Short notes on tech 2/2022

Week 2 of 2022

JavaScript for impatient programmers
"This book makes JavaScript less challenging to learn for newcomers, by offering a modern view that is as consistent as possible."

Software architecture patterns
Take a deep dive into several common software architecture patterns.

Checklist Design
A collection of the best design practices. (from Web Design Weekly)

How to mentor software engineers
(from Hacker Newsletter)

Hacker laws
Laws, Theories, Principles and Patterns that developers will find useful. (from Hacker Newsletter)

Documentation Guide
"Collective wisdom of the Write the Docs community around best practices for creating software documentation."

misbrands
"The world's most hated IT stickers"

Careen ladders
For a quick look what the career ladder could look like it's worth to check Rent the Runway (spreadsheet) which takes a fun D&D inspired Dex/Str/Wis/Cha stats based evaluation, corresponding to technical skill, productivity, impact, and communication/leadership. Management track is also included, with more focus on architecture, hiring, organizational skills, and leadership/salesmanship.

Notes from Microsoft Ignite Azure Developer Challenge

Microsoft Azure cloud computing service has grown steadily to challenge Amazon Web Services and Google Cloud Platform but until now I hadn't had a change to try it and see how it compares to other platforms I've used. So when I came across the Microsoft Ignite: Cloud Skills Challenge November 2021 I was sold and took the opportunity to go through one of the available challenges: Azure Developer Challenge. Here are my short notes about learning minor part of Azure.

The Azure Developer Challenge was for developers interested in designing, building, testing, and maintaining cloud applications and services on Microsoft Azure. Each challenge was based on a collection of Microsoft Learn modules. If you completed your challenge before it ended, you got one free Microsoft Certification exam like "AZ-204: Developing Solutions for Microsoft Azure".

Microsoft Ignite: Azure Developer Challenge

"This challenge is for developers interested in designing, building, testing, and maintaining cloud applications and services on Microsoft Azure."

Microsoft Ignite

The Azure Developer Challenge consisted of following products in Azure:

  • Azure App Service
  • Azure Functions
  • Azure Cosmos DB
  • Azure Blob storage
  • Virtual machines in Azure
  • Azure Resource Manager templates
  • Azure Container Registry
  • Azure Service Bus
  • Azure Queue storage
  • Azure Event Hubs
  • Event Grid

Learning to use those different products were done by different exercises which showed you how to do things and checked that you had done it correctly. The exercises used Azure portal where the Learn module gave you free learning environment to use. Towards the end I got my free development environment credits used for the day and had to skip some of the practicalities.

Exercise with Sandbox

After going through the introduction to different parts of Azure the Learn module practically teached you to use Azure Functions. And not much more. With Azure Functions the exercises teached to create serverless logic, execute functions with triggers, chain functions and have durable functions. You also learned to develop functions on your local machine. Azure Functions were used i.a. with Cosmos DB, webhooks and for creating an (serverless) API. The last module was about building serverless apps with Go.

In overall the learning experience was nice and the practical exercises forced you to click through the Azure Portal and get the hang of how things work. I was in a bit of a hurry to go through all of the 33 modules which was calculated to take around 21 hours. I think it took me about 10-12 hours.

Now the last step is to actually take the Certification exam. Also as the learning modules for different topics are still available I will maybe go through some more. At least the "Azure Admin Challenge" looked interesting for my purposes.

Azure Portal with Console and VS Code

Short notes on tech 50/2021

Week 50 of 2021

Developer Tools secrets that shouldn’t be secrets
Write-up of a talk at CityJS covering i.a. console.log and VS Code. (from Web Design Weekly)

2021 Design Tools Survey
Overview of the most used design tools during 2021

Meet The Man Who Shoots At Birds All Day To Keep Them Off A Toxic Pit
"If migrating species land on the Berkeley Pit for more than a few hours, they get cooked from the inside out. Now, miners use a rifle, drones, and lasers to scare the birds away."

Short notes on tech 45/2021

Week 45 of 2021

Software Development

Software Architecture Patterns: 5 minute read
Some of the most important parts of the Software Architecture Patterns by Mark Richards. (from Hackernewsletter)

React Aria: A headless UI component library
A library of React Hooks that provides accessible UI primitives for your design system. "You structure your DOM and css however you want, and react-aria provides hooks that return props to spread onto your elements to make them come alive."

Coding font
"gamified experience to help you find your true love of coding fonts" (from Hackernewsletter)

Cloud

How to improve your Docker containers security
"Containers are no security devices. That's why we've curated a set of easily actionable recommendations to improve your Docker containers security. Check out the one-page cheat sheet." (from Cloud Security Reading List)

Github Actions Security Best Practices
"Some of the key security concerns you should be aware of when using Github Actions. We will also cover the best practices that Salesforce Heroku follows." (from Cloud Security Reading List)

Information Security

Attacking and Securing CI/CD Pipeline
"Comprehensive summary of both the attack methods often used against CI/CD pipelines and our insights in securing the CI/CD infrastructure." ATT&CK-like Threat Matrix for CI/CD Pipeline. (from Cloud Security Reading List)

Protect your open source project from supply chain attacks
tl;dr; Follow the SLSA framework and OpenSSF Scorecards rubric, and many can be implemented automatically by using the Allstar project. (from Cloud Security Reading List)

Java

New language features since Java 8 to 17
(from Hackernewsletter)

Worklife

Doing a job
"Human experience shows that people, not organizations or management systems, get things done."

Short notes on tech 42/2021

Week 42 of 2021

Software development

How to win at CORS
Interactive learning of CORS with The CORS Playground.

Cloud

No, we don’t use Kubernetes
Ably runs a large scale production infrastructure with Docker but uses "just" AWS EC2 instances and writes about should they use Kubernetes as their primary deployment platform at some point.

Top 20 Dockerfile best practices
TL;DR; rootless, distroless, copy, image scanning, healthcheck.

History

The Insane Innovation of TI Calculator Hobbyists
"In the mid-to-late 2000s there was in fact a thriving scene of hackers who had bent graphic calculators to their will, writing games, math software, and more generally hacking on the platform just for the sake of it."

Tools

Vite
"Next Generation Frontend Tooling"

ESBuild
"An extremely fast JavaScript bundler". Hackernews thread

Nginx playground
"It's like codepen for nginx -- you paste in an nginx config, and then a server starts nginx for you and runs any curl or http command you want against that nginx server."

Antora
"The multi-repository documentation site generator for tech writers who love writing in AsciiDoc."

Replay
"Record and replay web applications with familiar browser dev tools."

Short notes on tech 37/2021

Week 37 of 2021

Software development

Give me /events, not webhooks
"This post clearly explains the benefits of using an /events endpoint + long polling. Simpler and more reliable than webhooks. On the web we don't have much of a choice, most platforms support webhooks and few support event streams. For internal applications don't go with webhooks as the first choice just because they're prevalent on the web." (from Weekend reading)

Writing JavaScript, but with types!
"I’ve often run into a situtation in which I’ve wished my JavaScript code would have types and they would be enforced. This would save me from a lot of runtime headache that can happen." But you can't use TypeScript to enforce it. The article explain one option to help your development.

Containers

A Security Review of Docker Official Images: Which Do You Trust?
This research demonstrates the importance of keeping track of the images that you use, and not assuming that even official images from Docker Hub will be maintained in perpetuity. (from Cloud Security Reading List)

Docker is Updating and Extending Product Subscriptions
"Docker Subscription Service Agreement includes a change to the terms for Docker Desktop: Docker Desktop remains free for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects. It requires a paid subscription (Pro, Team or Business), starting at $5 per user per month, for professional use in larger businesses."

Cloud

So You Inherited an AWS Account
"Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training." (from Cloud Security Reading List)

Top things to do when setting up a new Org
"What you should do when setting up a new AWS Organization from scratch." (from Cloud Security Reading List)

Web development

How I Experience Web Today

Level up your CSS linting using Stylelint
"Lint all the things" (from CSS Weekly)

iOS

Automating App Store Screenshots
"Whenever I mention using fastlane's snapshot tool for App Store screenshots, I justify it by saying it'll save you time if you have "ten screenshots for every device type in different localisations". In reality, even if you have just two screenshots in one language for your app, you'll still save so much time by doing this. Let Daisy Ramos show you how to make the best of this fantastic tool." (from iOS Dev Weekly)

Something different

Branded in Memory
Iconic brands drawn from memory

Create secure code with Secure Code Bootcamp

Software development contains many aspects which the developer has to take care and think about. One of them is information security and secure code which affects the product and its users. There are different ways to learn information security and how to create secure and quality code and this time I'll shortly go through what Secure Code Warrior Secure Code Bootcamp has to offer.

For the record other good resources I've come across are Kontras application security training for OWASP Top 10 and OWASP Top 10 API, hands-on approaches like Cyber Security Base MooC, Wargames, Hack the Box and Cybrary.

Secure Code Bootcamp

Kick-start your journey to creating more secure, quality code with Secure Code Bootcamp - our free mobile app for early-career coders.

Secure Code Bootcamp

Secure Code Warrior provides a learning platform for developers to increase their software security skills and guide each coder along their own preferred learning pathway. They have products, solutions and resources to help organization's development teams to ship quality code and also provide a free mobile app for early-career coder: Secure Code Bootcamp.

Application presents common vulnerabilities from the OWASP Top 10 and you get badges as you progress through each new challenge, unlocking new missions as your progress. It teaches you to identify vulnerable code with first short introductions and explanations for each vulnerability of how they happen and where. Each topic is presented as a mission with briefing and code inspection tasks.

OWASP Top 10 are:

The Secure Code Bootcamp covers 8 of the Top 10 list as the last two are more or less difficult to present in this gamified context, I think.

Mission briefing contains couple of minute theory lesson of the given vulnerability and teaches you what, where and how to prevent it.

After briefing you're challenged with code examples in the language you've chosen (Node.JS, Python:Django, Java:Spring, C# .NET: MVC). You practically swipe your way through code reviews by accepting or rejecting them. Reading code on mobile device screen isn't optimal but suffices for the given task. Works better for Node.js than for Java Spring.

Code inspection isn't always as easy as you would think even if you know what to look for. After succesfully inspected couple of codes you're awarded with a badge. The briefing tells you what to look for in the code but sometimes it's a guess what is asked for. The code inspection requires sometimes knowledge of the used framework and inspection is done without context for the usage. Almost every inspection I got 1 wrong which gave me 75% accuracy.

Summary

The approach to teaching security topics this way works ok if you're code oriented. You'll learn the OWASP Top 10 in practice by short theory lessons with pointers to how to prevent them and test your code inspection skills for noticing vulnerable aspects of code fragments. Having swiped through the bootcamp the code inspection parts were not always so useful.

The marketing text says "progress along multiple missions and build secure coding skills." and "Graduate with fundamental secure coding skills for your next step as a coder." and that is in my opionion a bit much to say. The bootcamp teaches the basic concepts of vulnerabilities and how they look on code but doesn't teach you to code securily.

In overall the Secure Code Bootcamp for OWASP Top 10 vulnerabilities is a good start for learning what, where, how and why vulnerabilities exists and learn to identify them. You can do the bootcamp with different languages available so replayability value is good.

Short notes on tech 28/2021

Week 28 of 2021

CSS

CSS system colors
"Jim Nielsen reveals the system colors we can use in CSS and how useful this can be for light and dark mode themes." (from WDRL)

Cloud

The Gamer Guide to Playing Amazon Web Services (AWS)
"This is such a nice article, sharing a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players." (from Cloud Security Reading List)

Best practices for securing Identity and Access Management on AWS
"Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized." (from Cloud Security Reading List)

Uncomplicate Security for developers using Reference Architectures
"Walk through some of the salient features of a meaningful security reference architecture and the process required to develop one." (from Cloud Security Reading List)

Software development

A curated list of books on Software Architecture

Starting with React Native and Expo

For some time I've wanted to experiment with React Native and mobile development outside native iOS but there has always been something on the way to get really started with it. Recently I had time to watch React Europe 2020 conference talks and "On Expo and React Native Web" by Evan Bacon got me inspired.

All the talks in React Europe 2020 can be found in their playlist on Youtube

Universal React with Expo

Expo is an open-source platform for making universal native apps for Android, iOS, and the web with JavaScript and React.

Expo

"Expo: Universal React" talk showed what Expo can do and after some hassling around with Expo init templates I got a React Native app running on iOS for reading news articles from REST API with theme-support and some navigation written with TypeScript. And it also worked on Android, Web and as a PWA.

Expo is a toolchain built around React Native to help you quickly start an app. It provides a set of tools that simplify the development and testing of React Native app and arms you with the components of users interface and services that are usually available in third-party native React Native components. With Expo you can find all of them in Expo SDK.

Understanding Expo for React Native

You can use the Expo Snack online editor to run you code in iOS, Android and Web platforms. And if you need vector icons, there's and app for searching them. Also Build icon app is crafty.

Expo has good documentation to get you started and following the documentation (and choosing the managed workflow when initing an app) you get things running on your device or on iOS and Android simulators. If you don't have a macOS or iPhone you can use their Snack playground to see how it looks on iOS.

Expo comes with a client which you can use to send the app to your device or to others for review which is very useful when testing as you can see all changes in code in Expo client without creating apk or ipa files.

One great feature of Expo is that you can quickly test and show examples of solutions with the Snack editor and run the code either on the integrated simulator or on your device.

I've previously quickly used Ignite which has a different approach to get you running and compared to that Expo is more of a platform than just tools which has it's good and not so good points. One of the main points of Expo is that it practically binds you to Expo and their platform where as if you use only tools you're "more free".

Drawbacks

The "Understanding Expo for React Native" post lists the following drawbacks in managed workflow. Some of those can be work aroud with bare workflow or with ejecting but then you lose the advantages of Expo workflow:

  1. Can't add native modules written in Objective-C, Swift, Java, Kotlin
  2. Can't use packages with native languages that require linking
  3. App has a big size as it is built with all Expo SDK solutions
  4. Often everything works well in Expo client but problems may occur in a standalone app.

Feelings

This far I've just started with Expo and getting more adjusted to React Native and writing Highlakka news client has been insightful and good experience when comparing the same app, "Highkara", written in Swift for iOS. My plan is to implement some of the features in Highlakka as in Highkara and see how it works as an universal app. Especially the PWA is interesting option and Over the Air updates with Expo as shown in React Europe 2020 talk.

The Hailakka app is now "usable" and iOS app builds nicely with Expo Turtle. The PWA runs on Netlify which is great.

Tools

What about tools to help you with React Native development? Basically you can just use VS Code and go on with it.

Flipper DevTool Platform for React Native talk at React Europe 2020 by Michel Weststrate and "Flipper — A React Native revolution" post shows one option. It's baked into React Native v0.62 but isn't yet available with Expo 41 (there's feature request for it and suggestions to use what Expo offers like React Native debugger and Redux devTools integration).

Build tools

Expo provides tools for building your application and Expo Dashboard shows your builds and their details. You can download the IPA packaged app when the build is ready and then upload it to App Store Connect.

You can build your application to different platforms with Expo cli. For example PWA with expo build:web and iOS with expo build:ios. And you can also do it from CI. Of course you still need Apple account for submitting the app to the App Store.

While your build is running you can check the queue from Turtle.

Short notes on tech 26/2021

Week 26 of 2021

Team

An incomplete list of skills senior engineers need, beyond coding

  1. How to run a meeting, and no, being the person who talks the most in the meeting is not the same thing as running it
  2. How to write a design doc, take feedback, and drive it to resolution, in a reasonable period of time
  3. How to mentor an early-career teammate, a mid-career engineer, a new manager who needs technical advice
    (from Weekend Reading)

Learn

How to Handle Secrets on the Command Line
"Keeping secrets secret on the command line requires some extra care and effort."

Something different

Myths Debunked: Wide Tires Are NOT Slower