Monday, 23 March 2015

Making Applications Secure

Developing applications that are secure is becoming an essential part of the toolkit of any programmer, and project managers are increasingly tasked to ‘Make it more secure - we don’t want to be the next headline…’ In 2015, this has become a major priority for many people.

So if you want a week of immersive training in making mobile, web and other applications more secure, then I thoroughly recommend the SecAppDev conference. It’s an intense program of background lectures where you learn the theory, and hands-on workshops where you get to try it out for real. Even better, it’s set in a renovated 17th century university location 25 kilometers east of Brussels, arguably the epicentre of Europe, and easy to get to by train or plane. Leuven is a charming ‘student city’ venue, full of bikes and cobbled streets, and where you can walk to just about anywhere inside the ring-road in less than half an hour. And the cars on that outer ring aren’t allowed far into the central area, so apart from a few busses, students and bikes rule! There’s a very good overview of the history of Leuven here:

The SecAppDev conference is held in the Faculty Club, to the south of the centre of Leuven. It’s a perfect mix of old exteriors and modern interiors, and whilst this is the Dutch/Flemish part of Belgium, the conference language is English. KU Leuven, the University of Leuven, founded in 1425, is the oldest Catholic University in the world.

Inside the conference, you step straight into the 21st century. The two-track program covers topics like post-Snowden, cryptography, TLS hands-on, SDL, Threat Modelling, and web/mobile hardening. I like following a topic and getting immersed, and so I went to the sessions where the introductory lecture covered the theory, and then the hands-on double-lecture provided a detailed hands-on workshop with plenty of opportunity to dig deep into the material. Pre-prepared VMs are used for some of the workshops, so that everyone has an isolated and common starting point, and I was particularly impressed with the TLS session, where you configured an Apache web server (on Fedora) from scratch so that HTTPS worked properly by using tools like mod_ssl and OpenSSL, replacing the default self-signed certificate with a trustable one from a CA using a CSR, generating a key-pair using OpenSSL… The Threat Modelling workshop was notable too, with teams competing to find flaws in a web system. The lecturers were all very familiar with their subject matter, and I learnt a lot.

If a day of intense learning wasn’t enough, the local chapter of OWASP had an evening event on the Tuesday night, which was an opportunity for more learning and networking. With the Computer Security and Industrial Cryptography (COSIC) research group and the Department of Electrical Engineering nearby, and the meeting being held in the Department of Computer Science, there was a large and informed audience.

There is a wealth of information on the SecAppDev website, with handouts going back to 2007 (the first SecAppDev was in 2005, so this was the 11th conference!), video recordings of lectures before 2013, a YouTube channel for more recent videos, and a blog which has an entry that describes the user experience in more detail: is a non-profit organisation whose aim is to broaden security awareness in the development community and advance secure software engineering practices. For me, the week at SecAppDev 2015 taught me a lot, provided consistently excellent interactive workshops, good networking and follow-up opportunities, and was totally worthwhile. If you develop, or manage developers, or just want to be ‘security-savvy’, then you should be considering attending SecAppDev 2016!

Oh yes, and the food at the Faculty Club was wonderful!

Sunday, 15 March 2015

Pause for thought

I've read enough blogs to recognise the signs. Initial flurry of posts, then a few pauses, then a few more bursts, then a longer pause, followed by a burst, and then... nothing. Usually that's it. There are lots of possible explanations: the blog writer has got a new job, or moved on, or something else. Whereas a newspaper column would quickly be replaced, blogs are different. They continue to exist on the Interweb, although the 'old' last entry is like a flag that hints at a story, but no more. But sometimes it is different...

It's now been quite a few years since I last made an entry in this blog, and my analysis would have been exactly the same as for any other blog. But then, surprise, surprise, here's a new entry. And more intriguingly, it's an entry that examines what happens when a blog pauses and then restarts. I suspect that this makes this entry doubly rare, and so something really unusual.

It wasn't a new job, or rather it wasn't as simple as that. Being diagnosed with cancer when you have never spent any time in hospital, when you've never had an MRI, a CT scan, an X-ray outside of the dentist's chair, comes as quite a shock. It's one of the 'something else' reasons for stopping a blog that popular culture would have you supposing that a restart is unlikely. And it's a full time job, fighting.

So I'm more than happy to say that sometimes, interesting and unlikely things happen. After a challenging pause, I'm now going to try and write the occasional blog post again. Here. From me. To you.

Sunday, 19 December 2010

IET John Logie Baird Lecture Archive

Back in November, I chaired the 2010 IET John Logie Baird lecture - a yearly celebration of multimedia innovation. This year's lecture was called: 'a day in the life of a multimedia communicator'. The IET web-site is now up, and contains an archive of material from previous lectures in the series, plus videos from this year.

The speakers and topics were:

Brian Levy (former CTO of RedBee (BBC Technology)) - The Multimedia Future

Mike Short (VP Technology, O2 Group) - ADITLOAMC

Marian Ursu (Deputy head of Department of Computing, Goldsmiths) - Shapeshifting Media: Interactive Moving Picture Storytelling

Alistair Crane (CEO, Grapple Mobile) was unfortunately unable to attend.

There is also a video of the panel session that I chaired.

Sunday, 18 July 2010

Self-imposed Constraints

The Crystal Maze has long been one of my favourite TV programmes, and I have watched (and thoroughly enjoyed) quite a few of the ongoing repeats on the 'Challenge' TV channel in the UK. Sometimes the puzzle catches your imagination, and this happened to me with a recent episode.

The puzzle seemed straight-forward: just arrange the six lowest-value dominoes into a square where each of the sides adds up to the same value. A quick bit of brow-furrowing got me to the value - it has to be four, but actually solving the puzzle was rather trickier. I began to feel rather like the unfortunate contestant, who had also failed to solve the problem - and I had the considerable advantage of not having any time limit (plus I didn't have the other contestants shouting 'often less-than useful' advice at me all the time).

Eventually I found the solution, but it wasn't a very satisfying answer. The reason has to do with the way that I think about dominoes. I spent many of my formative Saturday nights at 'Domino Drives', mainly because my Dad was a seasoned card player who was pretty successful at the accompanying 'Whist Drives', and so transport wasn't a problem. As a result, I think of dominoes as being arranged with ends matching, and doubles rotated through ninety degrees. Now there were some local variations: Up North, where I lived at the time, they played with dominoes that went all the way up to Double Nines, and the One spots were not red, nor were they a different size. White dots all the way from none to nine was what I was brought up with, and it wasn't until many years later that I discovered the many variations of domino that existed elsewhere...

Subconsciously, I was applying the 'match the ends' rule as a constraint to this problem. Not rotating the doubles so that they were across the flow wasn't a problem, because I had grown up with players who didn't cross doubles, and there were always people around the table who would 'tut-tut' and rotate any uncrossed double during play. But matching those ends was totally automatic, and so I quickly came up against the problem that wherever you placed the Double Two domino, the two dominoes either side immediately made those two sides add up to more than four!

Eventually it dawned on me that the only way to solve the problem was to ignore my self-imposed constraint and not to match the ends of dominoes. Once you do this, then the solution drops out quite quickly.

But, as frequent readers of this blog will tell you, my head doesn't let me stop there. My mind continuously looks beyond the obvious, and I now realised that actually, not all of the junctions between dominoes broke the rule/constraint - just some of them. Now I already knew that the 'no junctions break the rule/constraint' was not possible, so was it possible to break the rule/constraint at all the junctions?

It seems that you can't do this either. This was my best result, and here all but one of the junctions breaks the rule/constraint.

So, today's observation is that: 'Sometimes you unconsciously impose rules where there aren't any rules at all.' - plus the corollary that: 'breaking constraints sometimes produces interesting results', which gives a revised, and more difficult puzzle:

Can you arrange the six lowest-value dominoes in a square so that the sides all add up to the same number, and with the highest possible number of junctions between dominoes where they have different numbers of dots?

Wednesday, 2 June 2010

'Childhood Remixed' by Pixelh8

I've always been fascinated by the mixture of mechanics and electronics that you find in toys, and so Pixelh8's first solo exhibition needed little introduction. Titled 'Childhood Remixed', it is all about making sounds with children's toys, and the complete project also includes workshops and talks too.

It is open to the public from May 29th to July 12th, 2010 in the Town Hall Galleries, Ipswich, Suffolk, UK. There's a bigger report in my music synthesis blog: synthesizerwriter.

Friday, 28 May 2010

Innovation Catalyst

I attended one of the excellent monthly 'Entrepreneurs On the Move' (EOTM) networking meetings organised by Connected Cambridge this week, and was approached by an MBA student who was intrigued by my description in the attendee notes:

I'm one of those unusual individuals who works best at the intersection of technology, creative, and sales/marketing - coming up with innovation, persuasion, strategies, and new combinations / products / solutions for clients, marketing, creatives and developers. I have experience in all of these areas, but most of all, I have experience at utilising them in combination.

Now I would be one of the first to admit that this isn't a normal job description, and so I explained my mental model of entrepreneurship and what I did... As I did so, I was reminded of something that EOTM event organiser Peter Hewkin (the founder of the Centre for Business Innovation) had said earlier in the evening, which boils down to something like: "Do it once manually, but after that make it happen automatically!" and so I'm publishing my reply so that others can find my explanation. (This is the first of a series of articles covering what I said...)

Here's a Venn diagram that shows the way that I think things work:

So there are the three areas of entrepreneurial/business endeavour that I mentioned: Technology, Creative, and Sales/Marketing, and there's me, in the intersection right at the centre. Technology-wise, I've worked on mechanical and electronic hardware, embedded firmware and a variety of software ranging from medical and industrial applications through telecoms coding, metadata and multimedia to music synthesis and installation art, both by myself and managing programming teams. Creative-wise, I've done photography, photoshopography, vector art, logos, videos, 3D animation and interactive narrative collaborations, again individually and as part of a team. Marketing-wise I've done everything from being a shop-floor salesperson to planning products to convincing clients that a technology was right for their application, once again as an individual and as part of a team.

I've always thought that the interesting parts of any subject are where it meets other disciplines, and so the next diagram looks at what happens in those intersections:

In my mind, the intersection of Technology and Marketing is where Products and Services happen. The mixing of Marketing and Creative is exploited in Advertising. And forcing Creative and Technology together is where Design occurs. Like all models, it isn't perfect, but it helps me to give structure to a complex world.

As part of the process of working in each of the big circles, then I've also worked in those intersections too, and so the diagram makes it very clear why Design is so different from Products - one is primarily a Creative/Technology result, whilst the other is primarily a Marketing/Technology result. But what is really interesting is that the dark intersection at the centre of the diagram is where the hardest and most challenging stuff happens, because here all three disciplines make contributions, and it is here where there are lots of forces pulling me in all directions.

The next diagram tries to show just three of those forces:

Actually, it is good to think of these three arrows as pieces of elastic, because then you can see the importance of the intersection that is opposite to the arrow. So for 'Persuasion', whilst Advertising and the Product or Service is important, it is often the Design that will make the marketing succeed. Apple is a good example of this happening in practice. Equally, Creativity in Design and Advertising is good, but the other end of the 'Inspiration' elastic is the Product or Service, and that really matters! Looking at the way that 'Innovation' is connected to Advertising is a reminder that technology innovations like Flash or HTML may start out as pure technology, but they can rapidly become incorporated as a key part of the Creative and Marketing story.

If we go into the centre of the diagram, then we can start to apply more buzz-words to those vectored forces:

With the diagram acting as a key to strategic thinking, then we've already thought about where Flash and HTML 5 sit - on the Innovation arrow where it meets Advertising. You can also now see that CRM is a way of Designing to Persuade people, and so on. Suddenly 'Zero Touch' is revealed not as just a neat way of using Technology to do the Marketing, but also a topic that requires careful Creative thinking as well as Design and Advertising consideration too!

I use the type of thinking shown in this diagram a lot to help me understand the way that the various parties involved in entrepreneurship and business need to work together. Working from the centre of the diagram, as I do, you need to be able to appreciate the different intersections and the vectored forces that connect them together. By using this model, I've been able to successfully innovate and strategise across the three circles in many ways. To learn more visit my LinkedIn profile, or contact me.

Friday, 14 May 2010

The Future is about to start!

Time is subjective - the apparent rate is related to the density of events. So when there is lots happening, time rushes by, whilst when you are waiting for something to happen, then time can seem to creep by...

This subjectiveness also applies to groupings of time like The Past and The Future. I've deliberately avoided trying to apply any measure of how long 'Now' is because I think that it is normally so fleeting that it is almost just the membrane that separates Past from Future. Of course, if you don't have any significant events, then Now can be used to show the current 'state of the art', but as soon as you get any event, then it immediately becomes The Past.

The other aspect to subjectivity is knowledge and viewpoint. This particularly affects The Future. If you are living on the leading edge of technology, then your Now might be viewed as being The Future by many people who are slightly behind the leading edge. This was highlighted very strongly for me when I read the final report on 'Future Digital Content' that has just been published by the 'Beacons For Innovation' project in the UK's 'Knowledge Transfer Network for the Creative Industries', from the UK Government-funded 'Technology Strategy Board'. If you hadn't heard of the Technology Strategy Board, then their web-site provides this explanation:

The Technology Strategy Board is an executive non-departmental public body (NDPB), established by the Government in 2007 and sponsored by the Department for Business, Innovation and Skills (BIS).

The activities of the Technology Strategy Board are jointly supported and funded by BIS and other government departments, the devolved administrations, regional development agencies and research councils.

The 'Future Digital Content' report is very much from the viewpoint of the Creative Industry, and makes interesting reading when you have 'subjectivity' in mind. Much of what it covers as Future seems like Now to me, but then I've spent the last ten years or more looking at the future of content, and so my viewpoint is very skewed. But it is fascinating to see how you can have different views of Now and The Future.

It is also fascinating to see how words and structure can get in the way of comprehension. I didn't know that the Department for Trade and Industry (DTI) had changed to the Department for Business, Innovation and Skills (BIS) until I heard about the Technology Strategy Board (whose web-site URL stresses innovation!), and I now think of these things using a more familiar metaphor: the 'breadcrumb trail' that you see for navigation on some web-sites:

UK Government>DBIS>Technology Strategy Board>KTN-Creative Industries>Beacons>Report

