SE Radio 658: Tanya Janca on Secure Coding

Software architect and author Vlad Khononov joins host Jeff Doolittle for a discussion on balancing coupling in software design. They start by examining coupling and its relationship to complexity and modularity. Vlad explains the historical models for assessing coupling and introduces his updated approach, integration strength, which aims to simplify earlier frameworks and adapt them for modern practices. The episode explores three dimensions of coupling: integration strength (knowledge sharing), distance (proximity of components), and volatility (likelihood of change). Vlad illustrates how design decisions can lead systems toward complexity or modularity, and he emphasizes the importance of managing coupling to minimize cognitive load and cascading changes. The conversation wraps up with insights on applying these principles to real-world software projects and a reminder of coupling's critical role in software architecture. Brought to you by IEEE Computer Society and IEEE Software magazine.

Sunil Mallya, co-founder and CTO of Flip AI, discusses small language models with host Brijesh Ammanath. They begin by considering the technical distinctions between SLMs and large language models.  LLMs excel in generating complex outputs across various natural language processing tasks, leveraging extensive training datasets on with massive GPU clusters. However, this capability comes with high computational costs and concerns about efficiency, particularly in applications that are specific to a given enterprise. To address this, many enterprises are turning to SLMs, fine-tuned on domain-specific datasets. The lower computational requirements and memory usage make SLMs suitable for real-time applications. By focusing on specific domains, SLMs can achieve greater accuracy and relevance aligned with specialized terminologies. The selection of SLMs depends on specific application requirements. Additional influencing factors include the availability of training data, implementation complexity, and adaptability to changing information, allowing organizations to align their choices with operational needs and constraints. This episode is sponsored by Codegate.

Pete Warden, CEO of Useful Sensors and a founding member of the TensorFlow team at Google, discusses TinyML, the technology enabling machine learning on low-power, small-footprint devices. This innovation opens up applications such as voice-controlled devices, offline translation tools, and smarter embedded systems, which are crucial for privacy and efficiency. SE Radio host Kanchan Shringi speaks with Warden about challenges like model compression, deployment constraints, and privacy concerns. They also explore applications in agriculture, healthcare, and consumer electronics, and close with some practical advice from Pete for newcomers to TinyML development. Brought to you by IEEE Computer Society and IEEE Software magazine.

Brenden Matthews, a seasoned software engineer, entrepreneur, and author of the Idiomatic Rust and Code Like a Pro in Rust books (both from Manning), speaks with SE Radio host Gavin Henry about Idiomatic Rust. They start with a look at what "idiomatic" means, and then discuss Generics, Traits, common design patterns you'll see in well written Rust code, and anti-patterns to avoid. Matthews suggests some tools that can help you immediately write idiomatic Rust, as well as what building blocks can also help. This episode examines what Generics are and how they compare to other languages, as well as what Traits are, how macros help, what a Fluent Interface is, and why unwrap() is bad. They also discuss what code smells to look out for, Clone, Copy, and a really nice place to go read real-world Idiomatic Rust code. Brought to you by IEEE Computer Society and IEEE Software magazine.

Tanya Janca, author of Alice and Bob Learn Secure Coding, discusses secure coding and secure software development life cycle with SE Radio host Brijesh Ammanath. This session explores how integrating security into every phase of the SDLC helps prevent vulnerabilities from slipping into production. Tanya strongly recommends defining security requirements early, and discusses the importance of threat modeling during design, secure coding practices, testing strategies such as static, dynamic, and interactive application security testing (SAST, DAST and IAST), and the need for continuous monitoring and improvement after deployment. This episode is sponsored by Codegate.ai

Hong Minhee, an open source developer and creator of the Fedify ActivityPub library, discusses the ActivityPub protocol and the fediverse with SE Radio's Jeremy Jung. They explore ActivityPub use cases, including microblogging applications such as Mastodon and Misskey, as well as activities built into the specification such as Like, Follow, and Accept. They also discuss extending the specification to include properties like Discoverable and Suspended, how different implementations communicate when they don’t implement the same extensions, ND the use of JSON-LD and why it is challenging to implement. Finally, they consider the HTTP-based inbox communication model, difficulties with scaling when using a push rather than a pull model, account migration, and resources for implementing the ActivityPub specification. Brought to you by IEEE Computer Society and IEEE Software magazine.

Ivett Ördög speaks with host Sam Taggart about rewrite versus refactor -- a choice that many projects face as they grow. It's a topic that inspires a lot of dogmatic feelings. They discuss how companies and projects end up at this crossroads and consider some strategies to try to avoid it. Ivett challenges the myth that you should never rewrite but points to two key factors that need to be present for a successful large-scale rewrite or refactor. They end by talking about how to get management on board for such large-scale rewrite or refactor projects. Brought to you by IEEE Computer Society and IEEE Software magazine.

In this episode, Charles Humble speaks withhost Brijesh Ammanath about skills that can provide developers a grounding in systems thinking. Charles is a 30-year veteran of the IT industry, including as a former software engineer, architect, and CTO, as well as former editor in chief of InfoQ and chief editor for Container Solutions. He has published “Professional Skills for Software Engineers” as a series of 14 O’Reilly shortcuts covering communication, critical thinking, documentation, and networking. Underlying his work is the idea that as complexity increases in IT systems, the roles of architects and leaders move from linear thinking to something that might be more broadly defined as systems thinking -- looking at problems and systems as a whole rather than just the individual parts. This requires a skill set that isn’t generally taught or widely valued as an industry -- in part, because it's hard to test in whiteboard interviews. It requires a mixture of communication skills; interpersonal skills; critical thinking; the ability to synthesize large amounts of information.  Brought to you by IEEE Computer Society and IEEE Software magazine.  

Chris Patterson, founder and principal architect of MassTransit, joins host Jeff Doolittle to discuss MassTransit, a message bus framework for building distributed systems. The conversation begins with an exploration of message buses, their role in asynchronous and durable application design, and how frameworks like MassTransit simplify event-driven programming in .NET. Chris explains concepts like pub/sub, durable messaging, and the benefits of decoupled architectures for scaling and reliability.  The discussion also delves into advanced topics such as sagas, stateful consumers for orchestrating complex processes, and how MassTransit supports patterns like outbox and routing slips for ensuring transactional consistency. Chris highlights the importance of observability in distributed systems, sharing how MassTransit integrates with tools like OpenTelemetry to provide comprehensive monitoring. The episode includes advice on adopting event-driven approaches, overcoming leadership hesitancy, and ensuring secure and efficient implementations. Chris emphasizes the balance between leveraging cutting-edge tools and addressing real-world challenges in software architecture. Brought to you by IEEE Computer Society and IEEE Software magazine.

Asanka Abeysinghe, CTO at WSO2, joins host Giovanni Asproni to discuss cell-based architecture -- a style that's intended to combine application, deployment, and team architecture to help organizations respond quickly to changes in the business environment, customer requirements, or enterprise strategy. Cell-based architecture is aimed at creating scalable, modular, composable systems with effective governance mechanisms. The conversation starts by introducing the context and some vocabulary before exploring details about the main elements of the architecture and how they fit together. Finally, Asanka offers some advice on how to implement a cell-based architecture in practice. Brought to you by IEEE Computer Society and IEEE Software magazine. Related Episodes SE Radio 396: Barry O’Reilly on Antifragile Architecture SE Radio 331: Kevin Goldsmith on Architecture and Organizational Design SE Radio 263: Camille Fournier on Real-World Distributed Systems SE Radio 236: Rebecca Parsons on Evolutionary Architecture SE Radio 213: James Lewis on Microservices SE Radio 210: Stefan Tilkov on Architecture and Micro Services SE Radio 203: Leslie Lamport on Distributed Systems