HTML5/CSS guru, prolific webcaster and blogger, banjo player and all-round International Man of Mystery Chris Coyier is one of my fellow BarCamp Tour members and a friend of Shopify. He joined our friends at Wufoo, makers of web forms par excellence, who have since been acquired by SurveyMonkey.
If you get the chance to catch Chris at one of the upcoming BarCamps on the BarCamp Tour, do it! He’s a great presenter with lots of teach and an entertaining style in which to teach it. You can get a taste of a Chris Coyier presentation at CSS Tricks, where his 101st screencast, Let’s Suck at Github Together, walks you through Github with very little pain.
I caught the afternoon sessions of MeshU, the day of workshops that precedes the Mesh Conference. MeshU had three tracks – Design, Development and Management – and I chose to attend the sessions in the Development track.
Leigh provided an informative and entertaining summary of the most common security vulnerabilities in applications and the recommended best practices for writing secure apps. Here’s a photo of her slide showing OWASP’s ten principles that you should follow in order to write secure applications:
The ten principles are:
Minimize attack surface area
Establish secure defaults
Defense in depth
Don’t trust services
Separation of duties
Avoid security through obscurity
Keep security simple
Fix security issues correctly
She also covered what OWASP considers to be the current top ten vulnerabilities:
Malicious file execution
Insecure direct object references
Cross-site request forgeries
Information leakage / improper error handling
Broken authentication and improper error handling
Insecure cryptographic storage
Failure to restrict URL access
At the end of her presentation, Leigh listed a couple of books that she considered to be valuable security references. One of them was Writing Secure Code, Second Edition, written by Michael Howard and Steve Lipner and published by Microsoft Press.
This was a surprise to many people in the audience, the majority of whom were not building apps on Microsoft technologies and generally (and often mistakenly) think of the term “Microsoft” being synonymous with “insecure”. A number of people chatted with me after the presentation and it seemed like this was one of many things from Microsoft that caught them by surprise, along with other unexpected things including the MS-PL license, CodePlex and the Open Source Lab, the new emphasis on standards and interoperability…and hey, even taking on “unlikely” evangelists such as David Crow and me.
Pete’s presentation covered the options that developers have when building iPhone apps. For the curious, here’s the deck he used:
The one thing that he wanted you to take away from his presentation is, in his own words:
Consider iPhone web applications and side-stepping the iTunes Application Store (and their 30% gross cut) completely.
The one thing that I took away from the presentation (in addition to the one above) was that it’s not all smiles and sunshine in iPhone development land. Yes, the iPhone provides an excellent user experience and the App Store has been a hit with the customers and many developers. However, a good chunk of Pete’s presentation was about how some of the biggest obstacles for iPhone developers come from Apple itself; I’ve heard that there were similar grumblings at an iPhone developer meetup that took place later in the week. I think that there are some things that Windows Mobile developers (and the Windows Mobile team at Microsoft) can learn from these obstacles, and I’m going to write about them in a later article.
Chris explained that GitHub was an answer to a problem that he and his friends had: they were working on a number of open source projects, so many that managing them was “beginning to wear them down”. GitHub was created as a solution to that problem: it took care of the tedious parts of source code management so that they could focus on their code.
Although GitHub hosts a number of open source projects and uses Git, which is open source, it is not open source. Chris explained that managing an open source project takes up more time that he or the others on the team have. “Ironically,” he said, “starting GitHub has given me less time to work on open source.” After hinting at his dissatisfaction with the GNU General Public License, an audience member asked "Does the GPL cause you nightmares?"
“Yes,” he replied, after which he endorsed his preferred open source license. “MIT license all the way,” he said.
To promote GitHub, they took an approach that was closer in spirit to evangelism than standard marketing. “Companies still believe in old-school advertising, and they also think that what works offline works online,” he said. So they rely on the standard offline methods of promoting their wares: advertisements and marketing campaigns. In the online world, people trust their peers, so they opted for an approach that he called “guerilla marketing”: instead of spending money on ads, they spent money to hang out with developers, buy them beer and pizza and provide “a human face” to GitHub. He summed up the approach with a good one-liner: “Who knew that actually spending time with your customers would be good for business?" A great point, especially in today’s word-of-mouth-y, interconnected world.