php[tek] 2019
21 - 23 May 2019 at Loudermilk Convention Center

1

Object-Oriented programming provides a framework for software collaboration. We’ll see how the terminology relates to our code. We’ll see how these techniques provide the framework for collaboration, and we’ll learn to match the strategies to the terminology. Our first key to collaboration is that we all understand this terminology and how it’s expressed in our code. We’ll be examining the code for a specific project that we’ll be building on throughout the conference, beginning with keeping track of file imports.

Federated identity and authentication come in a number of flavors. There’s OAuth, OpenID Connect, SAML, FIDO, and Web Authn to name a few. Learn about the pros, cons, and use cases for each.

When it comes to web APIs, we tend to forget that we consume various APIs (other people’s code) every day in the form of SDKs, libraries, development tools, etc. The same design principles that make the high-quality non-web APIs we consume easy to work with can be applied to the web APIs we build. In this session we’ll explore what attributes are common to the tools, SDKs, libraries – the other APIs – we use on a daily basis, and how we can apply them to the web APIs we’re building.

An Intro to PHP Internals: Getting Involved Without Being an Expert in C “I don’t know C!”, is probably one of the most common excuses that us PHP developers give for not contributing to PHP source. And top it off with all the overly-publicized drama surrounding the PHP internals mailing list, most user-land PHP developers don’t want to touch PHP internals with a ten-foot pole. Contrary to popular belief, being an internals contributor isn’t just for C experts that play in a “toxic kindergarten;” in fact, there are myriad ways to get involved with PHP internals without writing a single line of C code and that doesn’t play into any toxicity at all. And on top of some of the conventional ways to get involved with PHP internals, you’ll learn about some new and exciting projects that desperately need a courageous person (read, “you”) to launch. If you’re ready to meet a lovely, helpful community of passionate individuals who will mentor and support your efforts to make PHP better, this talk will encourage and inspire you to join me on an epic journey to the center of PHP internals.

2

Get a quick refresher on all aspects of Objects, as we cover basic inheritance and method/property visibility. We’ll learn these by example. We’ll see magic methods and anonymous functions. We’ll also learn about Exceptions and error handling the PHP way.

Biometric authentication is no longer relegated to science fiction and spy novels. It continues to become more and more popular as it is both secure and less obtrusive than the traditional password. However, the very nature of biometrics requires special handling and forethought. By the end of this session you will have learned: How biometrics have advanced over the years How you can utilize biometrics in your applications How biometric data is different from other authentication methods How to protect your application users from data breaches and account takeover

3

We’ve all heard about ‘API First’ when it comes to building a new product or feature. It can allow your team to develop in parallel, enable expansion to multiple platforms, and create an opportunity for outside integration. But creating a usable and maintainable API doesn’t start with opening your IDE. If you want to build an API that will meet the long term needs of your users (both internal and external), you start by designing the interface they’ll consume, not writing the code that powers that interface. In this session, we’ll consider the benefits of a design-first approach, how that contrasts some of our natural instincts as web developers, and how design-first works even when you don’t do ‘API first’.

Step debugging through the PHP engine with GDB/LLDB and Visual Studio Code You may have already used Xdebug with your favorite IDE to step through your PHP apps line by line, but what happens “behind the curtain” at the C level? That’s where the GDB debugger steps in. In this talk, you will learn to: Compile PHP from source with debug symbols Run PHP scripts through the GDB debugger Control GDB from the command line Configure Visual Studio Code to step through the C code By the end of the talk, you should feel more confident in exploring how the sausage is made by stepping through the C code.

0

Naming things is hard but sorting out how your application should be structured shouldn’t be! It’s always frustrating when the boss or client hands you this giant ball of requirements and how everything is interconnected. Half the fun of programming is breaking these down and turning these requirements into code to solve the business needs. We’ll cover several code scenarios and show you the best way to break down complex domains.

2

The first point of contact most users have with your application is the login screen. It’s a ubiquitous interface, and approaches for handling authentication are legion. A plethora of options for authentication doesn’t mean it’s an easy practice, though. Together, we’ll review authentication from first principles, starting with password-based systems and diving deeper into defensive hashing techniques and the edge cases developers need to consider when protecting user data. We’ll also go deep into the secure remote password flow, leveraging the technique both from native PHP and a JavaScript client-side implementation. By the end of this session, you will have learned: How to advise your customers on password strength How to enforce users are leveraging strong passwords How to protect your application from brute-force bypass attempts How to securely authenticate a user without ever seeing their password

Does GraphQL signal the end of REST APIs? Does GraphQL really solve problems the REST pattern fails to address? Can the two be used in a complementary way? In this session, we’ll take a high-level look at what GraphQL offers, as well as use cases where GraphQL is a good fit – and those where it isn’t. We’ll also explore what it takes to write code that consumes GraphQL, and the code that provides a GraphQL interface.

Most people don’t stop to think about how their car works; They just turn the key and go. That’s not good enough for engineers, and the same isn’t good enough for programmers who rely on a software engine to get their work done. This session is a high-level overview of what makes up the PHP runtime, how the pieces fit together, and what to expect as the language continues to evolve in the coming years. We’ll cover the lifecycle of a request, compilation, execution, caching, and leveraging all these tools to gain a broader understanding of what happens when you turn that key and ask your web server to go.

Algorithms are much like design patterns. They are a way of collaborating and sharing an experience. As we think through how to solve a specific programming problem, we’re actually designing (or using) an algorithm. Meanwhile, the “fizz buzz” coding challenges we find in job interviews are based on the premise that most professional software developers and computer science graduates “can’t code their way out of a wet paper bag.” We won’t talk about fizz buzz, but we’ll talk through a programming problem. We’ll design an algorithm to convert numbers from decimal to hexadecimal and back – in our heads, without calculators, computers, or sprints(). It’s fun!

1

Many developers using hosted database solutions like Amazon RDS or Microsoft Azure are familiar with the “encrypt at rest” checkbox provided by their host. This will provide a modicum of security, but only defends your data against a narrow set of potential threats. Instead, we’ll discuss both the threats this feature does and does not protect against and some practical approaches to handling the uncovered edge cases. Attendees will learn how their application can both encrypt and decrypt data before communicating with an external data store for complete data protection. By the end of this session, you will have learned: The difference between encryption at rest and in transit Some of the approaches to end-to-end data protection How to construct an application that handles protected data securely

As you design an API you’ll run into a few questions. How should you authenticate your users? Are there cases where you don’t even need to? There are a variety of authentication methods, which one is the best? It’s time to talk about API security – at least one aspect of it. Each method has strengths and weaknesses, and the right authentication method depends on a few things: the kind of API you’re building, the users that consume it, and the context of the authentication. A client-side browser application shouldn’t use the same authentication mechanism as an API that serves data to other web services. In this session, we’ll cover various authentication methods, and gain an understanding of the similarities and differences of the underlying mechanisms. We’ll also consider various use cases and the authentication concerns they introduce.

With the retirement of the last release of PHP 5, some sites are still scrambling to complete an upgrade that’s been in the works for a while. Others, who perhaps leverage the latest PHP has to offer, need even more than what’s delivered by default. Whatever your motivation, join us for a high-speed journey through the process of creating, debugging, and releasing an extension for PHP 7 written in C/C++. We’ll expose new functional and oop based APIs, wrap methods from 3rd-party libraries, and explore PHP’s type system in ways you never get to see from userland.

0

We don’t need to burden modern PHP code with countless “require” or “include” statements. In this talk, we’ll learn how the PHP autoloader works, how to write our own autoloader, and how to work with composer’s autoloading map. We’ll see exactly how to design our namespaces for PSR-4 compatibility so everything “just works.” We’ll learn the PEAR and PECL conventions as well. We’ll finish by learning how to create our own packages for distribution and reuse.

Mobile devices, namely smartphones allow users to perform several actions from the basic phone call, the use of geo-location services and even processing payments. Though how are mobile applications able to perform so many actions on behalf of a user? What really happens when a user gives an application permission to use device services? Join us in this talk as we dive deep on different user-facing mobile permissions, learn about the potential risks of accepting permissions, and walk through cases studies of how device permissions could serve as potential risks to the end user. By the end of this session, you will have learned: The differences between Android and iOS device permissions What device permissions are typically asked of mobile device users? How asking for too many permissions might put the end user at risk?

Requests and responses are the core of an API, and a significant part of the interface you’re designing. The code that consumes your API needs to create the request, and parse the response, so it’s worth considering what formats are natural for those consumers, not just what’s natural for the API code we’ll be writing. But the consuming code isn’t the only thing to consider. If you have to support multiple formats, how do you do that consistently? What techniques can be used in APIs that need to handle binary data as well? In this session, we’ll take a look at common request and response formats. We’ll also consider the advantages of each, not just in terms of the consuming code, but also use case and context. Finally, we’ll explore the general structure of API requests and responses for different API design patterns.

As you might have already heard from a grumpy individual, adding more tests to your codebase is crucial to its stability over time. This talk isn’t about adding tests to your PHP codebase; it’s about adding tests to the PHP language itself. And the best part is, all the tests are written in PHP so you don’t even have to dust off that old C book from college. In this talk, we will show you how to find untested parts of the PHP source code, how to write a test for the untested feature and how to submit your tests to PHP internals. Not only will you be making PHP more stable and reliable, but there’s a good chance the tests you write will give you a deeper understanding of PHP; the knowledge you can use to improve your own codebases. Not to mention you’ll be able to call yourself an internals contributor. Come on in! The water’s fine!

0

Dependency injection is a powerful technique allowing different parts of a system to collaborate with each other. Injection is the passing of a dependency (such as a service or database connection) to an object that would use it. This way, the object need not change because the outside service changed. This often also allows the object to be more easily tested by injecting a mock or stub service as the dependency.

Why don’t we just use that service to get the information we need? This common thought comes into place when making decisions such as Facebook/Google/Twitter login. While third-party services can ease the ability to onboard a user into a new application, are they always necessary? even more importantly are we exposing our users to more risks by utilizing these services? Join us in this talk as we discuss the use of third-party services, the advantages, and potential risks. By the end of this session, you will have learned: Use cases for integrating with third party services User sentiment on use of third-party services The potential risk associated with third-party services

2

API tools, services, and techniques abound, but in this session, we’ll focus on the ones that require little (or no) setup, and that you can start using right now (during the session). Whether you’re building or consuming APIs, there will be something for you. If you’re new to APIs, you’ll leave with a bunch of things you can use right now. If you’ve been doing this for a while, you’ll probably see a new way to simplify something that’s bugged you in the past.

Ever wondered why PHP works the way it does, or why some “odd” behavior remains “unfixed” for years? There’s a story behind every quirk and oddity of your favorite language. Enjoy a quick trip down memory lane with this look back at over two decades of Personal Home Page tools.

0

The Model-View-Controller (MVC) design pattern is heavily used (and misused) in the PHP world. Many PHP frameworks help us – expect us – to organize our web application around this pattern. We’ll examine the intended separation of concerns. We’ll see the middleware, the request-response loop. We’ll configure GET and POST routing. We’ll look at the pattern itself. The model represents the data in our application. The view is the visual component that presents the interface for users to interact with that data, such as clickable links, form fields, and buttons. The controller coordinates it all.

0

Full-stack development requires a full understanding of all elements of your stack – not just backend and frontend software, but the server and lower-level tools upon which your application is built. The most secure coding in the world won’t protect against a misconfigured or vulnerable server. Together we’ll walk through all elements of the stack, from the application itself through the utilities it interacts with to the server upon which everything runs – all from the perspective of security and keeping your customers and their data secure. By the end of this session, you will have learned: How to configure the Linux server upon which your stack runs How to lock down the webserver (Nginx/Apache) itself How to protect your database from abuse How to isolate your application from other systems running on the machine

API gateways come in many different packages, from hosted services to open source applications and address a wide range of needs. Are they useful for more than just large scale APIs? What problems do they solve when building a new API? What about existing legacy APIs? In this session, we’ll dig into where API gateways came from, and the variety of use cases for them. We’ll take a look at the role they can plan at different stages of API development – from building a new API, to making an existing internal API open to the public, to maintaining an existing API.

The core of PHP’s standard library comes from its collection of “glue” extensions. Add-ons to PHP who’s only job is to connect the runtime with a common C-library which does all the real work. PHP 7.4 will bring us a whole new way to create these kinds of simple glue wrappers without requiring any knowledge of C or build tools. This session brings the first introduction of FFI, or Foreign Function Interface, an incredibly powerful yet simple to use bridge between PHP and external libraries.

0

Refactoring is the art of improving the design of existing code. When we have an application that continues to produce revenue, it’s almost always better to reduce, reuse, and refactor, rather than throwing away the old code and starting anew. We’ll learn specific techniques, approaches, and code smells. We’ll see that our IDE can handle simple refactorings such as Extract Method. We’ll use our test suite to ensure that functionality did not change as a result of the refactoring. We’ll gain the habit of refactoring to make our code more expressive and therefore more easily understood after time has passed. Martin Fowler notes that the code we write today is merely tomorrow’s legacy code. Let’s make it as easy as we can on our future selves.

0

Half of the application security risks (ASRs) covered by the OWASP Top Ten list address requests made by visitors or third parties against your web application. Learn what each ASR is, how to identify it in your application, and how to protect against potential abuse. By the end of this session, you will have seen and learned to defend against: Injection (ASR-1) Broken Authentication (ASR-2) XML External Entities (ASR-4) Cross-site Scripting (ASR-7) Insecure Deserialization (ASR-8)

While the request and response encapsulate your API’s data, URIs provide the path to that data. But different API design patterns use URIs in different ways. In some, the API paths are nothing more than the address all data flows to and from. In others they communicate far more, describing relationships and even aspects about the request. In this session, we’ll explore those differences, and the friction introduced when APIs aren’t consistent about usage. We’ll also consider some patterns and anti-patterns of URI path structure, and how to define a path structure that’s future friendly.

0

The performance of a website affects the users of that website in ways that are hard to measure. The lack of responsiveness, lag, jank, and UI lockups can cause cognitive dissonance that breaks the user’s flow of thought. A page not responding in the way the user expects, or as fast as the user expects it to, can result in frustration and anger. From a business point of view, frustrated and angry users are unlikely to convert, and buy items from the site. Apart from the psychological and emotional effects of bad performance, the factors that result in bad performance can also make sites expensive to use. How much bandwidth does your site require to be downloaded? How much does that bandwidth cost in different parts of the world? How expensive is your site in terms of battery usage? How do you decide how fast your site should be? How do you decide if a feature is worth adding or if its benefits will be outweighed by the performance cost? How do you justify the development cost of improving performance? In this session, we’ll answer these and more questions by looking at the human aspects of performance, and how they can affect your business.

We start with the basics: What problems are version control systems intended to solve? We’ll see how to solve these problems by using git. We’ll learn some standard git-based workflows. We learn about the git repository as a graph; each git commit is a node in that graph. Finally, we’ll take away strategies and steps to follow when things didn’t go as intended. We’ll learn specifics such as squashing commits (why, and how to do safely); rebase vs. merge; signing commits; features specific to GitHub or Gitlab.

0

Some of the trickier application security risks (ASRs) covered by the OWASP Top ten are focused on infrastructure and application configuration. As these risks are deeper within the production stack, they can be harder to find and address. Together, we’ll walk through each of these risks, examine how to identify them in an application or production environment, and cover actionable steps you can take today to address them with your application. By the end of this session, you will have seen and learned to defend against: Sensitive Data Exposure (ASR-3) Broken Access Control (ASR-5) Security Misconfiguration (ASR-6) Using Components with Known Vulnerabilities (ASR-9) Insufficient Logging & Monitoring (ASR-10)

There are a few certainties when it comes to versioning APIs: It’s not something you want to do. When you finally do it, you’re going to do it wrong (according to someone). So is it possible to avoid it entirely? If you have to version your API, the overall design philosophy you’ve picked needs to influence how you go about that process. In this session, we’ll consider some of the common versioning techniques, how they fit with various API design patterns, and what to look out for when versioning an API. We’ll also explore ways to avoid versioning while still changing an API.

1

Whenever we speak about measuring web performance and user experience, we typically refer to static events in the browsing experience. Modern websites, however, are far from static, and user interactions with these websites have continuous aspects that cannot be represented by distinct events. How do you measure user frustration? How do you tell how fast your users expect your site to be? How do you tell if users were frustrated or annoyed before they got to your site or if your site caused that frustration? What are TTVR, TTI, TTFI, FID, and which of them is the most important? How do you tell if your page locks up during user interaction? What is your site’s median lethal dose? In this talk, we’ll look at some new user experience metrics. We’ll find out how to measure page responsiveness, smoothness, jank, and usability. We’ll learn about things like Rage Clicks, Missed Clicks, Dead Clicks, and Cursor Thrashing. We’ll also look at real user data that we’ve collected showing how these aspects of the page affect user behavior.

How do we get the most out of a code review? How do we keep it a positive experience? In this talk, we’ll consider both the culture needed for collaboration and specific methods to assist the process. Learn to give and receive feedback as a natural part of the job. Define metrics to measures the effectiveness of these reviews

0

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past. Don’t fall victim to simple oversights and instead keep your application – and your users – safe. By the end of this session, you will have learned: The differences between the various access control systems that are available: Role-based Attribute-based Rule-based Risk-based … and more How to integrate your PHP application with an access control system How to gauge where authorization is necessary and where it potentially fails

0

In an increasingly connected world, APIs are key to great tools and effective workflows. What is better than an API? A webhook of course! Webhooks are a key building block of a modern application, allowing systems to exchange data in response to events. This session gives examples of webhooks currently in use “in the wild” and examines both when a webhook is useful and the internal design and structuring of webhook payloads. We’ll discuss how to work with webhooks in a scalable way regardless of technology stack; how to receive and process incoming webhooks from an external system and how to design and publish your own for use by partners or consumers.

1

One of the first things to do when working on performance improvements is to start measuring. We cannot improve what we don’t measure, and things that are measured and watched tend to improve over time. The earlier talks in this track discussed which metrics were important to measure. In this talk, we’ll go over how to measure performance, and how to get useful diagnostics out of our tools. We will cover: Tools to measure web performance Understanding waterfalls Understanding browser diagnostic data Measuring RUM data How do modern web applications complicate the situation? Single Page Applications (SPAs) Accelerated Mobile Pages (AMP) Progressive Web Apps (PWA) At the end of this talk, attendees will have a strong understanding of how to find and debug web performance problems.

With high-volume data wrangling, it pays to remember the fundamentals with PHP prepared statements. We walk through our benchmark showing techniques that lead to 10X performance improvements. We’ll then take advantage of the producer/consumer pattern to implement our measured performance. We’ll be creating the data layer of our file-import project.

With recent GDPR policies, it became more evident that users should have more control over how their data is used. Though this brings to mind an even bigger question do we know how we’ve told users we plan to use their data? Have you read your privacy policy/terms of use? Are you building applications as promised? Join us in this session as we discuss the importance of being an ethical developer and ensuring we’re knowledgeable about the policies around the applications we build. By the end of this session, you will have learned: What is a privacy policy? What are terms of use? Importance of understanding how your application data is intended to be used

PHP is no stranger to APIs. In the PHP ecosystem, there are API related libraries, API micro-frameworks, full-fledged API frameworks, and more. While other sessions cover general API design patterns, in this session we’ll consider examples of common code patterns used when building APIs with PHP. We’ll explore some of the common patterns used in popular API frameworks – as well as the patterns found in some of the API related PSRs.

PHP performance has improved dramatically from PHP 5 to PHP 7. Gone are the days where PHP applications are slow because of PHP itself. So where does one look when a PHP application starts to slow down? We need to have the ability to quantify and measure performance before we can make meaningful optimizations. Otherwise, we are simply guessing and may be focusing on something that doesn’t need to be optimized. In this session, we’ll walk through concepts like profiling and instrumentation. We’ll learn about the performance impact profiling has on the code being profiled. We’ll also discuss resources and tools developers have at their disposal to help measure the performance of their PHP applications.

When MySQL tables quickly grow by millions of rows, table storage space becomes an issue. Our table design must focus on keeping these tables compact and efficient. We’ll be refactoring both our code and database table designs from Part 1. Code refactoring techniques include method extraction, abstract base class, static properties and methods, late static binding, arrays of instance objects, internal cache. We refactor our tables to place them in “third normal form,” providing far more compact storage and improved row-insert performance. We’ll be improving the data layer of our file-import project.

Keeping data safe and secure is critical in modern software development. This is especially true for the development of web applications and APIs. The tools you need to secure that data are based in cryptography, By the end of this session you will have learned: How creating randomness in the form of entropy is crucial in all forms of cryptography The differences between symmetric and asymmetric key cryptography How to utilize encryption secure data in transit and at rest How to utilize digital signatures to ensure and verify the validity of data How to utilize hashing functions to efficiently compare data How to utilize key derivation functions for storing and validating passwords Which libraries and modules to utilize for the best results

No, it’s not skynet. Hypermedia – and the concept of HATEOAS – may seem a little intimidating at first glance. But it’s not so much about generic API clients that can crawl any compliant API, and more about just applying concepts that have worked well for human navigation of the web to our APIs. In this session, we’ll consider the benefits of avoiding client-side path construction. We’ll also take a look at how applying some simple hypermedia concepts to our request/response design can open up significant potential for improvement, and greatly simplify the code consumers of our API have to write.

1

There are many areas to work on when improving web performance. For every type of resource that makes up a page, there are different ways of optimizing them. In this talk, we’ll look at several low hanging fruit – assets that can be optimized with very little work, most of which can be automated into your CI pipeline. We’ll then go into some more advanced front end topics that require development work, and humans to make a decision on whether it’s worth it or not. Topics that we will cover are: Image Optimization Compression Combining or Splitting CSS & JavaScript Whether to use domain sharding or not CSS & JavaScript considerations Service Workers Web Workers Preload hints At the end of this talk, attendees will have the skills needed to bring about immediate performance improvements to their sites, often with very little effort.

0

We all want our project to go well. We thus need clearly-defined goals. By structuring our projects around users’ needs we can ensure that the products do their job. We’ll learn to meet users where they are, think through their intuitive experiences, and create products that more effectively meet both stakeholder goals and our end users’ goals. We’ll practice thinking critically through the steps and decisions encountered in interacting with our product.

Making informed decisions regarding cryptography require a deeper knowledge of the differentiators between available algorithms, methods, and modes. Although creating these algorithms, methods, and modes is extremely difficult, understanding them isn’t nearly as difficult as you might think. By the end of this session you will have learned: How computer systems build entropy How cryptographic algorithms differ and why some are better than others How hashing algorithms work and what makes some more brute force resistant than others How key derivation functions work and what makes some less crackable than others Why quantum computing is so scary to cryptographers and what you can do today to protect your applications

0

API Spec Languages (like the OpenAPI Spec) are actively improving, and provide significant value. But they can also seem a bit out of reach for existing APIs that may be a bit ‘unruly’, and a bit tedious when you’re in the design phase of a new API. In the session, we’ll take a close look at the various benefits spec languages offer, from documentation generation to validating design without writing code. We’ll also consider some practical ways to get starting using spec languages, for both existing and new APIs.

0

In the previous talk, we covered some easy wins with performance optimization. In this talk, we’ll look at aspects of frontend performance that need to be tuned or fixed server-side, either via a web server, or operating system configuration. We’ll look at HTTP level questions like: How aggressively should you be caching, and what are the optimum cache headers to use? How do anti-virus tools installed on client computers affect web performance and what can you do about them? How do you prevent unnecessary requests from going through to the server? How does H2 prioritization work? How does H2 push work? We’ll also look at TCP level questions like: What are MTU, MSS, and TCP Windows and how do they affect performance? What are TCP slow-start and fast-open? What is QUIC (HTTP/3)? How to use Wireshark to study network activity? At the end of this session, attendees will understand how to debug low network level performance problems, and configure systems for performance improvements.

Specification by Example (SBE) is a powerful form of collaboration with our project stakeholders. We have processes to ensure our software works as designed, but did we design the right features in the first place? SBE allows us to write down and verify enough concrete examples using the stakeholder’s own language. We’ll build “Given… When… Then…” examples which then become tests, and therefore executable specifications.

0

Properly securing your applications and data require an understanding of the threats facing them. Threat modeling is the methodology for identifying and quantifying the threats your application can and will face. There are a number of resources available for performing a threat model but this session will get you started building a strategy from nothing. You will learn: How threat modeling works How to map out your application and its assets, levels of trust, and dependencies How to properly rank threats with a standard ranking model Simple risk mitigation strategies How to inject threat modeling into your software development lifecycle

As a variety of well-supported HTTP clients meets the rise of consistent patterns applied to API design, are we essentially removing the usefulness of an API specific client library? Standards like HAL and Siren address common parts of API response. Description languages like the OpenAPI Spec define a way to communicate the behavior and structure of an API. With generic libraries that consume well-known API formats and code generators that create API specific bindings is there any value in a bespoke language-specific API wrapper? In this session, we’ll consider how client libraries can help create a better developer experience for existing APIs and explore what a long term vision of client libraries may be, as more new APIs embrace modern patterns and standards.

Getting started with performance and profiling tools can seem a little overwhelming. How do you install them? How do they work? What do they do? Are they safe to run in production? In this hands-on session, we’ll take a look at a few profiling tools so you can see them in action. We’ll work on a sample project together to see if we can find performance optimizations with our newly installed tools. You’ll leave the session with confidence to continue your performance work on your own projects. A link to the project will be provided prior to the conference. The repository will contain a list of dependencies. If you want to take part in the hands-on aspect of this session, ensure you have the project downloaded and its dependencies installed before the session starts.

Before you start writing tests, you need to move a level up and learn about what benefits you are going to receive by investing your time into learning the technical and people skills you will need. In this session you’ll learn about the Five Factors of testing: Verify the code is working correctly Prevent future regressions Document the code’s behavior Provide design guidance Support refactoring

Producer/consumer programming is essentially a collaboration pattern. Different groups or teams can independently handle their own responsibilities. Teams can use different programming languages from each other, different infrastructure, and so on, allowing groups to collaborate with each other without being constrained by the other groups’ processes. The producer/consumer pattern also allows for scaling out an application, for offloading work from the main application to reduce bottlenecks, and reducing the impact of severe traffic spikes. The producer/consumer pattern is also one way of introducing microservices. The code for this talk continues our file-import project.

“DevOps” will save us all from a horrible workflow of waiting for some faceless team to set up servers and deploy our application. I mean, “DevOps” will make it easier for developers to deploy their applications as they see fit. Sorry, I mean that “DevOps” will allow our application to scale. What exactly does “DevOps” actually mean? Where did it come from? And why can we not decide on what “DevOps” means. Let’s set the stage for what to expect and dig into what DevOps should be.

So what will your first test end up looking like? In this session, you’ll be taken on a guided tour of how to approach writing a test and implementing a series of tests. This session is a guided tour of creating a series of testing scenarios for implementing the FizzBuzz algorithm. By the end of this session you will have learned about the following: How Test-Driven Development works The testing building block of assertions How to build test scenarios using the Arrange-Act-Assert pattern How to reduce the amount of code you need using built-in PHP features

With the producer/consumer pattern we can produce information, such as usage statistics or event logging, literally anywhere and ship the information off to a centralized data processor. We’ll see how to create messages without concern for the ultimate destination or distribution. We’ll process the messages with a PSR-3-compliant logger. In this talk, we’re instrumenting our file-import project with event logging.

One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will help developers a better understanding of the underlying operating systems, how they work, and how they are configured. Developers deploying to bare metal, VPS’s, and containers will all benefit from knowing what is happening under the hood.

Now it’s your turn to write a test! In this session, you will follow along with the instructor as they guide you from having nothing to having PHPUnit installed and some tests written to implement an Arabic to Roman Numeral conversion tool. Bring your laptop with you and let’s hope the conference wifi stays up! By the end of this session you will have done the following: Learned how PHPUnit works behind the scenes Installed and configured PHPUnit Built a series of tests using the Arrange-Act-Assert pattern

If you attended previous talks, we have been building data pipelines using the producer/consumer pattern. We now add more steps to our data flow, placing records into an Elasticsearch database and using Kibana for data visualization. Although our PHP code works with one record at a time, we’ll learn how to view the data flow like a river, from upstream to downstream. We’ll be visualizing the results of our file-import project

Containers are one of the most misunderstood technologies that we have today. Despite that, everyone wants to use containers. Let’s explore what exactly containers are, how many different kinds there are, and how they work. If you want to know how a container works, this talk is for you!

Test doubles are a very controversial topic for those who care about writing tests. Knowing what they are and having a strategy for using them is an essential tool for writing effective tests. By the end of this session you will have learned the following: What types of test doubles PHP folks are likely to use The Chicago School vs. London School test double argument How to use test doubling frameworks How to roll your own test doubles

1

Working with streams sounds scary and complicated but we’ll show you how to leverage streams to process large data imports without having to sell your house to buy RAM. Streams are a way to generalize data for easier processing in a linear way including the ability to seek around the stream. We’ll cover our own tips and tricks we’ve learned along the way to help you dive deep into processing streams. Streams have been in PHP since back in the 4.x days however we continually see developers trying to iterate on huge data sets and often run out of memory. We’ll show you a better solution instead of “ ini_set(‘memory_limit’,’16GB’);”

Thanks to tools like vagrant, puppet/chef, and Platform as a Service services like Heroku, developers are extremely used to being able to spin up a development environment that is the same every time. What if we could go a step further and make sure our development environment is not only using the same software, but 100% configured and set up like production. Docker will let us do that, and so much more. We’ll look at what Docker is, why you should look into using it, and all of the features that developers can take advantage of.

Test-Driven Development is great when you are in a position to start from scratch. Most of you will be working with existing code bases so the approach is different. The tools are the same but you have to master some new skills to make it work! By the end of this session you will have learned: How to create testing environments that match production How to identify dependencies for a test Refactoring strategies to make the code more testable

0

Dive deep into your code bases and add strict typing to leverage static analysis tools that can help find bugs in your code before it’s even run! We’ll explore Phan and PhpStan, both fantastic static analysis tools that can give detailed introspection into our applications. Static Analyzers can help find overly complicated logic and other common issues in our code bases as well as ensure our data types are standardized across our application processing.

Using containers locally is one thing, but deploying them into a production environment can be a whole other animal. There are multiple options like Rancher, Swarm, and Kubernetes, each with their own learning curve. How do we take a container and set of locally developed software and deploy it to the cloud? We will look at different ways to handle moving from development to Production with containers.

There are some tools that we should be taking a look at if we are writing tests and aiming to increase the quality of our code while reducing the number of bugs. Not only that, you need to be able to make the case to skeptical co-workers (or even bosses) on why committing to automated testing is worth the effort. By the end of this session you will have learned: How to integrate build systems into your workflow How static analysis tools help improve your code How mutation testing helps you create better tests How testing is about shifting the cost of bug fixing to the cheapest time

Caching is among the most vital parts of any modern system, and one of the most cost-effective ways of squeezing that extra bit of oomph from an app. Thankfully, we now have more caching techniques and tools than ever, but knowing how they fit together is difficult. Memcached and Redis are just the first steps on a journey of building leaner, faster apps. We’ll go from reverse proxies like Varnish and NGINX to the newest features of Redis 3.0, and beyond. After this session, you’ll have everything you need to create the right caching game plan for your application!

Despite the marketing speak, containers will not magically make your application scale. There are things that you still need to consider, not only with how your application is architected but also how it is deployed. We will look at what you need to consider from the deployment and packaging to notifying the stack that there are more containers.

These sessions have concentrated on using PHPUnit and tools that are bundled with it. There are definitely more tools out there that you can use! With an understanding of the basics, you can evaluate other testing tools to see if they are a better fit for you. By the end of this session you will have learned the following: Unit tests vs. integration tests vs. functional tests phpspec Codeception atoun Kahlan

The Application and Service Architecture is a style of software design where services are provided to an application by other systems through a communication protocol over a network. These may be cloud-based services and/or microservices. Large systems can be composed across numerous platforms with differing security requirements. We’ll note potential pitfalls, including automation, deployment, and monitoring.

Containers are a wonderful tool that helps us create clean room environments for doing our work. We can extend this to being used in our Continous Deployment workflows to do things like run our unit tests, integration tests, and even set up small-scale deployments for testing. Containers are also super-useful for allowing CI workflows to use the tools they want, no matter the underlying infrastructure. Let’s look at how we can use containers with tools like Jenkins, CircleCI, and GitLab for doing work.