Joy Clark will be giving a talk at EuroClojure 2017. Her talk is called Simple AND Secure?
PurelyFunctional.tv: How did you get into Clojure?
Joy Clark: I started doing Clojure in the university. I first learned Java in my first programming courses in the university, but I had a great mentor who taught me the principles of functional programming within the Java language. I didn’t use Java 8, but I did try to make all of my classes as immutable as absolutely possible. By the time I took a functional programming course in my Master’s program, I was already thinking in a very functional way. So once I got started using Clojure and got used to the lisp syntax, I absolutely loved it. I can now program exactly what is in my head without having to fight with the programming language.
PF.tv: What is your talk about?
Joy Clark: I'm going to be talking about security in Clojure web applications. The title of the talk is “Simple AND Secure?”. In Clojure you tend not to have a huge framework that does everything for you but rather many different libraries that you can combine together to create a working web application. I find the resulting code to be very simple (i.e. I can really understand each step that is taken from the servlet layer to the handler functions), but there is also the danger that security in the application can be completely missing because the developer has to explicitly add it. However, there are a lot of libraries available in the Clojure universe which can be used to create a secure application, so I am going to talk about those.
PF.tv: Who is your talk for?
JC: My talk is for Clojure developers who are programming web applications. In essence, I created the talk for myself: I wanted to create a checklist of security related aspects that I need to check for each application that I write and also get an idea about how to solve them within my application. As a developer, we can’t protect our application against all attacks or vulnerabilities (because so many of them are unknown), but we really have no excuse for not protecting against the most well known vulnerabilities.
PF.tv: What do you hope people will take away from the talk?
JC: There are quite a few things that I hope people will take away. The most important thing is that I hope Clojure devs start using an HTML Templating language that provides HTML escaping by default (Hiccup 2 does, but Hiccup 1.x does not). And in general, I hope that everyone will come away with more of an idea of what we need to consider in order to achieve at least basic security in our web apps.
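The escaping defaults mentioned in the answer above, as an added example that is not part of the interview. It assumes the dependency `[hiccup "2.0.0-alpha2"]`, which ships both the old `hiccup.core` namespace and the new `hiccup2.core` one; the `untrusted` value is a constructed stand-in for a request parameter.

```clojure
;; Added example (not from the interview): Hiccup 1.x vs Hiccup 2 escaping.
;; Assumes [hiccup "2.0.0-alpha2"] on the classpath, which provides both namespaces.
(ns escaping-demo
  (:require [hiccup.core :as h1]     ; Hiccup 1.x API: content strings are NOT escaped
            [hiccup2.core :as h2]))  ; Hiccup 2 API: content strings are escaped by default

;; Constructed sample: a value that arrived from a request parameter.
(def untrusted "<b>untrusted</b>")

(defn render-v1 [input]
  ;; Hiccup 1.x inserts the string verbatim, so any markup inside `input`
  ;; becomes part of the page unless the developer escapes it explicitly.
  (h1/html [:p "Hello, " input]))

(defn render-v1-escaped [input]
  ;; The 1.x mitigation: wrap every untrusted value in hiccup.core/h,
  ;; which replaces <, >, &, and quotes with HTML entities.
  (h1/html [:p "Hello, " (h1/h input)]))

(defn render-v2 [input]
  ;; Hiccup 2 escapes every plain string it encounters. html returns a
  ;; RawString, so `str` produces the final HTML text.
  (str (h2/html [:p "Hello, " input])))

(defn render-v2-trusted [markup]
  ;; Opting out in Hiccup 2 is explicit: only values wrapped in h2/raw
  ;; bypass escaping, which keeps the unsafe path visible in code review.
  (str (h2/html [:p (h2/raw markup)])))

(comment
  ;; render-v1 passes the <b> tags through; the other two renderers
  ;; turn them into entities and the browser shows the literal text.
  (render-v1 untrusted)
  (render-v1-escaped untrusted)
  (render-v2 untrusted)
  (render-v2-trusted "<em>trusted markup</em>"))
```

Grepping a Hiccup 2 code base for `raw` is a quick way to audit every place where escaping is bypassed; with Hiccup 1.x the audit has to find every place where `h` was forgotten instead.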
PF.tv: What concepts do you recommend people be familiar with to maximize their experience with the talk?
JC: I will not be covering any language basics in the talk, so it is important to be at least familiar with the Clojure language. I will be covering the basics of how a Clojure ring application is structured, but it would probably be best to be familiar with HTTP and web applications in general. Any background knowledge about security vulnerabilities in general will probably help as well.
PF.tv: What resources are available for people who want to study up before the talk?
JC: The main resource that I will be referencing throughout the talk is the OWASP Top 10 2017 list of security vulnerabilities. I will introduce the different vulnerabilities briefly, but I will probably not be able to give an in-depth explanation of all of them.
PF.tv: Where can people follow you online?
JC: I am on Twitter at @iamjoyclark.
PF.tv: Are there any projects you'd like people to be aware of? How can people help out?
JC: I am personally not very partial to either Vim or Emacs (here is where the audience lets out a huge GASP and stops respecting me as a person and a programmer, but I’m not afraid of them anymore). For Clojure, most developers use Emacs and therefore the tooling for Emacs is very good. So the project that I would like to make people aware of is Nightcode, which is a Clojure IDE written in Clojure. It isn’t super powerful, but it allows a newbie to spend their time learning the Clojure language instead of learning how to use Emacs (which is much more difficult than the language). For this reason, I think it is very important to support non-Emacs/Vim editors/IDEs.
PF.tv: Where do you see the state of Clojure in 10 years?
JC: It's really difficult for me to say what Clojure will be like in 10 years. However, I like to think that the language will be just as strong in the future. Many consider it to be a niche language, but it runs on the JVM and there is a very active open source community, so I don’t think it is going anywhere anytime soon.
PF.tv: If Clojure were an animal, what animal would it be?
JC: As much as I don’t want to compare my favorite language to an insect because the connotation is usually negative, I would probably liken Clojure to an army of ants. A Clojure program is composed of lots of little functions which each have only one task, but when combined together, they are extremely powerful and flexible.