Security Hygiene for Software Professionals

As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. And that’s before we consider that the code we write has a tremendous value of its own and should be protected.

Padlock by Moyan Brenn. Used with permission under CC BY 2.0.

Taking responsibility for our security hygiene is, thankfully, not very difficult. Today, most tools we need are either already present in our operating systems or can be added without much effort. In this post, I’ll take you down a list of things you should consider.

The Security Spectrum of curl | sh

A growing number of organizations are delivering software, generally for macOS, with a very Unix-y but also controversial pattern: using curl(1) to download a script and piping the output straight into a shell, usually sh(1) or bash(1), so that it runs without ever being saved to disk or inspected. There’s even a blog tracking the phenomenon, with the pointed description, “People telling people to execute arbitrary code over the network.”

Easy Secure Web Serving with OpenBSD’s acme-client and Let’s Encrypt

As recently as just a few years ago, I hosted my personal website, VPN, and personal email on a computer running OpenBSD in my basement. I respected OpenBSD for providing a well-engineered, no-nonsense, and secure operating system. But when I finally packed up that basement computer, I moved my website to an inexpensive cloud server running Linux instead.

[Video] Command Injection: How the Shell Makes You Vulnerable

Most web developers are familiar with SQL injection, an all-too-common web vulnerability. The problem typically arises from assembling SQL queries by concatenating strings, without realizing that whoever supplies the parameters (typically, a caller of a web API) can then write their own SQL code. But SQL isn’t the only place code can be injected. SQL injection has a close cousin that’s not nearly as well-known, but it’s just as—if not more—deadly: command injection, where untrusted input ends up in a command line that a shell interprets.

Date Math Across Time Zones with Moment.js

Time zones—two words that strike fear deep in the heart of every developer. And rightly so. For most of history, humans kept local time, pegging “noon” to the moment the sun is directly overhead; standardized time zones are little more than a century old. Since then, the world has steadily moved to where we are now, with humans and computers communicating with each other in sub-millisecond time around the globe. The result is a morass of offsets, daylight-saving rules, and historical exceptions that no programmer could reasonably expect to keep in their head.
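The kind of rule the paragraph warns about, as an added example (not the post's Moment.js code): the same calendar arithmetic done with the built-in `Intl` API, so it runs with no dependencies. It shows why "add a day" and "add 24 hours" are different operations once a daylight-saving change sits between them. Zone names are IANA identifiers; the dates are constructed for the demo.

```javascript
// Wall-clock fields of an instant as seen in `timeZone`.
function wallClock(date, timeZone) {
  const fmt = new Intl.DateTimeFormat('en-US', {
    timeZone,
    hourCycle: 'h23',
    year: 'numeric', month: '2-digit', day: '2-digit',
    hour: '2-digit', minute: '2-digit', second: '2-digit',
  });
  const fields = {};
  for (const { type, value } of fmt.formatToParts(date)) {
    if (type !== 'literal') fields[type] = Number(value);
  }
  return fields; // { year, month, day, hour, minute, second }
}

// UTC offset of `timeZone` at `date`, in milliseconds (negative west of UTC).
function zoneOffsetMs(date, timeZone) {
  const w = wallClock(date, timeZone);
  const asUtc = Date.UTC(w.year, w.month - 1, w.day, w.hour, w.minute, w.second);
  return asUtc - Math.floor(date.getTime() / 1000) * 1000;
}

// Instant for a wall-clock time in `timeZone`. Two passes converge for every
// wall-clock time that exists exactly once. A time skipped by a spring-forward
// transition, or repeated by a fall-back one, yields one of the neighbouring
// instants; a real library makes that choice explicit.
function zonedTimeToInstant(year, month, day, hour, minute, second, timeZone) {
  const wallAsUtc = Date.UTC(year, month - 1, day, hour, minute, second);
  let guess = wallAsUtc;
  for (let i = 0; i < 2; i++) {
    guess = wallAsUtc - zoneOffsetMs(new Date(guess), timeZone);
  }
  return new Date(guess);
}

// "Same time tomorrow" in a zone: shift the calendar date, keep the wall clock.
// Date.UTC normalises overflow, so Jan 31 + 1 day becomes Feb 1.
function addCalendarDays(date, days, timeZone) {
  const w = wallClock(date, timeZone);
  const shifted = new Date(Date.UTC(w.year, w.month - 1, w.day + days));
  return zonedTimeToInstant(
    shifted.getUTCFullYear(), shifted.getUTCMonth() + 1, shifted.getUTCDate(),
    w.hour, w.minute, w.second, timeZone,
  );
}

// Adding 24 hours is a different operation: it ignores the calendar entirely.
function add24Hours(date) {
  return new Date(date.getTime() + 24 * 60 * 60 * 1000);
}

// Constructed case: noon in New York on 2021-03-13, the day before DST began.
const noonBeforeDst = new Date('2021-03-13T17:00:00Z'); // 12:00 EST
const zone = 'America/New_York';
console.log(wallClock(add24Hours(noonBeforeDst), zone).hour);               // 13
console.log(wallClock(addCalendarDays(noonBeforeDst, 1, zone), zone).hour); // 12
```

Whichever library you use, the question to ask of every date operation is whether it is meant to move along the calendar (meetings, billing cycles) or along elapsed time (timeouts, rate limits); the two only agree when no offset change falls in between.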

Why You Shouldn’t “npm install -g”

I’ve been doing some reading lately on new (to me) tools in the Node.js ecosystem. This ecosystem is certainly vibrant, with lots of interesting things going on all the time, but I’m concerned about a pattern that I see popping up when people write about it.

It’s an old pattern—one I’ve seen many times in many different contexts over my decades of working on Unix-like systems—but it seems even more common now that OS X is the development platform of choice. The pattern’s telltale sign: npm install -g.

JavaScript Promises – How They’ll Work Someday

In my last two posts, I showed you how JavaScript Promises, an ES6 API that streamlines and simplifies asynchronous programming, work—and how they can break.

In this final post in the series, I will show you how you can reduce the pain of working with Promises using new JavaScript language features, if your target environment supports them.

JavaScript Promises – How They Break

In my previous post, I took you through an introduction and gave a peek under the hood for ES6 Promises, showing you how they work and how to use them. Today, I’m going to talk about how JavaScript Promises can break. Hopefully, this will equip you to track down Promise bugs in code that fails in mysterious ways.

JavaScript Promises – How They Work

JavaScript literally cannot do two things at once—it runs your code on a single thread by design. To operate in the browser, where lots of tasks are going on concurrently at all times, it uses an event loop: you register an event handler, and the runtime calls it when something interesting happens.

But the event model, while quick and easy for responding to things like user input, becomes unwieldy when chaining together sets of “do this, wait for that” tasks.

In ES6, we have a standard model for this: the Promise object.
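An added example covering the three posts in this series (it is not the posts' own code): a callback-style API wrapped once in a Promise, the "do this, wait for that" steps as a flat chain, the single most common way such a chain breaks, and the same flow with async/await. The directory lookup API and its data are constructed stand-ins for something like a database call.

```javascript
// Constructed stand-in for an asynchronous, callback-style API.
const directory = {
  'user:alice': { name: 'alice', group: 'group:admins' },
  'group:admins': { name: 'admins', canDeploy: true },
};

function lookupCallback(key, cb) {
  setTimeout(() => {
    if (key in directory) cb(null, directory[key]);
    else cb(new Error(`no such key: ${key}`));
  }, 1);
}

// Step 1: wrap the callback API once, so every caller gets a Promise.
// The executor runs immediately; resolve/reject settle it exactly once.
function lookup(key) {
  return new Promise((resolve, reject) => {
    lookupCallback(key, (err, value) => (err ? reject(err) : resolve(value)));
  });
}

// Step 2: "do this, wait for that" as a flat chain. Each `then` returns the
// next Promise, so the chain waits for it, and a failure at any step rejects
// the whole chain; the caller needs a single catch rather than one per step.
function canDeploy(username) {
  return lookup(`user:${username}`)
    .then((user) => lookup(user.group))
    .then((group) => group.canDeploy === true);
}

// How it breaks: forgetting `return` inside a `then` callback. The inner
// lookup still runs, but nothing waits for it, so the next step receives
// `undefined` and the function quietly resolves to the wrong answer.
function canDeployBroken(username) {
  return lookup(`user:${username}`)
    .then((user) => { lookup(user.group); }) // missing `return`
    .then((group) => group && group.canDeploy === true);
}

// Step 3: the same flow with async/await. A rejected Promise surfaces as a
// thrown exception, so ordinary try/catch and early returns work.
async function canDeployAsync(username) {
  const user = await lookup(`user:${username}`);
  const group = await lookup(user.group);
  return group.canDeploy === true;
}

// Usage: one catch at the call site handles a failure from any step.
canDeploy('alice').then((ok) => console.log('alice:', ok));       // alice: true
canDeploy('nobody').catch((err) => console.log(err.message));     // no such key: user:nobody
canDeployBroken('alice').then((v) => console.log('broken:', v));  // broken: undefined
canDeployAsync('alice').then((ok) => console.log('async:', ok));  // async: true
```

The broken variant is worth lingering on: it does not throw, log, or reject, which is exactly why such bugs surface as "mysterious" failures far from their cause. Linters can flag a `then` callback whose body neither returns nor throws.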

Precision Decimal Math in JavaScript with decimal.js

On my current project, we’re doing a lot of math with dollars and cents on a Node.js server. We’re not just adding, but calculating discounts and taxes and the like. Typically, one would do money math in JavaScript by representing the amounts as decimal numbers and using floating-point math.

Unfortunately, binary floating-point math cannot represent most decimal fractions exactly (0.1 + 0.2 is not quite 0.3), and those tiny errors compound over a long sequence of operations.
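As an added example (not the post's decimal.js code), the drift the post describes and a dependency-free way to avoid it: keep amounts in integer cents as `BigInt`, express rates in basis points, and round explicitly once per step. The parsing and rounding helpers, the rate encoding and the sample receipt are this example's own choices.

```javascript
// Why floats are a poor fit for money: 1.15 has no exact binary
// representation, so even scaling it to cents drifts.
function floatCents(dollars) {
  return dollars * 100; // floatCents(1.15) is 114.99999999999999, not 115
}

// Parse a decimal string such as "19.99" or "-0.5" into integer cents, exactly.
function parseCents(text) {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(text.trim());
  if (!m) throw new RangeError(`not a money amount: ${text}`);
  const [, sign, whole, frac = ''] = m;
  const cents = BigInt(whole) * 100n + BigInt(frac.padEnd(2, '0'));
  return sign === '-' ? -cents : cents;
}

function formatCents(cents) {
  const sign = cents < 0n ? '-' : '';
  const abs = cents < 0n ? -cents : cents;
  return `${sign}${abs / 100n}.${String(abs % 100n).padStart(2, '0')}`;
}

// Integer division rounding half away from zero (the usual rule on receipts).
// floor((2a + d) / 2d) equals round-half-up(a / d) for non-negative a.
function divRoundHalfUp(n, d) {
  if (d <= 0n) throw new RangeError('denominator must be positive');
  const neg = n < 0n;
  const a = neg ? -n : n;
  const q = (2n * a + d) / (2n * d);
  return neg ? -q : q;
}

// Apply a rate given in basis points (725 bp = 7.25%) to an amount in cents.
function applyBasisPoints(cents, bp) {
  return divRoundHalfUp(cents * bp, 10000n);
}

// Discount first, then tax on the discounted amount. Every intermediate value
// is an exact integer, and rounding happens at exactly one point per step.
function total(cents, discountBp, taxBp) {
  const discount = applyBasisPoints(cents, discountBp);
  const subtotal = cents - discount;
  const tax = applyBasisPoints(subtotal, taxBp);
  return { discount, subtotal, tax, total: subtotal + tax };
}

// Worked case: $19.99 with 10% off and 7.25% tax.
const receipt = total(parseCents('19.99'), 1000n, 725n);
console.log(formatCents(receipt.total)); // 19.29
```

A library such as decimal.js gives you the same exactness with arbitrary precision and a configurable rounding mode; the integer-cents approach is what to reach for when the only operations are add, subtract, and multiply by a rate, and a dependency is unwelcome.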