Brian Sletten

Forward Leaning Software Engineer @ Bosatsu Consulting

Brian Sletten is a liberal arts-educated software engineer with a focus on forward-leaning technologies. His experience has spanned many industries including retail, banking, online games, defense, finance, hospitality and health care. He has a B.S. in Computer Science from the College of William and Mary and lives in Auburn, CA. He focuses on web architecture, resource-oriented computing, social networking, the Semantic Web, AI/ML, data science, 3D graphics, visualization, scalable systems, security consulting and other technologies of the late 20th and early 21st Centuries. He is also a rabid reader, devoted foodie and has excellent taste in music. If pressed, he might tell you about his International Pop Recording career.

Presentations

Automating Security Fixes with OpenRewrite

Patching Vulnerabilities Across the Codebase

8:30 AM MDT

Security problems empirically fall into two categories: bugs and flaws. Roughly half of the problems we encounter in the wild are bugs and about half are design flaws. A significant number of the bugs can be found through automated testing tools, which frees you up to focus on the more pernicious design issues.

In addition to detecting the presence of common bugs, as we have done with static analysis for years, we can also imagine automating the application of corrective refactoring. In this talk, I will discuss using OpenRewrite and the Moderne CLI to fix common security issues and keep them from coming back.

In this talk we will focus on:

  • Introducing the OpenRewrite OSS framework and demonstrating how it can automate common code remediation tasks.
  • Using OpenRewrite and the Moderne CLI to automatically identify and fix known security vulnerabilities, including:
      • Common Java flaws
      • OWASP Top Ten
      • Common Spring issues
      • Checked-in credentials
  • Integrating security scans with OpenRewrite for continuous improvement.
  • Writing custom recipes to define your own security policies.
  • Freeing up your time to address larger concerns by addressing the pedestrian but time-consuming security bugs.

Automating Security Fixes with OpenRewrite

Patching Vulnerabilities Across the Codebase

10:30 AM MDT

Security problems empirically fall into two categories: bugs and flaws. Roughly half of the problems we encounter in the wild are bugs and about half are design flaws. A significant number of the bugs can be found through automated testing tools, which frees you up to focus on the more pernicious design issues.

In addition to detecting the presence of common bugs, as we have done with static analysis for years, we can also imagine automating the application of corrective refactoring. In this talk, I will discuss using OpenRewrite and the Moderne CLI to fix common security issues and keep them from coming back.

In this talk we will focus on:

  • Introducing the OpenRewrite OSS framework and demonstrating how it can automate common code remediation tasks.
  • Using OpenRewrite and the Moderne CLI to automatically identify and fix known security vulnerabilities, including:
      • Common Java flaws
      • OWASP Top Ten
      • Common Spring issues
      • Checked-in credentials
  • Integrating security scans with OpenRewrite for continuous improvement.
  • Writing custom recipes to define your own security policies.
  • Freeing up your time to address larger concerns by addressing the pedestrian but time-consuming security bugs.

Web Security for APIs

1:00 PM MDT

There's a clear need for security in the software systems that we build. The problem for most organizations is that they don't want to spend any money on it. Even if they did, they often have no idea how much to spend. No particular initiative is likely to imbue your system with “security”, but a strong, deep defensive approach is likely to give you a fighting chance of getting it right.

Web security as applied to APIs in particular is an important part of the plan. In this workshop, we'll show you approaches to defining “enough” as well as concrete techniques to employ incrementally in your designs.

In this workshop, we will pick a hands-on framework for implementation, but the ideas will generally be standards-based and transcend technology choice, so you should leave with a strategy for mapping the ideas into your own systems.

We will cover a broad range of topics including:

  • The concepts behind Building Security in
  • Designing for Security
  • Authentication and Authorization Strategies
  • Identity Management
  • Protecting Data in transit
  • Protecting Data at rest
  • Frameworks for selecting security features
  • Attack and Threat Models for APIs

Web Security for APIs

3:00 PM MDT

There's a clear need for security in the software systems that we build. The problem for most organizations is that they don't want to spend any money on it. Even if they did, they often have no idea how much to spend. No particular initiative is likely to imbue your system with “security”, but a strong, deep defensive approach is likely to give you a fighting chance of getting it right.

Web security as applied to APIs in particular is an important part of the plan. In this workshop, we'll show you approaches to defining “enough” as well as concrete techniques to employ incrementally in your designs.

In this workshop, we will pick a hands-on framework for implementation, but the ideas will generally be standards-based and transcend technology choice, so you should leave with a strategy for mapping the ideas into your own systems.

We will cover a broad range of topics including:

  • The concepts behind Building Security in
  • Designing for Security
  • Authentication and Authorization Strategies
  • Identity Management
  • Protecting Data in transit
  • Protecting Data at rest
  • Frameworks for selecting security features
  • Attack and Threat Models for APIs

Context-Based Software Engineering

5:00 PM MDT

There's an implied context to your software running in the world and processing data. The problem is that it is usually a reductive and insufficient context to capture the fluency of change that occurs at multiple layers. This need for shared context spreads to API usage which often necessitates fragile, custom development.

In this talk we will address the importance of dynamic context in software systems and how to engender flexible, sufficiently rich context-based systems.

We will cover the history of context-based thinking in the design of software systems and network protocols and how the ideas are merging into something along the lines of “Information DNS” where we resolve things at the time and place of execution into the form in which we need it.

Consider software systems with the technical and financial properties of the Web.

While this is a developing approach to software development, it builds on established ideas and will help provide the basis for next-generation development.

Behavior-Driven REST (An API Case Study)

9:00 AM MDT

A client once asked me to take a team that was new to REST, Agile, etc. and put together a high profile, high value commerce-oriented API in the period of six months. In the process of training the team and designing this API, I hit upon the idea of providing rich testing coverage by mixing the Behavior-Driven Design testing approach with REST.

In this talk, I will walk you through the idea, the process, and the remarkable outcomes we achieved. I will show you how you can benefit as well from this increasingly useful testing strategy. The approach makes it easy to produce tests that are accessible to business analysts and other stakeholders who wouldn't understand the first thing about more conventional unit tests.

Behavior is expressed using natural language. The consistent API style minimizes the upfront work in defining step definitions. In the end, you can produce sophisticated coverage, smoke tests, and more that exercise the full functionality of the API. It also produces another organizational artifact that can be used in the future to migrate to other implementation technologies.

Automating API Evolution with OpenRewrite

11:00 AM MDT

One of the nice operational features of the REST architectural style as an approach to API design is that it allows for separate evolution of the client and server. Depending on the design choices a team makes, however, you may be putting a higher burden on your clients than you intend when you introduce breaking changes.

By taking advantage of the capabilities of OpenRewrite, we can start to manage the process of independent evolution while minimizing the impact. Code migration and refactoring can be used to transition existing clients away from older or deprecated APIs and toward new versions with less effort than trying to do it by hand.

In this talk we will focus on:

  • Managing API lifecycle changes by automating the migration from deprecated to supported APIs.
  • Discussing API evolution strategies and when they require assisted refactoring and when they don’t.
  • Integrating OpenRewrite into API-first development to ensure client code is always up-to-date with ease.

Tech Trends for Tech Leaders

3:15 PM MDT

There are certain tech trends people at least know about, such as Moore's Law, even if they don't really understand them. But there are other forces at play in and around our industry that are unknown or ignored by the ever-diminishing tech journalism profession. They help explain and predict the pressures and influences we are seeing now or soon will.

In this talk, I will identify a variety of trends that are happening at various paces in intertwined ways at the technological, scientific, cultural, biological, and geopolitical levels and why Tech Leaders should know about them. Being aware of the visible and invisible forces that surround you can help you work with them, rather than against them. You will also be more likely to make good choices and thrive rather than being buffeted uncontrollably.

Empowering Generalists

5:00 PM MDT

Since the Scientific and Industrial Revolutions, there has been more to know every day. No individual can know it all and we have seen the entrenchment of the specialist for the past hundred or so years. When all of this tacit knowledge was locked in our heads, the specialist was rewarded for knowing details.

In our industry we have seen professionals gravitate to specific languages, specific tiers in the architecture (e.g. front-end vs backend), and specific libraries or frameworks. Sometimes they will even go so far as to list specific versions of specific technologies on their resume.

All of this specialization can be beneficial when you need resources that are deep within narrow confines. The ubiquitous glut of available information no longer requires us to know topics to this level of detail. Market realities are also such that nobody has the budget to employ only specialists any more. Developers have needed to learn to become designers, testers, data-experts, security-aware, AI-cognizant, and capable of communicating with various stakeholders.

When your industry epitomizes unfettered change, you need to rely on generalists, not specialists; synthesizers, not knowledge keepers. How can you attract, hire, and benefit from technologists who identify as problem solving value adders rather than programmers of a specific language? How can you encourage their growth and measure success? Even more, how do you lead them yourself?

In this talk we will discuss the rise of the generalist knowledge worker who creates value even in the face of information overflow and AI.

Rust : Making Software Fast and Safe

8:30 AM MDT

New languages often carry an operational burden to deployment and involve tradeoffs of performance for safety. Rust has emerged as a powerful, popular, and increasingly widely-used language for all types of development. Come learn why Rust is entering the Linux kernel and Microsoft and Google are favoring it for new development over C++.

This introduction to Rust will introduce students to the various merits (and complexities) of this safe, fast and popular new programming language that is taking the world by storm. This three-day course will cover everything students from various backgrounds will need to get started as successful Rust programmers.

Attendees will learn about:

  • The purpose and consequences of Rust's memory model
  • The concept of ownership and borrowing
  • The robust and friendly toolchains
  • Idiomatic Rust practices
  • The basics of lifetimes
  • The Rust Standard Library
  • Generics and Traits
  • The power of Pattern Matching

Rust : Making Software Fast and Safe

10:30 AM MDT

New languages often carry an operational burden to deployment and involve tradeoffs of performance for safety. Rust has emerged as a powerful, popular, and increasingly widely-used language for all types of development. Come learn why Rust is entering the Linux kernel and Microsoft and Google are favoring it for new development over C++.

This introduction to Rust will introduce students to the various merits (and complexities) of this safe, fast and popular new programming language that is taking the world by storm. This three-day course will cover everything students from various backgrounds will need to get started as successful Rust programmers.

Attendees will learn about:

  • The purpose and consequences of Rust's memory model
  • The concept of ownership and borrowing
  • The robust and friendly toolchains
  • Idiomatic Rust practices
  • The basics of lifetimes
  • The Rust Standard Library
  • Generics and Traits
  • The power of Pattern Matching