Continuous Delivery for Legacy/Heritage Systems – LondonCD meetup June 2017

This is part 3 of a 4-part series of articles based on discussions at the LondonCD meetup group on 12 June 2017. The other posts are linked at the end of this article.

Applying the principles and practices of Continuous Delivery for new software is fairly straightforward (at least, until you deal with data and databases). However, existing “legacy” systems that were built without many automated tests and without much concern for repeatable deployments of discrete functionality pose a challenge for moving to Continuous Delivery.

Office Lens 20170612-205923

Continue reading

Continuous Security in Continuous Delivery – LondonCD meetup June 2017

This is part 1 of a 4-part series of articles based on discussions at the LondonCD meetup group on 12 June 2017. The other posts are linked at the end of this article.

How do we continuously address security concerns with modern software development? That was one of the questions we discussed and tried to answer at LondonCD meetup group on 12 June 2017. “The yearly PEN test is dead!”, said one person, meaning that reliance on an infrequent, specialist test to address all security problems is simply not good enough any more.

Office Lens 20170612-201113

Continue reading

Verified by Visa Confirmed Dangerous

New research from the University of Cambridge supports the view that Verified by Visa is deeply flawed and unsafe. I first came across this mess of an implementation a while back, and the situation has only become worse since then:

the scheme has become a target for phishing, partly because inconsistent authentication methods can leave customers confused.

It’s time to insist that Visa, MasterCard and other payment gateway providers take some responsibilty for this, and stop pushing risk onto the customer.

How to encrypt passwords in the Tomcat server.xml file

By default, Tomcat stores passwords in server.xml in clear text, which can lead to obvious security lapses.

The easiest way to mitigate against user account compromise is to use a password digest (SHA, MD2 or MD5 are supported).

With $CATALINA_HOME/lib/catalina.jar and $CATALINA_HOME/bin/tomcat-juli.jar on your class path, just use the following to generate the digested passwords:

java org.apache.catalina.realm.RealmBase \
   -a {algorithm} {cleartext-password}

The digest technique works by having the incoming clear text password (as entered by the user) digested, and the results compared to the stored digested password. If the Two digests match, the password entered by the user must be correct, and the authenticate() method of the Realm succeeds.

Grey Matter Workout

I spent part of today scratching my head and dredging up long-forgotten details of the .Net Framework and C# over at – to my relief, I didn’t disgrace myself: a test score average of 4.25 puts me in good stead for my forthcoming MCP exam later in June.

Some of the tricky areas:

ACCU Conference 2006

I went to the ACCU Spring Conference 2006 last week. There were some interesting sessions, as usual.

XSLT2 and XPath2

Version 1 of XSLT and XPath were fairly limited in their XML processing abilities in some respects: no possibility to reference local variables was the worst. Version 2.0 of these langauges fixes this and other shortcomings with a raft of new features and generalisations. In fact XSLT2 and XPath2 are very different from their predecessors.

XSLT2 allows operations on temporary/local variables and returned node sets. This can lead to greatly simplified XSLT documents. In addition, there are some nice new operator and keywords:

  • xsl:for-each – generalised operations over the universal new Sequence type (see below)
  • xsl:for-each-group – allows GROUP BY (pivot) of data
  • xsl:analyze-string – use RegEx to match text in nodes
  • xsl:function – define a custom function in XSL, and call it using XPath2 expressions
  • xsl:unparsed-text – handle non-XML text e.g. CSV

The most fundamental change in XPath2 is that all XPath2 expressions now operate upon the (typed) Sequence datatype instead of node sets. XPath2 also allows conditional expressions, whereas in XPath1 all expressions had to resolve at ‘compile’ time.

Comments are now allowed in XPath2 expressions, and nested loops are allowed (akin to JOIN in SQL). There is a new doc() function for pulling in nodes from a separate XML document, and RegEx support has been beefed up.

Java Server Faces 1.2 (JSF)

Java Server Faces is Sun’s answer to ASP.NET, and shares the smae basic approach of separating logic from presentation.

Sun seems to have taken the ‘any browser’ abstraction from ASP.NET and extended this to ‘any device’: we were shown a demonstration of the same JSF application serving pages to a web browser, a Telnet client, and a Jabber client, of all things!

It’s possible to define much of the application and component configuration via config files, and this process seemed simpler than the techinique for ASP.NET, even version 2.0 with the improved config file handlers.

The other nice thing about JSF 1.2 was the Page Flow model: a sequence of navigation actions by the user can be captured in the config file, allowing JSF to craft up appropriate links (e.g. for Edit, Save, Delete actions) automatically.

Due Diligence

I spend some valuable time talking to on of the keynote speakers about Due Diligence reviews for software.

Approximation: the source code doesn’t matter: it’s the environment and processes which determine how maintainable the software is.


Secunia is an excellent site, listing outstanding and historic vulns for all major (and many minor) software products. For exmaple, compare security flaws for DotNetNuke with the flaws for PHP-Nuke. There is clearly no competition there. Alarmingly, Firefox has 12% unpatched vulns since 2003, but of course stats can lie.