Hi,
This month, we look at: the OWASP Top 10, Software Design Bias, Functional Programming, IDE setup for Rust, and setting up an AI experiment to play Tetris. Enjoy!
The Codurance Team
P.S. Missed our last newsletter? Catch up here.
Our Opinion On ... OWASP Top 10
Since the publication of the last Codurance newsletter, the Open Web Application Security Project (OWASP) has released the latest version of the renowned OWASP Top 10.
The OWASP Top 10 is a periodically updated document, designed to promote an awareness of the most common and critical security risks to web applications. The list is compiled by a project team which includes a variety of security experts from around the world.
Injection flaws (such as SQL, NoSQL, OS, and LDAP injection) remain at the top of the list, but three new risks have been added since the last revision in 2013: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring. This last item, Insufficient Logging and Monitoring, is particularly interesting.
Unfortunately, I have seen many projects where logging and monitoring tasks have been given a lower priority than the building of features deemed to be delivering direct business value. In reality though, retrofitting a sufficient logging and monitoring solution into a modern complex and distributed system is hugely time-consuming and error-prone. The more complex and distributed that a system becomes, the more critical comprehensive logging and monitoring are for supporting the application in production, further compounding the problem.
In addition to production support requirements, studies have shown that the time to detect a system breach is typically over 200 days and, shockingly, such breaches are more often detected by external parties than by internal processes such as monitoring or automated anomaly detection. This extended time from breach to detection gives attackers freedom to further attack systems, gather or destroy sensitive data and find further exploits.
At Codurance we advocate building a Walking Skeleton as the first phase of any software project. Logging and monitoring should be implemented as part of this phase and in such a way as to make it easy for developers to record activities such as login, access control failures, and server-side input validation failures, with sufficient user context for application support systems to easily detect and investigate important incidents.
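As an added illustration of that Walking Skeleton phase (example code written for this newsletter, not Codurance's or the author's own, and in Python rather than the .Net stack the author works on), the block below emits the three OWASP-listed activities as structured JSON-lines events carrying user context, and then runs a small detection consumer over them; event names, field names and the sample log are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event names for the activities the post singles out (example naming, not a standard).
LOGIN_FAILURE = "auth.login_failure"
ACCESS_DENIED = "authz.access_denied"
VALIDATION_FAILURE = "input.validation_failure"

def security_event(event, *, user, source_ip, request_id, ts=None, **details):
    """Return one JSON-lines security event with the user context needed to investigate it."""
    ts = ts or datetime.now(timezone.utc)  # UTC so events from distributed nodes sort consistently
    record = {"ts": ts.isoformat(), "event": event, "user": user,
              "source_ip": source_ip, "request_id": request_id, "details": details}
    return json.dumps(record, sort_keys=True)

def detect_bursts(log_lines, event, key, threshold, window_seconds):
    """Flag each `key` value (e.g. user or source_ip) that produced `threshold` or more
    `event` records within any `window_seconds` span. Returns the sorted offenders."""
    times = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        if rec["event"] == event:
            times[rec[key]].append(datetime.fromisoformat(rec["ts"]))
    flagged = []
    for k, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):  # sliding window over sorted timestamps
            if stamps[i + threshold - 1] - stamps[i] <= timedelta(seconds=window_seconds):
                flagged.append(k)
                break
    return sorted(flagged)

# Constructed sample log: five failed logins for "bob" within ten seconds from one address,
# plus scattered events from other users that should not trigger detection.
_T0 = datetime(2017, 12, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    security_event(LOGIN_FAILURE, user="alice", source_ip="198.51.100.7", request_id="r-1", ts=_T0),
    *[security_event(LOGIN_FAILURE, user="bob", source_ip="203.0.113.5",
                     request_id=f"r-{i + 2}", ts=_T0 + timedelta(seconds=2 * i)) for i in range(5)],
    security_event(ACCESS_DENIED, user="alice", source_ip="198.51.100.7", request_id="r-7",
                   ts=_T0 + timedelta(minutes=1), resource="/admin/users"),
    security_event(VALIDATION_FAILURE, user="carol", source_ip="192.0.2.9", request_id="r-8",
                   ts=_T0 + timedelta(minutes=2), field="email", reason="malformed"),
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG, LOGIN_FAILURE, "user", threshold=5, window_seconds=60))  # ['bob']
```

The request_id ties each event back to the rest of that request's logs, which is what makes a flagged burst investigable rather than just visible.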
The Author
Steve is a Principal Craftsman and author with over 18 years professional experience. During his career, Steve has worked on projects in a wide variety of sectors including retail e-commerce, finance, education, media, government and healthcare, developing large-scale, resilient, distributed systems on an assortment of platforms. He currently specialises in solutions built on the Microsoft .Net stack, with a particular interest in cloud computing using the Microsoft Azure platform.
All of the videos from SC London are now published and available to watch here. You can also subscribe for updates (http://sc-london.com/#subscribe) on SC London 2018, to gain updates on super early bird tickets and speaker announcements.
Christian Panadero Martinez looks at why Recursion is a very useful technique in functional programming and how it can help us.
A curated list of awesome reversing resources.
Carlos Morera de la Chica shares two new intuitions that he's gained from the book, Haskell Programming from first principles.
First post in our series looking at different ways of setting up your Rust development environment. It's time for VSCode! By Cyryl Płotnicki.
The second part of our series on setting up different Rust development environments. This time it's IntelliJ. By Dan Cohen.
Microsoft blog post on the introduction of Nullable Reference Types in C#, which aims to identify null-related bugs before they blow up at runtime.
Sergio Rodrigo Royo reflects on his recent experience of learning Machine Learning, and how he's having fun along the way.
Part 2 of Alessandro Di Gioia's series exploring Functional Programming and Reactive Architectures.
'Any of us who has programmed in a language that permits null references will have experienced what happens when you try to dereference one. Whether it results in a segfault or a NullPointerException, it’s always a bug.' By Richard Wild
Matthew Butt's walkthrough of how to refactor a Factory, moving from a sequence of ifs to a dictionary implementation, and using delegates as a type alias for his object creation methods.
'This week we had a software design night at Codurance. We spent almost three hours talking about many interesting things but there were a few things that really stuck with me: We all have software design bias.' By Sandro Mancuso
Mashooq Badar explores the notion of Fractured Skill within software development, and why it's critical that all roles within a team have a broad appreciation of skills used, with their own depth of knowledge.
Jorge Gueorguiev Garcia recently posted about functional calisthenics (https://codurance.com/2017/10/12/functional-calisthenics/). In this post, he provides additional rules/premises/requirements for three katas.
In this experiment, Dan Cohen attempts to implement an evolutionary algorithm with no crossover to evolve a neural network with the intention of having it learn to play Tetris.
An interactive guide that aims to provide a few suggestions on how to improve your online security posture.
Sergio Rodrigo Royo's post looks at Lambda Calculus, which isn't as arcane or just applicable to Functional Wizards as we may think.
Luciano Palma reflects on the Legacy Code retreat that was hosted at Codurance via the LSCC back in October.
Christian Panadero Martinez reflects on Side Effects within Functional Programming.
Raquel M Carmena reflects on Lambda World Conference 2017, two intense days of workshops, sessions and open spaces focusing on Functional Programming.
Our Chance to say 'We're Hiring'
We're hiring Software Craftspeople who share the same values of Professionalism, Pragmatism and Pride in Software Development that we do. If you're ready for autonomy, mastery and purpose in your career, then click here.