NEVER trust user input

I’ve recently had the joy of being part of a code audit for a potential client, ahead of a change or re-build of their system.  The code in itself was a complete textbook…of how not to code a system.  It looked like it had been built long, long ago, when OO principles didn’t exist and when no-one knew about security unless they worked in that field.  Certainly the developers knew nothing about security.


Developers still lack security know-how

Earlier this week I was looking into RESTful web services and how to create them, so I set myself a small project.  The idea was to do something very basic, but something that could be useful for someone rather than just a proof of concept.  I had no real direction.  With the news recently being about Apple locked in a battle with the FBI over whether or not they should break their own security so the FBI could access data on a particular iPhone, I started thinking about how much bad security I have seen in software applications over the years.  From this, I decided to build a web service which would take a hash string and, where possible, return the original string for that hash.


Under Construction

I’ve let this site languish a little too long with no posts or improvements.  It’s time for that to change, so I’ve started some development on the back-end, which will hopefully lead to a better working front end.  Here’s a breakdown of what is in development:

  • Splitting “versions” of the site out into individual posts rather than one large post
  • Normalising the database to introduce performance improvements
  • Re-writing the gallery section completely from the mess it currently is
  • Adding some basic internal analytics (though I’ll still be using Google Analytics)
  • Updating the text editor I use for better code formatting

Once that’s done, some of the changes will be obvious on the front end, but I’ll then look at changing front end pages to improve the experience for all.

Enough for now, this code isn’t going to write itself…

Building my roadmap

Having just released version 5.1.4 of my website, which brought in the ability to contact me, I thought about all the other features I want to build into this site.  I debated not putting that sort of detail on here, as it might indicate how feature-lacking this actually is, but then I realised that I’ve got nothing to hide.  This is a personal site, and the whole build is an education for me.  The code is never intended to be released for general use (it’s very bespoke and not even close to a CMS).  Putting them on here also means I have things to look forward to.


Bug reports bugging me

In my life I’m no different to any other developer.  I make mistakes from time to time, and others around me make them too.  As a result, I occasionally get allocated some bugs to fix: either ones I’ve just managed to make myself, or long-standing ones which have only just been found.  Bugs are annoying for all concerned; I’m sure we can all agree on that.  They are annoying for the person who discovers them, because it means the system can’t do what they wanted or expected it to.  They are annoying for anyone on a support desk, as it means they have to work through it and determine whether it’s intended to work that way or whether it is doing something stupid.  And it’s annoying for the developer, because there’s usually a ton of other things to do besides fixing issues.  After all, our own code is always perfect, so why can’t every other developer’s code be perfect?


Are error messages evil?

A colleague of mine posted a question to us developers for our input.  They had read an article on LinkedIn which stated the following, and asked for our thoughts:

Error messages punish people for not behaving like machines. It is time we let people behave like people. When a problem arises, we should call it machine error, not human error: the machine was designed wrong, demanding that we conform to its peculiar requirements. It is time to design and build machines that conform to our requirements. Stop confronting us: Collaborate with us.
