Descriptions and links to various presentations from Kevin Hakanson.


Kevin Hakanson (@hakanson) is an experienced Software Architect focused on highly scalable web applications, especially the JavaScript and security aspects. His background includes both .NET and Java, but he is most nostalgic about Lotus Notes. He has been developing professionally since 1994 and holds a Master’s degree in Software Engineering. When not staring at a computer screen, he is probably staring at another screen, either watching TV or playing video games with his family.

Fine-Grained Authorization in Modern Software Applications

Authentication (AuthN) and Authorization (AuthZ) are critical for most software applications. The increased adoption of standardized frameworks for AuthN has improved overall security posture. “Broken Authentication” was the #2 risk on the OWASP Top 10:2017 list but slid in 2021 to be part of a rescoped #7. AuthZ is trending in the wrong direction, with “Broken Access Control” the #1 security risk on the 2021 list. This session discusses how open-source policy languages and evaluation engines can improve access control in applications.

The key acronyms are reviewed for background: JWT concepts (claims, scopes), access control models (RBAC, ABAC, ReBAC), and the XACML data-flow model (PAP, PDP, PEP, PIP). Examples of applications requiring fine-grained authorization are modeled using different open-source solutions (Cedar, OpenFGA, OPA), focusing on their policy language and evaluation engine integration. This session spans high-level architecture to low-level code, and sprinkles humor (and acronyms) throughout.

  • That Conference (30 July 2024 - 1 August 2024)

Cedar policy language in action

Cedar is a language for defining permissions as policies that describe who should have access to what. Amazon Verified Permissions and AWS Verified Access use Cedar to define fine-grained permissions for applications and end users. In this builders’ session, first learn how to write Cedar policies. Then, take on a challenge problem building the set of policies representing a full application. This session uses open source Cedar and the free online playground, so there is no need to install anything or have an AWS account. You must bring your laptop to participate.

  • AWS re:Inforce 2023 (13 June 2023 - 14 June 2023) (workshop, code)
  • AWS re:Invent 2023 (27 November 2023 - 1 December 2023)

Build On AWS weekly - Go Apps on AWS - CDK 💜 Go

This episode reviewed different options for deploying Go-based services on AWS, starting with a code-based service using AWS App Runner, then container-based using CDK (also written in Go) to deploy to both Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS).

  • AWS Twitch Channel (23 March 2023) (video)

Resilience on AWS

Resilience refers to the ability of workloads to respond to and quickly recover from failures. Workloads deployed to the AWS cloud follow the Shared Responsibility Model, separating resilience “of” the cloud from workloads running “in” the cloud. Part of a workload’s responsibility is to think about resilience threat modeling: the scenarios where things could go wrong, and their cost, business, or mission impact. This session will review strategies and design considerations around resilience, and reference how some AWS Public Sector customers are building resilience into their mission-focused workloads.

  • Code Freeze 2023 (12 January 2023)

Build On AWS weekly - Code me some diagrams

This episode reviewed diagram types, when teams should create architecture diagrams, when to choose diagrams-as-code instead of presentation software or drawing tools, and sprinkled in a bit of fun.

  • AWS Twitch Channel (15 December 2022) (video)

Run your Go applications on the cloud (BOA104)

Start building deployment pipelines for your Go applications on the cloud. You’ve been running Go applications on your machine, but how do you run these in the cloud? In this chalk talk, discuss an easy-to-deploy pipeline for the development, testing, building, and deployment of applications written in Go. Although this example is tailored to Go, it can be easily modified to deploy applications written in other languages too. Join this chalk talk to learn how to deploy your application as containers from GitHub to the cloud with AWS CodePipeline, AWS CodeBuild, AWS CDK, and AWS CodeDeploy.

  • AWS re:Invent 2022 (28 November 2022 - 2 December 2022) (presentation, code)

Sharpen your “Architecture Documentation” Saw: Architectural Decision Records (ADR) and Diagrams-as-Code

All solutions implicitly have an architecture, ideally one which is both intentional and documented. The Architectural Decision Records (ADR) process distributes architectural decision-making across team members. Accelerate the time-consuming process of hand-drawing diagrams by rendering them from a text-based source. Communicate effectively by committing both your markdown-based ADRs and text-based diagrams into your source code repository. This talk will review these techniques, provide actionable steps to adoption, and even live-code some examples.

  • AWS WWPS SLG/EDU xTech Solutions Architect offsite (23-24 August 2022)
  • Open Source North (24 May 2023) (presentation)
  • Minnesota Developers Conference 2023 (3 October 2023) (presentation, code)
  • Twin Cities .NET User Group (7 December 2023)

Building SaaS on AWS - Multi-Tenant Data on S3

In this episode we chat about best practices and patterns to adopt when partitioning and isolating multi-tenant SaaS data with Amazon S3.

  • AWS Twitch Channel (3 August 2022) (video)

Accelerate building your demo web app with an AWS UI template

Customer-facing builders (including AWS Solutions Architects like myself) want to create great looking demo web apps and AWS Samples. Would you like to avoid front-end fatigue and have a working web application in moments? Scaffolding your project using a pre-built template can be a “polyfill” for your web development skills.

This session will review the choices made for a circa 2022 template, which also works for external customers. It starts with the open source variant of the AWS Design System (AWS UI), React, and TypeScript. Vite is used for a lightning-fast dev server, and Amplify Hosting support is pre-configured. Routing, state management, testing, code quality, and more are included. Come learn if a template like this can accelerate your next project.

  • Amazon WebDevCon Seattle 2022 (27-29 April 2022)

Who’s in your Cloud? Cloud State Monitoring

When it comes to cloud operations, security monitoring and visibility are critical. Integration by other systems via Cloud APIs is one of the most powerful value drivers of the hyperscale cloud providers.

In this session, we will describe Cloud State Monitoring, including why it is important and who needs awareness in your organization. An explanation of the categories of Cloud APIs (including the management plane, control plane, and data plane) will give us background. Specific use cases across AWS, Azure, and GCP will dive deep into various changes you might not have considered monitoring.

  • MN ISSA and CSA MN Joint Chapter Meeting (15 December 2020) (presentation, video)

Adopting Multi-Cloud Services with Confidence

In transitioning to multi-cloud, IT organizations have the same responsibility to provide quality service and operational security, yet have a much greater need to understand how to efficiently govern and manage these disparate cloud services.

In this session, we will examine some key patterns and models taken from a Cloud Adoption Framework through a multi-cloud lens. The presentation will include a mixture of high-level guidance, examples where vocabulary and terminology differ, and opinions on when to utilize cloud-agnostic vs cloud-native technologies for strategic decisions. Attendees will leave with a better understanding of how to implement a Cloud Adoption Framework across multiple clouds and a higher level of confidence in their multi-cloud adoption plans.

Aumentum Cloud Strategy: Public Cloud vs. Government Cloud

As Aumentum transitions to a cloud hosted SaaS product, the conversation about “public cloud” vs. “government cloud” is of interest to customers. This session will review some cloud computing definitions, discuss what is commonly referred to as “government cloud,” and provide a preview of the Aumentum cloud strategy.

  • Thomson Reuters Synergy 2019 (23-26 September 2019) (presentation)

Introduction to Speech Interfaces for Web Applications

Speaking with your computing device is becoming commonplace. Most of us have used Apple’s Siri, Google Now, Microsoft’s Cortana, or Amazon’s Alexa, but how can you speak with your web application? The Web Speech API can enable a voice interface by adding both Speech Synthesis (Text to Speech) and Speech Recognition (Speech to Text) functionality.

This session will introduce the core concepts of Speech Synthesis and Speech Recognition. We will evaluate the current browser support and review alternative options. See the JavaScript code and UX design considerations required to add a speech interface to your web application. Come hear whether it’s as easy as it sounds.

  • Twin Cities Code Camp 20 (16 April 2016)
  • MinneBar 11 (23 April 2016)
  • Midwest JS (10-12 August 2016) (presentation)
  • Thomson Reuters Beyond the Edge - Ann Arbor (12 September 2016)

Learning to Mod Minecraft: A Father/Daughter Retrospective

What do Minecraft and Blockly have in common? Minecraft is a popular, open world video game where players can build structures using digital blocks. Blockly is an open source visual programming language where students can build programs using blocks. LearnToMod combined these together to teach students how to modify Minecraft using either the Blockly visual editor or JavaScript.

This session will be the retrospective of an enthusiastic father teaching his hesitant daughter (who loves Minecraft) about programming. We started with Hour of Code and pair-programmed through LearnToMod’s video lessons. What did we create? How did we like it? What would we recommend to others? Come learn about our experience and ask questions.

ng-owasp: OWASP Top 10 for AngularJS Applications

The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF?

This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.

  • Thomson Reuters Beyond the Edge - Ann Arbor (17 September 2014)
  • AngularMN Monthly Meetup (4 March 2015) (presentation, video)
  • Twin Cities Code Camp 18 (25 April 2015)
  • NDC Oslo (17-19 June 2015) (presentation, video)
  • That Conference (10-12 August 2015) (presentation)
  • DevFestMN 2016 (6 February 2016)

Securing TodoMVC Using the Web Cryptography API

The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile-to-JavaScript languages, module loaders and real-time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.

Instead of storing the Todo list as plaintext in localStorage, this “secure” TodoMVC implementation encrypts Todos using a password-derived key. The PBKDF2 algorithm is used for the deriveBits operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item “A6-Sensitive Data Exposure” from the OWASP Top 10.

With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.

  • JavaScriptMN Monthly Meetup (28 August 2014)
  • Thomson Reuters Eagan Technology Unconference (5 September 2014)
  • jQuery Conference (12-13 September 2014) (presentation, code, demo, video)
  • Twin Cities Code Camp 17 (4 October 2014)

Make your own Print & Play card game using SVG and JavaScript

Want to leverage your creativity, love of board games, and web platform experience to do something different? Turn your imagination into a Print & Play card game using only a modern web browser, color printer and text editor.

This session will use the Scalable Vector Graphics (SVG) image format and JavaScript programming language to make a deck of cards for a simple game. Creating a few cards in graphics software like Inkscape is one thing, but what about 50 or 100 cards? What happens when you need to update them all? That’s the value of generating your SVG using JavaScript.

We will start with a blank screen, adding color and graphics elements like lines, shapes, text and images. Learn about container elements and defining content for re-use. Understand how units in the SVG coordinate system can transform our on-screen creation into an 8.5 by 11 inch printed page (or PDF). SVG examples will be both in their native XML format and created from JavaScript using Snap.svg, an open source library from Adobe designed for modern web browsers.

You will leave this session with a basic knowledge of SVG concepts, how to programmatically generate SVG using JavaScript, and how to make your SVG creation printer friendly.

Scaling Agility from the Trenches

Let’s start a conference with a conversation. Instead of an opening talk, Twin Cities agile practitioners will share a fishbowl with coaches in a free-for-all discussion around the good, the bad, and the ugly of scaling agility instead of simply adding more process. Stop back for more details or stop in and enjoy the (fishbowl) madness.

  • Agile Day Twin Cities 2013 (15 November 2013) (panel participant; facilitated by David Hussman)

Internationalize your JavaScript Application: Prepare for “the next billion” internet users.

Are you prepared for “the next billion” internet users, most of whom don’t use English as their primary language? This session will explore the globalization (internationalization and localization) of JavaScript based applications. It will look at the ECMAScript Internationalization API and popular open source projects like AngularJS, messageformat.js, jQuery Globalize and twitter-cldr-js. Topics will include cultures/locales, character encoding, number formatting, date formatting, choice/plural formatting and translations.

A Humorous Comparison of Software Development with Star Wars: The Clone Wars

Lightning-talk-style presentation describing software development using references from Star Wars: The Clone Wars. (screencast)

  • Thomson Reuters Eagan Technology Unconference (6 September 2013)
  • JavaScriptMN Monthly Meetup (26 September 2013)
  • Iowa Code Camp 12 (2 November 2013)

Developer’s Guide to JavaScript and Web Cryptography

The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.

  • Twin Cities Code Camp 14 (27 April 2013) (presentation, video, demo)
  • JavaScriptMN Monthly Meetup (30 May 2013) (presentation)
  • Iowa Code Camp 11 (8 June 2013) (presentation)
  • Thomson Reuters Legal Market Dev Tech Forum Series (11 July 2013)
  • Minnesota Developers Conference 2013 (26 September 2013) (presentation)
  • cf.Objective() 2014 (13-16 May 2014) (presentation)

HTTP Potpourri

Embracing HTTP is an important property of well-constructed RESTful and web APIs. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session will be based on usage of various HTTP methods, headers and status codes drawn from the development of large-scale web applications. Examples will include raw HTTP, mixed in with JavaScript and ASP.NET MVC code.

  • Twin Cities Code Camp 12 (14-15 April 2012) (presentation)

Implementing Messaging Patterns in JavaScript using the OpenAjax Hub

Is your web application a tightly coupled, DOM event handler mess? Use techniques from the Enterprise Integration Patterns book to build better components. Concepts including message, publish-subscribe channel, request-reply and message filter will be demonstrated in JavaScript (along with corresponding tests) using the OpenAjax Hub.

BP101 Adding Lotus Sametime to Your Collaborative Commerce Web site

There are many statistics on the number of shopping carts being abandoned. This session will show how to use Lotus Sametime to add real-time, online customer service to your Collaborative Commerce Web site. A real-time intervention by a company representative can happen as a reaction to a customer request or a proactive response to a potential need. These and other situations will be demonstrated.

  • Lotusphere 2001 (14-18 January 2001)

BST108 eCommerce with Domino

In this session, you will learn the ins and outs of building an eCommerce site with Domino, and how you can build a site faster and easier with Domino than with other technologies. We will explain how to set up customer registration, build a product catalog, and manage the shopping cart. Tips on how to implement effective application security and get the best site performance will also be included. Finally, this session will describe the different ways to integrate your eCommerce applications with existing ERP applications.

  • Lotus Developers’ Conference 1999 (20-23 June 1999)

Kevin Hakanson

Multi-Cloud Certified Architect | DevSecOps | AppSec | Web Platform | Speaker | Learner | Builder

© 2024 Kevin Hakanson (built with Gatsby)