# Security Assignment Feedback

Those of you who did it have a risk matrix. Cool!


Many of you seemed to have problems with running OWTF...



## Some found some cool vulnerabilities!

  - Accessing another group's database from what is known from the repository 

![](https://github.com/KLMM-LSD/LSD-Experimental/blob/lorem/DBVulnerabilityProof.PNG?raw=true)

# Technical Debt

![](https://www.monkeyuser.com/assets/images/2018/106-tech-debt.png)


  > Technical debt is a concept in programming that reflects the extra development work that arises when code that is easy to implement in the short run is used instead of applying the best overall solution.
  >
  > Technical debt is commonly associated with extreme programming, especially in the context of refactoring. That is, it implies that restructuring existing code (refactoring) is required as part of the development process. Under this line of thinking refactoring is not only a result of poorly written code, but is also done based on an evolving understanding of a problem and the best way to solve that problem.
  >
  > https://www.techopedia.com/definition/27913/technical-debt



![](http://mmhan.net/assets/tech-debt.png)


![](https://qph.fs.quoracdn.net/main-qimg-87417c2785ec94e5648b06ad56729b36)





## How debt is introduced?

![](https://martinfowler.com/bliki/images/techDebtQuadrant.png)

https://martinfowler.com/bliki/TechnicalDebtQuadrant.html





Technical debt
Each feature adds complexity Complexity requires  me Time requires money
Humans are horrible logic machines





## Avoiding debt

  * Change avoidance
    - Avoid bringing yourself in a situation where you have to change 
    - Get the requirements right
    - Design processes, RUP, SCRUM, etc.
  * Change tolerance
    - Design for change
    - Design patterns, compositionality, coupling, etc.



## Measuring technical debt


  * Metrics
    - LOC
    - Test coverage
    - "Code smells"
  * CI
    - Measure debt difference 
    - Refuse PR if debt increases

### SonarQube

https://www.sonarqube.org/index/clean-code2x.png

![](https://www.sonarqube.org/index/clean-code2x.png)



  > Technical Debt
  >
  > The estimated time required to fix all Maintainability Issues / code smells
  
  
https://docs.sonarqube.org/latest/user-guide/metric-definitions/ below metrics

# Maintainability

  > M2. Maintenance typically consumes about 40 to 80 percent (60 percent average) of software costs. Therefore, it is probably the most important life cycle phase.
  > 
  > ...
  > 
  > M3. Enhancement is responsible for roughly 60 percent of software maintenance costs. Error correction is roughly 17 percent. So, software maintenance is largely about adding new capability to old software, not about fixing it.
  >
  > ...
  >
  > M5. Most software development tasks and software maintenance tasks are the same—except for the additional maintenance task of "understanding the existing product." This task is the dominant maintenance activity, consuming roughly 30 percent of maintenance time. So, you could claim that maintenance is more difficult than development.
  >
  > Robert L. Glass _"Frequently Forgotten Fundamental Facts about Software Engineering"_ [http://www.eng.auburn.edu/~kchang/comp6710/readings/Forgotten_Fundamentals_IEEE_Software_May_2001.pdf](http://www.eng.auburn.edu/~kchang/comp6710/readings/Forgotten_Fundamentals_IEEE_Software_May_2001.pdf) 
  
  
## What comprises Maintainance?

  * fixing bugs
  * keeping its systems operational
  * investigating failures
  * adapting it to new platforms
  * modifying it for new use cases
  * repaying technical debt
  * adding new features
  * etc.
  
-------

 * Many people seem to dislike fixing others peoples bugs
 * Work with "old" tech and with legacy systems
 
## Design for Maintainability

...minimize pain during maintenance, and thus avoid creating legacy software ourselves.

  * **Operability**
    Make it easy for operations teams to keep the system running smoothly.
  * **Simplicity**
    Make it easy for new engineers to understand the system, by removing as much complexity as possible from the system. (Note this is not the same as simplicity of the user interface.)
  * **Evolvability**
    Make it easy for engineers to make changes to the system in the future, adapting it for unanticipated use cases as requirements change. Also known as extensibility, modifiability, or plasticity.
    
  
### Operability: Making Life Easy for Operations


Do you support your operations team, wrt. your Hackenews Clones, in that you support to:

  * Monitor the health of the system?
  * Quickly restore a service if it goes into a bad state?
  * Track down the cause of problems, such as system failures, degraded performance, etc?
  * Keep software and platforms up to date?
  * Observe how different systems affect each other?
  * Anticipate future problems and solve them before they occur (e.g., capacity planning)?
  * Establish good practices and tools for deployment, configuration management, etc.?
  * Perform complex maintenance tasks, such as moving an application from one platform to another?
  * Preserve the group’s knowledge about the system, even as individual people come and go?

In [1]:
from IPython.display import IFrame
IFrame('https://peerj.com/preprints/1233.pdf', width="100%", height=500)

Good operability means making routine tasks easy:

  * Provide good monitoring to make runtime behavior and system internals visible
  * Provide good support for automation and integration with standard tools
  * Avoid dependency on individual machines
  * Provide good documentation and an easy-to-understand operational model
  * Provide good default behavior, but allow administrators to override defaults when needed
  * Provide self-healing where appropriate
  * Exhibiting predictable behavior, minimizing surprises
  
### Simplicity: Managing Complexity

Many of the fixes applied to your Hackernews Clone systems, will eventually create a _"big ball of mud"_:

In [2]:
from IPython.display import IFrame
IFrame('http://laputan.org/mud/mud.html#Abstract', width="100%", height=350)

##### Do I have a _"big ball of mud"_?

  * **hacks aimed at solving performance problems**
  * tight coupling of modules
  * tangled dependencies
  * inconsistent naming and terminology
  * explosion of the state space
  
Issues with the _"big ball of mud"_:

  * budgets and schedules are often overrun. 
  * risk of introducing bugs when making a change
  
  
removing accidental complexity with the help of abstraction


### Evolvability: Making Change Easy

  * unlikely that your system’s requirements will remain unchanged forever
  * keeping things operational and simple as described above allows for evolvability
  
  
  
----------

These notes are based on chapter 1 _Maintainability_ p.18ff in _Designing Data-Intensive Applications_ by Martin Kleppmann.
  

-------------------------

# Techniques for Subsystem Division


### What was this?

![Packages](images/packages.png)


In [3]:
from IPython.display import IFrame

url = 'http://editor.swagger.io'
IFrame(url, width='100%', height=500) 

In [None]:
%%bash
unzip python-flask-server-generated.zip
cd python-flask-server
docker build -t pet-server .
docker run -it --rm -p "8080:8080" pet-server:latest
$ curl -X GET http://localhost:8080/v2/pet/findByStatus?status=pending -H "accept: application/json"
"do some magic!"

# Your Turn

## First Hour

Try to integrate SonarCube (https://sonarcloud.io/about) into your build chain and see what it reports as maintainability issues and for the technical debt.


## Second Hour
  - Try to formalize a part of the communication in between your Hackernews Clone subsystems with the OpenAPI Spec, see http://editor.swagger.io.
  - Create code for a server and a client in the languages of your choice.
  - Compare the generated server to the server that you implemented manually.
    - Figure out, where to attach the business logic from your manually implemented server into the generted server.
    - Try to add your business logic there.
    - See if you can make the communication work via generated Swagger server.
