Learning
  • Software Engineering Golden Treasury
  • Trail Map
  • Caching
    • Alternatives to use before using cache
    • Caching Architecture
    • Cache Invalidation and Eviction
    • Cache Patterns
    • Cache
    • Consistency
    • Distributed Caching
    • Issues with caching
    • Types of caches
  • Career
    • algo types
    • Backend Knowledge
    • Burnout
    • consultancy
    • dev-level
    • Enterprise Developer
    • how-to-get-in-tech-from-other-job
    • how-to-get-into-junior-dev-position
    • induction
    • Interview
    • junior
    • mid
    • New Job
    • paths
    • Principle/staff Engineer
    • Requirements for job
    • Senior Dev capabilities
    • learning
      • automating-beginner
      • company1
        • analyst-progression
        • core-eng-progression
        • dev-progression
        • perf-eng-progression
        • soft-deliv-progression
    • mentoring
      • mentor-resources
    • recruitment
      • questions
      • Spotting posers
  • Computer Science
    • boolean-algebra
    • Compiler
    • Finite State Machine
    • Hashing
    • Algorithms
      • Breadth Firth Search
      • complexity
      • Depth First Search
      • efficiency
      • Sliding Window
      • sorting
    • data-structures
      • AVL Trees
      • data-structures
      • Linked List
    • machines
      • Intel Machine
      • Turing Machine
      • von neumann machine
      • Zeus Machine
  • devops
    • The 5 Ideals
    • microservice
    • Artifact repository
    • Bugs and Fixes
    • Build police
    • cloud-servers
    • Deployments
    • Environments
    • GitOps
    • handling-releases
    • infrastructure-as-code
    • System Migrations
    • SDP
    • On Premises Hosting
    • Properties/configuration
    • Release process
    • Release
    • Roll Outs
    • serverless
    • Serverless
    • Cloud Services
    • Versioning
    • AWS
      • deploy-docker-esc
      • cloud-practitiioner-essentials-notes
        • Module 1 - Intro to AWS
        • Module 2 Compute in the cloud
        • Module 3 Global Infrastructure and Reliability
        • Module 4 Networking
        • Module 5 Storage and Databases
        • Security
        • 7 Monitoring and Aanlytics
        • 8 Pricing and Support
        • 9 Migration and Innovation
      • developer-associate
        • AWS Elastic Beanstalk
    • build-tools
      • Managing dependecies
      • Apache ANT
      • Gradle
        • Custom Plugins
        • local-jars
      • Project Management - maven
        • Archtypes
        • Build Lifecycles
        • Customising build lifecycle
        • Dependencies
        • Directory layout
        • jar-files
        • one-to-one
        • Modules
        • Phases
        • Maven Plugins
        • POM
        • profiles
        • setup
        • Starting a maven project
        • wrapper
    • CI/CD
      • Continuous Delivery
      • zookeeper
      • Continuous Integration (CI)
      • github-actions
      • Pipeline
      • Teamcity
    • Cloud computing
      • Overview
      • Service Models
      • Cloud Services
    • containers
      • Best Practices
      • Docker
    • Infrastructure
      • IT Infrastructure Model
      • Non functional Attributes (Quality Attributes)
        • Infrastructure Availability
        • Performance
        • Secruity
    • monitoring
      • Alerting
      • Monitoring & Metrics
      • Metrics
      • Ready pages
      • Splunk
      • Status pages
      • notes-devops-talk
      • logging
        • logging
        • issues
        • Logging
        • Logging
    • Service mesh
      • Service Discovery
      • Istio
    • Terraform
    • container-management
      • Kubernetes
        • commands-glossary
        • OLTP
        • config-maps
        • Links
        • ingress
        • SDP
        • minikube
        • filter
        • indexes
        • sidecar
        • continuous-deployment
  • General Paradigms
    • CAP theorem
    • designing data-intensive applications summary
    • a-philosophy-of-software-design-notes
    • Aspect oriented Programming (AOP)
    • Best Practice
    • Cargo Cult
    • Clean Code
    • Coding reflections
    • Cognitive Complexity
    • Complexity
    • Conventions
    • Design discussions
    • Design
    • Error Handling Checklist
    • Exceptions
    • Feature Flags/toggle
    • Functional requirements
    • Last Responsible Moment
    • Lock In
    • Named Arguments
    • Naming
    • Performance Fallacy
    • Quality
    • Redesign of a system
    • Resuse vs Decoupling
    • Rules for software designs
    • Sad Paths
    • Scaling Webservices
    • Scientific Method
    • stream-processing
    • Upstream and Downstream
    • Patterns
      • Client-SDK-Pattern
      • ORM
      • Api gateway
      • Business Rules Engine
      • cache
      • Composition Root
      • Dependency Injection Containers
      • Dependency Injections
      • Double Dispatch
      • Exception Handling
      • Gateway pattern
      • Humble Object
      • Inheritance for reuse
      • Null Object Pattern
      • Object Mother
      • Patterns
      • Collection pipeline pattern
      • Service Locator
      • Setter constructor
      • Static factory method
      • Step Builder Pattern
      • telescopic constructors
      • Toggles
      • API
        • Aims of API designs
        • Avoid Checked Exceptions
        • Avoid returning nulls
        • Be defensive with your data
        • convience-methods
        • Fluent Interfaces
        • Loan Pattern
        • prefer-enums-to-boolean-returns
        • return-meaningful-types
        • Small intefaces
        • Support Lambdas
        • Weakest type
      • Gang of Four
        • Builder
        • Factory Pattern
        • Strategy Pattern
        • Template
        • abstract Factory
        • Adapter
        • Bridge Pattern
        • Chain of responsibility
        • Command Pattern
        • Composite Design Pattern
        • Decorator Pattern
        • Facade Pattern
        • Flyweight pattern
        • Guard Clause
        • Interpreter
        • html
        • Mediator Pattern
        • Memento Pattern
        • Observer
        • Prototype
        • Proxy
        • Singleton
        • State Pattern
        • Visitor Pattern
    • Architecture
      • Entity Component System
      • Integration Operation Segregation Principle
      • Adaptable Architecture
      • Architecture
      • C4 Modelling
      • cell-based
      • Clean/Hexagonal Architecture
      • Codifying architecture
      • Correct By configuration
      • Cost Base Architecture
      • Data Oriented Design
      • deliberate
      • Domain oriented DOMA
      • Event Driven Architecture
      • Evolutionary Architecture
      • examples
      • Feature Architecture
      • Framework and Libraries
      • functional-core-imperative-shell
      • Layered Architecture
      • Micro services
      • monoliths-to-services
      • Multi tiered Architecture
      • Multi tenant application
      • Resilient Architecture
      • stage event driven architecture (SEDA)
      • links spring rest app
      • Tomato Architecture
      • Tooling
      • Types of architecture
      • checklist
        • Checklist for new project
        • Back end Architecture Checklist
        • Front end Architecture Checklist
        • Mobile Architecture Checklist
      • Cloud Patterns
        • Command and Query Responsibility Segregation (CQRS)
        • Event Sourcing & CQRS
        • Asynchronous Request and Reply
        • Circuit Breaker
        • Retry
        • Sidecar
        • Strangler pattern
      • Domain driven design
        • value & entity
      • Microservices
        • Alternatives to choosing microservices first when scaling
        • Consistency in distributed systems
        • 12 Factor applications
      • Modularity
        • Module monolith vs Microservices
        • Spring Moduilth
      • Architecture Patterns
        • Hexagonal architecture
        • Inverting dependencies
        • Layering & Dependency Inversion Principle
        • Mappings
        • Vertical Slice architecture
        • Web Client Server
        • domain
          • Business and Data Layers Separation
          • DTO
          • Domain Model Pattern
          • Domain Object
          • Transaction Script/ Use Case pattern
        • Enterprise Patterns
          • Concurrency
          • Distribution strategies
          • Domain layer patterns
          • Layering/organisation of code
          • Mapping to datasource
          • Session State
        • Usecases
          • Use case return types
      • Serverless
        • Knative
    • Design architecture aims
      • back of envelope
      • Design ideas
      • Design mistakes
      • high-volume-design
      • ISO Quality Attributes
      • Non functional requirements
      • “Designing for Performance” by Martin Thompson
      • High Performance
      • Qaulity Attributes
        • Availability
        • System Availability
        • Fault Tolerance
        • interoperability
        • Latency
        • Maintability
        • Modifiability
        • Performance
        • Readability
        • Reliability
        • Scalability vs performance
        • Scalability
        • Scaling
        • statelessness
        • Testability
        • Throughput
      • System Design
      • web-scalability-distributed-arch
        • scalable-and-distributed-web-architecture
    • README
      • Conflict-free Replicated Data Type
      • Fallacies
      • Load balancing
      • Rate Limiting
      • Transactions
    • Patterns of Enterprise Application Architecture
      • Repository Pattern
      • Rules Engines
      • scatter-gather
      • Specification Design Pattern
      • Table Driven Development
      • Workflow Design Patterns
        • Triggers
    • Principles
      • Do It Or Get Bitten In The End
      • Dont Repeat Yourself
      • Habitability
      • Keep it simple
      • Responsibility Driven Design
      • Ya Ain’t Gonna Need It
      • Conceptual Overhead
      • CUPID
      • Reuse existing interfaces
      • Facts and Fallacies
      • locality of behaviour
      • Separation of Concerns
      • Simplicity
      • SLAP principle
      • Step down rule
      • Unix Philosophy
      • Wrong abstractions
      • SOLID
        • 1. Single Responsibility Principle
        • 2. Open Close Principle
        • 3. Liskov Substitution Principle
        • 4. Interface Segregation Principle
        • 5. Dependency Inversion Principle
        • GRASP (General Responsibility Assignment Software Principles)
        • Solid for packages
          • jobs
          • CCP
          • CRP
          • REP
          • egress
          • gossip-protocol
        • STUPID
    • programming-types
      • Coding to Contract/Interface
      • Links
      • Declarative vs Imperative Programming Languages
      • defensive-programming
      • Design by contract
      • Domain Specific Languages (DSL)
      • Event Driven
      • file-transfers
      • Logical Programming
      • Mutability
      • Self Healing
      • Simplicity
      • Type Driven Design
      • Value objects
      • Aspect Oriented Programming
      • Concurrent and Parallel Programming
        • Actor Model
        • Asynchronous and Synchronous Programming
        • Batch processing
        • Concurrency Models
        • SAP
        • Multithreading
        • Non Blocking IO
        • Optimistic vs Pessimistic Concurrency
        • Thread per connection or request model
        • Actor
        • aysnchronous-tasks
          • Computational Graphs
          • Divide and conquer
          • Future
          • Thread Pool
        • barriers
          • Barriers
          • Race conditions
        • design
          • agglomeration
          • Communication
          • Mapping
          • Partitioning
        • Liveness
          • Abandoned Lock
          • Deadlocks
          • Livelock
          • Starvation
        • locks
          • Read write lock
          • Reentrant lock
          • Try Lock
        • Mutual Exclusion
          • Data Races
          • Mutual Exclusion AKA Locks
        • performance
          • Amdahl's Law
          • Latency, throughput & speed
          • Measure Speed up
        • synchronization
          • Condition variable
          • producer consumer pattern
          • Semaphore
        • Threads and processes
          • Concurrent and parallel programming
          • Daemon Thread
          • Execution Scheduling
          • sequential-parallel
          • Thread Lifecycle
          • threads-and-processes
      • Functional Programming
        • Currying
        • design-patterns-to-func
        • imperative-programming
        • First class functions
        • Functional Looping
        • Higher Order Functions
        • Immutability
        • Issues with functional Programming
        • Lambda calculus
        • Lazy & Eager
        • map
        • Monad
        • Railway Programming
        • Recursion
        • Reduce
        • referential-transparacy
        • Referential transparency
        • Supplier
      • oop-design
        • Issues with object oriented code
        • Aggregation
        • Anti Patterns
        • Association
        • class-and-objects
        • Composition
        • general-laws-of-programming
        • general-notes
        • Getters and Setters
        • Inside out programming
        • Inversion of control
        • oop-design
        • Other principles
        • Outside in programming
        • Readability
        • Why OO is bad
        • README
          • abstraction
          • encapsulation
          • inheritance
          • Polymorphism
        • clean-code
          • Code Smells
          • Comments
          • Naming
          • CLEAN design
            • code is assertive
            • Cohesion
            • Connascence
            • Coupling
            • Encapsulation
            • Loose Coupling
            • Nonredundant code
      • Reactive Programming
        • reactive-programming
    • Projects and Software types
      • Applicatoin Development
      • Buying or creating software
      • Console Applications
      • Embedded Software development
      • Enterprise
      • Framework Development
      • Games
      • Library development
      • Rewriting
      • White Label Apps
    • State Machines
      • Spring State Machine
  • Other
    • 10x devs
    • Aim of software
    • Choosing Technologies
    • Coding faster
    • Component ownership
    • developer-pain-points
    • Developer Types
    • Effective Software design
    • Full Stack Developer
    • Good coder
    • Issues with Software Engineering and Engineers
    • Learning
    • Logic
    • Role
    • Software Actions
    • Software craftmanship
    • Software Designed
    • Software Engineering
    • Software
    • article-summaries
      • General notes
      • Summary of The Grug Brained Developer A layman's guide to thinking like the self-aware smol brained
      • improve-backend-engineer
      • Optimising Api
      • Simple and Easy
    • README
  • Hardware
    • Cpu memory
    • Storage
  • Integration
    • GRPC
    • API
    • Apis and communications between apps
    • asynchronous and synchronous communications
    • Batch Processing
    • Communications between apps
    • Delivery
    • Distributed Computing
    • Entry point
    • Event Source
    • SDP
    • egress
    • Graphql
    • Idempotency
    • Libraries
    • Long Polling
    • Multiplexing & Demultiplexing
    • Publish Subscribe
    • Push
    • Request & Response
    • REST
    • Remote Method Invocation
    • Remote Procedure Calls
    • Server Sent Events
    • Short Polling
    • Sidecars
    • SOAP
    • Stateless and Stateful
    • Streams
    • Third Party Integrations
    • wdsl
    • Web Services
    • Webhooks
    • repository
    • Kafka
      • Kafka Streams
    • message-queues
      • ActiveMQ
      • Dead Letter Queue
      • JMS
      • Messaging
  • Languages
    • C
    • Choosing A Language
    • cobol
    • Composite Data Types
    • creating
    • Date time
    • Numbers
    • Pass by value vs Pass by reference
    • Primitive Data Types
    • REST anti-patterns
    • Rust
    • Scripting
    • Static typing
    • string
    • Task Oriented Language
    • assembly
    • Getting started
      • Functional Concepts
    • cpp
    • Java
      • Code style
      • Garbage Collection
      • Intellij Debugging
      • Artifacts, Jars
      • Java internals
      • Java resources
      • Java versions
      • JShell
      • Libraries
      • opinionated-guide
      • Starting java
      • Java Tools
      • Why use java
      • Advanced Java
        • Annotations
        • API
        • Database and java
        • Debugging Performance
        • Files IO
        • Finalize
        • JDBC
        • jni
        • Libraries
        • Logging
        • SAP
        • Memory Management
        • Modules
        • OTher
        • Packaging Application
        • Pattern matching
        • performance
        • Properties
        • Reference
        • reflection
        • Scaling
        • Scheduling
        • secruity
        • Serilization
        • Time in Java
        • validation
        • Vector
        • Concurrency and Multithreaading
          • Akka
          • ExecutorCompletionService
          • Asynchronous Programming
          • Concurrency and Threads
          • CountDownLatch
          • Conccurrent Data Structures
          • Executor Service
          • Futures
          • reactive
          • Semaphore
          • structured concurrency
          • Threadlocal
          • Threads
          • Virtual Threads
          • Mutual Exclusion
            • Atomic
            • Synchronized
            • Thread safe class
            • Threads
        • debug
          • heap-dumps
          • thread-dumps
        • functional
          • Collectors
          • Exception Handling
          • Flatmap
          • Functional Programming
          • Generators
          • Immutability
          • issues
          • Optional
          • Parallel Streams
          • Reduce
        • networks
          • HTTP client
          • servlet-webcontainers
          • sockets
          • ssl-tls-https
      • Basics of java
        • compilation
        • computation
        • Conditonal/Flow control
        • Excuting code
        • Instructions
        • Looping/Iterating
        • memory-types-variables
        • methods
        • Printing to screen/debugging
        • Setup the system
        • Data structures
          • Arrays
          • Arayslist/list
          • Map
      • Effective Java notes
        • Creating and Destroying Objects
        • Methods Common to All Objects
        • best-practice-api
        • Classes and Interfaces
        • Enums and Annotations
        • Generics
      • framework
        • aop
        • bad
        • Dagger
        • Databases
        • Lombok
        • Mapstruct
        • netty
        • resliance4j
        • RxJava
        • Vert.x
        • Spring
          • Spring Data Repositories
          • actuator
          • cloud-native
          • H2 Db in Spring
          • Initializrs
          • JDBC Template
          • Java Persistence API (JPA)
          • kotlin
          • Pitfalls and advice
          • PRoxies
          • Reactive
          • spring security
          • spring-aop
          • Spring Boot
          • spring-jdbc
          • Spring MVC
          • Spring Testing
          • Testing
          • Transaction
          • patterns
            • Component Scan Patterns
            • Concurrency
            • Decorator Pattern in Spring
        • Micronaut
          • DI
        • Quarkus
          • database
          • Links
      • Intermediate level java
        • String Class
        • Assertions
        • Casting
        • Clonable
        • Command line arguments
        • Common Libraries/classes
        • Comparators
        • Where to store them?
        • Shallow and Deep Copy
        • Date and Time
        • Enums
        • Equals and Hashcode
        • Equals and hashcode
        • Exceptions
        • Final
        • Finally
        • Generics
        • incrementors
        • Null
        • packages and imports
        • Random numbers
        • Regex
        • Static
        • toString()
        • OOP
          • Accessors
          • Classes
          • Object Oriented Programming
          • Constructors
          • Fields/state
          • Inheritence
          • Interfaces
          • Methods/behaviour
          • Nested Classes
          • Objects
          • Static VS Instance
          • Whether to use a dependency or static method?
        • Other Collections
          • Other Collections
          • Arraylist vs Linkedlist
          • LinkedHashMap
          • Linked List
          • Priority queue
          • Sequenced Collections
          • Set
          • Shallow vs Deep Copy
          • Time Complexity of Collections
          • What Collection To use?
    • kotlin
      • Domain Specific Language
      • learning
      • Libraries
      • Personal Roadmap
      • Links
    • Nodejs
      • Performance
  • Management & Workflow
    • Agile
    • Take Breaks
    • # Communication
    • Engineering Daybook
    • Estimates
    • Feedback Loops
    • Little's law
    • Managing Others
    • poser.
    • Presentations
    • self-improvement
    • software-teams
    • Task List
    • trade-off
    • Types of devs
    • Type of work
    • Waterfall Methodology
    • coding-process
      • Bugs
      • Code Review
      • Code Reviews
      • Documentation
      • Done
      • Handover
      • Mob Programming
      • Navigate codebase
      • Pair Programming
      • Pull Requests
      • How to do a story
      • Story to code
      • Trunk based development
      • Xtreme Programming (XP)
      • debugging
        • 9 Rules of Thumb of Dubugging
        • Debugging
        • using-debugger
      • Legacy code
        • Legacy crisis
        • Working with legacy code
    • Managing work
      • Theory of constraints
      • Distributed Teams
      • estimations
      • Improving team's output
      • Kanban
      • Kick offs
      • Retrospectives
      • Scrum
      • Sign offs
      • Stand ups
      • Time bombs
      • Project management triangle
    • Notion
    • recruitment
      • In Person Test
      • Interviews
      • Unattended test
  • Networks
    • Content Delivery Network - CDN
    • DNS
    • cache control
    • Cookies and Sessions
    • Docker Networking
    • Duplex
    • Etags
    • HTTP Cache
    • HTTP - Hyper Text Transfer Protocol
    • HTTP/2
    • Http 3
    • Internet & Web
    • iptables
    • Keep alive
    • Leader Election
    • Load balancer
    • long-polling
    • Network Access Control
    • Network Address Translation (NAT)
    • Network Layers
    • Nginx
    • OSI network model
    • Persistent Connection
    • Polling
    • Proxy
    • Quic
    • reverse-proxy
    • servers
    • Server sent events (SSE)
    • SSH
    • Streaming
    • Timeouts
    • Url Encoding
    • Web sockets
    • WebRTC (Web Real-Time Communication)
    • Wireshark
    • tcp/ip
      • Congestion
      • IP - Internet Protocol
      • TCP - Transmission Control Protocol
  • Operating Systems
    • Cloud Computing
    • Distributed File Systems
    • Distributed Shared Memory
    • Input/Output Management
    • Inter-Process Communication
    • Threads and Concurrency
    • Virtualization
    • Searching using CLI
    • Bash and scripting
    • Booting of linux
    • makefile
    • Memory Management
    • Processes and Process Management
    • Scheduling
    • Scripting
    • Links
    • Ubuntu
    • Unix File System
    • User groups
    • Linux
  • Other Topics
    • Finite state machine
    • Floating point
    • Googling
    • Setup
    • Unicode
    • Machine Learning
      • Artificial Intelligence
      • Jupyter Notebook
    • Blockchain
    • Front End
      • Single Page App
      • cqrs
      • css
      • Debounce
      • Dom, Virtual Dom
      • ADP
      • htmx
      • Island Architecture
      • Why use?
      • Java and front end tech
      • mermaidjs
      • Next JS
      • javascript
        • Debounce
        • design
        • Event loop
        • testing
        • Typescript
        • react
          • Design
          • learning
          • performance
          • React JS
          • testing
      • performance
      • Static website
    • jobs
      • Tooling
      • bash text editor - vim
      • VS code
      • scaling
        • AI Assistant
        • Debugging
        • General features and tips and tricks
        • IDE - Intellij
        • Plugins
        • Spring usage
  • persistance
    • ACID - Atomicity, Consistency, Isolation, Durability
    • BASE - Basic Availability, Soft state, Eventual Consistency
    • Buffer
    • Connection pooling
    • service
    • Database Migrations - flywaydb
    • Databases
    • Eventual Consistency
    • GraphQL
    • IDs
    • indexing
    • MongoDB
    • Normalisation
    • ORacle sql
    • Partitioning
    • patterns
    • PL SQL
    • Replication and Sharding
    • Repository pattern
    • Sharding
    • Snapshot
    • Strong Consistency
    • links
    • Files
      • Areas to think of
    • hibernate
      • ORM-hibernate
    • Indexes
      • Elastisearch
    • relationships
      • many-to-many
      • SDP
      • serverless
      • x-to-x-relationships
    • sql
      • Group by
      • indexes
      • Joins
      • Common mistakes
      • operators
      • performance
    • types
      • maven-commands-on-intellij
      • in-memory-database-h2
      • Key value database/store
      • Mongo DB
      • NoSQL Databases
      • Relational Database
      • Relational Vs Document Databases
  • Security
    • OAuth
    • API Keys
    • Certificates and JKS
    • Cluster Secruity
    • Communication Between Two Applications via TLS
    • Cookies & Sessions
    • CORS - Cross-Origin Resource Sharing
    • csrf
    • Encryption and Decryption
    • Endpoint Protection
    • JWT
    • language-specific
    • OpenID
    • OWASP
    • Secrets
    • Secruity
    • Servlet authentication and Authorization
    • vault
  • Testing, Maintainablity & Debugging
    • Service-virtualization and api mocking
    • a-test-bk
    • Build Monitor
    • Builds
    • Code coverage
    • consumer-driven contract testing
    • Fixity
    • Living Documentation
    • Mocks, Stubs & Doubles
    • patterns
    • Quality Engineering
    • Reading and working with legacy code
    • Reading
    • remote-debug-intellij
    • simulator
    • Technical Debt
    • Technical Waste
    • Test cases
    • Test Data Builders
    • Test Pyramids
    • Test Types
    • Testing Good Practice
    • Testing
    • What to prime
    • What to test
    • Debugging
      • Debugging in kubernetes or Docker
    • fixing
      • How to Deal with I/O Expense
      • How to Manage Memory
      • How to Optimize Loops
      • How to Fix Performance Problems
    • Legacy Code
      • Learning
      • Legacy code
      • techniques
    • libraries
      • assertj
      • Data Faker
      • Junit
      • mockito
      • Test Containers
      • Wiremock
      • Yatspec
    • Refactoring
      • Code Smells
      • refactoring-types
      • Refactoring
      • Technical Debt
      • pyramid-of-refactoring
        • Pyramid of Refactoring
    • Test first strategies
      • Acceptance Testing Driven Developement (ATDD)
      • Behaviour Driven Development/Design - BDD
      • Inside out
      • Outside in
      • Test driven development (TDD)
    • testing
      • Acceptance tests
      • How Much Testing is Enough?
      • Approval Testing
      • Bad Testing
      • End to end tests
      • Honeycomb
      • Testing Microservices
      • Mutation testing
      • Property based testing
      • Smoke Testing
      • social-unit-tests
      • solitary-unit-tests
      • Static Analysis Test
      • Unit testing
  • Version Control - Git
    • Branch by Abstraction
    • feature-branching
    • Git patches
    • Trunk Based Development
Powered by GitBook
On this page
  • Risk Management
  • Risk Response
  • Exploits
  • Secruity controls
  • Attack vectors
  • Secruity Patterns
  • Identity and Access Management (IAM)
  • Segregation of duties and least privilege
  • Layered Security
  • Cryptography

Was this helpful?

  1. devops
  2. Infrastructure
  3. Non functional Attributes (Quality Attributes)

Secruity

  • Definition

    • information systems security can be defined as the combination of availability, confidentiality, and integrity, focused on the recognition and resistance of attacks.

    • Computer crimes use some form of gaining control over IT infrastructures

    • Preventing information being leaked or changed, preventing actions that system will take from doing something unwanted, preventing application from not working or working below standards

  • Reasons for commiting coputer crimes

    • Personal exposure and prestige

    • Creating damage

      • create bad publicity for company

      • defacing websites, bringing down systems or websites, or making internal documents public.

    • Financial gain.

      • by holding data hostage and asking for ransom, stealing credit card data, changing account data in bank systems, or stealing passwords of customers and ordering goods on their behalf.

    • Terrorism

      • creating fear and chaos in a society

      • controlling water supply or nuclear plants

    • Warfare

      • Hacking over country's systems for intel or damage

Risk Management

  • Managing security is all about managing risks.

    • If there are no risks, we don't need any security controls.

  • The effort we put in securing the infrastructure should therefore be directly related to the risk at hand

  • Definition

    • Risk management is the process of

      • determining an acceptable level of risk

      • assessing the current level of risk

      • taking steps to reduce risk to the acceptable level

      • maintaining that level.

  • A risk list can be used to quantify risks

    • Created with help of stakeholders

    • Definesthe following

      • asset: the component that needs to be protected.

      • vulnerability: a weakness, process or physical exposure that makes the asset susceptible to exploits

      • exploit: a way to use one or more vulnerabilities to attack an asset

      • probability: an estimation of the likelihood of the occurrence of an exploit (how often do we estimate this will happen)

      • Impact: he severity of the damage when the vulnerability is exploited.

      • Risk: The probablity x impact

  • Controls mitigate these risks.

    • Example: a control for the risk of laptops with sensitive data getting stolen is to encrypt the hard disk to make the data unreadable for anyone but the owner.

    • Controls can be designed and implemented based on the identified severity of the risk in the risk list.

Risk Response

  • Definition

    • An agreed upon response to each risk decided by senior management

  • Types of risk

    • Acceptance of risk

      • the risk could be accepted if the risk is very unlikely to happen and the costs of the damage imposed by exploitation of the risk is low and the cost of mitigating the risk is high.

    • Avoidance of risk

      • do not perform actions that impose risk

      • for instance, don’t host your own website or e-mail server

    • Transfer of risk

      • transfer the risk to an insurance company, if it happens, the insurance company will pay for the damage

    • Mitgation of risk and accepting the residual risk

      • How

        • Design for minimum risk

          • Design the system to eliminate as much vulnerabilities as possible.

          • Example

            • Using source code analysis in software development

            • by running critical systems stand-alone instead of connected to other systems

        • Incorporate safety devices

          • Reduce risk using devices like firewalls and hardened screened routers.

          • Dont affect the probabilty of exploit occuring, but reduces severity of the exploit

            • ie automobile seat belt doesn’t prevent a collision,

            • ie firewall oes not prevent attacks, but reduces the chance of an attacker connecting to sensitive parts of the network.

        • Provide warning devices

          • used to detect an undesirable condition, and to alert staff, or take automated actions.

          • Intrusion Detection System that alerts systems managers when a system is under attack

        • Implement training and procedures.

Exploits

  • Types of explouting a system

    • Key loggers can be maliciously installed on end user devices.

      • They can send sensitive information like passwords to third parties.

      • Someone needs to install it on the box either physically or via ssh/network using authenticated access

    • Network sniffers can show network packages that contain sensitive information or replay a logon sequence by which a hacker can successfully authenticate to an IT system.

      • wireshark

      • man in the middle attack

      • Use of https & tls to encrypt data over the wire

    • Data on backup tapes outside of the building can get into wrong hands.

      • Or extracting data via portable device (ie usb stick)

      • PCs or disks that are disposed of can get into the wrong hands

      • End users are led to a malicious website that steals information

        • phishing

      • Use of access logs, to show actions of all users

      • some alerting for certain actions

Secruity controls

  • Three goals of secruity (CIA)

    • Confidentiality

      • prevents the intentional or unintentional unauthorized disclosure of data.

      • Examples of levels

        • 1 = Public information

        • 2 = Information for internal use only

        • 3 = for internal use by restricted groups

        • 4 = secret, reputationla damage if leaked to public

        • 5 = top secret, damage to organisation ro society if leaked

    • Integrity

      • Ensures

        • No modifications to data are made by unauthorized staff or processes.

        • Unauthorized modifications to data are not made by authorized staff or processes.

        • Data is consistent

      • Examples of levels

        • 1 = integrity is of no importnance

        • 2 = errors in info are allowed

        • 3 = only incidental erros in information are allowed

        • 4 = no errors allowed, leads to reputational damage

        • 5 = no errors allowed, leads to society damage

    • Availability of information

      • ensures the reliable and timely access to data or IT resources by the appropriate staff

      • Examples of levels

        • 1 = no requirements on availability

        • 2 = some unavailability is allowed during office hours

        • 3 = some unavailability is allowed outside office hours

        • 4 = no unavailability is allowed risk to company damage

        • 5 = no unavailability is allowed risk to society damage

  • For all applications and data set, a CIA classification should be given

    • using the levels above

    • Once levels given,then controls can be implemented to mitigate the identified risks

    • Auditors can see how risk is controlled

    • project manages can calculate effort needed to make system secrure

Attack vectors

  • Attacks on the infrastructure can be executed using

    • malicious code

      • are applications that, when activated, can cause network and server overload, steal data and passwords, or erase data.

      • Types

        • Worms

          • are self-replicating programs that spread from one computer to another, leaving infections as they travel.

        • A virus

          • is a self-replicating program fragment that attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels

        • Trojan Horse

          • Some software that appears to be useful software but will actually do damage once installed or run on your computer

          • Users are usually tricked into starting them because they appear to be receiving legitimate software or files from a legitimate source. Trojan horses can be used to deliver viruses or worms.

      • Most malicious code can be detected and removed by virus scanners.

        • Detecting viruses is mostly done using a so-called virus signature– a unique string of bits that identifies a part of the virus. When a file contains this signature, it is assumed that the file is infected with the viral code.

        • Heuristic scanning looks for certain instructions or commands within a program or script that are not found in typical applications

    • denial of service attacks

      • A Denial of Service (DoS) attack is an attempt to overload an infrastructure to cause disruption of a service

      • his overload can lead to downtime of a system, disabling an organization to do its business.

      • How

        • an attacker fires off a large number of (often malformed) requests to a server reachable from the internet

        • Because of the high load the server needs to process, or because the requests fill up the request queues, the server either crashes, or performs so slow that in effect it is not functioning anymore.

      • Distributed Denial of Service (DDoS) attack is used, as more than one server is used and cannot be brought down using dos attakcs

      • can use groups of computers that are infected by malicious code, called botnets, to perform an attack.

      • To prevent

        • Split business and public resources so that in case of an attack the business processes are not effected

        • Move all public facing resources to an external cloud provider

        • Setup automatic scalability (auto scaling, auto deployment) using virtualization and cloud technology

        • Limit bandwidth for certain traffic – for instance limit the bandwidth or the maximum number of calls per second on ports 53 (DNS)

          • as increased spike in traffic is a sign of dos

        • Lower the Time to Live (TTL) of the DNS records to be able to reroute traffic to other servers when an attack occurs

        • Setup monitoring for early detection on:

          • Traffic volume

          • Source and number of requests

          • Transaction latency

      • When it occurs:

        • Immediately inform your internet provider and ask for help

        • Run a script to terminate all connections coming from the same source IP address if the number of connections is larger than ten

        • Change to an alternative server with another IP address

        • Scale-out the public facing environment under attack

        • Reroute or drop suspected traffic

      • Use of CDN can be used to route traffic to your website

    • social engineering

      • social skills are used to manipulate people to obtain information, such as passwords or other sensitive information, which can be used in an attack.

      • Use of cognitive biases

    • phishing

      • a technique of obtaining sensitive information.

      • Typically, the phisher sends an e-mail that appears to come from a legitimate source, like a bank, requesting "verification" of information.

        • The e-mail usually contains a link to a fraudulent web page that seems legitimate, with a form that captures your sensitve data like passwords, pins etc

    • Baiting

      • uses physical media, like an USB flash drive, and relies on the curiosity of people to find out what is on it.

      • The media is infected

      • Turn off auto run

Secruity Patterns

Identity and Access Management (IAM)

  • the process of managing the identity of people and systems, and their permissions

  • STeps

    • Users or systems claim who they are:

      • identification – they provide their identity, typically their name.

    • The claimed identity is checked:

      • authentication – identities provide for instance a password, which is checked

    • Permissions are granted related to the identity and the groups it belongs to:

      • authorization – identities are allowed into the system

  • Connecting identities and their permissions

    • ie the kernel of an operating system owns an administration of users and a list of user rights that describes which identities are allowed to read, write, modify, or delete files. Trusted Computing Base (TCB)

  • USed in apps, database and systems

  • Single Sign-On (SSO), a user logs in once and is passed seamlessly, without an authentication prompt, to SSO enabled applications.

    • risk when the login credentials of a user are known, an attacker gains access to all SSO enabled systems for that user.

    • SSO is typically implemented using identity providing systems like LDAP, Kerberos, or Microsoft Active Directory.

    • Users authenticate to these identity providers, and applications trust the identity provider, so they allow access when a user is authenticated

    • Federated identity management extends SSO above the enterprise level, creating a trusted identity provider across organizations.

      • participating organizations share identity attributes based on agreed-upon standards, facilitating authentication from other members of the federation and granting appropriate access to systems

  • users can be authenticated in one of three ways:

    • Something you know, like a password or PIN

      • Many systems only use a username/password combination

    • Something you have, like a bank card, a token or a smartphone

    • Something you are, like a fingerprint or an iris scan

    • systems use multi-factor authentication, where at least two types of authentication are required

      • n ATM machine, where both a bank card is needed (something you have) and a PIN (something you know)

  • Role Based Access Control (RBAC) model

    • identities are members of one or more groups (typically related to their roles in the organization) and, instead of granting permissions to individual identities, groups are granted permissions. And since groups can be nested (a group is member of another group)

Segregation of duties and least privilege

  • Also known as separation of duties

    • assigns related sensitive tasks to different people or departments.

    • The reasoning is that if no single person has total control of the system’s security mechanisms, no single person can compromise the system

    • ie Vault, cannot access system as root unless x number keys are used

  • principle of least privilege.

    • that users of a system should have the lowest level of privileges necessary to perform their work, and should only have them for the shortest length of time.

  • In many organizations, a systems manager has full control of the system’s administration and security functions.

    • bad idea

    • Security tasks should not automatically be given to the systems manager.

    • In secure systems, multiple distinct administrative roles should be configured, like a security manager, a systems manager, and a super user.

      • The security manager, systems manager, and super user may not necessarily be different people (but this would be preferred of course).

      • these roles are controlled, logged, and audited

    • a two-man control policy can be applied, in which two systems managers must review and approve each other’s work.

      • minimize fraud or mistakes in highly sensitive or high-risk transactions.

Layered Security

  • also known as a Defense-In-Depth strategy

  • to implement security measures in various parts of the IT infrastructure

    • comparable with physical security

      • place as many different barriers to cross

      • each barrier requires differetn skills

      • Increase time to break down barriers, increase risk of detection

      • Number of barriers should be unknown (or changing)

      • All barriers are independet, when one is crossed the others remain intact or if it has a vulnerability

  • Each layer can be integrated with an Intrusion Detection System

  • A disadvantage of implementing layered security is that it increases the complexity of the system.

  • Every security layer must be managed, and systems managers must have knowledge about all used technologies

    • a risk if they are compromised

Cryptography

  • the practice of hiding information using encryption and decryption techniques.

  • Encryption is the conversion of information from a readable state to apparent random data.

    • Only the receiver has the ability to decrypt this data, transforming it back to the original information

  • A cipher is a pair of algorithms that implements the encryption and decryption process.

    • The operation of a cipher is controlled by a key.

    • The key is a secret onlyknown by the sender and receiver

    • Two types of ciphers:

      • block ciphers

        • takes as input a block of plaintext and a key, and outputs a block of cipher text.

        • popular ones The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES)

          • DES is deprecated, more secure is triple DES

        • uses

          • ATM machine data encryption to e-mail privacy and secure remote access

      • stream ciphers

        • create an arbitrarily long stream of key material, which is combined with the plaintext bit-by-bit or character-by-character.

        • used when data is in transit using a network

        • the output stream is created based on a hidden internal state which changes as the cipher operates. That internal state is initially set up using a secret key. RC4 is a widelyused stream cipher.

Symmetric key encryption

  • Symmetric key encryption is an encryption method where both the sender and receiver share the same key.

  • example

    • X sends a file to Y and encrypts it before sending using a cipher and a secret shared key. Upon receiving the file, Y’s cipher decrypts the data stream using the same key, leading to the original file. Both ciphers use the same secret shared key, only known by X and Y

  • disadvantage

    • the key management necessary to use them securely. Each pair of communicating parties must share a different key.

    • The number of keys increases exponentially with number of users

    • The difficulty of securely establishing a secret key between two communicating parties, when a secure channel does not already exist between them, also presents a chicken-and-egg problem.

Asymmetric key encryption

  • two different but mathematically related keys are used: a public key and a private key.

  • The public key may be freely distributed and is for instance published on the organization’s website. Its paired private key must remain secret by the organization

  • Example

    • X sends a file to Y and encrypts it before sending using a cipher and Y’s public key. The encrypted file can only be decrypted using Y’s private key (which must be kept a secret to everyone but Y). Upon receiving the file, Y’s cipher decrypts the data using his private key, leading to the original file.

    • When Y wants to send a file to X, X’s public and private keys are used

  • disadvantage

    • very slow process

      • it is mostly used to setup a channel between two parties, to safely exchange a new, temporary symmetric key,

      • After exchanging symmetric keys, the rest of the communication is done using much faster symmetric key encryption.

  • Commona algorithms

    • Diffie–Hellman and RSA algorithms

Hash functions and digital signatures

  • Hash functions take some piece of data, and output a short, fixed length text string (the hash) that is unique for that piece of data and which can be used to validate the integrity of the data

    • practically impossible to find two pieces of data that produce the same hash

    • If the hash of a piece of data is known, and the hash is recalculated later and it matches the original hash, the data must be unaltered

  • The length of this hash will not grow, even if the input for the hash function is increases

  • Popular hash functions

    • MD5, SHA1 and SHA512

  • To create a digital signature, a hash is created of some text (like an e-mail) and encrypted with the private key of the sender

    • The receiver decrypts the hash key using the sender's public key.

    • The receiver also calculates the hash of the text and compares it with the decrypted hash to ensure the text wasn't tampered with

    • Since the hash was encrypted using a private key, it is guaranteed that the hash was created by the owner of the private key

  • Used

    • network security schemes (like SSL/TLS and many VPNs

Cryptographic attacks

  • It is scientifically proven that a so-called one-time pad cipher is unbreakable, provided the key material is truly random, never reused, kept secret from all possible attackers, and of equal or greater length than the message.

    • Very impractical

    • as the key must be exchanged between sender and receiver in a safe way, and the key has the same length as the data to be transferred. So, you might as well exchange the data in a safe way instead of the key.

  • brute force attack

    • Most ciphers, apart from the one-time pad, can be broken given enough computational effort

    • consists of systematically checking all possible keys until the correct key is found.

    • The amount of effort needed, however, is usually exponentially dependent on the size of the key

  • Effective security could be achieved if it is proven that no efficient method (as opposed to the time consuming brute force method) can be found to break the cipher.

  • Most successful attacks are based on flaws in the implementation of an encryption cipher.

  • You should not do create own chipher

    • use open source ciphers

PreviousPerformanceNextmonitoring

Last updated 3 years ago

Was this helpful?