Can you imagine losing your home?

Imagine you have a home … the home of your dreams. The home you have built with years of toil … blood, and sweat.
Imagine sharing it with your family … wife, kids, parents.
Imagine losing it all in the blink of an eye to the roaring stream of water!!


It is undeniable that our world is going through a climate crisis. Decades of unsustainable environmental practices and misaligned priorities have created a horrific scenario. This monstrosity appears at an ever-increasing rate in the form of famine, floods, and extreme temperatures.

Sadly, this time it hits close to my home. Pakistan, my home country, is the fifth largest country in the world, with a population of 220 million (approx). It has witnessed an unprecedented monsoon season, resulting in massive floods across its vast rural plains. According to government sources, almost 33 million people are directly affected, and it has killed more than 1000 people. The flood mainly hit the rural parts of the country, which lack health and infrastructure services. In addition, there is a looming food crisis as the agricultural land has been devastated. 

Yet another tragic humanitarian crisis created by humans!

Recently, a friend of mine lost his home because of these floods and had to relocate, leaving everything behind. Unfortunately, there are many stories like that, and they are not unique to Pakistan. Last year, we faced flooding in British Columbia, Canada (my adopted home). So did Iran, South Africa, and many more. Same template, different premises … similar distress, many sufferers!

It is a terrifying moment for all of us. As a result, there is a great need to re-evaluate our individual and collective actions. We have to put our environment first, just like we put our home or our families first.

In these dark hours, it is all the more important to keep hope alive. A hope that we may find a way to coexist with our surroundings and somehow figure out a way to undo centuries of vendetta against our mother nature.

If you would like to help with the relief work, you can donate to support efforts to relocate families from remote areas and provide them with food rations and medicines. Following are some of the trusted charities you can consider:


Ensuring Quality Through the Definition of Done

This is an article I wrote a long time ago that was published on the Scrum Alliance community blog. Unfortunately, after a recent revamp, old blogs were removed from the site. Given that this article was viewed and discussed by many, I am putting a copy here. I hope you will like it.


Quality is one of the most commonly used terms and at the same time one of the most misunderstood. It serves as a ‘get out of jail card’ and as marketing jargon. Putting the shenanigans aside, there is a real need to understand the term. So let’s try to explain quality and how we can ensure the quality of a product.

Quality is an abstract concept and any description will be a mere approximation. For example, quality can be defined as a general satisfaction level of a person or compliance with a certain set of standards. Therefore, it is very important for a development team to come up with their own definition of quality or quality goals for their product. Quality goals are complementary to the functional requirements and will play an important role in the success of the product.

It is important to understand that quality can have subjective or objective aspects. Each subjective aspect needs to be approximated by an objective one. For example, client satisfaction is a subjective aspect that can be approximated by client feedback and surveys. Similarly, client preferences can be mapped to business intelligence reports or business analytics. Once all the aspects are defined, the next step is to document and share that information with the whole team. This is where SCRUM can play a vital role. SCRUM not only defines a way of doing things but also specifies the nature and requirements of the work to be done. One of the key work-related concepts is the ‘Definition of Done’ (DoD). DoD refers to the team’s shared understanding of what completed work looks like. With the help of the Scrum Master (SM), we can incorporate quality aspects into the DoD. There are three main advantages of doing this:

1. The whole team will have a common understanding of the quality requirements and will take ownership of them.

2. Quality will be ingrained within the product, as no task will be completed without fulfilling the quality requirements.

3. Quality is assured early in the development process. This can save huge effort and money on costly quality control processes.

This approach can be applied to both new and ongoing development.

Tips to make the Definition of Done (DoD) work for you

– Put the DoD on the Scrum team’s board or wall, where it is visible to the team all the time. Let your creativity fly and come up with a unique or eye-catching way of describing doneness. The more verbose or monotonous the definition, the less likely people will notice it (remember, we are living in a world of ever-shrinking attention spans).

– If you are a Scrum Master, try to emphasize the importance of the DoD once in a while. Lead by example all the time.

– Have a well-defined review or change management process.

That’s about it. This is a very simple, cost-effective, and agile approach to ensure a quality product.

Leaky cauldron: A case of a vulnerable container

Containerised application development is a common engineering practice. However, putting your code in a container doesn’t make it secure out of the box.
Want to know more?
Let me tell you about 5 simple ways to make your container application secure. See my blog for details… ttyl

Is your container truly secure?

Containerised application development is a common engineering practice. However, putting your code in a container doesn’t make it secure out of the box. Yup! You heard it right. And believe me, you are not the only one! Count me on this list as well.

The moment of realisation dawned upon me when I had a conversation with the AppSec engineer (Aaron) about it. This is how the conversation went (at least, as far as I can recall).

Me: Hey Aaron, how are you doing mate!

Aaron: Good, OZ, how about you?

Me: Same old same old. Hey, I would like to run a few things with you regarding the new service I am working on.

Aaron: Sure! Shoot

Me: Well! it will be quick as I have it all covered (me showing off). It is a containerised application so security wouldn't be an issue...

Aaron: Hold it right there. What makes you say that?

Me: (caught a bit by surprise) aa.. as I said, it is CONTAINERISED.

Aaron: News flash, OZ: putting your code in a container doesn't make it secure out of the box. At worst, it gives you an illusion of security which can catch you off guard.

Me: I have to be honest with you, I wasn't aware of it.

This conversation was a bit embarrassing, but I have been a developer long enough to know what I don’t know and I am never shy to admit it. This conversation made me think about the security aspects of a container-based application. It started a journey to explore the notion of security in the context of container-based applications.

In this blog, I will share a quick summary of useful stuff that helped me create a better, more secure application.

Without further ado!

Drum rolls please!!

5 simple ways to improve your container security

1: Smaller container = Smaller attack surface

The container should only contain enough support structure (OS features, tools, libraries, running processes, etc) to run the desired application as expected. Everything else should not be part of your container ecosystem.

Given the hereditary nature of container frameworks like Docker, you are not only inheriting the functionality but also the security vulnerabilities. It is important to evaluate the base image carefully.

One possible solution is to use Docker Slim, which minifies the image and creates security profiles (more on that later). Check out this short video for details.

Don’t take my word for it… see it in action!

This principle will guide you towards a microservice-based architecture. A smaller image is easier to sync with remote repositories and improves deployment time.

2: Contain the container

Control what the container can see and do!

The operating system (OS) provides a large number of system calls to perform various OS and kernel related operations, like modifying I/O privileges or profiling.

It is important to control the system calls a container can run. By default, Docker applies a seccomp profile that whitelists a subset of system calls and blocks the rest. However, you can take it a step further and create a tighter list.

Ensure that the container runs with the least possible privileges. Aside from seccomp, you can isolate containers (limit what a container can see or do) by running them in the context of an unprivileged user. DON’T USE THE ROOT USER unless there is a clear case for it. Remember: by default, the root user in a container is the root user outside of it.
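As an added example that is not part of the original post, here is what such a “tighter list” looks like in the JSON format Docker loads via `--security-opt seccomp=FILE`, together with a small evaluator that models how a rule’s `includes.caps` ties a syscall to the container’s capability set. The allowlist is a constructed one for a hypothetical web service, not Docker’s default profile.

```python
import json

# Constructed allowlist for a hypothetical, non-root web service (assumption:
# it only needs file, memory, socket and timer syscalls). Docker's own default
# profile has the same JSON shape but allows far more syscalls.
BASE_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
    "exit_group", "futex", "rt_sigaction", "rt_sigprocmask", "socket", "bind",
    "listen", "accept4", "epoll_create1", "epoll_ctl", "epoll_wait", "getpid",
    "clock_gettime", "nanosleep",
]

def build_profile(extra=()):
    """Return a profile dict in the format Docker loads via --security-opt seccomp=FILE."""
    return {
        # Anything not listed below fails with errno 1 (EPERM) instead of killing the process.
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": 1,
        "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                     "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
        "syscalls": [
            {"names": sorted(set(BASE_SYSCALLS) | set(extra)), "action": "SCMP_ACT_ALLOW"},
            # Docker only installs this rule when the container actually holds CAP_CHOWN,
            # so dropping the capability also closes the syscall.
            {"names": ["chown", "fchown"], "action": "SCMP_ACT_ALLOW",
             "includes": {"caps": ["CAP_CHOWN"]}},
        ],
    }

def action_for(profile, syscall, caps=frozenset()):
    """Simplified model of the filter Docker builds from the profile: the first rule
    naming the syscall whose includes/excludes.caps fit the container's capability
    set decides; if no rule fits, defaultAction applies."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        required = set(rule.get("includes", {}).get("caps", []))
        forbidden = set(rule.get("excludes", {}).get("caps", []))
        if (required and not required <= caps) or (forbidden & caps):
            continue
        return rule["action"]
    return profile["defaultAction"]

if __name__ == "__main__":
    profile = build_profile()
    with open("seccomp-web.json", "w") as fh:   # pass this file to docker run
        json.dump(profile, fh, indent=2)
    for name in ("read", "accept4", "ptrace", "mount", "chown"):
        print(f"{name:8s} -> {action_for(profile, name)}")
```

Run the container with `docker run --security-opt seccomp=seccomp-web.json --cap-drop ALL --user 1000:1000 …` so that the profile, the dropped capabilities and the unprivileged user reinforce each other.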

3: Run vulnerability scans

Containers are created hierarchically. Your container uses a base image that may inherit from another, and so on. This establishes a system largely based on vendor or third-party components. With this model, you inherit the good, the bad and the ugly.

If your base image has a security vulnerability, guess what!! It has become your application’s security vulnerability. This serious problem led to the rise of vulnerability scanning tools like Twistlock, Anchore, Clair, etc. There are a lot of options out there… open source and proprietary. In fact, Docker Enterprise also provides scanning when you push your Docker image to the registry. Personally, I am using Twistlock and it works like a charm.

To put it simply, the main purpose of a vulnerability scanning tool is to perform a static analysis of the image’s dependency tree and identify potential security loopholes by comparing it against a database of known security issues.

The scan results may look like this:

Recently, I used these tools extensively with the service I am working on. I will share my insights from a comparative analysis of the JRuby image on OpenJDK, AWS Corretto, Adopt JDK and Azul Zulu. Let’s keep this topic for another blog 🙂

Pro tip: Integrate Security Vulnerability scan in your CI/CD pipeline and make it a blocker for your deployment.
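As an added example that is not part of the original post, the matching step described above (the image’s package inventory compared against an advisory database) together with the CI gate from the pro tip. The packages and advisories are constructed, and the advisory IDs are placeholders rather than real CVEs.

```python
import re
import sys

# Constructed advisory database standing in for what real scanners (Clair, Anchore,
# Twistlock, ...) pull from distro security trackers; the IDs are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed_in": "1.1.1k", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "libxml2", "fixed_in": "2.9.12", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "zlib", "fixed_in": "1.2.12", "severity": "medium"},
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed package inventory, like one read from an image's package-manager database.
IMAGE_PACKAGES = [
    {"name": "openssl", "version": "1.1.1j"},
    {"name": "libxml2", "version": "2.9.13"},
    {"name": "zlib", "version": "1.2.11"},
]

def parse_version(version):
    """Turn '1.1.1k' into a tuple that compares numerically per component; numeric
    parts are tagged 0 and letter suffixes 1 so mixed parts never raise TypeError."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))

def scan(packages, advisories=ADVISORIES):
    """Report every installed package that is older than an advisory's fixed version."""
    findings = []
    for pkg in packages:
        for adv in advisories:
            if (adv["package"] == pkg["name"]
                    and parse_version(pkg["version"]) < parse_version(adv["fixed_in"])):
                findings.append({**adv, "installed": pkg["version"]})
    return findings

def gate(findings, fail_on="high"):
    """CI gate: True (deploy) only if no finding is at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f["severity"]] < threshold for f in findings)

if __name__ == "__main__":
    found = scan(IMAGE_PACKAGES)
    for f in found:
        print(f"{f['severity']:8s} {f['id']} {f['package']} {f['installed']} "
              f"(fixed in {f['fixed_in']})")
    sys.exit(0 if gate(found) else 1)   # a non-zero exit code blocks the pipeline
```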

4: Apply security best practices

I had to have this one on my list. It is always handy to have a tool for course correction, especially for a lazy, lousy developer like me.

Lads! Please welcome “Docker Bench for Security”. Shout out to Thomas & Diogo for this Swiss army knife of a tool for Docker developers.

When you run this tool against your container or image, it executes a script that checks common best practices (like the stuff we discussed in point #2) and gives you a quick summary and report. Running this tool while developing apps will ensure that all bases are covered.

# clone the repo and run the script from its directory; -i limits the checks to containers or images whose name matches the given pattern.
sudo sh docker-bench-security.sh -i <Container or Image Name>

One area of improvement for this script: I would love to have something like this as part of my continuous development process or as a plugin for my IDE. Let me know your thoughts. If I get 10 or more yeas, I will work on it.

5: Use signed images

This may sound obvious and common knowledge but more often than not, it slips through the cracks. You can blame the triviality of the task but it can be consequential.

As a general rule of thumb, you should know the owner of the Docker image you are using (as a base or as an element of a composite). This is where “signed images” come into the picture. It revolves around the idea of using digital signatures to ensure integrity.

The author should sign the images and the consumer should use only signed ones. Let’s break this down a bit.

Author Checklist

One of my signed images #self marketing

– Generate “root key” using docker trust. See the link below for more details

– Use the root key to create a repository/tag pair using docker trust signer. The public key will be shared by the Docker Notary service.

– Use the private key to sign the tag.

– There is no need to sign all the tags. However, you should sign the ones your consumers will use, for example the latest or LTS tag.

– Make this part of your build process to avoid manual work.

– Think about whether it makes sense for you to make it an official Docker image. It is not straightforward; you need to comply with a list of requirements that may affect your timelines.

More details here.

Consumer Checklist

– Use official or user-signed images.

– Enforce this check on the docker daemon to avoid non-compliance.

Application security is a vast and evolving field. I am not an expert in it by any means. The main purpose of this blog is to share my experience and things I learned by reviewing articles, documentation and going through many iterations of trial and error.

I hope it helps in your journey! Let me know your feedback.

Stay Safe! Stay Hopeful!

My Experience @ VoxxedDays 2019

VoxxedDays only recently started organising conferences and tech community events in Singapore. However, they are establishing themselves as one of the legit places for developers, entrepreneurs and techies.

My relationship with VoxxedDays goes back to 2017, when they held their first conference in Singapore and I was lucky to participate in it.

This year’s conf lived up to its reputation.

Fan moment #1 “With Compiler Wizard Chris Thalinger”
Fan moment #2 “Jenkins Creator Kohsuke Kawaguchi”

Key takeaways are the sessions related to Graal (which includes mine as well), Kafka and Kubernetes. Since it’s my blog, I will share my session link 🙂

I would also like to give a special mention to the day 1 closing note from Tim Berglund.

Checkpoint 2019

It’s that time of the year when we look at the passage of day and night with more excitement.

It’s not just another day end…

it’s not just another month end…

IT IS the end of the whole freak’in YEAR

and I don’t see any reason not to celebrate it… we made it through.

Just like with everything these days, new year’s eve attracts its share of negativity from people who question the rationale of celebrating the new year.

I hear your point! I do!

Now, tell me: if the new year is not worth celebrating, then what is?

Human celebrations (almost all of them) are associated with the start OR end of something … Independence Day, the coming of spring, harvest, birthdays and so on!

So, on this special occasion try not to be a drag and have some fun!

Happy Holidays, Merry Christmas and Happy New Year to everyone!

What’s up with all the silence, OZ

Wasn’t blogging for a while and let me tell you why!

Let me be the first to admit that I have been awfully quiet on my blog for a few months. The silence on the blog does not tell the whole story of the past months. Looking back, they have been hectic. Let’s break it down a bit!

Hello Fatherhood

Became the father of a baby gal (wooohoooo)… I was shit scared, but holding your child is the best feeling in the whole world… words can’t explain it and words are not enough.


I wanna be a youtube star 😀

Started a YouTube series about the serverless computing model. Episode 1 is already up!!

OZvsServerless EP1


Attended + Presented at FOSSASIA 2018. It was fun reconnecting with old friends and visitors from all over the world.


See the full video here: The myths and realities of serverless architecture – Owais Zahid – FOSSASIA 2018

Hello Toronto

Took a 23-hour flight to Toronto and attended Scrum Gathering. It was an amazing experience visiting this lovely city and meeting the most polite ppl on the planet :D. More on this later.


Few Other things!!

Apart from the big ones! Participated in Google Code Jam and a hackathon, learned how to change diapers :D, and had an argument with a Lufthansa flight (see Twitter for the whole story :p)

There you have it! A quick summary of what happened. Now that the dust has settled, I will add more blogs and videos (so stay tuned!)

Connecting people in Style … CSS

Why are tech communities important? Is your organization socially connected?

Quick question: “Do you know why Open Source / Inner Source projects are more successful and evolve at a higher rate?”

Well! There are many reasons for it, but none more important or crucial than “Community”.

A community is a set of people who have common understanding, aspirations, and concerns. From social work to social awareness, communities have been integral to the development, improvement, and sustenance of human societies.

Using the same definition, we can infer, by virtue of “what’s true in the real world is true in the virtual world”, that communities, or to be specific tech communities, are integral to the development, improvement, and sustenance of projects. The main reason we use a particular tool or technology has a lot to do with the number of people backing it. We frequently come across statements that mention the “number of stars” or “forks” on GitHub, the amount of documentation, the tutorials available, etc. All these factors are crucial to the success of a project.

Long story short, “Tech communities are important”.

More so, there is a social aspect to communities. When people are part of a group, they start to build relationships and bonds. This process not only strengthens the fabric of the unit but also accelerates learning and the exchange of ideas. Bringing the people of a community together always results in innovation, creativity … spark.

Continuing the tradition of social connectivity, on 29th Nov Autodesk Singapore hosted the Singapore CSS meetup group. The idea is to bring web experts and enthusiasts onto a single platform and let the two-way communication kick in. From financial institutes to design studios, from college students to tech companies; we got a crowd of over 40 people from all walks of life.

We also got an opportunity to showcase some of the awesome stuff we are doing at Autodesk. We spread the message that Autodesk is one of the great places to work and that we value innovation and creativity. All in all, I had a great time meeting new and old friends and learning new things.

To know more about the event, see the official page. Following are some of the pictures from the event 🙂