Give me /events, not webhooks "This post clearly explains the benefits of using an /events endpoint + long polling. Simpler and more reliable than webhooks. On the web we don't have much of a choice, most platforms support webhooks and few support event streams. For internal applications don't go with webhooks as the first choice just because they're prevalent on the web." (from Weekend reading)
Docker is Updating and Extending Product Subscriptions "Docker Subscription Service Agreement includes a change to the terms for Docker Desktop: Docker Desktop remains free for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects. It requires a paid subscription (Pro, Team or Business), starting at $5 per user per month, for professional use in larger businesses."
Automating App Store Screenshots "Whenever I mention using fastlane's snapshot tool for App Store screenshots, I justify it by saying it'll save you time if you have "ten screenshots for every device type in different localisations". In reality, even if you have just two screenshots in one language for your app, you'll still save so much time by doing this. Let Daisy Ramos show you how to make the best of this fantastic tool." (from iOS Dev Weekly)
Software development contains many aspects which the developer has to take care and think about. One of them is information security and secure code which affects the product and its users. There are different ways to learn information security and how to create secure and quality code and this time I'll shortly go through what Secure Code Warrior Secure Code Bootcamp has to offer.
Secure Code Warrior provides a learning platform for developers to increase their software security skills and guide each coder along their own preferred learning pathway. They have products, solutions and resources to help organization's development teams to ship quality code and also provide a free mobile app for early-career coder: Secure Code Bootcamp.
Application presents common vulnerabilities from the OWASP Top 10 and you get badges as you progress through each new challenge, unlocking new missions as your progress. It teaches you to identify vulnerable code with first short introductions and explanations for each vulnerability of how they happen and where. Each topic is presented as a mission with briefing and code inspection tasks.
The Secure Code Bootcamp covers 8 of the Top 10 list as the last two are more or less difficult to present in this gamified context, I think.
Mission briefing contains couple of minute theory lesson of the given vulnerability and teaches you what, where and how to prevent it.
After briefing you're challenged with code examples in the language you've chosen (Node.JS, Python:Django, Java:Spring, C# .NET: MVC). You practically swipe your way through code reviews by accepting or rejecting them. Reading code on mobile device screen isn't optimal but suffices for the given task. Works better for Node.js than for Java Spring.
Code inspection isn't always as easy as you would think even if you know what to look for. After succesfully inspected couple of codes you're awarded with a badge. The briefing tells you what to look for in the code but sometimes it's a guess what is asked for. The code inspection requires sometimes knowledge of the used framework and inspection is done without context for the usage. Almost every inspection I got 1 wrong which gave me 75% accuracy.
The approach to teaching security topics this way works ok if you're code oriented. You'll learn the OWASP Top 10 in practice by short theory lessons with pointers to how to prevent them and test your code inspection skills for noticing vulnerable aspects of code fragments. Having swiped through the bootcamp the code inspection parts were not always so useful.
The marketing text says "progress along multiple missions and build secure coding skills." and "Graduate with fundamental secure coding skills for your next step as a coder." and that is in my opionion a bit much to say. The bootcamp teaches the basic concepts of vulnerabilities and how they look on code but doesn't teach you to code securily.
In overall the Secure Code Bootcamp for OWASP Top 10 vulnerabilities is a good start for learning what, where, how and why vulnerabilities exists and learn to identify them. You can do the bootcamp with different languages available so replayability value is good.
For some time I've wanted to experiment with React Native and mobile development outside native iOS but there has always been something on the way to get really started with it. Recently I had time to watch React Europe 2020 conference talks and "On Expo and React Native Web" by Evan Bacon got me inspired.
"Expo: Universal React" talk showed what Expo can do and after some hassling around with Expo init templates I got a React Native app running on iOS for reading news articles from REST API with theme-support and some navigation written with TypeScript. And it also worked on Android, Web and as a PWA.
Expo is a toolchain built around React Native to help you quickly start an app. It provides a set of tools that simplify the development and testing of React Native app and arms you with the components of users interface and services that are usually available in third-party native React Native components. With Expo you can find all of them in Expo SDK.
Expo has good documentation to get you started and following the documentation (and choosing the managed workflow when initing an app) you get things running on your device or on iOS and Android simulators. If you don't have a macOS or iPhone you can use their Snack playground to see how it looks on iOS.
Expo comes with a client which you can use to send the app to your device or to others for review which is very useful when testing as you can see all changes in code in Expo client without creating apk or ipa files.
One great feature of Expo is that you can quickly test and show examples of solutions with the Snack editor and run the code either on the integrated simulator or on your device.
I've previously quickly used Ignite which has a different approach to get you running and compared to that Expo is more of a platform than just tools which has it's good and not so good points. One of the main points of Expo is that it practically binds you to Expo and their platform where as if you use only tools you're "more free".
The "Understanding Expo for React Native" post lists the following drawbacks in managed workflow. Some of those can be work aroud with bare workflow or with ejecting but then you lose the advantages of Expo workflow:
Can't add native modules written in Objective-C, Swift, Java, Kotlin
Can't use packages with native languages that require linking
App has a big size as it is built with all Expo SDK solutions
Often everything works well in Expo client but problems may occur in a standalone app.
This far I've just started with Expo and getting more adjusted to React Native and writing Highlakka news client has been insightful and good experience when comparing the same app, "Highkara", written in Swift for iOS. My plan is to implement some of the features in Highlakka as in Highkara and see how it works as an universal app. Especially the PWA is interesting option and Over the Air updates with Expo as shown in React Europe 2020 talk.
The Hailakka app is now "usable" and iOS app builds nicely with Expo Turtle. The PWA runs on Netlify which is great.
What about tools to help you with React Native development? Basically you can just use VS Code and go on with it.
Expo provides tools for building your application and Expo Dashboard shows your builds and their details. You can download the IPA packaged app when the build is ready and then upload it to App Store Connect.
You can build your application to different platforms with Expo cli. For example PWA with expo build:web and iOS with expo build:ios. And you can also do it from CI. Of course you still need Apple account for submitting the app to the App Store.
While your build is running you can check the queue from Turtle.
Analyzing code for compliance with guidelines is one part of the code quality assuarance and automating it with tools like ESLint and binding the checks with build process is common and routine operation. But what about validating GraphQL schema and queries? Here are some pointers to tools you can use to start linting your GraphQL schema.
apollo-tooling: Brings together your GraphQL clients and servers with tools for validating your schema, linting your operations and generating static types.
Using ESLint for GraphQL checks
Depending of you project structure and how you've created your schema and queries you can use different tools for linting it. eslint-plugin-graphql requires you to have the schema ready whereas graphql-eslint can do some checks and validation without the schema.
Using the graphql-eslint and configuration in package.json where the project uses code files to store GraphQL schema / operations:
Linting process can be enriched and extended with GraphQL type information, if you are able to provide your GraphQL schema.
Introspection Query and schema linting
GraphQL APIs are required to be self-documenting and every standard conforming GraphQL API needs to respond to queries about its own structure. This system is called introspection. The key for GraphQL validation is doing the introspection query and getting the schema in GraphQL Schema Definition Language format. The query gets you the JSON representation of the shape of the API which you can convert to SDL. See more about GraphQL Schemas.
You can use the apollo-tooling for the introspection. First start your GraphQL service and point the apollo to it.
npx apollo client:download-schema --endpoint=http://localhost:4444/graphql schema.graphql
The tooling outputs in this case the schema in GraphQL SDL format (.graphql) and you can also get it in JSON by using the schema.json filename.
Now that you have the GraphQL schema you can lint it by using graphql-schema-linter. Create config graphql-schema-linter.config.js in your project root folder.
CitySec Mayhem presentations playlist "Five Ways To Fail At Crime, Spotting the Storm: Attack Detection in the Cloud, Hunted: From Wanted Blackhat to Celebrated Whitehat, Plug - Silver Sparrow And The Tale Of The Mysterious Insu File, Forensics Crash Course, Find & kill your WordPress intruder with bare hands (and logs)"
Take a Ride With Me "Watch cyclists ride down hill form the comfort of your own saddle. Better with sound on. Website takes forever to load, so open in background, and check on it in a minute." (from Weekend Reading)
kubernetes-simulator "A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a Kubernetes cluster for you in your AWS account; runs scenarios which misconfigure it and/or leave it vulnerable to compromise and trains you in mitigating against these vulnerabilities." (from Cloud Security Reading List)
Meet Stretch from Boston Dynamics "Prototype of robot designed to automate box moving tasks in warehouses and distribution centers: unloading trucks, building pallets of boxes and order building. Stretch makes warehouse operations more efficient and safer for workers."
lazydocker A simple terminal UI for both docker and docker-compose, written in Go with the gocui library.
Codetour "CodeTour is a Visual Studio Code extension, which allows you to record and playback guided walkthroughs of your codebases. It's like a table of contents, that can make it easier to onboard (or re-board!) to a new project/feature area, visualize bug reports, or understand the context of a code review/PR change."
Responsively "Develop responsive web apps 5x faster! A must-have DevTool for all Front-End developers."
Permissions A simple site to test permission-related UI for web APIs.
Simulator Status Magic "Modify the iOS Simulator so that it has a perfect status bar, then run your app and take perfect screenshots every time."