you are setting up a domain and requesting a new certificate, you would assume that once issued the certificate can be revoked in the case of a security breach.

But you’d be wrong. Even when you revoke the certificate attackers can still use it to enable MIIM attacks. Read on to see why….

Continue reading →

DynamoDB: Partition, Primary and Sort Keys

One thing that I’ve had to get my head around when learning about DynamoDB is what exactly partition and sort keys are, and how they tie into the more familiar concept of a primary key. DynamoDB as you may know is a hosted NoSql database that can store heterogeneous items of varying structures; imagine a system that stores miscellaneous JSON documents, each with a unique key, and you’ll get the idea (though it’s not strictly a JSON document store)

The DynamoDB documentation talks of two concepts, a partition key and a sort key, and it’s not immediately obvious how these relate to the more common concept of a primary key that you’d get in a traditional database. Really it’s quite simple, but first let’s clarify what each term means. Continue reading →

REST -What It’s Good For (Part 2: Semantics and Information Sharing)

In my previous post, I detail how REST allows us to utilise the HTTP’s native caching functionality without the need for additional technologies or knowledge. However, this whole ‘using what we know about HTTP already’ philosophy goes much deeper than that.

Consider one of the biggest problems with API design and maintenance: getting your clients to use the API correctly, especially when it’s changing or is constant development. This might be easy if you are integrating with one team that sits next to you (and even then misunderstandings can arise), but what if you have multiple clients across the organisation, or if you API is public? Read on if you want to see how REST can help….

Continue reading →

REST -What It’s Good For (Part 1: HTTP Caching)

So I already covered some of the misconceptions around REST in my previous post (if you haven’t read it, please do), but I want to delve into some of the advantages of using such a methodology. This pattern assumes a simple point-to-point, client/server, request/response architecture, which is far from the only way to skin a cat out in IT land, but if it fits your app, REST can give you certain benefits. Today I will focus on HTTP Caching.

Continue reading →

Agile Testing & BDD eXchange 2016 (Part 2)

A few months ago I had the opportunity to go to the Agile Testing & BDD eXchange 2016 conference (https://skillsmatter.com/conferences/7428-agile-testing-and-bdd-exchange-2016). I’ve finally had the chance to write up the notes I took (if any of the speakers are reading this and feel that I’m ‘stealing their lunch’ or infringing on their rights, please let me know and I’ll remove the offending content.)

The notes below reflect my own jottings down and interpretations, and not necessarily the views of the speakers. 

Continue reading →

Agile Testing & BDD eXchange 2016 (Part 1)

A few months ago I had the opportunity to go to the Agile Testing & BDD eXchange 2016 conference (https://skillsmatter.com/conferences/7428-agile-testing-and-bdd-exchange-2016). I’ve finally had the chance to write up the notes I took (if any of the speakers are reading this and feel that I’m ‘stealing their lunch’ or infringing on their rights, please let me know and I’ll remove the offending content.)

The notes below reflect my own jottings down and interpretations, and not necessarily the views of the speakers.

Continue reading →

REST: What It Is (and What It Isn’t!)

REST (Representational State Transfer) has been bandied around as a term for a long time when it comes to API design, and it’s not hard to see the attraction. It relies on the pre-existing HTTP protocol, which is pretty much what the web already runs on, and if implemented well it can make use of a lot of features of HTTP (such as caching).  This is a huge boon to application developers, saving them having to learn/implement a new technology/protocol and implement these features themselves. Continue reading →

It’s The Fastest System That Gets Used, Not The Most Appropriate.

A security expert once said to me, “It’s the fastest teams and the fastest systems that get used for new features, not the most appropriate, and this causes security breaches”. I never understood what he meant, until I saw it with my own eyes.

Continue reading →

Runtime Vs. Checked Exceptions

Java is strange, in that it makes a distinction between runtime exceptions (which don’t need to be declared, and can bubble all the way up to the top of the stack), and checked exceptions, which need to be either wrapped in a “try-catch” block, or declared in the method signature so that the calling method will have to deal with them.

Continue reading →

‘Synchronize’ Gotcha: The Thread Locks The Object, Not The Method!

This is one of the fundamental aspects of Java synchronisation, but I have seen so many people get it wrong when I’m interviewing them. It’s very simple, but slightly contrary to how you might think synchronisation works.

Continue reading →