CFCamp 2015 Day One

CFCamp 2015

Monkeh Works are at CFCamp in Munich and will be posting notes of sessions attended throughout the day.

Thanks to Bluegras.de for organising this great event and for all of the sponsors for, well, sponsoring it.

Day 1

This is the brain dump from day one of the CFCamp conference and notes taken throughout the sessions attended.

Make of them what you will. May contain spelling mistakes.

20 Years of ColdFusion - Rakshith Naresh, Adobe

• 100% representation with top 20 banks
• 90% rep in government agencies

Security

Language, Infrastructure and Resources

Language

• OWASP (ESAPI and AntiSamy)
• CSRF Token Pattern
• Session Rotation
• CRLF Protection

Infrastructure

• Security by default (secure profile and secure sandbox)
• Audit logs
• Password and XSS protection
• Updated crypto libraries

Resources

• Adobe PSRT
• Testing processes
• Knowledge and training
  • Teams are training (belt certification) in security updates and skills
• Security-related bugs take top priority
• 3rd-party audit
  • security agency audits feature set built by Adobe in every release

Web Services and HTML5

CF able to react to industry requirements and add in features and functions including:

• REST creation and publishing
• HTML features
• Mobile (cfclient)

Language Enhancements in CF 11

• cfscript support
• OAuth2 support
• member functions
• JSON enhancements
• closures

Acrobat Integration:

• pixel-perfect HTML conversion
• high performance PDF generation
• e-signatures
• full DDX support
• archiving

ColdFusion next

Raijin (12) and Aether (13)

Raijin

High-level focus areas:

• performance
• security
• PDF
• language improvements

Also focussing on:

• API management
• mobile enhancements

Performance

Preliminary testing numbers (not official white paper results)

• Arrays = 130% faster
• Cached queries = 12% faster
• Scope search = 10% faster
• cfm page execution = 15% faster

Security

Raijin will contain a built-in code analyzer

Within ColdFusion Builder (portal view within editor) to perform security analysis and report any vulnerabilities along with line numbers; also reports what type of vulnerability with pointers to fix issue.

Covers (not complete list):

• SQL injection
• XSS
• Cookie validation
• CSRF
• (and more)

CFIDE script separation - CFIDE now completely removed from webserver

NTML support - cfsharepoint, cfinvoke and cfobject

PDF

• sanitization
• redaction
  • can define coords to redact data / content programmatically
• import / export metadata
  • can also export / extract comments and import back in (not just metadata)
• archive standards update
  • PDF2B standard supported in CF12

Language Improvements

Safe navigation operator

if(isdefined('foo'))
{
  writeOutput(foo.bar());
}
else
{
  writeOutput'not defined');
}

Make this easier using safe navigation operator:

writeOutput(foo?.bar());


writeOutput(employee?.address[1]?.street?.foo);

Ordered and Sorted collections:

str = structNew("sorted");
str.zero = "zero";
str.beta = "beta";
str.alpah = "alpha";

// change order
str = structNew("sorted", "desc");

passArrayByReference setting

searchImplicitScopes setting

CLI

cf.bat file (Windows)

file, database, email and webservice operations

arguments and named arguments can be passed to the command

read(), writeLn() and writeError() methods available

API Management Capabilities

• 63% of CF user base already expose APIs
• 34% of which are intranet APIs
• 23% or which are internet APIs
• 43% have both internet and intranet APIs

APIs being used for:

• 47% mobile enablement
• 45% driving internal innovation (reuse and cost reduction)
• 32% new channel for data, services or technology (increased reach)
• 25% customer and partner enablements
• 18% new source of revenue

APIs - from concept to go-to-market:

1. define business objectives
2. design your API
3. code your API
4. secure your API - access control mechanism (uername and password or API key generation)
5. manage your API
6. engage developers
7. measure impact
   • detailed analytics from the API

Raijin will include steps 2-7. Security, measurement and management included in CF12.

Secure your API

• Basic authentication
• API key generation
• OAuth
  • built-in OAuth server included with token generation
• OAuth with SAML

Manage your API

• API versions
• private, public or partner
• API lifecycle - draft, published, deprecated and retired
• SLAs - rate limiting and throttling

Engage Developers

• Import portal users/developers from LDAP/database
• full fledged developer portal
  • explore APIs available
  • read API documentation
  • tryout APIs from UI
  • sign up for APIs

Measure impact

• compare metrics to business objectives
• admin, publisher, subscriber roles (and dashboard)
  • detailed dashboard to view analytics based upon role
• metrics - timestamp, version, publisher
• metrics (cont.) - SLA, request method, status code, request and response content size

Extra SOAP support

• SOAP to REST translation
• SOAP Gateway

ColdFusion Advantage

• direct import of REST services from CF server
• minimal configuration to go live
• in VM interaction for faster access

Swagger

http://swagger.io

Import Swagger API Descriptions into the API management console / dashboard

(Monkeh Works <3 Swagger)

Static site generation using Node.js - David Boyer

http://www.metalsmith.io/

Generate your sites dynamically, hosting static pages and sites.

Can be easily regenerated any time, anywhere.

Not tied specifically to Node.js - can use any language.

Generate your static site by script or application.

Why Not Dynamic?

Speed is key. Dynamic servers and apps will introduce latency and bottlenecks

"Every 100ms delay costs 1% of sales" - Greg Linden - Amazon (2006)

Dynamic resources add latency

• databases
• server-side manipulation

Security Concerns with Dynamic Apps

• secure version of your server-side language
• 3rd-party code (modules, libraries, extensions) need monitoring
• ensure server-side code is secure (parameter protected and XSS safe)

Every new additional layer to your app adds an extra point of failure.

With static sites these points of failure and bottlenecks are greatly reduced.

Running costs are much lower with static sites. HTML can be hosted anywhere (for free) with minimal layers.

Why Static?

• improved security - only a web server to attack
• faster, no databases or server-side processing to construct the page
• fewer points of failure
• easily cacheable or hosted across multiple servers
• easier to debug
• HTML only changes when you regenerate the content

Mix and Match

• static content pages mixed with dynamic server pages
• static generated site, backed by an API and client side Javascript for dynamic components
• dynamic content management system producing a static based site
• Areas of your static pages can still be dynamic using client-side JS

Suggested Usage (from Metalsmith site)

Metalsmith / static generation can be used for:

• project scaffolder
• build tool
• ebook generator
• technical documentation
• article / blog site
• startup / product based sites

Metalsmith

Recursive read of all files in the ./src directory.

Manipulates the file data through a series of plugins.

Write the results to a ./buid directory.

Install:

npm init

to create package.json file (if it doesn’t already exist)

npm install metalsmith --save

Plugins

• provided to metalsmith through the .use(fn) method
• plugin is provided with a list of files found and parsed by metalsmith

• a reference to the metalsmith instance

  npm install –save metalsmith-markdown

Use YAML definitions to crate metadata.

The markdown plugin will be able to parse this information and use it when generating your site

The YAML for THIS blog post:

---

title: CFCamp 2015 Day One
slug: cfcamp-2015-day-one
date: 2015-10-22
categories:
- Events
- ColdFusion
tags:
- Events
- Developers
- ColdFusion
excerpt: "Notes taken during day one at CFCamp 2015 in Munich."
---

Many templating engines available. This blog uses Jade (as you can see from the above YAML)

npm install metalsmith-layouts --save

The metalsmith configuration file declares which engine is used

.use(layouts({
  engine: 'jade',
  directory: path.join(__dirname, 'templates'),
  basedir: path.join(__dirname, 'templates'),
}))

Useful Plugins

• metalsmith-more
• metalsmith-feed
• metalsmith-lunr
• metalsmith-prism
• metalsmith-redirect

** NOTE: I’ll be writing up a Metalsmith article after CFCamp to document how this site is generated **

Using ColdFusion as the Lynchpin of Modern, 3-Tiered Web Apps - Dave Gallerizzo

Define the 3-tiered architecture

• also called a layer
• should be able to be constructed separately, possibly by different teams
• each tier should contribute something different to the whole

Why is CF uniquely qualified to support a 3-tier architecture?

• enterprise data connectivity (SQL and Non-SQL)
• native support for implementing RESTful web services
• ease of converting data to/from JSON

Benefits of 3-tiered architecture

• flexibility
• maintainability
• reusability
• scalability
• reliability
• framework

Implementing

By default most legacy CF based applications are built in what we call a 1-tier architecture

1-tier = presentation logic, business logic and data access logic with every single request.

Rules

The browser is a tool, not a tier. Code which runs IN the browser is a tier.

ColdFusion applications using components to separate data access from presentation and business logic is a 2-tier architecture.

You’re still accessing the data access logic directly from the presentation tier.

ColdFusion in a 3-tiered architecture

• delivering mobile data with CF
• creating and invoking RESTful web services
• working with HTML5 websockets

Introduction to Data und Text Mining with Java und CFML - Kai König

What is data mining?

Why do we have so much data nowadays?

• cheap storage and better processing power
• legal and business requirements
• digital hoarding

“Data mining is the extraction of implicit, previously unknown, and potentially useful information from data. The idea is to build computer programs that sift through databases automatically, seeking regularities or patterns. Strong patterns, if found, will likely generalize to make accurate predictions on future data. … Machine learning provides the technical basis for data mining. It is used to extract information from the raw data in databases…” - Ian Witten

Learning

"Things learn when they change their behaviour in a way that makes them perform better in the future"

Types:

• classification learning
• association learning
• clustering
• numerical prediction

Thing we want to learn is the concept.

The output of a learning scheme is the concept description.

Classification learning is sometimes called supervised learning. The outcome is the class.

Examples are called instances.

Discrete attribute values are usually called nominal values, continuous attribute values are called just numeric values.

Weka

Waikato Environment for Knowledge Analysis

Download for Mac OS X, Linux and Windows (any platform that runs Java)

http://www.cs.waikato.ac.nz/ml/weka/downloading.html