[devnexus 2024] breaking ai: live coding and hacking apps with generative ai

Speaker: Micah Silverman

For more, see the 2024 DevNexus Blog Table of Contents


Changes/Trends

  • AI is not a silver bullet
  • Treat AI like a junior dev and verify everything produced
  • New iteration of copy/paste. More code that got from Stack Overflow
  • We don’t do thorough code reviews of library code. Look at security, number of committers, when last release
  • Different because our name now on commit
  • More challenging to maintain visibility
  • Backlog ever growing

Common use in Dev

  • Adding comments
  • Summarizing code
  • Writing Readme
  • Refactoring code
  • Providing templates
  • Pair programming
  • Generating code (the new stack overflow)

Stats

  • 92% software dev using AI in some form
  • Those who use AI are 57% faster
  • Those who use AI are 27% more likely to complete task
  • 40% of Copilot generated code contains vulnerabilities. Same stat without AI so this is what we trained it on
  • Those using AI wrote less secure code but believed more secure. We trust AI too much. Junior devs get more scrutiny than senior devs
  • [Some of these stats aren’t causation. Ex: early adopters]

Using AI well

  • Good starting point
  • Don’t use without review

Problems

  • Hallucinations – including supporting “evidence” even where wrong. Gave addition example
  • ChatGPT got worse in math over a few months. 98% to 2%. Now some math specific AIs
  • “ChatGPT is confidently wrong” – Eelko de Vos
  • First defamation lawsuit – ChatGPT made up case law
  • AI doesn’t know when wrong

AI and Code

  • Asked for Express app taking name as a request parameter. Tried a bunch of times and name parameter never sanitized so cross site scripting vulnerabilities. Ideally wouldn’t auto generate vulnerabilities
  • Can give bad advice – asked if code was safe from NoSQL injection. GPT and Bard said safe. Was not safe.
  • Samsung put all code in ChatGPT and leaked code, keys, trade secrets. Became part of training data. ChatGPT says got better about dealing with secrets.
  • Terms of services of ChatGPT say can use anything as training data

Sample Conference App

  • Using Copilot
  • Spring Boot app in IntelliJ

Basic example

  • Gave Copilot comments/prompts to create code
  • Showed generating code to read a file that doesn’t exist due to a typo

JPA SQL injection example

  • Showed not the most common way to write JPA here in 2024; usually don’t need direct query
  • Showed Copilot offers prompt to get result
  • Tried adding to prompt to protect against SQL injection. Got a naive regex sanitizer
  • Then tried requesting named parameters in the query. After that did prompts for setting parameter and getting result. All was well.
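The progression in this section, as an added example rather than the code from the talk: a query built by string concatenation beside the same lookup with a named parameter. The `Speaker` entity, the `SpeakerSearch` class and the use of JPQL with `jakarta.persistence` are assumptions; the `EntityManager` is expected to come from the Spring Boot application.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import jakarta.persistence.TypedQuery;
import java.util.List;

// Hypothetical entity for this example; not the talk's model class.
@Entity
class Speaker {
    @Id
    Long id;
    String name;
}

class SpeakerSearch {
    private final EntityManager em;

    SpeakerSearch(EntityManager em) {
        this.em = em;
    }

    // Before: the request value is pasted into the query text, so the
    // parser treats it as query syntax. A regex "sanitizer" in front of
    // this line does not change that.
    List<Speaker> findByNameConcatenated(String name) {
        return em.createQuery(
                "SELECT s FROM Speaker s WHERE s.name = '" + name + "'",
                Speaker.class).getResultList();
    }

    // After: the query text is fixed and the value is bound to :name,
    // so the provider passes it as data, never as part of the statement.
    List<Speaker> findByName(String name) {
        TypedQuery<Speaker> query = em.createQuery(
                "SELECT s FROM Speaker s WHERE s.name = :name",
                Speaker.class);
        query.setParameter("name", name);
        return query.getResultList();
    }
}
```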

Example

  • Tried getting file then with a file separator
  • Successfully got constant defined in file so some context sensitivity. But ignored file separator request from prompt
  • Then requesting saving the file and successfully generated code to write it
  • Requested getting a person and successfully called already written getPerson() method
  • Then set image name
  • Copilot offered to write prompt to save person.
  • Then requested adding the message and added attribute to model
  • However, has path traversal issue
  • Showed BurpSuite monitoring as run example. “Send to repeater” keeps cookies and such while letting alter request.
  • Changed file name to “../image/snyklogo.png”. If works will replace logo with uploaded pic
  • Showed Snyk IDE extension which also notes path traversal issue
  • Tried asking to sanitize input against path traversal and got check for two dots. Not good enough but a first pass
  • Tried asking for whitelist to protect against directory traversal. Checked directory name prefix which is better but also not a whitelist
  • Then tried requesting to validate that there is not a path traversal using the normalize method. Did what requested including the prefix check from previous prompt but Micah noted that’s what did in the past
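To see why the two-dots check is only a first pass and what normalize plus a prefix check buys, here is an added example (not the code Copilot generated in the talk) that runs both over a few constructed file names. The upload directory `/srv/app/uploads`, the class name and the method names are assumptions, and the paths assume a Unix-style file system.

```java
import java.nio.file.Path;

public class UploadPathCheck {
    // Assumed upload root for this example (hypothetical path).
    static final Path UPLOAD_DIR =
            Path.of("/srv/app/uploads").toAbsolutePath().normalize();

    // "Check for two dots": plain string matching on the raw name.
    static boolean passesTwoDotsCheck(String fileName) {
        return !fileName.contains("..");
    }

    // Normalize, then prefix check: resolve against the root, collapse
    // "." and ".." segments, and require the result to stay under the
    // root. Path.startsWith compares whole path elements, not characters.
    static Path resolveInsideUploadDir(String fileName) {
        Path target = UPLOAD_DIR.resolve(fileName).normalize();
        if (!target.startsWith(UPLOAD_DIR)) {
            throw new IllegalArgumentException(
                    "outside upload dir: " + fileName);
        }
        return target;
    }

    static boolean passesNormalizedCheck(String fileName) {
        try {
            resolveInsideUploadDir(fileName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] names = {            // constructed sample inputs
            "photo.png",              // ordinary upload name
            "../image/snyklogo.png",  // file name used in the talk's demo
            "my..photo.png",          // harmless name that contains ".."
            "/tmp/outside.png",       // absolute: resolve() returns it as is
        };
        for (String n : names) {
            System.out.printf("%-24s twoDots=%-5b normalized=%b%n",
                    n, passesTwoDotsCheck(n), passesNormalizedCheck(n));
        }
    }
}
```

The two checks disagree on the last two names: the string match rejects a harmless name and accepts an absolute path, while the normalized check gets both right. `normalize()` is purely lexical, so if symbolic links can exist under the upload directory, compare `toRealPath()` results as well.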

What can do

  • Use tool to scan code and tell when makes mistake
  • Learn. Ex Snyk has a lesson on prompt injection. – Getting AI to tell info it shouldn’t

Future

  • Currently have Math aware AIs. Maybe will have security aware AI in future

My take

Good mix of background and live code. I like that Micah didn’t assume security knowledge while keeping it engaging for people who are familiar. I had never seen BurpSuite so that was a happy bonus in the demo.

[devnexus 2024] knowledge management for the technically inclined

Speaker: Jacqui Read

fosstodon.org/@tekiegirl



Book: Communication Patterns

Knowledge Management

  • McKinsey used phrase internally in 1987
  • not just putting info on the wiki
  • can’t simply buy it
  • apps can help but small part of what doing

Examples

  • Naming a repo – convey what it is without going in and looking
  • Integrating one app with another – edges are where discover and exchange knowledge
  • Lessons learned – learn from past mistakes and build on successes
  • Inventory – catalog
  • Dashboards – static or dynamic
  • Documents – files
  • Expertise locator – how find info in people’s heads
  • Policies and procedures
  • Wikis and articles
  • Forms and templates
  • Databases
  • Meetings and workshops – generate a lot of knowledge. Not always recorded

General

  • “Knowledge management is the process of capturing, distributing and effectively using knowledge” – Tom Davenport
  • No org is a vacuum
  • Relationships change over time and knowledge gets lost
  • If written down, softens the blow
  • Forces between finishing tech stuff vs getting things done
  • Capturing gets lost and no organization learning. Makes stagnant org and competitors can overtake
  • Fortune 500 companies lose at least $31.5 million a year due to lost info
  • Companies with better knowledge management did better during pandemic

Remote first

  • Enable doing best work wherever are. Not a bolt on to office work.
  • If anyone remote, everyone is on own device
  • Value output over time spent
  • Emphasis on async communication
  • Better continuity for time zones, transit strikes, snowstorms, people going out to see eclipse
  • Improved productivity because valued for output and happier. Not trying to look like working
  • Better documentation due to async communications

Sync vs Async

  • Async communication – no expectation of reading/responding as soon as received
  • This talk is synchronous for people in room and async for people watching on video later
  • Can capture, publish and use info sync or async

Glossaries

  • Centralize so not looking through multiple or guessing where to put
  • Federated for maintenance – anyone can add
  • Partitioned by domain – different definitions for different parts of business. Define scope
  • Cross reference for simplicity – don’t duplicate

Products over Projects

  • Mindset change
  • Other projects can reference
  • Reuse
  • Long term view

Inventories

  • Catalog assets
  • Explicit knowledge – easy to articulate and write down. Think about what it is, structure, format, etc
  • Implicit knowledge – harder to write down. Think about who knows. Is it tacit knowledge (ex: leadership/riding a bike)?
  • Put tacit knowledge in expertise locator
  • Make more of the implicit knowledge explicit

Personal Knowledge Management (PKM)

  • Encourage people to share what know
  • Bottom up info sharing
  • Can boost career to share knowledge
  • Can be rabbit hole

Automate knowledge management

  • Documentation as code. Not just markdown. Could be diagrams as code, json, asciidoc etc
  • Optionally review for accuracy. Especially if publishing publicly
  • Automated review for syntax, spelling, links, etc
  • Convert to a useful format like PDF or a website
  • Decouple data from presentation

Knowledge Management as Code

  • ex: Swagger API docs
  • ex: contract testing
  • ex: Pacts dashboard showing last time tested each API

Hive Mind

  • Optimize knowledge so available at right time
  • Without knowledge management, have high cognitive load and chaos
  • With knowledge management, reduce cognitive load
  • With hive mind, reduce cognitive load as much as possible
  • Hierarchy: Wisdom, knowledge, info, data

AI

  • Garbage in, garbage out

Collaborative Knowledge Management

  • Big picture event storming – find boundaries where people disagree. Generates lots of options
  • Domain storytelling – create diagrams with actors and processes. Focus on one way. If have another version, create a new diagram
  • Bytesize Architecture Session – can use for mix of business and technical. Start with session goal. Then everyone starts independently at same time so not drowned out by loudest voice in room. Then find consensus
  • 6 page memo – re Amazon. Doc created before meeting. Everyone reads at same time (to fence time for reading) then discuss. Downside is that people have thoughts after meeting. Doc needs to be collaborative as well
  • Architecture Decision Records – not just for architectures. Include title, status, context, evaluation criteria, options, decision, implications, consultation. Avoids risk of changing something without understanding why decision made. Avoids rework of investigating same thing repeatedly. New people on team can read why decision made
  • Business Decision Record – same idea as ADR, but for other things. Ex: why buy/choose a product, hiring, strategy

Key takeaways

  • Software BBOM (big ball of mud). Probably also have Documentation BBOM.
  • Think about as wall of ivy instead. Have info hidden in here
  • Good knowledge management vital for building and understanding software
  • Collaborate to collect and record knowledge. Get more perspectives. Break down silos
  • Involve as many minds as possible
  • Elicit the implicit knowledge so don’t miss
  • Knowledge management supports better decision making. Need a decision support system
  • Engineer knowledge as much as engineer software
  • Own your knowledge. If don’t know what have, can’t use it

My take

Excellent start to the morning. It was fun seeing how different parts of KM interact. Plus learned some new techniques.

[devnexus 2024] apache maven 4

Speakers: Chandra Guntur and Rodrigo Graciano

@CGuntur and @rodrigograciano



General

  • Apache Maven 4 is still in alpha
  • Avoid profiles where can
  • Shoutout for mvn verify (vs maven install)
  • Sample code: https://github.com/c-guntur/maven4

Pain Points in Maven 3

  • Painful to maintain versions in multi module projects – flatten-maven-plugin helps with child versions but has issues with profile interpolation. ci-friendly-flatten-maven-plugin solves profile interpolation problem but requires including third party plugin
  • No implicit way to separate build info from consumer info. Why do consumers need SCM location and Jira link – flatten-maven-plugin and ci-friendly-flatten-maven-plugin help
  • Handling versions of sibling modules is a chore
  • We use default versions for plugins. Ex: compiler version has default so not everyone specifies.
    Creating BOM (Bill of Materials) not easy. No way to identify that default version is in use

Maven 4

  • Requires Java 17+ to run Maven and Java 17 to compile (but can use Java 17 to compile earlier version)
  • New schema version in <project> xmlns
  • <modelVersion> is now 4.1.0
  • Can use <version>${revision}</version> without plugin – can pass from root pom or command line
  • Get warning in build log if use the default version number of any plugins
  • Two poms in .m2 for artifact. artifact-version-build.pom is what is used to build and artifact-version.pom is the consumer pom that goes to the repo when deploy
  • No need to specify version number of parent in multi module project. Figures out automatically. Version is still allowed. It is an optional field so can specify older version at will.
  • Build caching is improved so faster performance. ex: less re-compiling

My take

I didn’t take notes on Maven itself only the differences between Maven 3 and 4. I know it was necessary to get everyone on the same page. Given everyone raised their hand on using Maven, I wonder if could have been briefer. (Got to limitations of Maven 3 at 20 minute mark) I liked the interaction between the presenters to make it a conversation. The list of Maven 3 problems was great. And the demo of how Maven 4 fixes was good.