Secure Developments

From Perl to Java

What’s next This is my last post that targets IronMan. So if you want to keep reading my blog, which will probably largely be a mix of security and Java with occasional dev ops, please subscribe directly. If you have suggestions for what categories I should collect things under, feel free to comment. Currently the only for-sure category is Security. Why not Perl? This post is 3 years in the making. Read more →

Goodbye blogger, migrating this weekend

Well, it’s the end of a decade of blogging with Blogger for me. Though you’ve probably noticed I haven’t really been blogging for the last 2 years. I hope that’s a combination of these 2 things, but no promises: writing a tech blog with Blogger is incredibly painful, and when I switched from Perl to Java I wasn’t an expert and had little to contribute. So I’m sure you’re wondering what I’ve switched to? Read more →

Falsehoods programmers believe about versions

Given Jeff Atwood’s recent blog post, I had an inspiration today to write a “falsehoods” list about versions. If you’d like to contribute yours please feel free to send me a pull request; it’d be greatly appreciated.

- versions always increase
- versions are numbers
- versions are strings
- versions are semantic
- versions are decimals
- a major number of 1 or above means stable API
- versions with the same major number will have the same API
- versions have numbers, periods, and maybe a preceding v
- semantic is always the best way to go
- versions are consistent within a project
- semantic versions will never see double digits or triple digits within dots
- at least if you’re using a semantic version people can compare it correctly
- versions will be consistent amongst projects in a given language or community
- semantic versioning cannot be represented as a number or decimal
- as long as the versions increase the length of the version doesn’t matter
- if versions have the same number they are equivalent
- in a given archive all code will have the same version
- semantic versions can only have 3 positions
- dates are bad for versions
- versions always increase by exactly one

Read more →

Premature optimization is not evil

Or rather, people should stop saying this, because most of the people that say it don’t actually seem to know what is meant by “Premature Optimization” or how to determine when it is evil. I’ve heard people say premature optimization is evil in response to asking “Is there a 3rd party library that does this more efficiently?” (knowing if there are better options is premature optimization?), “Thinking about architecting your app for horizontal scalability is premature optimization” (it is if the design is significantly more complex, but not if it’s just between using REST and ensuring statelessness, which is about the same complexity up front but would be harder to convert later), “wanting to do Dependency Injection is. Read more →

Celebrity nude scandal, on security, an analogy

Though I won’t say they aren’t victims of a crime… What the victims did is fundamentally the equivalent of using skeleton keys in the modern day. What Apple did, or rather didn’t do, is prevent that. Apple could have used a tool like cracklib and said at the time of password creation: this is too short, this is not random enough, we are refusing to allow you to put this skeleton-key lock on your front door. Read more →

Java Privacy, broken by design

It is worth noting that none of the following arguments apply to anything using the keyword static, which makes things more procedural (or in some cases functional) than object oriented. The suggestion in Java is to give the least required permission, but this, in my humble opinion, violates the Open-Closed Principle. Java has four privacy levels. Giving something the least permission required to function is fine in a security context; privacy in programming, however, is simply there to discourage developers from doing stupid things. Read more →

Two Hundred Posts

My blog is 6 years old, with 200 posts and over 120k hits. Probably my first interesting post is when I decided I was switching to git from svn, and it’s not very interesting, and I think much more poorly written than I write things now. Since then I’ve re-skinned the blog to new templates at least twice. I now list books that I recommend on the right side of my blog, and I’ve ensured that all content is clearly licensed under Creative Commons. Read more →

REST, ROA, and HATEOAS often leads to bad webservice design

This is not to say that they are bad, but I find that all too frequently the resulting APIs are poorly designed due to forgetting one thing: RPC (Remote Procedure Call) is expensive. Now by RPC, I do not mean custom messaging formats such as SOAP or XML-RPC; I mean calling a method on a remote server. Do not think that just because you are using HTTP as the message format with something like XML or JSON, calling GET /resource is all that different from calling get_resource in a SOAP call. Read more →

Advent, good idea, but problematic execution

So advent is 24 days of high quality tutorials, and it’s great, and ++ to all the people who make articles. But I’ve got a problem… it never shows up in my feed that I read in Feedly (formerly read in Google Reader). This is compounded by the fact that there are many advents, each with their own yearly feed… so each year I have to poke around at the various projects to see if they’re doing advent, and if so, to subscribe to the feed. Read more →