Learn from Java Champion Brian Demers: Talking Security & Software Development

Brian Demers is a Developer Advocate at Gradle and a PMC member for the Apache Shiro project. He spends much of his day contributing to OSS projects in the form of writing code, tutorials, blogs, and answering questions. Along with typical software development, Brian also has a passion for fast builds and automation.

Away from the keyboard, Brian is a beekeeper and can likely be found playing board games. You can find him on Twitter at @BrianDemers and most other places as ‘bdemers’.

Dreamix: What is the most common security mistake programmers make? 

Brian Demers: Not thinking about security or trying to add it at the last minute. Security needs to be considered at all levels of your application. Just as important, after your application is deployed, it must be updated regularly to avoid vulnerabilities.

Dreamix: Do we need to report a vulnerability? If yes, then is there a situation where it is good not to do it? 

Brian Demers: Yes, vulnerabilities should be reported! I think more projects and companies should be more transparent about reporting vulnerabilities; there is a fear that a vulnerability in a project will taint the project, or public companies may fear it could affect the stock price, so they remain silent; this behavior hurts the whole industry.

Developers know all software has bugs; we also know security is complex, but somehow we don’t expect there to be security issues. Instead, we should assume there will be security issues and have a plan for dealing with them.

Vulnerabilities should be reported responsibly whenever possible (allowing the project to fix the issue before it is announced to the world). However, if an exploit is already out in the wild, it should be disclosed immediately.

Dreamix: When to Use JWT vs. OAuth or both? 

Brian Demers: It depends on the use case, but developers should be more focused on higher-level protocols like OAuth 2.0 or OpenID Connect. A JWT by itself is just a way to encode data, not a security protocol, so whether to use JWTs or not should be an implementation detail. 

Dreamix: How to avoid session replication or clustering if a web server fails or is taken down for any reason when we are using load balancer?

Brian Demers: Developers are led to believe that server-side sessions are bad and we should chase stateless applications. Sometimes that makes sense, but for most browser-based apps, sessions are a great option.

Dreamix: If need to refactor legacy monolith applications from where to start and how to organize the process?

Brian Demers: There is no one size fits all answer for this. To me, the term “legacy” typically means there are no tests, or it’s an application that is painful to work on (slow builds, flaky tests, etc.); refactoring will not help unless you fix the underlying problems.

If the monolithic application is a single module (Maven or Gradle), I suggest breaking it into separate sub-modules. Be sure to move or add relevant tests for each of those modules. If the build is slow, that means you have a lot of tests; that’s a good thing! But, if that is the problem you are trying to address, you could also look into other techniques to speed up your build.

Parts of your legacy application could probably be replaced with a modern framework (Spring Boot, Quarkus). Use that framework to replace the boilerplate of your application. One of my favorite things to do is delete code!

Dreamix: Apache Shiro, Keycloak, Spring Security…. Which one to choose?

Brian Demers: I suggest using the security library that is built into the framework you are using if possible.

Dreamix: Apache Shiro and Unit tests. How to handle it? The fastest and the proper way.

Brian Demers: Apache Shiro provides some examples of tests running with a Subject (a user). The examples listed use an older version of JUnit, but the same patterns can be used with any testing framework. 

Dreamix: TDD, BDD – exoticism or the right way to develop applications?

Brian Demers: Any form of development that puts an emphasis on testing is the right approach. Personally, I try to follow TDD practices, for me, writing tests is not only how I tell if my code works, but it’s one of the ways I check if the code reads well and is understandable when it’s actually used. Those things are hard to figure out if you don’t have a way of executing your code.

Dreamix: Every project is built by a team. If you had to define the composition of the team, what would it look like? How many programmers will it be built by? Will there be manual/automation testers and product analysts involved?

Brian Demers: Like everything in software development, the answer is “it depends”. The team makeup providing lower-level SDKs would look different than an end-user-facing application. Similarly, the team required to build a medical application would differ from developer-focused applications. I like to work on teams where there is a diverse set of knowledge and people that can help level up my skills.

Dreamix: When you work on a big project, you inevitably face the problem of too many meetings. How do you organize your time in such a situation?

Brian Demers: Software development is a craft that requires focused time; however, we also need to communicate with each other. I have a few suggestions for dealing with the “too many meetings problem”:

– Start company or engineering-wide no-meeting days; pick a day or two Tuesay-Thrusday as the day (Monday and Friday are often long weekend days, so choose a different day).

– Block out time in your calendar, 2-4 hours at a time, and turn off your notifications unless you are on-call; your team can live without you for a few hours.

– Decline meetings. Unless you are going to actively participate in the meeting, don’t go. Read the meeting notes or transcript. My rule is if there are more than 15 people in the meeting, I think twice about whether I need to be there.

Dreamix: How do you update yourself about the latest trends in Java?

Brian Demers: This is a great question! There are a ton of great resources out there: blogs, videos, tutorials, etc. I learn things by doing, so I need to hack on code. One way to do this is to create a small-ish application and write multiple times, each time using different frameworks, patterns, or techniques (similar to a code kata). By recreating the same application, you can focus more on the code and less on the problem.

Dreamix: Can you recommend a favorite book about programming? What about a favorite book in general?

Brian Demers: Some of my favorite programming books are a little older now, and I’m a little behind in my reading list; I have a couple of books on my desk’s read-me pile that are screaming at me right now. Outside of programming, some of my favorite series are Bobiverse, Magic 2.0, and Red Rising.

Is there anything else you would like to ask Brian Demers? What is your opinion on the questions asked? Who would you like to see featured next? Let’s give back to the Java community together!

Do you want more great blogs like this?

Subscribe for Dreamix Blog now!