Tanya Janca
Best-selling author of Alice and Bob Learn Application Security. Education and community at @Semgrep #AppSec #sast #SCA #devsecops @WeHackPurple she/her
Mar 31, 2022 4 tweets 1 min read
Dr. Sally Leivesley is explaining Catastrophic Risk to us at @pulse_innovate conference. She's explaining the concept of digital twins. Making a digital version of an entire city, then testing potential failures, attacks, recovery, etc. Fascinating.
Feb 4, 2022 17 tweets 3 min read
A thread 🧵 on why we use source control.

Years ago I went to fix a bug on someone else's classic ASP app (he was away). When I ran the app locally it looked completely different than what I saw in prod. I quickly realized the copy in source control was 3 years out of date. After looking a bit more closely I realized that he had been updating his app on the prod server, live, for YEARS. I checked his other ASP apps and it was all the same. I kinda freaked out.
Feb 1, 2022 7 tweets 2 min read
Thread 🧵about yelling

In my early twenties I had a boss that yelled and screamed at people. I was new, but had heard it happen to others. One day I reported a design flaw to him, for a new app we were about to build.
He started to get upset, like he was going to yell. I personally feel that people yelling and screaming is completely unprofessional in an office setting. It is losing control and not regulating your emotions, making others suffer as a result.

That said, I was in a hardcore band at the time, and I CAN yell very loud.

2/?
Dec 11, 2021 17 tweets 4 min read
Thread for Software Developers who want to know about this #Log4J thing.

Lots of people are talking about how this affects servers, but you want to know about your apps. Let's talk about what the problem is, how to figure out if you have it, then what to do about it. Problem: this java logging dependency has a vulnerability in it that allows an attacker to take over your web server and run commands from it. They can run this attack before a login screen (unauthenticated). This is the "most scary possible" from a security viewpoint.
Dec 4, 2021 11 tweets 4 min read
Short thread on securing your APIs, thanks to a client asking me questions recently. :-D

APIs need to receive all the same security attention as a regular web app. This means: security requirements, a threat model, secure coding,

1/?

run a code review (any SAST and SCA should be used) and/or a linting tool on it (I tend to use the @42crunch IDE plugin for this), I put it behind an API gateway, and I do DAST scanning with something like @NeuraLegion, @zaproxy, @Burp_Suite or similar.

2/?
Nov 25, 2021 13 tweets 2 min read
#minilesson The difference between applications and infrastructure;

Infrastructure is the operating system that applications live on. Think Windows, Linux, containers, and so much more. Sometimes hardware is included in this category (depending on who you talk to). Infrastructure is necessary to run an application. Operating systems are also all standardized, not unique in nature. If we're both running SQL Server 2012 R2, we both have the same options for patches, configuration, etc. Operating systems are software that speak to hardware.
Nov 24, 2021 4 tweets 1 min read
My significant other doesn't work in IT, but we often discuss our days. Today I explained the difference between refactoring an application and rewriting one. Refactoring means the app works, but it's not great. There are issues, probably technical debt, and refactoring… will improve the app, make it easier to maintain and extend its life. It's still the original app, looks the same to users, but it's probably faster and more stable.

Rewriting the app means completely replacing it. Writing a brand new app, from scratch, with more modern tech…
May 12, 2021 5 tweets 1 min read
When Google bought fitbit all they bought was the data. Not the dumb bracelet. Mark my words.

They never responded to me about sending me an email AFTER the merger, when I had explicitly requested all of my data be removed BEFORE the merger. The "investigation" went nowhere. Who here gets the "GPS nag screen"? If you have GPS tracking disabled it asks every time you use it. Also, if you reinstall or update it... It turns it back on!

I liked my dumb bracelet. :-\
Jun 29, 2020 5 tweets 1 min read
Story: Years ago I was in a dev meeting and found out one of our devs had been editing code live on the server for years, and that the code in our repo was completely out of date. There was no backup of this prod app. I lost my shit.

The dev told me that

1/?

The dev told me "It's faster to do it this way. I did nothing wrong."

I explained that having no backup meant we could lose the entire app. He said he took backups of the server, so that wouldn't happen. He asked why he had to "waste time" using a repo.

2/?
Jun 28, 2020 7 tweets 2 min read
Story:

I used to work for the federal government in Canada, and so did my mom, but in different departments. One single time, I got to work with her, and do an interdepartmental project. I WAS SO EXCITED.

1/?

I worked at the Department of Justice (DOJ), and we wanted to take part of the tax refund from parents who owed a significant amount of child support, and then send it to the owed parent. My mom worked at the Canada Revenue Agency (CRA).

2/?