Last week saw the third DCPHP Conference happen at George Washington University. This post covers the second day of the conference and was written after everything was done. The first day of coverage is available here: 2008 DCPHP Conference – Day 1.
The opening keynote this morning was from the highly esteemed PHP security guy Chris Shiflett. His keynote – titled "Security-Centered Design: Don't Just Plan for Security; Design for It" – was a bit different than his usual talks. Let's face it, if you don't get "Filter Input, Escape Output", you're probably a lost cause… Instead, he focused on concepts and ideas that make security more tangible for the user of the application: giving them "ambient signifiers" that indicate whether certain things are to be trusted or not… whether a certain flow or process should be accepted or not. He used a number of examples reaching into psychology to demonstrate that the human brain can be tricked or trained easily and that we should take advantage of – or protect against – those aspects. Honestly, I hope I can catch this presentation again sometime soon.
The next session was from the leader of PHP Atlanta, Ben Ramsey, on "Distribution and Publication with Atom Web Services". He covered the background of Atom not only as an XML format but also as a protocol. He gave an overview of REST and the RESTful concepts and then jumped into showing how it comes together and becomes usable for manipulating resources. He also gave a snapshot of some of the tools and libraries that give you Atom manipulation quickly and easily.
Next, we had Barry Austin – a local DCPHP'er – and his session on "How to Make Application Security Suck Less". Throughout the presentation, he poked holes in the concepts of security and how it gets applied in web development. He didn't go in depth into XSS, CSRF, or any of the common issues and classes of attacks. Instead, he approached security more from an assessment angle and discussed the trade-offs of risk vs. security. I think it served to provide a more strategic approach to security as opposed to the "patch it when it breaks!" model that we often get now.
After lunch, we had the Battle Royale. The event that everyone was looking forward to and will be spoken about for ages to come:
The PHP IDE Smackdown.
In the ring, we had some of the best players from among the community. We had the Ning'er from New York David Sklar representing Emacs; the coder from Canada Jeff Griffiths of ActiveState championing Komodo; my friend and collaborateur Eli White of Digg tackling Textmate; the Instigator from Iowa Tony Bibbs defending the honor of Zend Studio for Eclipse; and finally the English Engineer Wez Furlong representing VI/VIM. And I had the special opportunity to ask some questions, challenge some assertions, and generally attempt to moderate.
I started with simple introductions from everyone along with an explanation of why they use their tool of choice. We moved into what annoys them about their tool. The licensing/availability and pricing of each of them. How they might improve it. What other tools they use. And how to extend and customize each of them. To protect the honor of each of the participants, we did not capture the event on video, but some key quotes were captured:
In response to "What is the one thing that drives you nuts about your tool?", David stated "Emacs is not a one night stand" to which Jeff asserted "Emacs is a lifestyle". In response to "Why wouldn't you use your tool?", Tony stated "Don't use Zend if you're broke".
Overall, it was a great opportunity to learn a bit about each of the tools, a chance to let them trade shots and (constructive!) criticism, and get an overview of a wide swath of tools. There was something for everyone… from Free Software to Open Source to proprietary to project-based to file-based to the Swiss army knife of tools.
My friend Eli White deserves acknowledgement for arranging this one. He started kicking around the idea a few months ago, figured out who to contact, got them on board, and then let me run with it. Without him kicking it off, it would not have happened. Thanks.
The next session was from Ben Ramsey on "Give Your Site a Boost with Memcached". He laid out a number of use cases, when not to use it, some of the pitfalls, and what to watch out for. If you're considering Memcache and haven't used it before, take a spin through his presentation and make sure you understand what it should and should not be used for. If you really need it, this isn't something to screw up.
The night wrapped with a mass migration of attendees to restaurants around the area. Detailed notes about the evening were taken and then immediately destroyed to protect the innocent bystanders and conference attendees inadvertently involved.