Nested Workflows with jBPM

I am working on a project where we are utilizing BPMN for authoring and controlling the processing of analysis. Any single analysis task may yield several descendants, like how a .ZIP file has many child files. Additionally, many analyzers also yielded additional analysis for both the inputted artifact and additional artifacts. Currently we were treating each and every child artifact, as well as child workflows, as completely separate entities.

This hurt us for a number of reasons. Artifacts that had a very large number of children, like large APK file types, would clog up our system and prevent other users from utilizing the system until that processing was complete. Additionally, it was never evident when the total analysis was completed on the initial artifact. That meant the final analysis of a top-level artifact, which analysis from a descendant may actually affect, could be inaccurate and misleading.

I was tasked with fixing this issue to help both the system utilization issue as well as being able to accurately determine when a top-level workflow is indeed complete. I theorized that we were in fact underutilizing jBPM and that it is the proper way to handle this task. Initially I used the forEach block, which would iterate through all the new work orders. Instead of invoking the worker directly, I recursively called this new handler I created. As each process completed, it returned the child workflows, allowing jBPM to further invoke all child workflows. This worked really well, causing all child workflows to finish up before their parent was considered complete.

Unfortunately, after some testing this proved to be a disappointment with respect to performance. The forEach loop is blocking and is single threaded. That means for each child workflow you had to wait for its sibling to complete. This was a tremendous under-utilization of resources and really slowed down performance. I had attempted to optimize in other areas, but this was the bottleneck. I redesigned this quickly and got rid of the forEach loop; instead I handle this by submitting the Runnable tasks directly to my thread pool. Now I did have to track those tasks' completion, which was an added complexity. This was well worth it. The end result yielded performance even faster than the initial non-nested version. I strongly recommend this approach for large-scale workflows that are utilizing a jBPM engine. This project was using a slightly older version of jBPM (5.5.0.Final), but I think this design would still be useful even with 6.X.X. I hope to post some sample code soon to better illustrate how to leverage this technique.

As for the other issue of clogging the system, now we can manually adjust how many “child workflows” consume the thread-pool. In fact, I configured it so that once the thread-pool became full instead of queuing up the next child workflow, it was run serially. This was necessary because the child workflows determined when the parents were deemed completed. That meant if the child workflows were queued up…it may be possible that the parent workflow could result in a deadlock and never complete. Forcing them to run serially would be slower but would ensure an eventual completion.
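The saturation behaviour described above, sketched with a plain `ThreadPoolExecutor` rather than the jBPM API (an added example, not the project's code): a pool with no queue and a caller-runs rejection policy, so a child is either running on a worker or run serially by its parent, never parked behind a blocked parent. The class, the `Artifact` record, the pool size and the sample tree are all assumptions made for illustration; it needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class NestedWorkflowDemo {
    // Constructed stand-in for an artifact and its children (e.g. the files inside a ZIP).
    record Artifact(String name, List<Artifact> children) {}

    // Bounded pool with no queue: when every worker is busy, CallerRunsPolicy makes the
    // submitting thread run the child itself (serially) instead of parking it in a queue.
    final ThreadPoolExecutor pool = new ThreadPoolExecutor(4, 4, 0L, TimeUnit.MILLISECONDS,
            new SynchronousQueue<>(), new ThreadPoolExecutor.CallerRunsPolicy());
    final AtomicInteger processed = new AtomicInteger();

    // Returns only after this artifact and all of its descendants have been processed.
    void analyze(Artifact a) throws InterruptedException {
        processed.incrementAndGet(); // placeholder for the real analysis work
        CountDownLatch pending = new CountDownLatch(a.children().size());
        for (Artifact child : a.children()) {
            pool.execute(() -> {
                try {
                    analyze(child);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    pending.countDown(); // always signal, even if the child failed
                }
            });
        }
        pending.await(); // the parent is complete only once every child has finished
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed tree: one archive, 50 children, 3 grandchildren each.
        List<Artifact> kids = new ArrayList<>();
        for (int i = 0; i < 50; i++) {
            List<Artifact> grand = new ArrayList<>();
            for (int j = 0; j < 3; j++) grand.add(new Artifact("f" + i + "_" + j, List.of()));
            kids.add(new Artifact("dir" + i, grand));
        }
        NestedWorkflowDemo demo = new NestedWorkflowDemo();
        demo.analyze(new Artifact("sample.zip", kids));
        System.out.println("processed " + demo.processed.get() + " artifacts, top level complete");
        demo.pool.shutdown();
    }
}
```

Swapping the `SynchronousQueue` for an unbounded queue in this sketch reproduces the hazard the post describes: all four workers can end up blocked in `await()` while the children they are waiting for sit in the queue.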

To all those who understand and appreciate this, enjoy!

Securing your digital life: A brief guide

I want to begin by saying that I am not an authority on cyber security but am trying to compile a guide of best practices to secure your digital life.

This guide is a practical approach as opposed to a list of impossibly complex things that your average Joe couldn’t or wouldn’t do. I’m not going to claim it’s foolproof but I will say that it’s easy enough that I don’t get too inconvenienced while it provides a reasonable security blanket to my digital life.

The first thing you will want to do is purchase a Yubikey. There are a number of different vendors of U2F devices, but the Yubikey 4 has support for a number of different protocols that we will take advantage of.

I’m going to tailor this around using Gmail as your email provider, LastPass as your password manager, and Authy as your two-factor authentication manager. If you choose to use different services, they may not support all of the actions described here.

I use Windows 10, Linux, Mac OS (not by choice…company issued), and Android with this setup. I don’t own an iOS device but I do not anticipate any compatibility issues there.

Everything starts with safeguarding your email account. Most accounts you use on the Internet provide a forgot password feature. This is a very serious vulnerability if you are not careful. The first thing you should do is create an email address only you know. Do not use it publicly and don’t name it something that could even closely be identified as your email address by a third party. The purpose of this is to limit access to your accounts with a common link. Your email address would be out of plain sight from the public domain making it an unlikely target should your identity ever be targeted.

That email address, as well as your publicly known email address, will be locked down. Set up your accounts to support a two-factor authentication mechanism. There are many different types of two-factor authentication mechanisms, and there are pros and cons to each. One of the most common forms of TFA (two-factor authentication) is sending an SMS text message to your mobile device with a unique code for you to enter. This exists in multiple forms: the SMS may be replaced with an automated phone call or a simple email. Time-synchronized codes have benefits over the more simplistic "send a unique code to xxxxx" approach. The difference is that when you set up your TFA you get a special secret that is used to generate unique codes that are time synchronized based on the secret key. This secret key is stored within an application that you may use to generate the authentication code. There are also hardware fobs that can provide this same functionality. We will see soon that there is also the OTP (one-time password) and U2F that the Yubikey supports, which really are the Swiss Army knife of account security.

The idea is to remove as many vulnerabilities as possible. If you are relying on SMS, email, or phone, all of these can be compromised independently. A physical key is just like a secret but even simpler, because all you do is stick it in your USB port and you are done.

In addition to the verification code, you will use a physical security key which is the Yubikey you purchased. This is even easier than the security code and perhaps even more secure. Should you not have your security key you can still enter in your authentication code.

The next phase is securing everything else. That is where the password manager comes in. For the rest of your accounts LastPass will generate and remember all your authentication credentials. Use your private email address for accounts wherever you can and let LastPass autogenerate a very long and complex password for the site. LastPass works really well with Android for automatically entering your credentials into various applications. Of course for the few apps that aren’t supported you can always copy and paste your credentials manually.

LastPass can offer to change your password automatically and remember that password and can even notify you if you have duplicate passwords to mitigate security breaches. I haven’t used these features myself too much…but I probably should!

As for securing LastPass itself, you should set up the verification code two-factor authentication. In addition, you should use the one-time password that the Yubikey supports. This makes your security ironclad. You should have three different secure passwords that you must remember: your public email address, your private address, and your LastPass account password. Additionally, I use Authy, which tracks the authentication codes and syncs them between devices. This also has a password which you can set. There are other two-factor authentication managers like Google Authenticator; I like Authy better because you can sync it between many devices, including Chrome and Android. Authy will make you verify from one device when you want to add a new device, which is a very nice security mechanism.

Change your passwords often, and never use the same password for an account. Only use secure passwords: minimum of eight characters with mixed case, numbers and special characters. Just like you wouldn’t walk down a street that looks unsafe…don’t open an email that looks suspicious. The mugger of today may be more likely to steal from your digital life than your physical one. I’m not saying that with an actual statistic…though I wouldn’t be surprised, depending on the location. I want to offer a word to the wise, and that is that security is never going to make your life easier. It also won’t happen magically. Don’t wait to become a statistic and be one of the many people who are taken advantage of and have aspects of their lives pried away from them. Do your due diligence and take these precautions.