Establishing Excellence
Omnitech strives to be a learning organization. Technology is constantly changing, helping us solve new problems or resolve familiar ones more efficiently. One way we do this is to send people to conferences.
Four of our developers went to the Norwegian Developers Conference (NDC) Minneapolis/St. Paul in May 2019. NDC is an international conference hosted all over the world. For the past two years, Minnesota has held the event that features international speakers ready to share their expertise on important software development topics. We had a good time together as a team, ate some great food, and had a lot of conversations on technical topics. Each of us wanted to share some highlights from the conference.
Topics of Interest
There was a wide variety of topics including: Docker, Kubernetes, Security, Blazor, Microservices, Authentication and Authorization with Identity Server, Machine Learning, Process, Cloud Architecture, CSS, and JavaScript.
Individual Observations
Kevin
I was able to go to a 2-day workshop on Docker and Kubernetes with Shahid Iqbal (https://www.twitter.com/shahiddev) from the UK. He's an independent contractor who has traveled the world working and teaching about Docker and Kubernetes (K8s). After Google created K8s and then donated it to the Cloud Native Computing Foundation (https://www.cncf.io/), it has soared in popularity and usage. I've heard that containers are the future, so it was helpful to spend some focused time on it.
We learned the basics and built up to Azure Kubernetes Service (AKS). Shahid said that Docker containers can be thought of as lightweight VMs that start very fast. Kubernetes orchestrates all the containers. It is not for every project and has challenges (learning curve, security considerations to learn and keep in mind, your organization might not be ready for it), but offers a lot of benefits for teams looking for scalability, reliability, and consistency in environments.
Overall, I still have a lot to learn and try out but will be sharing it with our Omnitech team and getting more people to think about when it is the right tool for the job.
Chad
I enjoyed Troy Hunt's Hack Yourself First workshop. Troy left a corporate software-related job to focus his time on security research and speaking. He developed the Hack Yourself First workshop to convey the importance of having security in mind throughout the entire development process rather than it being just an afterthought that may or may not get done.
We participated in nine different labs that walked us through how to find vulnerabilities to various types of attacks against websites – vulnerabilities in almost anything that connects to the Internet and sends and receives data, really (websites, APIs, mobile applications, IoT devices, "smart" devices, etc.), how to exploit those vulnerabilities, and, most importantly, how to protect against their exploitation – spoiler alert...most modern browsers and many modern development frameworks already have built-in protections for many of the most widespread vulnerabilities and they are enabled by default.
Troy was also the keynote speaker at the beginning of the main conference, where he continued the security discussion and delved into more real-world examples of data breaches or severe vulnerabilities that he was either made aware of (Troy created and operates Have I Been Pwned?) or directly researched himself.
I continued the security theme later in the week by attending a breakout session on Identity Server presented by Brock Allen. It was a highly condensed version of the workshop Riley attended and writes about below.
With renewed focus and vigor, I returned to Omnitech, ready to scan every application for vulnerabilities and shine a spotlight on every boogeyman hiding in every dark corner. On that front, the team that coordinates speakers and topics for Omnitech's Tuesday Lunch & Learn and I conceived of a plan to give the third Tuesday of every month a security theme. I plan to present what I learned from the conference during the first several themed sessions and then hope to encourage others to take up the cause with me.
Riley
I had the opportunity to go to a workshop on Authentication and Authorization in .NET Core with Brock Allen. Brock has more than 20 years of experience, much of it specializing in web-based security. Brock is most well-known for co-authoring the popular open-source security framework Identity Server.
Web-based solutions are more complicated today than in the past:
- Many Web applications need to be able to authenticate with a third party such as Microsoft or Google.
- Enhanced security measures such as multi-factor authentication need to be implemented.
- Organizations have multiple applications that need to share login credentials.
- Microservices are gaining popularity. There needs to be a way to control access to all these small web services.
- Applications need to work across multiple operating systems and devices.
The workshop showed how all the issues above can be addressed with the OpenID Connect and OAuth 2.0 specifications. The workshop used Identity Server as an identity provider that acts as a central hub for authentication across applications. Identity Server follows the OpenID Connect and OAuth 2.0 specifications to handle authentication for these other applications.
The workshop started off by taking a deep dive into the built-in authentication and authorization libraries in .NET Core MVC. In most cases the built-in libraries have everything you need to connect to an external identity provider. The workshop then moved on to talking about how the OpenID Connect and OAuth 2.0 specifications work. There are a couple of different methods, called flows, which should be used depending on the type of client application.
I set up an Identity Server that implements authentication through the different flows we learned about, but that's only half of the story. I also had to configure clients to authenticate using the Identity Server. At the end of the workshop I had a working example of an Android application, a .NET MVC web application, and a single page JavaScript application using a single sign-on to authenticate through the Identity Server.
I was surprised by the depth of the workshop and the amount of information I gained. Much of the time was spent digging into complicated scenarios that occur in the real world. I feel that I left with enough information to implement these kinds of authentication and authorization solutions in a production setting. I'm eager to teach our Omnitech team some of these concepts, as well as educate clients on why building a centralized identity solution across their organization may or may not suit their business needs.
Jeremy
I was able to attend a workshop focused on cloud patterns and the various services offered by different cloud vendors. Gaining this broader understanding of the major vendors (Microsoft, Amazon, and Google) and their different offerings will help us recommend the best tool for the job to our clients. I also enjoyed learning about some of the tools that are unique to certain cloud vendors - Google's ML tools are a good example of an easy-to-use service that could provide value to companies in the right situation.
I also attended several sessions that introduced new concepts - GraphQL and the new features of Azure Functions Premium particularly stood out.
GraphQL is an API design pattern and query language that lets calling UI code define what will be returned, instead of having to make multiple queries against a REST API or write complex logic on the server. Because of its prescriptive nature, GraphQL has the potential to reduce the complexity of web projects we build by loosening the coupling between the front-end UI code and the back-end processes. It isn't the right answer in all scenarios, and one of the challenges I see straight away is making an implementation performant. Still, I'm excited to do some research and tinkering to see where it could be a useful tool.
Microsoft's new Azure Functions Premium plan addresses many of the performance issues associated with serverless computing. As a serverless provider scales out instances when under load, new instances take time to come online and begin serving traffic. This leads to performance degradation during times of increasing load. The Azure Functions Premium plan addresses this by keeping a number of instances around to handle increasing traffic load, reducing or eliminating performance issues while scaling. This additional feature will come at an increased cost, but it purports to solve an issue that makes serverless computing less attractive. The ability to scale automatically to handle the current workload and only incur costs when the service is under use is very attractive, but it must make sense for a given project. I am looking forward to testing this new offering and seeing if it fits any project needs.
I am very grateful that Omnitech sent me to this conference and took the time to invest in learning - I am looking forward to bringing new ideas back to the team and discussing them with my teammates.
Down Time
During some of our down time, we took the opportunity to explore some of Saint Paul (on foot). We walked by the state capitol building (and several nondescript government office buildings Chad was convinced were CIA fronts). We also took in some fascinating architecture – old mansions, the capitol building and a couple of old cathedrals.
An old cathedral we captured at sunset
Wrapping Up
We learned a lot and are thankful for the NDC experience so close to home. If you're near the RiverCentre, we highly recommend the Downtowners Woodfire Grill and ordering the lamb shank meal. It was excellent, or as Kevin said in a slip of the tongue to the manager, "that was established excellent". We strive to continue establishing excellence at Omnitech and in all the work we do.
There are many recordings from past NDCs at https://www.youtube.com/channel/UCTdw38Cw6jcm0atBPA39a0Q; some of the same speakers were in St. Paul this year.