Strategic Security, Inc. © Time To Learn How To Program

Strategic Security, Inc. © No Geekenese A lot of computer scientists will be familiar with programming concepts such as: Turing’s Primitives Programming Logic Data Structures and Algorithms Object Oriented Programming If you are like me then none of this stuff makes any sense to you I don’t understand any of this stuff, and don’t plan on trying I’m regular working stiff – so that means that I like: Alcohol Sports Barbequing My weekends are no longer consumed with writing code or recompiling my kernel We will focus on the job. Application development and security for working InfoSec professionals

Strategic Security, Inc. © THINK CODE

Strategic Security, Inc. © Programming is simple Skip programming logic – let’s keep this simple Code can only do 3 things: Processing Decision Looping

Strategic Security, Inc. © Keep it simple Processing Read Write Math Decisions If/Then Looping For While

Strategic Security, Inc. © Programming Logic Write a log parser using what I just taught you Think it through… READ the log file, FOR every line in the log file, IF you see this IP address, WRITE found the IP Write a port scanner using what I just taught you Think it through… READ the list of ports to connect to, FOR every port in the, WRITE the connection to the port, IF the port is open, WRITE port is open, IF the port is closed, WRITE port is closed

Strategic Security, Inc. © Code is like building blocks

Strategic Security, Inc. © Be Lazy and start small Write some code that does something You probably don’t think you can write a tax program like QuickBooks or TurboTax But I bet you can figure out how to calculate sales tax So maybe sales tax is 7%, so how about we do x *.07 Salestax = x *.07

Strategic Security, Inc. © Be Lazy and start small Ok we started with Salestax = x *.07 Once you have a few lines of code (usually less than 10 lines) Take the code that you wrote and you put it in a FUNCTION called “salestax” Now anytime you need to calculate sales tax you just call the salestax function. Then you do the same thing for: Incometax Propertytax Estatetax

Strategic Security, Inc. © Be Lazy and start small Ok we started with a FUNCTION called “salestax” Then we created more functions: Incometax Propertytax Estatetax Now, you take all of those functions and you put them in a CLASS A class is just a container of objects and functions (for right now – more later) This is what developers mean when they talk about making code modular

Strategic Security, Inc. © Class Example In Java

Strategic Security, Inc. © Object Example In Java

Strategic Security, Inc. © Object Example In Java

Strategic Security, Inc. © You down with OOP? OOP allows classes to inherit commonly used state and behavior from other classes. Objects often have a certain amount of similarities Mountain bikes, road bikes, and tandem bikes, all share the characteristics of bicycles (current speed, current pedal cadence, current gear). But they also have their own special features: –tandem bicycles have two seats and two sets of handlebars –road bikes have drop handlebars –some mountain bikes have an additional chain ring, giving them a lower gear ratio

Strategic Security, Inc. © You down with OOP? In this example, Bicycle now becomes the superclass of MountainBike, RoadBike, and TandemBike.

Strategic Security, Inc. © Time To Do Something Define this stuff Simple Programming Array Function Class Library Header File Interpreted Languages Compiled Languages

Strategic Security, Inc. © Break

Strategic Security, Inc. © Break

Strategic Security, Inc. © Software Alphabet Soup Client-Server, Multi-Tier, MVC, MVP, MVVM, SOA

Strategic Security, Inc. © What is Software Architecture?

Strategic Security, Inc. © Software Architecture Software architecture is a technical blueprint explaining how the system will be structured The system architecture describes: How the system will be decomposed into subsystems (modules) Responsibilities of each module Interaction between the modules Platforms and technologies Each module could also implement a certain architectural model / pattern

Strategic Security, Inc. © A Simple App – Just Kidding

Strategic Security, Inc. © Ouch – Let’s slow down

Strategic Security, Inc. © Client-Server Architecture

Strategic Security, Inc. © Example of Multi-Tier Software Architecture

Strategic Security, Inc. © Client-Server Architecture The client-server model consists of: Server – a single machine / application that provides services to multiple clients Could be IIS based Web server Could be WCF based service Could be a services in the cloud Clients –software applications that provide UI (front-end) to access the services at the server Could be WPF, HTML5, Silverlight, ASP.NET, …

Strategic Security, Inc. © The Client-Server Model Server Desktop Client Mobile Client Machine network connection

Strategic Security, Inc. © Client-Server Model – Examples Web server (IIS) – Web browser (Firefox) FTP server (ftpd) – FTP client (FileZilla) server (qmail) – client (Outlook) SQL Server – SQL Server Management Studio BitTorrent Tracker – Torrent client (μTorrent) DNS server (bind) – DNS client (resolver) DHCP server (wireless router firmware) – DHCP client (mobile phone /Android DHCP client/) SMB server (Windows) – SMB client (Windows)

Strategic Security, Inc. © 3-Tier / Multi-Tier Architectures Classical Layered Structure of Software Systems

Strategic Security, Inc. © The 3-Tier Architecture The 3-tier architecture consists of the following tiers (layers): Front-end (client layer) Client software – provides the UI of the system Middle tier (business layer) Server software – provides the core system logic Implements the business processes / services Back-end (data layer) Manages the data of the system (database / cloud)

Strategic Security, Inc. © The 3-Tier Architecture Business Logic Desktop Client Mobile Client Machine network Database Data Tier (Back-End) Middle Tier (Business Tier) Client Tier (Front-End)

Strategic Security, Inc. © Typical Layers of the Middle Tier The middle tier usually has parts related to the front-end, business logic and back-end: Presentation Logic Implements the UI of the application (HTML5, Silverlight, WPF, …) Business Logic Implements the core processes / services of the application Data Access Logic Implements the data access functionality (usually ORM framework)

Strategic Security, Inc. © Multi-Tier Architecture DB ORM WCF ASP.NET HTML

Strategic Security, Inc. © Time To Do Something Define this stuff Presentation Layer HTML CSS Business Logic Layer Ruby on Rails, Django C#, ASP.NET J2EE, JPA, JSF NOTE: The programming languages in this layer produce the stuff in the presentation layer, and provides the guts of the app or business logic. (this confuses people) Database Layer Oracle MSSQL

Strategic Security, Inc. © Break

Strategic Security, Inc. © MVC (Model- View-Controller) What is MVC and How It Works?

Strategic Security, Inc. © Model-View-Controller (MVC) Model-View-Controller (MVC) architecture Separates the business logic from application data and presentation Model Keeps the application state (data) View Displays the data to the user (shows UI) Controller Handles the interaction with the user

Strategic Security, Inc. © MVC Architecture Blueprint

Strategic Security, Inc. © MVC-Based Frameworks.NET ASP.NET MVC, MonoRail Java JavaServer Faces (JSF), Struts, Spring Web MVC, Tapestry, JBoss Seam, Swing PHP CakePHP, Symfony, Zend, Joomla, Yii, Mojavi Python Django, Zope Application Server, TurboGears Ruby on Rails

Strategic Security, Inc. © MVC-Based Frameworks MVC does not replace the multi- tier architecture Both are usually used together Typical multi-tier architecture can use MVC To separate logic, data and presentation Model (Data) Data Access Logic Views (Presentation) Controllers (Business Logic)

Strategic Security, Inc. © MVP (Model-View-Presenter) What is MVP Architecture and How it Works?

Strategic Security, Inc. © Model-View-Presenter (MVP) Model-View-Presenter (MVP) is UI design pattern similar to MVC Model Keeps application data (state) View Presentation – displays the UI and handles UI events (keyboard, mouse, etc.) Presenter Presentation logic (prepares data taken from the model to be displayed in certain format) MVP is usually used for building user interfaces (can be in any MVC framework)

Strategic Security, Inc. © Presentation-Abstraction-Control (PAC) What is PAC and How It Works?

Strategic Security, Inc. © Presentation-Abstraction-Control (PAC) Presentation-Abstraction-Control (PAC) interaction-oriented architectural pattern Similar to MVC but is hierarchical (like HMVC) Presentation Prepares data for the UI (similar to View) Abstraction Retrieves and processes data (similar to Model) Control Flow-control and communication (similar to Controller)

Strategic Security, Inc. © Presentation-Abstraction-Control (PAC) – Hierarchy

Strategic Security, Inc. © MVVM (Model -View-ViewModel) What is MVVM and How It Works?

Strategic Security, Inc. © Model-View-ViewModel (MVVM) Model-View-ViewModel (MVVM) is architectural pattern for modern UI development Invented by Microsoft for use in WPF and Silverlight Based on MVC, MVP and Martin Fowler's Presentation Model pattern Officially published in the Prism project (Composite Application Guidance for WPF and Silverlight) Separates the "view layer" (state and behavior) from the rest of the application

Strategic Security, Inc. © MVVM Structure Model Keeps the application data / state representation E.g. data access layer or ORM framework View UI elements of the application Windows, forms, controls, fields, buttons, etc. ViewModel Data binder and converter that changes the Model information into View information Exposes commands for binding in the Views

Strategic Security, Inc. © MVVM in WPF / Silverlight View – implemented by XAML code + code behind C# class Model – implemented by WCF services / ORM framework / data access classes ViewModel – implemented by C# class and keeps data (properties), commands (code), notifications

Strategic Security, Inc. © MVVM in WPF / Silverlight MVVM is typically used in XAML applications (WPF, Silverlight, WP7) and supports unit testing

Strategic Security, Inc. © MVP vs. MVVM Patterns MVVM is like MVP but leverages the platform's build-in bi-directional data binding mechanisms

Strategic Security, Inc. © Break

Strategic Security, Inc. © SOA (Service-Oriented Architecture) SOA and Cloud Computing

Strategic Security, Inc. © What is SOA? Service-Oriented Architecture (SOA) is a concept for development of software systems Using reusable building blocks (components) called "services” Services in SOA are: Autonomous, stateless business functions Accept requests and return responses Use well-defined, standard interface

Strategic Security, Inc. © What is SOA? Autonomous Each service operates autonomously Without any awareness that other services exist Stateless Have no memory, do not remember state Easy to scale Request-response model Client asks, server returns answer

Strategic Security, Inc. © SOA Services (2) Communication through standard protocols XML, SOAP, JSON, RSS, ATOM,... HTTP, FTP, SMTP, RPC,... Not dependent on OS, platforms, programming languages Discoverable Service registries Could be hosted "in the cloud" (e.g. in Azure)

Strategic Security, Inc. © What is Cloud Computing? Cloud computing is a modern approach in the IT infrastructure that provides: Software applications, services, hardware and system resources Hosts the applications and user data in remote servers called "the cloud” Cloud computing models: IaaS – infrastructure as a service (virtual servers) PaaS – platform as a service (full stack of technologies for UI, application logic, data storage) SaaS – software as a service (e.g. Google Docs)

Strategic Security, Inc. © Loose Coupling Loose coupling is the main concept of SOA Loosely coupled components: Exhibits single function Independent of other functions Through a well-defined interface Loose coupling programming evolves: Structural programming Object-oriented programming Service-oriented architecture (SOA)