
CFObjective() 2008 - Full Google Notebook

Here is a link to my full CFObjective() 2008 Google Notebook. It has a little nicer format than the BlogCFC posts.

CFObjective() 2008 Google Notebook

CFObjective() 2008 - Day 3 - Clustering and Distributing ColdFusion Applications

Mike Brunt - Alagad

Clustering is becoming more and more important in the CF world. Think about it from the beginning of a project; for example, think about paths, locale issues, etc. Topics covered: software clustering (Java, CF, JRun), hardware clustering considerations, combined hardware and software clustering, and load testing the different balancing algorithms. Simply going from 1 server to 2 servers in a cluster is a huge leap in reliability.

If you are really interested in High Availability, you need to have two of everything, 2 routers, 2 firewalls, etc. A Load Balancer should really be called a "Clustering Device" because load balancing is only a part of clustering. Not sure if I agree with this because our load balanced servers have no connection to each other. They don't communicate between themselves, which I would view as vital to the idea of a cluster.

Mike will be looking at the Win2K3 Network Load Balancer on his blog. He will also be looking at Barracuda products, which are much cheaper than BigIP.

For CF clustering, he recommends round-robin with sticky sessions.

Remember that with clustering, if you have a hardware device that pings a page for availability, make sure the page you are pinging is OUTSIDE of your main application. You don't want every probe pulling in a big Application.cfc, framework bootstrap, etc. This is a very common mistake.
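One way to build such a probe page in ColdFusion, as an added example written for these notes rather than code from Mike's session: a /health/ directory gets its own minimal Application.cfc, so ColdFusion's directory walk stops there and the monitor's request never loads the main application's Application.cfc, and a health.cfm answers 200 only when the database responds, 503 otherwise so the load balancer pulls the node. The datasource name appDSN is an assumption.

```cfml
<!--- /health/Application.cfc (constructed example). ColdFusion uses the
      first Application.cfc it finds walking up from the requested page,
      so this tiny one shields the probe from the main app's
      Application.cfc: no onApplicationStart, no framework, no sessions. --->
<cfcomponent output="false">
    <cfset this.name = "healthcheck">
    <cfset this.sessionManagement = false>
    <cfset this.clientManagement = false>
</cfcomponent>

<!--- /health/health.cfm: the page the load balancer's monitor requests.
      "appDSN" is an assumed datasource name for this example. --->
<cfsetting showdebugoutput="false" requesttimeout="5">
<cfset status = "OK">
<cftry>
    <!--- cheapest possible round trip to the database; the query timeout
          keeps a hung database from hanging the probe itself --->
    <cfquery name="ping" datasource="appDSN" timeout="2">
        SELECT 1 AS alive
    </cfquery>
    <cfif ping.recordCount NEQ 1>
        <cfset status = "DB">
    </cfif>
    <cfcatch type="any">
        <cfset status = "DB">
    </cfcatch>
</cftry>
<cfif status EQ "OK">
    <cfheader statuscode="200" statustext="OK">
<cfelse>
    <!--- 503 is what most balancers treat as "take me out of rotation" --->
    <cfheader statuscode="503" statustext="Service Unavailable">
</cfif>
<cfcontent type="text/plain" reset="true"><cfoutput>#status#</cfoutput>
```

Point the balancer at /health/health.cfm and have it key on the status code, not on page content. Keep the probe cheap: one trivial query is enough to prove the node can reach the database, and anything heavier turns the monitor itself into load.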

Paessler - Web Server Stress Tool (http://www.paessler.com/) - This is the tool that Mike uses for load testing. Very cheap compared to alternatives.

Mike went through a sample CF8 install. He said that when you install at the very beginning you should use the CF built-in webserver for the Master CF instance because you are only going to use it for setting up other instances. Oops.

CFObjective() 2008 - Day 3 - Cairngorm for ColdFusion Developers

Building Flex apps using Cairngorm

Why does Cairngorm seem so difficult? Most explanations tend to over-explain the patterns in CG. Forget that and just focus on an easily-repeatable approach. MATE is another potential Flex framework to check out.

Download from labs.adobe.com/wiki/index.php/Cairngorm. Add it to the Flex Project Build Path > Add SWC.

The FrontController determines where to route requests, like the controllers in other CF frameworks. A Command executes the service via a Delegate and receives the data back in result(). The Delegate encapsulates access to the business service. The ModelLocator maintains the state of the app (similar to App.cfm) and exposes it to views via data binding.

You might use CG if your project is of moderate to high complexity or has several or more use cases, or if you are working with a group of devs. Don't try to learn it at the same time as learning Flex in general.

CFObjective() 2008 - Day 3 - Prototyping Apps with Flex

WireFrame Viewer/Editor 5.0 from RIA Forge - Pretty good wireframing tool, but it requires Fusebox 5. Still though, this could be really big for us. We might want to try it out.

Styling vs. skinning Flex apps. Styling will keep them looking like Flex apps. You can, however, completely skin Flex apps by using the skinning features built into Flex Builder, which integrate with other Adobe products. You can use Flash, Illustrator, Fireworks, or Photoshop. Flash and Illustrator are best because they create vector graphics rather than the raster images Photoshop produces. You can create a skin in Flash and have Flex Builder import it completely into your Flex app. Skinning via Flash gains a slight advantage in file size, but it's not as robust.

Applying the Flex 3 skinning extension to a CS3 product gives you access to every element (with each of its states) available to a Flex app. You can skin any of it.

Flex Builder 3 has much better CSS editing and skinning than 2. If you style a component in Design mode, you can create CSS from those styles. Change the style on one button and use Convert to CSS in order to get all your buttons with the same style name (class) to look the same.

Everything you create in your Flex prototype can be used in the actual product... if the final product is Flex app!

scale9.com - easy Flex skins for download

All of this assumes that your final app is going to be a Flex app. :( I was assuming that we were going to talk about using Flex Builder as a wireframing tool for traditional apps. That's where the first half of the presentation was leading, and then Scott suddenly assumed that your final app was going to be in Flex. I asked if he would recommend using Flex Builder simply as a rapid wireframing tool, and he said no. I sort of thought that was the whole point of the session. Oh well, there was still a lot of neat info about Flex skinning.

CFObjective() 2008 - Day 2 - PCI-DSS

Resources: labs.fusionlink.com and pcianswers.com

Created by the major credit card companies to protect cardholder info. The standard is at pcisecuritystandards.org; the actual doc is only 16 pages.

PCI compliance is Pass/Fail - either you have it 100% or nothing.

Applies to any company that processes, transmits, or stores CC info, web or brick and mortar. It is enforced by the merchant account issuer.

Non-compliance can result in fines of $90-$500 per card exposed, plus reimbursement of fees incurred from the breach. This is enforced contractually through the agreement you sign when you obtain your merchant account. You need liability insurance if you do any CC work.

Other state or federal laws that might apply:

- Basel II
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley
- California Bill AB 779

Merchant Levels

- Level 1 - over 6 million transactions
- Level 2 - 1 to 6 million
- Level 3 - 20,000 to 1 million
- Level 4 - less than 20,000

The rules for each level are slightly different. The levels are not set in stone.

Level 4 merchants are supposed to do a self-audit annually with sign-off of CTO-level person.

What is in PCI-DSS? 6 logical areas with 12 requirements

Maintain a secure network

- Install and maintain a firewall
- Document the list of services and ports used
- Have a formal process for approving and testing external connections
- Quarterly review of firewall and router rule sets
- The firewall should deny all traffic other than what is explicitly allowed
- DB servers must be segregated from the DMZ
- Personal firewall software needs to be on mobile devices with access to the network

Maintain a Secure Network

- Do not use default passwords
- Eliminate unnecessary accounts
- Only 1 primary function per server (web, db, dns, etc.)
- Disable all unnecessary scripts, drivers, features
- Encrypt all data moving in and out of the server (SSH, SFTP, etc.)

Protect Cardholder Data

- Keep cardholder data storage to a minimum, and only for as long as the business needs it (e.g. the length of a 30-day money-back guarantee)
- Do not store the card verification number (CVV). Never.
- Do not store the card's PIN
- Mask the PAN when displayed, for example show only the last 4 digits
- Encrypt the PAN (the actual card number) when it is stored, using industry-standard encryption
- Encrypt transmission of cardholder data across networks (SSL, etc.)
- Never send PANs via (unencrypted) email

Maintain a Vulnerability Management Program

- Update anti-virus software and make sure it's good stuff
- Everything needs to be logged
- Develop and maintain secure systems and apps
- All software needs to have the latest patches (within a month of release)
- Maintain separate dev, test, and production environments
- Live PANs cannot be used for testing
- Code must be reviewed for vulnerabilities before going live

Regarding ColdFusion

Cover these common coding vulnerabilities:

- Unvalidated input
- Broken access control
- Broken authentication and session management (use of session cookies)
- Cross-site scripting attacks
- Buffer overflows
- Injection flaws
- Improper error handling
- Insecure storage
- Denial of service

And these requirements:

- Session timeouts must be 15 minutes or less!
- Client management, if used, must store client variables in a database
- "scriptprotect" in cfapplication needs to be set to "all", though it's poor protection on its own
- Have all code reviewed for these common vulnerabilities by an outside org that specializes in security by June 30, 2008, or put a Web Application Firewall in front of the app (port80.com)

Implement Strong Access Control Measures

- Assign a unique ID to each person with computer access, and log their access. FTP is usually a failing here (shared accounts).
- All passwords must be encrypted. Minimum 7 characters, alphanumeric.
- Lockout policy: no more than 6 attempts, with logging and notification.
- Physical access needs to be secure
- Distinguish employees from non-employees (visitors)

Regularly Monitor and Test Networks

- Audit trails
- Clocks must be synchronised
- Back up logs off the server
- Review logs daily! HAHAHAHa
- Retain logs for 1 year
- Test security controls annually
- Run internal/external scans quarterly. Companies who provide this vary WIDELY in quality.
- Perform penetration testing annually
- Use network intrusion detection systems. You need to be alerted to an attack.

Maintain a Security Policy

- Establish and publish a security standard
- Develop daily operations procedures
- Implement a formal security awareness program for all employees
- Educate employees upon hire and annually
- Outside vendors are required to be PCI compliant

XSS - cross-site scripting is probably the area you should focus on. And logging is very important. For example, if you scrub data, you might want to log the dirty data first, before you scrub it, so you can see what people are trying to do.
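The ColdFusion settings and helpers the checklist above calls for, as an added example written for these notes rather than code from the session. The first file is an Application.cfc with the session-timeout, client-storage and scriptProtect settings; the second is a CardInput.cfc with a Luhn-check validator (a standard input check that goes beyond what the session listed), a PAN-masking function for display, and a scrub-and-log helper that records suspicious free-text input before neutralising it. The datasource name clientStoreDSN and the log file name dirtyinput are assumptions.

```cfml
<!--- Application.cfc (constructed example): the settings the PCI checklist
      above calls out for a ColdFusion app --->
<cfcomponent output="false">
    <cfset this.name = "storefront">
    <cfset this.sessionManagement = true>
    <!--- idle sessions must die within 15 minutes --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
    <!--- client variables, if used at all, go to a database datasource,
          never the registry or cookies ("clientStoreDSN" is an assumed name) --->
    <cfset this.clientManagement = true>
    <cfset this.clientStorage = "clientStoreDSN">
    <!--- strips obvious <script>/<object> payloads from form/url/cgi/cookie;
          weak on its own, so every field is still validated separately --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- CardInput.cfc (constructed example): helpers used when handling a
      payment form --->
<cfcomponent output="false">

    <!--- Luhn check so a "PAN" field at least has the shape of a card number;
          validation only, it proves nothing about the account --->
    <cffunction name="isValidPAN" returntype="boolean" output="false">
        <cfargument name="pan" type="string" required="true">
        <cfset var digits = reReplace(arguments.pan, "[^0-9]", "", "all")>
        <cfset var sum = 0>
        <cfset var i = 0>
        <cfset var d = 0>
        <cfset var dbl = false>
        <cfif len(digits) LT 13 OR len(digits) GT 19>
            <cfreturn false>
        </cfif>
        <cfloop from="#len(digits)#" to="1" index="i" step="-1">
            <cfset d = val(mid(digits, i, 1))>
            <cfif dbl>
                <cfset d = d * 2>
                <cfif d GT 9><cfset d = d - 9></cfif>
            </cfif>
            <cfset sum = sum + d>
            <cfset dbl = NOT dbl>
        </cfloop>
        <cfreturn (sum MOD 10) EQ 0>
    </cffunction>

    <!--- what the screen, the receipt e-mail and the logs may show:
          only the last four digits --->
    <cffunction name="maskPAN" returntype="string" output="false">
        <cfargument name="pan" type="string" required="true">
        <cfset var digits = reReplace(arguments.pan, "[^0-9]", "", "all")>
        <cfif len(digits) LE 4>
            <cfreturn repeatString("*", len(digits))>
        </cfif>
        <cfreturn repeatString("*", len(digits) - 4) & right(digits, 4)>
    </cffunction>

    <!--- "log the dirty data before you scrub it": record what was submitted
          in a free-text field, then neutralise it for output. Never route
          card fields through this; a PAN or CVV in a log file is itself a
          PCI failure. Log maskPAN(pan) instead. --->
    <cffunction name="scrubAndLog" returntype="string" output="false">
        <cfargument name="fieldName" type="string" required="true">
        <cfargument name="value" type="string" required="true">
        <cfset var clean = htmlEditFormat(arguments.value)>
        <cfif clean NEQ arguments.value>
            <!--- only the suspicious submissions, truncated so an attacker
                  cannot fill the disk through the log --->
            <cflog file="dirtyinput" type="warning"
                   text="#cgi.REMOTE_ADDR# #arguments.fieldName#: #left(arguments.value, 500)#">
        </cfif>
        <cfreturn clean>
    </cffunction>
</cfcomponent>
```

Two caveats a practitioner will want. Masking is for display only; whatever is stored still has to be encrypted, and the CVV is never stored at all. And the "log the dirty data" advice has a limit: the log file is now part of the environment that holds untrusted input, so it must be protected, rotated, and must never receive cardholder fields, or the logging itself becomes the finding.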

Keep in mind!

CC transactions can be outsourced completely to a payment provider. If card data never touches your systems, most of the PCI burden no longer applies to you. Duh, thanks for telling us this at the very end of the presentation.

CFObjective() 2008 - Day 2 - Extreme Makeover: Creating an AIR app from a Flex app

Rob Rusher (www.robrusher.com) - Flex and AIR instructor, ACE, and author of "AIR: Desktop Applications with Flex"

Turning YAFA from Flex to AIR (www.keaura.com/photosearch/)

Add Network Detection

SDK classes: URLMonitor (port 80) or SocketMonitor (alternate ports). Call addEventListener for StatusEvent.STATUS, then invoke the start() method.

Example: listen for the Flickr API using URLMonitor. The monitor will continually check for a connection and then mark it as available or unavailable.

Add Native Windows (that you will see in your task bar)

SDK classes: NativeWindow, NativeWindowInitOptions. MXML component: Window. Call addEventListener for Event.CLOSING (there is also a CLOSED event) and NativeWindowBoundsEvent.RESIZING. Interactive full-screen: StageDisplayState.

Add HTML Content

Open-source WebKit (webkit.org), also used by Safari. SDK class: HTMLLoader. MXML component: HTML.

Add File System Access

SDK classes: File, FileStream, FileMode. Synchronous or asynchronous.

Add Embedded Database (SQLite)

Look for SQLite Administrator: http://sqliteadmin.orbmu2k.de/

SDK classes: SQLConnection, SQLStatement, SQLResult. Synchronous or asynchronous.

Other Things You Can Add

- Native menus
- Taskbar, system tray and dock icons
- Application update
- User presence
- Encrypted local storage
- PDF and DRM support

Check the AIR Marketplace for sample apps (that will often also provide source)

CFObjective() 2008 - Day 2 - Flex: No Frameworks Required

There was no way to really take any applicable notes. This session was virtually all demo.

CFObjective() 2008 - Day 2 - Building Apps for Multiple UIs

Matt Woodward

Domain Model is the most important. Use UML to think things through. Easier to change a diagram. Objects and Methods.

The database is not that important. It shouldn't drive your application design. On the app side, think about objects, not tables, etc. Only worry about your DB once your domain model has been worked out.

Very Important Concepts

- Cohesion: the degree to which an object does one thing and does it well.
- Coupling: the degree to which objects depend on one another.

Strive for high cohesion and loose coupling.

Biz Logic is most important

Beans and DAOs. A bean is a small object like a person (person.cfc) in a contact manager, with getters and setters for each piece of data; the bean is just a container for the object's data. The DAO (personDAO.cfc) talks to the database about the bean. (PersonGateway.cfc handles queries that return multiple records.)

Service Layer (the biz logic's receptionist). Everything must go through it to get to the biz logic. Critical for reusability of your biz logic.

CF/AIR/Flex > Service Layer > Biz Logic

Controller Layer Can be a framework, etc. Roll your own.

UI Layer You can pick any that you like. All UIs talk through their controllers to access the Service Layer

(Matt was whipping through the slides.... need to download the pres after the conf)

Contact Manager App Demo using HTML, AJAX, and Flex with no code changes.

CFObjective() 2008 - Day 2 - Using ANT to make development easier

ANT requires the use of source control because it's a scripting tool that does a bunch of things automatically... can mess things up if you get it wrong. You'll need to be able to restore if necessary.

Latest version is 1.7. It is Java-based; Eclipse bundles ANT 1.6.5, so it can be used right out of the box with Eclipse.

Automated software builds. XML file describes the build and dependencies. Similar to shell scripting.

Benefits of build tools. Reduce errors during testing, etc. Save time not having to do tedious tasks. Can hook into CruiseControl, Hudson, CFCUnit, Selenium, etc.

Common uses of ANT

Packaging and deploying your app to Test, Production. Moving, modifying application elements. Usually the app on your machine or Dev is not configured the same way that it would be in Production. ANT handles this.

Application testing. Functional testing (Selenium), unit testing (CFCUnit, MXUnit), database testing (DBUnit). Selenium sounds awesome... in-browser testing.

Automatic CFC documentation generation (CFC.doc tool via "get" task). Automatic "var" scope checking (VarScoper via CSV output). Email results regarding success/fail of targets.

The build.xml file - Can be verbose and confusing.

Eclipse features a useful built-in editor with code insight. The build.xml is located in the root of the project. ANT targets can be executed from Eclipse. (An ANT target is a named group of tasks; tasks such as copy or javac are the individual steps.)

Anatomy of a build file

The <project> root node carries the "name" of the project, the "default" target to execute if no target is specified, and "basedir", usually left at ".". "." is the directory containing build.xml, similar to getCurrentTemplatePath() in CF. Use relative paths because absolute paths are less portable.

<property> elements are used to set variables used in targets, config details, etc.

...lots of too-specific details for now.

Selenium - functional testing framework used to test the UI of the application. Use the Selenium ANT runner to automate tests by creating a test suite. The test suite file location is a disk path, not a URL, and must point to the test suite, not to a single test case.

Demo was very cool.

CFCUnit hasn't been updated in a long time. Can't work with ANT without compiling it yourself, etc. Use MXUnit instead.

ANT can also link into other tools to minify JS and CSS files. YUICompressor can compress CSS files. Neat.

SVNANT is used for linking ANT with Subversion.

"ANT in Action" is the best book available

CFObjective() 2008 - Day 2 - Selling Professional Development

How to get everyone else to use the modern development tools and techniques that you do. ;)

"Pragmatic Programmer"

Things we should probably use in the office:

Eclipse (with Aptana and Flex Builder) - With Aptana, I have officially and completely switched over to Eclipse.

Local Development - for full server control, general debugging, step debugging, speed, stability. All the peeps here consider a shared Dev server to be a bad thing.

Subversion - The CF community uses Subversion. Nobody uses Surround. Nobody has even heard of it. (http://tortoisesvn.tigris.org/ - Tortoise as an interface)

ANT (possibly) - For builds. Or even simply EAR packaging for build deployment.

CFCUnit - I really know nothing about this, but it comes up again and again in these sessions. It is just assumed that everyone uses it.

Frameworks - Possibly Model Glue for Phoenix. Since we are building from scratch, it might be valuable to invest the effort to learn and use a framework so we are all coding in the same way. This is difficult and initially painful, but it may pay off big time for everyone.

Tactics: How do we go about doing all of this?

- Focus on the specific needs and goals of your organization. Maybe we don't need to use everything above, but maybe just one or two can really help us improve. We don't necessarily NEED to use Model Glue, but perhaps generally adopt the MVC paradigm.

- Demonstrate - Create a demo or something that exhibits the benefits of the tool/idea.

- Focus on compromise and on things that remove restrictions. The example here was an org that forced all SQL to be in stored procedures, but a dev wanted to use Coldspring. Coldspring uses cfqueryparam in its generated code, which solved the same issues (SQL injection) that prompted the org to adopt their stored procedure rule in the first place. All the other devs were happy because they hated the stored procedures.
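What the cfqueryparam compromise actually buys, as an added example that is not from the session: the concatenated query that prompted the stored-procedure rule beside the parameterized version. The datasource appDSN and the users table are assumptions.

```cfml
<!--- UserDAO.cfc (constructed example). "appDSN" and the users table are
      assumptions for this example. --->
<cfcomponent output="false">

    <!--- The problem the stored-procedure rule was meant to solve: the raw
          value is pasted into the SQL text. id = "1 OR 1=1" returns every
          row, and a trailing ";" lets an attacker append statements. --->
    <cffunction name="getUserUnsafe" returntype="query" output="false">
        <cfargument name="id" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="appDSN">
            SELECT id, username FROM users WHERE id = #arguments.id#
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- What cfqueryparam gives you: the value travels as a typed bind
          parameter, so the database never parses it as SQL, and the type
          check rejects "1 OR 1=1" before the query runs at all. --->
    <cffunction name="getUser" returntype="query" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="appDSN">
            SELECT id, username FROM users
            WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Strings get the same treatment; maxlength is a cheap extra check
          that a 4 KB "username" never reaches the database. --->
    <cffunction name="findByUsername" returntype="query" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="appDSN">
            SELECT id, username FROM users
            WHERE username = <cfqueryparam value="#arguments.username#"
                                           cfsqltype="cf_sql_varchar" maxlength="64">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

The limit to keep in mind when selling this: cfqueryparam binds values only. Table and column names, ORDER BY clauses and the like cannot be bound, so any of those that come from user input still need a whitelist check, which is the one case where the stored-procedure camp's instinct was right.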

- Bridge gaps - Perhaps you can't get everyone to move over all at once, but you can make incremental changes.
