Monthly notes 40

Refactoring, computer science concepts on day job, doing better code reviews, battling CSS and watching cat videos. That’s Monthly notes for April. Not much so enjoy slowly :)

Issue 40, 4.2019

Learning

Refactoring.Guru
Refactoring.Guru makes it easy for you to discover everything you need to know about refactoring, design patterns, SOLID principles and other smart programming topics.

Microservices

CompSci and My Day Job
Rob Conery talked at NDC London 2019 about computer science concepts he had used in his day job without knowing them by name. That changed as he put together the first two volumes of The Imposter’s Handbook. He talks about what he has learned and applied to the applications he builds at work, and gives you more tools for your belt to help you do your job better.

Software development

Code Review: How can we do it better?
Fun Fun Function talks about how to become a better code reviewer and reviews some code that listeners sent in. General rules for pull requests: make everything readable by humans, meaning the title, the description, the commit messages and, most importantly, your code. DRY, KISS.

Dev perception

“However, none of the [Formula One] teams used any of the big modern frameworks. They’re mostly WordPress & Drupal, with a lot of jQuery. It makes me feel like I’ve been in a bubble in terms of the technologies that make up the bulk of the web.”

Dev perception

When we’re evaluating technologies for appropriateness, I hope that we will do so through the lens of what’s best for users, not what we feel compelled to use based on a gnawing sense of irrelevancy driven by the perceived popularity of newer technologies.

Engineering guide to writing correct User Stories
“Agile people are obsessed with writing user stories. And it is a powerful instrument indeed. But, from my practice a lot of people are doing it wrong…” (from @PracticalDev)

Tweet threads to read

It’s Friday. Pushing to production ?
They say Kubernetes is simple?

Frontend

CSSBattle!
CSS code-golfing is here! Use your CSS skills to replicate targets with smallest possible code. Feel free to check out the targets below and put your CSS skills to test.

Tools of the trade

rvpanoz/luna
Luna – npm management through a modern UI

Something different

Why the Human Mind Can Become More Motivated After Watching Cute Animal Videos
“…it turns out that taking a break to view some cuteness might actually benefit your work there’s a lot we’re still learning but according to some research looking at cute animals is associated with a boost in focus and fine motor skills.” (from Weekend Reading)

Code quality metrics for Kotlin project on SonarQube

Code quality in software development projects is important and a good metric to follow. Code coverage, technical debt, vulnerabilities in dependencies and conformance to code style rules are a couple of things you should track. There are some de facto tools for visualizing them and one of them is SonarQube. Here’s a short technical note on how to set it up for a Kotlin project and visualize metrics from different tools.

In addition to the analysis SonarQube’s default plugins provide, we are also using Detekt for static source code analysis and OWASP Dependency-Check to detect publicly disclosed vulnerabilities in project dependencies.

Visualizing Kotlin project metrics on SonarQube

SonarQube is a nice graphical tool for visualizing different metrics of your project. Lately it has gained Kotlin support through the bundled SonarKotlin plugin and the community sonar-kotlin plugin. Compared with a typical Java project you need some extra settings to get things working. Note also that the Kotlin support isn’t quite there yet, and sonar-kotlin provides better information, e.g. for code coverage.

Steps to integrate reporting to Sonar with a Maven build:

  • Add configuration in project pom.xml: Surefire, Failsafe, JaCoCo, Detekt, Dependency-Check
  • Run Sonar in Docker
  • Maven build with sonar:sonar option
  • Check Sonar dashboard

(Image: SonarQube project overview)

Configure Kotlin project

Configure your Kotlin project built with Maven to have test reporting and static analysis. We are using Surefire to run unit tests, Failsafe for integration tests and JaCoCo generates reports for e.g. SonarQube. See the full pom.xml from example project (coming soon).

Test results reporting

pom.xml

<properties> 
<sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths> 
</properties> 

<build> 
    <plugins>
        <plugin>
            <groupId>org.jacoco</groupId>
            <artifactId>jacoco-maven-plugin</artifactId>
            <executions>
                <execution>
                    <id>default-prepare-agent</id>
                    <goals>
                        <goal>prepare-agent</goal>
                    </goals>
                </execution>
                <execution>
                    <id>pre-integration-test</id>
                    <goals>
                        <goal>prepare-agent-integration</goal>
                    </goals>
                </execution>
                <execution>
                    <id>jacoco-site</id>
                    <phase>verify</phase>
                    <goals>
                        <goal>report</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <artifactId>maven-surefire-plugin</artifactId>
            <configuration>
                <skipTests>${unit-tests.skip}</skipTests>
                <excludes>
                    <exclude>**/*IT.java</exclude>
                    <exclude>**/*IT.kt</exclude>
                    <exclude>**/*IT.class</exclude>
                </excludes>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-failsafe-plugin</artifactId>
            <executions>
                <execution>
                    <goals>
                        <goal>integration-test</goal>
                        <goal>verify</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <skipTests>${integration-tests.skip}</skipTests>
                <includes>
                    <include>**/*IT.class</include>
                </includes>
                <runOrder>alphabetical</runOrder>
            </configuration>
        </plugin>
    </plugins> 

    <pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.1</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.22.1</version>
            </plugin>
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>0.8.3</version>
            </plugin>
        </plugins>
    </pluginManagement>

... 
</build> 

Static code analysis with Detekt

Detekt static code analysis configured as an AntRun execution. There’s also an unofficial Maven plugin for Detekt. Note that Detekt produces some false positive findings; you can either customize the Detekt rules or suppress findings that are intentional, e.g. with @Suppress("MagicNumber").

(Image: Detekt code smells)

pom.xml

<properties> 
    <sonar.kotlin.detekt.reportPaths>${project.build.directory}/detekt.xml</sonar.kotlin.detekt.reportPaths> 
</properties> 

<build> 
... 
<plugins> 
<plugin> 
    <groupId>org.apache.maven.plugins</groupId> 
    <artifactId>maven-antrun-plugin</artifactId> 
    <version>1.8</version> 
    <executions> 
        <execution> 
            <!-- This can be run separately with mvn antrun:run@detekt --> 
            <id>detekt</id> 
            <phase>verify</phase> 
            <configuration> 
                <target name="detekt"> 
                    <java taskname="detekt" dir="${basedir}" 
                          fork="true" 
                          failonerror="false" 
                          classname="io.gitlab.arturbosch.detekt.cli.Main" 
                          classpathref="maven.plugin.classpath"> 
                        <arg value="--input"/> 
                        <arg value="${basedir}/src"/> 
                        <arg value="--filters"/> 
                        <arg value=".*/target/.*,.*/resources/.*"/> 
                        <arg value="--report"/> 
                        <arg value="xml:${project.build.directory}/detekt.xml"/> 
                    </java> 
                </target> 
            </configuration> 
            <goals> 
                <goal>run</goal> 
            </goals> 
        </execution> 
    </executions> 
    <dependencies> 
        <dependency> 
            <groupId>io.gitlab.arturbosch.detekt</groupId> 
            <artifactId>detekt-cli</artifactId> 
            <version>1.0.0-RC14</version> 
        </dependency> 
    </dependencies> 
</plugin> 
</plugins> 
... 
</build> 

Dependency checks

Dependency check with the OWASP Dependency-Check Maven plugin. Note that the configuration below skips provided and runtime scoped dependencies; runtime scoped artifacts are still packaged with the application, so check that this matches what you actually ship. The plugin can also fail the build when a finding exceeds a given CVSS score (failBuildOnCVSS) instead of only reporting to Sonar.

(Image: OWASP Dependency-Check)

pom.xml

<properties> 
    <dependency.check.report.dir>${project.build.directory}/dependency-check</dependency.check.report.dir> 
    <sonar.host.url>http://localhost:9000/</sonar.host.url> 
    <sonar.dependencyCheck.reportPath>${dependency.check.report.dir}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
    <sonar.dependencyCheck.htmlReportPath>${dependency.check.report.dir}/dependency-check-report.html</sonar.dependencyCheck.htmlReportPath>
</properties> 

<build> 
... 
<plugins> 
<plugin> 
    <groupId>org.owasp</groupId> 
    <artifactId>dependency-check-maven</artifactId> 
    <version>4.0.2</version> 
    <configuration> 
        <format>ALL</format> 
        <skipProvidedScope>true</skipProvidedScope> 
        <skipRuntimeScope>true</skipRuntimeScope> 
        <outputDirectory>${dependency.check.report.dir}</outputDirectory> 
    </configuration> 
    <executions> 
        <execution> 
            <goals> 
                <goal>check</goal> 
            </goals> 
        </execution> 
    </executions> 
</plugin> 
</plugins> 
... 
</build>

Sonar scanner to run with Maven

pom.xml

<build> 
... 
    <pluginManagement> 
        <plugins> 
            <plugin> 
                <groupId>org.sonarsource.scanner.maven</groupId> 
                <artifactId>sonar-maven-plugin</artifactId> 
                <version>3.6.0.1398</version> 
            </plugin> 
        </plugins> 
    </pluginManagement> 
... 
</build> 

Running Sonar with Kotlin plugin

Create a SonarQube server with Docker

$ docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube 

There’s also an OWASP docker image for SonarQube which adds several community plugins to enable SAST, but for our purposes the “plain” SonarQube works nicely. The container starts with the default admin/admin credentials and port 9000 is published on all interfaces, so change the admin password before anyone else on the network can reach it.

Use the Kotlin plugin which comes bundled with SonarQube (SonarKotlin) or install the community sonar-kotlin plugin, which shows the information differently. If you want to use sonar-kotlin with the official Docker image you have to remove the bundled SonarKotlin plugin first, since the two conflict.

Using sonar-kotlin

$ git clone https://github.com/arturbosch/sonar-kotlin 
$ cd sonar-kotlin 
$ mvn package  
$ docker exec -it sonarqube sh -c "ls /opt/sonarqube/extensions/plugins" 
$ docker exec -it sonarqube sh -c "rm /opt/sonarqube/extensions/plugins/sonar-kotlin-plugin-1.5.0.315.jar" 
$ docker cp target/sonar-kotlin-0.5.2.jar sonarqube:/opt/sonarqube/extensions/plugins 
$ docker stop sonarqube 
$ docker start sonarqube 

Adding dependency-check-sonar-plugin to SonarQube

The plugin jar is downloaded straight from GitHub releases and then runs inside the SonarQube server with the server’s privileges, so verify what you downloaded (checksum or signature, where the release provides one) before copying it in.

$ curl -JLO https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/releases/download/1.2.1/sonar-dependency-check-plugin-1.2.1.jar 
$ docker cp sonar-dependency-check-plugin-1.2.1.jar sonarqube:/opt/sonarqube/extensions/plugins 
$ docker stop sonarqube 
$ docker start sonarqube 

Run test on project and scan with Sonar

The verify phase runs the unit and integration tests and should produce, among others, jacoco.xml under target/site/jacoco, detekt.xml under target and the Dependency-Check reports under target/dependency-check; sonar:sonar then uploads them using the report path properties set above.

$ mvn clean verify sonar:sonar

Access Sonar via http://localhost:9000/

Code quality metrics? So what?

You now have metrics on Sonar to show to stakeholders, but what should you do with those numbers?

One use case is to set a quality gate on SonarQube: a set of conditions that must be met before the project can be released to production. Enforcing quality on new code while fixing the existing code over time is a good way to keep a codebase healthy, and that is what the quality gate does by validating every piece of new code on each subsequent analysis. The default “Sonar way” gate fails when coverage on new code is below 80%, duplicated lines on new code exceed 3%, or the maintainability, reliability or security rating on new code is worse than A.
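A gate that only shows up on a dashboard is easy to ignore, so here is an added example (not code from the original post) that drives the steps above from a CI job and turns the gate into an exit code: wait for the SonarQube container to report UP, run mvn clean verify sonar:sonar, check that the report files the pom is configured to produce actually exist, wait for the asynchronous analysis task to finish and then fail when the gate status is not OK. It assumes the environment variables SONAR_URL (default http://localhost:9000) and SONAR_TOKEN (optional), the report paths from the pom fragments above, and the SonarQube Web API endpoints api/system/status, api/ce/task and api/qualitygates/project_status together with the target/sonar/report-task.txt file the scanner writes.

```shell
#!/bin/sh
# Added example, not part of the original post: run the Maven build against a local
# SonarQube and fail the job when the Quality Gate is not OK.
# Assumptions: SONAR_URL / SONAR_TOKEN environment variables, report paths as configured
# in the pom above, SonarQube Web API endpoints listed in the lead-in.
set -e

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
SONAR_TOKEN="${SONAR_TOKEN:-}"

# GET a Web API path; token auth when SONAR_TOKEN is set, anonymous otherwise.
sonar_get() {
  if [ -n "$SONAR_TOKEN" ]; then
    curl -fsS -u "$SONAR_TOKEN:" "$SONAR_URL/$1"
  else
    curl -fsS "$SONAR_URL/$1"
  fi
}

# Extract the first "status" value from a SonarQube JSON response. api/system/status,
# api/ce/task and api/qualitygates/project_status all put the interesting status first,
# so plain grep/sed is enough and jq is not required on the build agent.
json_status() {
  printf '%s' "$1" | grep -o '"status":"[A-Z_]*"' | head -n 1 | sed 's/.*:"\(.*\)"/\1/'
}

# Read one key=value entry from target/sonar/report-task.txt (written by the scanner).
report_task_value() {
  sed -n "s/^$2=//p" "$1"
}

# Verify that the reports the pom is configured to produce exist under the given target dir.
# A missing report does not fail sonar:sonar; it just shows up as "no data" on the dashboard.
check_reports() {
  dir="$1"
  missing=0
  for f in site/jacoco/jacoco.xml detekt.xml dependency-check/dependency-check-report.xml; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing report: $dir/$f" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Map the gate status to an exit code: OK -> 0, ERROR/WARN/NONE/empty -> 1.
gate_exit_code() {
  case "$1" in
    OK) return 0 ;;
    *)  return 1 ;;
  esac
}

# The pipeline itself runs only when RUN_PIPELINE=1, so the functions above can be tested alone.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  tries=0
  until [ "$(json_status "$(sonar_get api/system/status 2>/dev/null)")" = "UP" ]; do
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || { echo "SonarQube at $SONAR_URL did not come up" >&2; exit 1; }
    sleep 5
  done
  if [ -n "$SONAR_TOKEN" ]; then
    mvn clean verify sonar:sonar -Dsonar.host.url="$SONAR_URL" -Dsonar.login="$SONAR_TOKEN"
  else
    mvn clean verify sonar:sonar -Dsonar.host.url="$SONAR_URL"
  fi
  check_reports target
  task_id="$(report_task_value target/sonar/report-task.txt ceTaskId)"
  project_key="$(report_task_value target/sonar/report-task.txt projectKey)"
  # The scanner only uploads the report; the Compute Engine processes it asynchronously,
  # so poll the task until it leaves PENDING/IN_PROGRESS before reading the gate.
  task_status=PENDING
  while [ "$task_status" = "PENDING" ] || [ "$task_status" = "IN_PROGRESS" ]; do
    sleep 3
    task_status="$(json_status "$(sonar_get "api/ce/task?id=$task_id")")"
  done
  [ "$task_status" = "SUCCESS" ] || { echo "analysis task ended with status $task_status" >&2; exit 1; }
  gate="$(json_status "$(sonar_get "api/qualitygates/project_status?projectKey=$project_key")")"
  echo "Quality gate for $project_key: $gate"
  gate_exit_code "$gate"
fi
```

Run it with RUN_PIPELINE=1 from the project root. The polling step matters: sonar:sonar returns as soon as the report is uploaded, so reading the gate immediately gives you the result of the previous analysis. Newer SonarQube releases can do this wait inside the scanner (sonar.qualitygate.wait=true), but the scanner version pinned in the pom above predates that.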

Monthly notes 39

Spring is just around the corner with sun warming our souls and calling us to go outside. Here’s monthly notes for March with topics from software development rewrite stories to code quality and OWASP videos.

Issue 39, 22.03.2019

Software development

Lessons from 6 software rewrite stories
Insightful rewrite stories of i.a. Netscape (Firefox), Basecamp, Visual Studio (VS Code) and FogBugz (Trello). “Functioning app should never, ever be rewritten from the ground up” is true. With a twist. Don’t rebuild the exact product. Don’t sunset. (from @walokra)

I ruin developers’ lives with my code reviews and I’m sorry
Story of how a developer understood that “I don’t do code review for the business, I just like showing the rookies their place. My skills have finally started to pay off.” And that the mentality should be “No big deal if the code’s not good, I can fix it myself if I need to. But I can’t fix the psyche of a guy broken by dozens of harsh reviews.”

Code quality

SE-Radio Episode 357: Adam Barr on Code Quality
Software Engineering Radio talked with Adam Barr, author of “Why Smart Engineers Write Bad Code”, about code quality: how developers learn to program on their own, how that influences their thinking about code quality, what code quality is, how it can (or cannot) be measured and whether some programming languages are more prone to bad code. The discussion continues with standardization: why does our profession lack a professional certificate like doctors and engineers have?

Syntax podcast talked about code quality tooling and tidying up code.
Hasty treat – Tidying up code
Hasty treat – Code quality tooling
Hasty treat – Code quality tooling part 2

Security

OWASP AppSec California 2019 presentation videos
46 videos of knowledge and experiences about secure systems and secure development methodologies.

The Anatomy of an AWS Key Leak to a Public Code Repository
Many of us working with any cloud provider know that you should never ever commit access keys to a public GitHub repo. Some really bad things can happen if you do. The writeup shows you a real case that happened last week. tl;dr: exposed keys are attacked quickly. The concept of least privilege is important. AWS scans all public GitHub commits via the API but doesn’t automatically disable the key. To prevent keys leaking, use tools like git-secrets or GitGuardian.
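As an added example (not code from the writeup, nor from git-secrets or GitGuardian), this is the kind of check those tools do, as a minimal POSIX shell pre-commit hook: it reads the staged diff, looks only at added lines and rejects the commit when one contains something shaped like an AWS access key id or a secret access key. The patterns are an assumption covering the common AKIA/ASIA key id prefixes and a 40-character secret next to aws_secret_access_key; git-secrets ships a broader list. The sample diff in the test uses the example credentials from the AWS documentation.

```shell
#!/bin/sh
# Added example, not from the article: a minimal pre-commit hook that blocks commits
# containing AWS-looking credentials. Install as .git/hooks/pre-commit (chmod +x).
# Pattern set is an assumption: long-term (AKIA) and temporary (ASIA) key ids,
# and a 40-char secret following an aws_secret_access_key key name.
set -e

# Access key ids are 20 uppercase alphanumerics starting with AKIA or ASIA. Word
# boundaries are spelled out instead of \b so the pattern works on any grep -E.
AWS_KEY_ID_RE='(^|[^A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Z0-9]|$)'
# Secret access keys are 40 base64-like characters; a bare 40-char token would give
# far too many false positives, so only flag it next to the key name (case-insensitive).
AWS_SECRET_RE='aws_secret_access_key[^A-Za-z0-9/+]{1,10}[A-Za-z0-9/+]{40}'

# matches_aws_credential LINE: 0 if the line looks like an AWS credential, 1 otherwise.
matches_aws_credential() {
  printf '%s\n' "$1" | grep -Eq "$AWS_KEY_ID_RE" && return 0
  printf '%s\n' "$1" | grep -Eiq "$AWS_SECRET_RE" && return 0
  return 1
}

# scan_added_lines: read a unified diff on stdin, inspect only added lines ("+" but not
# the "+++" file header), print each hit to stderr and return 1 if anything matched.
# Removed lines are skipped on purpose: deleting a key is what we want to allow.
scan_added_lines() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      +++*) continue ;;
      +*) ;;
      *) continue ;;
    esac
    if matches_aws_credential "$line"; then
      printf 'possible AWS credential in staged change: %s\n' "$line" >&2
      found=1
    fi
  done
  return "$found"
}

# When invoked by git as the pre-commit hook, scan what is about to be committed.
case "$0" in
  */pre-commit)
    git diff --cached --unified=0 | scan_added_lines || {
      echo "commit rejected: remove the credential (and rotate it if it was ever pushed)" >&2
      exit 1
    }
    ;;
esac
```

The hook only sees the staged diff, so it stops new leaks; a key that already reached a public repository must be treated as compromised and rotated regardless of how quickly the commit is reverted.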

Password Managers: Under the Hood of Secrets Management
Password managers allow the storage and retrieval of sensitive information from an encrypted database. The paper proposes security guarantees password managers should offer and examines the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass. They found that in all the password managers examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases.

Learning

30 seconds of interviews
Quick questions of web development.

AI and Machine Learning

AI Thinks Rachel Maddow Is A Man (and this is a problem for all of us)
A data-driven review of AI bias in production systems.

Something different

The Privateer is back for Season 2
Behind every top level athlete is a support team that helps them with everything from diet and exercise to product and equipment set up. When you’re a Privateer it’s up to you to fund your racing endeavours. Adam is back for another season of racing as The Privateer.


Best Practices of forking git repository and continuing development

Sometimes there’s a need to fork a git repository and continue development with your own additions. It’s recommended to make pull request to upstream so that everyone could benefit of your changes but in some situations it’s not possible or feasible. When continuing development in forked repo there’s some questions which come to mind when starting. Here’s some questions and answers I found useful when we forked a repository in Github and continued to develop it with our specific changes.

Repository name: new or fork?

If you’re releasing your own package (to e.g. npm or mvn) from the forked repository with your additions then it’s logical to also rename the repository to that package name.

If it’s a npm package and you’re using scoped packages then you could also keep the original repository name.

Keeping master and continuing developing on branch?

Using master is the sane thing to do. You can always sync your fork with an upstream repository. See: syncing a fork

Generally you want to keep your local master branch as a close mirror of the upstream master and execute any work in feature branches (that might become pull requests later).

How you should do versioning?

Suppose that the original repository (origin) is still in active development and does new releases. How should you do versioning in your forked repository as you probably want to bring the changes done in the origin to your fork? And still maintain semantic versioning.

In short, semver gives you no way to append your own tag to the origin’s version number without changing its meaning: “1.0.0@your-org.0.1” is not valid semver at all, and “1.0.0-your-org.1” parses as a pre-release that sorts before 1.0.0. This has been discussed i.a. in semver #287. The suggestion was to use a build metadata tag to encode the other version as shown in semver spec item 10. But the downside is that “Build metadata SHOULD be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence.”

If you want to keep relation the original package version and follow semver then your options are short. The only option is to use build meta tag: e.g. “1.0.0+your-org.1”.

It seems that when following semantic versioning your only option is to differ from origin version and continue as you go.

If you don’t need to or want to follow semver you can track upstream version and mark your changes using similar markings as semver pre-releases: e.g. “1.0.0-your-org.1”.

npm package: scoped or unscoped?

Using scoped packages is a good way to signal official packages for organizations. Example of using scoped packages can be seen from Storybook.

It’s more of a preference and naming conventions of your packages. If you’re using something like your-org-awesome-times-ahead-package and your-org-patch-the-world-package then using scoped packages seems redundant.

Who should be the author?

At least add yourself to contributors in package.json.

Forking only for patching npm library?

Don’t fork, use patch-package, which lets app authors instantly make and keep fixes to npm dependencies. Patches created by patch-package are automatically and gracefully applied when you use npm (>=5) or yarn. Now you don’t need to wait around for pull requests to be merged and published. No more forking repos just to fix that one tiny thing preventing your app from working.

This post was originally published on Gofore Group blog at 11.2.2019.

Monthly Notes 38

Warm weather and cold Northern winds just call for a warm mug of cacao and something to read by the fireplace. Here’s monthly notes for February with topics from testing to software development project guidelines and from microservices to tips and tools. Also learning React App.

Issue 38, 19.02.2019

Testing

How to stop hating your tests
I’m not a fan of extensive UI tests. I think they should mostly be about seeing that the whole system functions when all systems are integrated and functional. This talk makes a good case for it. If you want to skip right to this subject, it starts at around 18:50.

Software development

My Opinionated Setup for Web Projects
“During the past few years, I have worked on multiple smaller and larger projects. In this blog post I explain my default project setup for a typical web frontend project.”

Project Guidelines
“While developing a new project is like rolling on a green field for you, maintaining it is a potential dark twisted nightmare for someone else. Here’s a list of guidelines we’ve found, written and gathered that (we think) works really well with most JavaScript projects here at elsewhen.”

Microservices

Introduction to Kubernetes
Introduces you to Kubernetes.

Building Microservices: Designing fine-grained systems (pdf)
“Distributed systems have become more fine-grained in the past 10 years, shifting from code-heavy monolithic applications to smaller, self-contained microservices. But developing these systems brings its own set of headaches. With lots of examples and practical advice, this book takes a holistic view of the topics that system architects and administrators must consider when building, managing, and evolving microservice architectures.”

Microservices vs The World
“In the last 5 years microservices have been pretty much the topic on every architectural conversation. The idea is great, small, independent, cohesive, services that can be implemented, tested, maintained and released individually without much impact on the rest of the system. Microservices are then the holy grail of architectures all positives and almost zero negatives. If that is the case, why in the last 2-3 years our holy grail is getting bad press? Some engineers even suggest that a monolith is better. How can a monolith be better? Well, it all comes down to pros and cons and how the business is structured.”

Microservices architecture on paper sounds amazing but unless the business as a whole is not committed to it, then your department will end up with low morale, low productivity, and tons of code debt.

Microservices vs The World

Tools of trade

DockStation
“Application for managing projects based on Docker. Instead of lots of CLI commands you can monitor, configure, and manage services and containers while using just a GUI.” See running containers in histogram-type graphs, monitor stats, connect with ssh to remote hosts, start/stop containers.

Scrolling inside Screen
Disable the alternate text buffer in the xterm termcap info inside screen so that you can use the scroll bars (and mouse wheel) to scroll up and down.

~/.screenrc:

# Enable mouse scrolling and scroll bar history scrolling
termcapinfo xterm* ti@:te@

Learn

Learn React App
The goal of this tutorial is to quickly get you off the ground with React concepts. This tutorial has hands-on exercises which I consider to be the most important part of this tutorial.

Something different

MTB Trails Finale Ligure
I wish I was there shredding.

Notes from OWASP Helsinki chapter meeting 36

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme for this meeting was software security and the topic was covered with two talks and a card game. Here are my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications – security needs to be baked in. Take security into account in every step of your software development process, focusing on design and development.

The talk was a great overview to software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was nicely practical and theoretical and gave good tips to tools and how to approach the issue. The presentation slides can be seen on SlideShare.

#OWASPHelsinki meeting 36 at @veikkaus_fi started with “What Every Developer and Tester Should Know About Software Security” by @Anne_Oikarinen. Good practical overview to security requirements, threat modeling and security testing. Build security in. #infosec @OWASPHelsinki

@walokra
Building security in: start with security requirements and threat modeling
Venn diagram of building security in
Follow standards and best practices
Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development” and told how they manage security at large scale. The software security team provides security as a service to product teams and uses OWASP SAMM to empower teams. The in-house built system for managing the security maturity matrix was cool.

Next up at @OWASPHelsinki meetup was “Security in Agile Development” by @JoakimTauren from @Visma. Security as a Service. Empower teams. Transparency. In-house tool for security maturity matrix. Effective leadership of self-managing work teams. #infosec #OWASPHelsinki

@walokra
Security as a Service
Empowering teams
In-house built tool for managing security maturity index
You have tools to help you on the way

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia – a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

#OWASPHelsinki meetup 36 came to conclusion with a live game session of #OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopi …. Mechanism in game format to assist software development teams identify security requirements. @OWASPHelsinki had clever Star Wars themed system to audit. #infosec

@walokra

The game plays like a card game with six suits and cards from two to ace like a normal deck. The cards carry security themed questions and the players try to decide, in the given context, whether the issue at hand is a problem to be looked into. In this case the context was Death Star themed, with a given architecture diagram.

The card deck can be printed from OWASP site.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate to can of worms :)

OWASP Cornucopia in Death Star architecture

Monthly notes 37

January is turning over to February and Winter with freezing weather and lots of snow has enlightened our days. Here’s some reading for the moments when Winter wonderland is too much and warm mug of coffee and fireplace is the place to be.

Issue 37, 31.1.2019

Web and mobile development

PWAs on iOS 12.2 beta: the good, the bad, and the “not sure yet if good”
“The first beta of iOS 12.2: the first version since PWA support that responds to all the critics by offering solutions to the two biggest problems on PWAs on iOS.”

Hartington’s tweet’s thread has some information.

Microservices

Choose your tools wisely.

Tools of the trade

Lifehack.
“To test the flow of a potential scenario, storyboarding and comics can really add an extra dimension that your users can relate to (or not) and provide feedback on the types of activities, thoughts and feelings they would be experiencing along the way. “

Privacy and security


Something different

2018 Retrospective

The year has changed and it’s time for the traditional retrospective of posts done in 2018. By the numbers, 2018 totalled 23 articles, of which 11 were Monthly notes. I visited a couple of conferences and some meetups, did software development and tested technology stuff. Business as usual, and I presume it’s going to continue this way also this year.

Monthly notes

It has proved to be a good way to make sure I keep up with what happens in software development, and to think about it as I collect interesting articles for the Monthly notes series. The series continued with 11 posts.

Meetups

During the year I attended a couple of meetups and if you follow me on Twitter you might have noticed that I went to more meetups than I wrote about. There are several interesting events in Helsinki you can attend almost monthly but you have to be quick to participate because events usually fill up quickly. But although an event seems to be full, there are often spots left as some people don’t cancel if they can’t make it.

Information security related meetups are always interesting and I participated couple of OWASP Helsinki meetings.

OWASP Helsinki chapter meeting 34: Secure API told about “Perfectly secure API” and “Best friends: API security & API management”. The event gave a good overview to the topics covered and was quite packed with people. Eficode’s premises were modern and there were snacks and beverages. And also a sauna.

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting 35: Bug Bounty programs told all about bug bounty programs from hacker and organizer point of views with topics of “Hunting for bounties in a web browser”, “How to become a bug bounty hunter” and “Running a successful bug bounty program”.

In August I attended React Helsinki August 2018 meetup at Smartly.io. Topics covered “Splitting React codebases for increased development speed”, “Making your own Ignite generator – for React Native” and “Use GraphQL!”. There are links to recordings of the presentations.

Meetups and conferences are also a nice way to freshen your thinking, hear how others do things, get new ideas and meet people working in the same field.

Conferences

Last year there were lots of interesting conferences in Helsinki. In the Spring there was the React Finland 2018 conference which told what’s hot in the React world. The two day conference covered React on day one and React and React Native on day two. The two conference days were packed with great talks and new information.

Where the React Finland was a conference from developers to developers, the opposite was Red Hat Forum Finland 2018 which was held at Finlandia-talo. The mainline was “Ideas worth exploring. Come with questions. Leave with ideas.” The event was divided to keynote and to four breakout sessions. I chose to get hands-on with OpenShift.

The developer conference theme continued in Autumn with GraphQL Finland 2018. The first of its kind event in Finland brought a day of workshops and a day of talks around GraphQL. The event was organized by the same people as React Finland and it showed, in good ways. The talks were interesting, atmosphere was cosy and after party was bookie. All of the talks were live streamed and they’re available on Youtube

Software development as usual

I managed to write couple of articles regarding software development and topics surrounding it.

Writing documentation is always a task which isn’t much liked and especially with diagrams and flowcharts there’s the problem of which tools to use. I wrote about generating documentation as code with mermaid and PlantUML as an alternative to crafty Draw.io. Using mermaid or PlantUML has the advantage that you can see the changes clearly in human readable text format and maintain source-controlled diagram.

Developing modern web applications you often end up checking REST API responses and parsing JSON values. If you’re allowed to install extra tools or use Python then things get easier, as you can use the command line and combine jq and Python to extract JSON values. As a further note, you can also use jp, a command line interface to JMESPath.
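The kind of extraction the article above talks about, written out as an added example (not code from the original post): a small Python walker that understands a subset of jq’s path syntax (`.key` and `[index]`), applied to a constructed sample response that imitates a CI status endpoint. The `unhealthy_services` helper shows the Python side of the “combine jq and Python” idea, with the equivalent jq filter in its docstring. Everything here, including the response shape, is assumed for the demonstration.

```python
"""Extracting values from a JSON API response the way a jq path does.

Added example; the sample response below is constructed, not captured
from any real service.
"""
import json
import re
from typing import Any, List

# Constructed sample response imitating a CI status endpoint.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "build": {"number": 42, "result": "SUCCESS"},
    "services": [
        {"name": "api", "healthy": True, "latency_ms": 12},
        {"name": "worker", "healthy": False, "latency_ms": 250},
    ],
})

# One path segment: ".key" or "[index]" (a subset of jq's path syntax).
_SEGMENT = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")


def parse_path(path: str) -> List[Any]:
    """Turn '.services[1].name' into ['services', 1, 'name'].

    '.' alone means the whole document. Anything the regex does not
    recognise is rejected rather than silently ignored.
    """
    if path == ".":
        return []
    segments: List[Any] = []
    pos = 0
    while pos < len(path):
        match = _SEGMENT.match(path, pos)
        if match is None:
            raise ValueError(f"unparseable path at offset {pos}: {path!r}")
        key, index = match.groups()
        segments.append(key if key is not None else int(index))
        pos = match.end()
    return segments


def extract(document: str, path: str) -> Any:
    """Return the value at a jq-style path, or None when it is absent.

    A missing key or an out-of-range index yields None, like jq's null.
    Indexing a value of the wrong shape (a string with '[0]', a list
    with '.key') raises TypeError so that a malformed response is not
    mistaken for a merely empty one.
    """
    current: Any = json.loads(document)
    for segment in parse_path(path):
        if current is None:
            return None
        if isinstance(segment, str):
            if not isinstance(current, dict):
                raise TypeError(
                    f"cannot index {type(current).__name__} with key {segment!r}")
            current = current.get(segment)
        else:
            if not isinstance(current, list):
                raise TypeError(
                    f"cannot index {type(current).__name__} with position {segment}")
            current = current[segment] if segment < len(current) else None
    return current


def unhealthy_services(document: str) -> List[str]:
    """Names of services reporting healthy == false.

    Equivalent jq filter:
        jq -r '.services[] | select(.healthy == false) | .name'
    """
    services = extract(document, ".services") or []
    return [s["name"] for s in services if s.get("healthy") is False]


if __name__ == "__main__":
    print(extract(SAMPLE_RESPONSE, ".build.number"))       # 42
    print(extract(SAMPLE_RESPONSE, ".services[1].name"))   # worker
    print(unhealthy_services(SAMPLE_RESPONSE))              # ['worker']
```

The walker deliberately distinguishes “not there” (returns None, like jq’s null) from “wrong shape” (raises TypeError), which matters when a script feeds API output into a build monitor or alerting rule: a response that changed structure should fail loudly instead of quietly reporting nothing.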

A more practical approach to visualizing things was when I did a build monitor with a Raspberry Pi and a touch screen. Information is a great tool in software development and it’s useful to have easy access to it. Using a build monitor to show continuous integration status and metrics from running services helps you notice problems and get them solved quicker.

And as we know, learning and staying current in software development is important, and expanding your horizons can be achieved in different ways. One good way I have used is following different news sources and newsletters, listening to podcasts and attending meetups.

Awesome times ahead

Years change but the blog stays pretty much the same. This year’s plans are also to continue as before: write about technology, collect interesting articles, learn new things about software development and of course ride a mountain bike.

Stay tuned by subscribing to the RSS feed or follow me on Twitter. Check also my other blog in Finnish.


Monthly notes 36

Holiday season is soon here and it’s good to take a short break from work and maybe learn or code some new things while relaxing and enjoying the winter time outside. Here are the monthly notes for December. Happy holidays!

Issue 36, 21.12.2018

Tips

How to Exclude an App From Dark Mode in macOS Mojave
“You can enable the old dark menu bar and dock look, you can also selectively exclude individual apps from dark mode.”

Learning

Tips of ppl who want to learn
ReaktorNow Development Discussion campaign shared some insights in the field of software engineering. “Always keep learning and expanding your skills, and remember to step out of your comfort zone.”

Beyond Cryptocurrencies
Intro to crypto talk at the a16z summit. (from @ljxie)

A novice’s guide to learning to code with CS50
“CS50 is the best learning experience I have ever had in my life.” Over 12 weeks you get two hour lecture to watch and a problem set for you to complete each week. Start with Scratch, continue on C and move to Python plus HTML, CSS, SQL, JavaScript, JQuery and JSON. (from @walokra)

Security

Taking Down an Insider Threat
Excellent story about pentesting from the inside, a great digital forensics and incident response team, and meticulously implemented security practices.

OWASP AppSec EU 2018 presentations
Presentations from OWASP AppSec EU 2018 are available from Youtube.

Software development

Everything about distributed systems is terrible
Hillel Wayne’s 38-minute talk at Code Mesh LDN 18, titled “Everything about distributed systems is terrible”, talks about TLA+, a formal specification system designed by Leslie Lamport. The claim is that by model checking you can find bugs in your (distributed) system that could be practically impossible to find with testing or in production.

Learning and Staying Current in Software Development

Software development is one of the professions where you have to keep your knowledge up to date and follow what happens in the field. Staying current in the field and expanding your horizons can be achieved in different ways, and one good way I have used is to follow different news sources and newsletters, listen to podcasts and attend meetups. Here is my opinionated selection of resources to learn from, places to share ideas, newsletters, meetups and other things for software developers. Meetups and some other items are Finland-related.

News

There are some good sites to follow what happens in technology. They provide community powered links and discussions.

Podcasts

Podcasts provide a nice resource for gathering experiences and new information on how things can be done and what’s happening and coming up in software development. I commute daily about an hour and time flies when you find good episodes to listen to. Here’s my selection of podcasts relating to software development.

General

  • Software Engineering Daily: “The world through the lens of software” (iTunes)
  • Software Engineering Radio: “Targeted at the professional software developer. The goal is to be a lasting educational resource, not a newscast”. (feed)
  • ShopTalk: “An internet radio show about the internet starring Dave Rupert and Chris Coyier.” (iTunes)
  • Full Stack Radio: “Every episode, Adam Wathan is joined by a guest to talk about everything from product design and user experience to unit testing and system administration.” (feed)

Front-end

  • Syntax: “A Tasty Treats Podcast for Web Developers.” (iTunes)
  • The Changelog: “Conversations with the hackers, leaders, and innovators of software development.”
  • React Podcast: “Conversations about React with your favorite developers.”
  • Brainfork: “A podcast about mental health & tech”

In Finnish

  • ATK-hetki: “Vesa Vänskä ja Antti Akonniemi keskustelevat teknologiasta, bisneksestä ja itsensä kehittämisestä.”
  • Webbidevaus: “Puheradiota webbikehityksestä suomeksi! Juontajina Antti Mattila ja Riku Rouvila.”

Newsletters

Information overload is easily achieved, so it’s beneficial to use, for example, curated newsletters for the subjects that intersect the stack you’re using and the topics you’re interested in.

The power of a newsletter lies in the fact that it can deliver condensed and digestible content, which is harder to achieve with other good news sources like feed subscriptions and Twitter. A well curated newsletter for a targeted audience is a pleasure to read, and even if you forget to check your newsletter folder, you can always get back to them later.

General

Mobile development

  • iOS Dev Weekly: Hand picked round up of the best iOS development links published every Friday
  • This Week In Swift: List of the best Swift resources of the week.
  • iOS Dev nuggets: Short iOS app development nugget every Friday/Saturday. Short and usually something you can read in a few minutes and improve your skills at iOS app development.

Java

Database

  • DB Weekly: A weekly round-up of database technology news and articles covering new developments, SQL, NoSQL, document databases, graph databases, and more.

HTML and CSS

  • HTML5Weekly: Weekly HTML5 and Web Platform technology roundup. Curated by Peter Cooper.
  • CSS Weekly: Roundup of css articles, tutorials, experiments and tools. Curated by Zoran Jambor.

Web development

  • Status code: “Keeping developers informed.” weekly email newsletters on a range of programming niches (links to JavaScript weekly, DevOps weekly etc.)
  • Web Development Reading List: Weekly roundup of web development–related sources, selected by Anselm Hannemann.
  • Versioning: “Daily knowledge devs and designers need to get ahead of the game.” SitePoint’s daily newsletter, which features the latest web development news.
  • Hacking UI: A weekly email with our favorite articles about design, front-end development, technology, startups, productivity and the occasional inspirational life lesson.
  • Scott Hanselman: Newsletter of Wonderful Things. Includes interesting and useful stuff Scott has found over the last few weeks and other wonderful things.
  • MergeLinks: Weekly email of curated links to articles, resources, freebies and inspiration for web designers and developers.
  • “How to keep up to date on: Front-End Technologies” page lists newsletters, blogs and people to follow.

JavaScript

  • JavaScript Weekly: Weekly e-mail round-up of JavaScript news and articles. Curated by Peter Cooper.
  • Node Weekly: Once–weekly e-mail round-up of Node.js news and articles.
  • A Drip of JavaScript: “One quick JavaScript tip”, delivered every other Tuesday and written by Joshua Clanton.
  • SuperHero.js: Collection of the best articles, videos, and presentations on creating, testing, and maintaining a JavaScript code base.
  • State of JS: Results of yearly JavaScript surveys

User experience and design

  • UX Design Weekly: Hand picked list of the best user experience design links every week. Curated by Kenny Chen & published every Monday.
  • Sidebar.io: To satisfy your web aesthetics with a list of the 5 best design links of the day. The content is manually curated by a couple of great editors.
  • Userfocus: Monthly newsletter which shares an in-depth article on user experience.

Ops

  • DevOps Weekly: Weekly slice of devops news.
  • Web Operations Weekly: Weekly newsletter on Web operations, infrastructure, performance, and tooling, from the browser down to the metal.
  • Microservice Weekly: A hand-curated weekly newsletter with the best articles on microservices.

Twitter

Following fellow developers and other people and accounts on Twitter is a good way to know what’s happening right now. Here’s a selection of accounts I (@walokra) follow, in no particular order.

Development

  • @ThePracticalDev: Great posts from the amazing dev.to community, with some opinion and humor mixed in.
  • @CommitStrip: The blog relating the daily life of developers. Official English account.
  • @baeldung: Author of restwithspring.com and learnspringsecurity.com, passionate about REST, Security, TDD and everything in between.
  • @martinfowler: Author and international public speaker on software development, specializing in object-oriented analysis and design, UML, patterns, and agile software development methodologies.

Infosec

  • @troyhunt: Pluralsight author. Microsoft Regional Director and MVP for Developer Security. Online security, technology and “The Cloud”. Creator of @haveibeenpwned.
  • @briankrebs: Independent investigative journalist. Writes about cybercrime. Author of ‘Spam Nation’, a NYT bestseller. Wrote for The Washington Post ’95-’09
  • @mikko: CRO at F-Secure ● TED Speaker ● Revɘrse Engineer ● Supervillain
  • @TinkerSec: Infosec Hacker things
  • @Anakondantti: Mostly software security related, but occasionally other things too. I’m a white hat hacker at team ROT.
  • @SunTzuCyber: If Sun Tzu had written “The Art of Cyber War”, these would be his quotes.
  • @lennyzeltser: Advances information security. Grows tech businesses. Fights malware. // VP of Products @MinervaLabs. Author and Instructor @SANSInstitute.

React scene

  • @jevakallio: @FormidableLabs, React/Native engineer, comedian, speaker, writer, improviser, Twitter Developer Expert™. Artisanal small batch free range shitposting.
  • @bebraw: Award winning founder of @survivejs and @jsterlibs. I also organize @ReactFinland.
  • @ReactJSNews: The latest React news and articles.

Design / UX

  • @steveschoger: Designer for @TightenCo and @taylorotwell ❯ Maker of heropatterns, heroicons and zondicons ❯ Design Tips
  • @UX_Grant: Senior Designer @ booking.com. Creating, Learning, Sharing. Maker: MakersMusic.co
  • @jonikorpi: Making multiplayer games using the web platform, as @vuorodesign. Previously web design at @kiskolabs.
  • @lukew: Humanizing technology. Founded: Polar (Google acquired) Bagcheck (Twitter acquired) Wrote: Mobile First, Web Form Design, Site Seeing. Worked: Yahoo, eBay, NCSA.
  • @autiomaa: Helping people, with design & technology. Front-end development, visual design, photography. Learning something new every day.
  • @skrug: Best known as the guy who wrote Don’t Make Me Think (now in its 3rd edition!) and Rocket Surgery Made Easy.
  • @jnd1er: Don Norman. Design thinker, company advisor, professor, columnist, author, … Latest book: Design of Everyday Things, Revised and Expanded.
  • @mpietila: User experience etc. Occasional smart-assery & besserwisserism. I have a history of seeing what they did there. Head of design at @qvik.

Database

Miscellaneous

Java

  • @mreinhold: Chief Architect, Java Platform Group, Oracle.
  • @jodastephen: Java Champion. Developer at OpenGamma. Occasional blogger and speaker. Best known for Joda projects and JSR-310

Technology News

Meetups

You can learn much from others, and to broaden your horizons it’s beneficial to attend different meetups, listen to how others have done things and hear war stories. Also free food and drinks.

Mostly Helsinki based

Tampere based

Community chats