There's a clear need for security in the software systems that we build. The problem for most organizations is that they don't want to spend any money on it. Even if they did, they often have no idea how much to spend. No particular initiative is likely to imbue your system with “security”, but a strong, deep defensive approach is likely to give you a fighting chance of getting it right.
Web security as applied to APIs in particular is an important part of the plan. In this workshop, we'll show you approaches to defining “enough” as well as concrete techniques to employ incrementally in your designs.
In this workshop, we will pick a hands-on framework for implementation, but the ideas will generally be standards-based and transcend technology choice, so you should have a strategy for mapping the ideas into your own systems.
We will cover a broad range of topics including:
Security problems empirically fall into two categories: bugs and flaws. Roughly half of the problems we encounter in the wild are bugs and about half are design flaws. A significant number of the bugs can be found through automated testing tools, which frees you up to focus on the more pernicious design issues. Even in the time of AI, there's a discussion to be had.
In addition to detecting the presence of common bugs, as we have done with static analysis for years, we can also imagine automating the application of corrective refactoring. In this talk, I will discuss using OpenRewrite and the Moderne CLI to fix common security issues and keep them from coming back.
In this talk we will focus on:
There's an implied context to your software running in the world and processing data. The problem is that it is usually a reductive and insufficient context to capture the fluency of change that occurs at multiple layers. This need for shared context spreads to API usage which often necessitates fragile, custom development.
In this talk we will address the importance of dynamic context in software systems and how to engender flexible, sufficiently rich context-based systems.
We will cover the history of context-based thinking in the design of software systems and network protocols and how the ideas are merging into something along the lines of “Information DNS” where we resolve things at the time and place of execution into the form in which we need it.
Consider software systems with the technical and financial properties of the Web.
While this is a developing approach to software development, it builds on established ideas and will help provide the basis for next-generation development.
Our industry is in the process of changing our understanding of computational systems. The combination of extreme computational and energy power demand is a key part of modern data centers and runtime platforms. How many calculations can we produce at what energy cost? The limitations are a confluence of material science, system design complexity, and the fundamental laws of physics.
It's about to get weird as we enter the world of quantum and biological systems.
We started with coprocessors, FPGAs, ASICs, GPUs, and DSPs as lower-power, high-performance custom hardware. We're now seeing the emergence of neural processing units and tensor processing units as well.
But we are on the cusp of enormous shifts in what's possible computationally with the advent of quantum and biological systems. Not every computational element is suitable for every problem, but quantum computing will make some problems impossibly fast to handle. Artificial biological brains will be able to perform computations, like the human brain, with the power budget of a light bulb.
Come hear how things are already in the process of changing as well as what is likely to come next.
There are certain tech trends people at least know about such as Moore's Law even if they don't really understand them. But there are other forces at play in and around our industry that are unknown or ignored by the ever diminishing tech journalism profession. They help explain and predict the pressures and influences we are seeing now or soon will.
In this talk, I will identify a variety of trends that are happening at various paces in intertwined ways at the technological, scientific, cultural, biological, and geopolitical levels and why Tech Leaders should know about them. Being aware of the visible and invisible forces that surround you can help you work with them, rather than against them. You will also be more likely to make good choices and thrive rather than being buffeted uncontrollably.
A client once asked me to take a team that was new to REST, Agile, etc. and put together a high-profile, high-value commerce-oriented API in the period of six months. In the process of training the team and designing this API, I hit upon the idea of providing rich testing coverage by mixing the Behavior-Driven Design testing approach with REST.
In this talk, I will walk you through the idea, the process, and the remarkable outcomes we achieved. I will show you how you can benefit as well from this increasingly useful testing strategy. The approach makes it easy to produce tests that are accessible to business analysts and other stakeholders who wouldn't understand the first thing about more conventional unit tests.
Behavior is expressed using natural language. The consistent API style minimizes the upfront work in defining step definitions. In the end, you can produce sophisticated coverage, smoke tests, and more that exercise the full functionality of the API. It also produces another organizational artifact that can be used in the future to migrate to other implementation technologies.
New languages often carry an operational burden to deployment and involve tradeoffs of performance for safety. Rust has emerged as a powerful, popular, and increasingly widely-used language for all types of development. Come learn why Rust is entering the Linux kernel and Microsoft and Google are favoring it for new development over C++.
This Introduction to Rust will introduce the students to the various merits (and complexities) of this safe, fast and popular new programming language that is taking the world by storm. This three-day course will cover everything students from various backgrounds will need to get started as a successful Rust programmer.
Attendees will learn about and how to: