Things Web Application Monitoring Can Pick Up From Casino Security

This is an opinion piece written by a new author to the blog. Let me know what you think.

Security exists to protect what matters. Web application security is constantly being upgraded to fend off attackers, but it could learn a lesson or two from the surveillance of a casino floor.

Web security, especially for pay-to-play sites, uses multiple layers of protection. Betfair, currently the largest Internet betting exchange, is one provider that uses two-step authentication, intrusion detection systems and other controls to protect its customers. Unfortunately, even the strongest protections are sometimes not enough to keep attackers out, and a large part of the reason is how developers handle a threat once it has been detected.

The difference between web application security and casino surveillance is this: when there is suspicious activity, web applications tend to shut down ENTIRELY until the developers can work out the extent of the damage and which data have been compromised. Casinos handle the situation differently. Instead of closing the whole floor, management tries to contain the threat quietly so that the other patrons are not disturbed. If casinos operated the way web applications do, their popularity would decline immediately and they would probably soon be out of business. When a site is hacked and the story is picked up by the global media, people tend to stay away from it even after it has been restored to normal. Response to threats is the main thing web applications could learn from casino surveillance.

The problem is that the data gathered by most web servers today is not enough to conduct an incident response. A default access log records the method, path, status code and response size of each request; the request headers and body, the response body and the identity of the authenticated user are usually not logged at all, so an investigator can see that something happened but not what was sent or what came back. Gunnar Peterson's paper, How to do Application Logging Right, is a good manual for overhauling the way web applications gather this data.

To start improving data gathering, web apps can act like casino cameras, which record everything and keep the recordings in case a dispute arises later. If there is a problem, casino management can simply review the tapes to identify what happened and who was responsible. In web application security monitoring, the equivalent is an alerting layer such as OWASP AppSensor, backed by full audit logging.

When someone deviates from the norm (a player suspected of counting cards at the blackjack tables, or someone inserting an unusual card into a slot machine), casino management watches the surveillance cameras closely and zooms in on the suspect. Web application firewalls that automatically profile the expected behaviour of an application do something similar. So instead of shutting down operations entirely, the first thing a web application can do is increase the audit logging for the suspect, mark the account or session, and keep recording the traffic.

Web security should not focus only on eliminating a threat before understanding it. Attacks come in many forms, and a closer look at what an attacker is actually doing gives a much better idea of how to counter it. Watching first does not mean never acting: the containment still happens, but it is aimed at the suspect rather than at every other user. Keeping the enemy at bay without knowing their plans can be dangerous.

Simplifying Google Play Games API

Previously we covered Using Google Play Games on the Web and how Google Play Games services[3] can be used for web games[1]. There was a lot of interest in that article, mostly about providing UI components, which is a project I have started when I am not working on the refactor of Gaming Engine - Snake Demo v2. However, before building a UI, the API needed to be cleaned up, ...

Using ECMAScript 6 Today

I have been avoiding writing about ECMAScript 6 (E6)[6] for the past couple of years. This is mostly because the standard was not finalized, and consequently most browsers/engines were implementing different and often unstable versions of the various new features. With the E6 spec stabilizing almost a year ago now[1] and the final release date scheduled sometime later this year[1], I expected most browsers/engines would have implemented much of it, with bake ...

Video Recording with MediaProjectionManager

Recording video on an Android device, as a developer, should be as easy as calling a platform-level API, possibly showing an intent for permission approval, before starting to stream video. Unfortunately, we don't live in an ideal world, and video recording is far more difficult than it should be. Fortunately, starting in Android Lollipop, there is a new API (MediaProjectionManager[1]) to make recording video easier. However, there is a remarkable amount of incomplete or ...

Karma Test Runner with QUnit in 10 Minutes

This is a ten minute primer for using Karma and QUnit to unit test JavaScript.

Getting ready

Install Karma[1], plugins, and Qunit[2].
 # Install Karma
 npm install karma --save-dev
 # Install plugins
 npm install karma-qunit karma-phantomjs-launcher --save-dev
 # Add global CLI
 npm install -g karma-cli
 # Install QUnit
 npm install --save-dev qunitjs

How to do it…

In your project directory, run the Karma initialization script:
 karma init ...

Object Pool Pattern in JavaScript

Now that we understand the Recycler Object for Object Pool Pattern, we can build the logic for managing the object pool. An object pool is a simple API that manages recycling and fetching recyclable objects. There are two common models for object pools, one with a fixed number of objects that errors if too many objects are requested, and the other (more flexible approach) is to use the object pool for a fixed number ...

Recycler Object for Object Pool Pattern

Creating or destroying an object is never free, and JavaScript is no exception. Generally, the cost of creating/destroying an object in JIT-optimized JavaScript runtimes doesn't affect performance noticeably, though in other languages it can be a real performance hit. The real culprit is the increase in your application's memory footprint (watch the memory tab in a developer tool while running the tests below for an illustration). This is why, in most cases, reusing a single object is ...

Start Using SRCSET IMG Attribute For Serving Device Specific Images

The article, JavaScript Low Resolution Image Replacer, discussed a JavaScript solution for replacing low resolution images with higher resolution ones after the page finishes loading all the initial resources (thereby reducing the load time of your pages). But what about loading different image sizes based on the resolution of the user's device? We could write a JavaScript solution for this (and some developers have), but HTML5 already introduces the concept of <img srcset[

JavaScript Low Resolution Image Replacer

This is a handy, yet very simple, widget I was hacking on to replace loading or low resolution images with higher resolution ones once the document has finished loading.

How to do it…

The widget is built using the jQuery plugin system and here is the complete code:
 (function($) {
   var isLoaded = false,
       REPLACEMENT_CLASS = "replacement-class",
       REPLACEMENT_RCLASS = "replacement-rclass",
       REPLACEMENT_URL = "replacement-img",
       TIMER = 500;
   $(window).load(function() { isLoaded = true; });
   function ...

Network Information API Polyfill

One of the many new HTML5 APIs slowly being implemented by browsers is the Network Information API[2]. It exposes information about the type of network that the connecting device is using. In theory, this allows developers to optimize content around the connection speed of the user. However, as with most HTML5 APIs it is supported only by some browsers with/without prefixes, and has a legacy implementation, so a polyfill is useful when working with ...