Salmagundi for Thursday, December 15, 2011

Salmagundi? That’s the word for a seventeenth-century English dish made of an assortment of wildly varying ingredients. Typically, they include some cut-up hard-boiled egg, but then after that, anything goes: meat, seafood, fruits and veg, nuts and flowers and all manner of dressings and sauces. The term comes from the French “salmigondis”, which translates as “hodgepodge”.

In this case, I’m using “salmagundi” as a term for a mixed bag of new items that you might find interesting as a developer.

The Tangled Web: A Guide to Securing Modern Web Applications


I’m currently in the middle of reading Michal Zalewski’s new book, The Tangled Web: A Guide to Securing Modern Web Applications and it’s been a fascinating, enlightening and enjoyable read. At first glance, you might be tempted to simply sum it up as a “security book”; I think it’s more accurate to describe it as “a great review of how browsers, their protocols, programming languages and security features work, and how to write secure apps given this knowledge”. Given that web security is a rapidly moving target, especially with the browser vendors – even the formerly-pokey Microsoft – cranking out versions at a faster rate, Zalewski’s approach to the topic is the right one: make sure the reader is clear on the basic principles, and then derive the security maxims from them, giving the knowledge contained within the book a much longer “shelf life”.

The Tangled Web is divided into three parts:

  1. Anatomy of the web. A tour of the web’s building blocks, from URL structure, HTTP and HTML to how it’s all rendered: CSS, client-side scripting languages, non-HTML documents and plug-ins.
  2. Browser security features. All the mechanisms that keep the malware from 0wnz0ring your system – the same-origin policy, frames and cross-domain content, content recognition mechanisms, dealing with rogue scripts and extrinsic site privileges (that is, privileges that aren’t derived from the web content, but from settings within the browser).
  3. A glimpse of things to come. A look at some of the proposed security mechanisms and approaches that may or not become standard parts of the web.

Each chapter except the last ends with a “Security Engineering Cheat Sheet”, which functions as both a summary of the material within the chapter and a security checklist. The last chapter is titled Common Web Vulnerabilities and lists vulnerabilities specific to web applications, problems to keep in mind when designing web apps and common problems unique to server-side code.

I’m going to be showing The Tangled Web around the office (especially now, since I’m physically in Shopify’s headquarters this week). I’m sure the developers know a lot of this stuff, but they’re a bunch who are always eager to learn, review and “sharpen the saw”, so I think they’ll find it useful. If you develop web apps, whether for fun or to pay the rent, you’ll want to check out this book as well.

CUSEC 2012: Montreal, January 19 – 21


Ah, CUSEC: the Canadian University Software Engineering Conference. This for-students-by-students conference punches well above its weight class. I’ve been to tech conferences put on by so-called full-time “professionals” that can’t hold a candle to what the students behind CUSEC do every year in addition to their course loads.

Better yet is the caliber of speakers they’ve been able to bring in: Kent Beck, Joel Spolsky, David Parnas, Greg Wilson, Chad Fowler, Kathy Sierra, Dave Thomas, Venkat Subramaniam, Jeff Atwood, Tim Bray, Jon Udell, Avi Bryant, Dan Ingalls, Giles Bowkett, Leah Culver, Francis Hwang, Doug Crockford, Matt Knox, Jacqui Maher, Thomas Ptacek, Reg Braithwaite, Yehuda Katz and, of course, Richard M. Stallman, in whose auction I made the winning bid for a plush gnu, which I paid for with my Microsoft credit card.

This year’s CUSEC theme is “Turing Complete” in honor of 2012 being the 100th anniversary of Alan Turing’s birth. He established his place in history as the father of computer science by formalizing concepts like “algorithm” and “computation” with the concept of the Turing Machine, proposing the Turing Test in an attempt to answer the question “Can machines think?”, working as a codebreaker at Bletchley Park (I like to say “He beat the Nazis…with math!”) and coming up with one of the first designs for a stored-program computer. He even found his way into pop culture by getting name-checked in Cryptonomicon and The Social Network.

Once again, Shopify will be there as a sponsor and once again, I will be hosting the DemoCamp at CUSEC. If you’re a university student studying computer science or computer engineering, you should come to Montreal from January 19th through 21st and catch one of the best conferences you’ll ever attend. Bring your resume: we’re looking for talented programmers who want to work with us!



Cat pictures meet motivational posters meet HTTP status codes! It’s the Perfect Storm!


This article also appears in the Shopify Technology Blog.


.NET Rocks’ Live Weekend


If you’re developing (or thinking of developing) on the .NET platform, you should make the .NET Rocks! show part of your regular podcast listening. Hosted by Carl Franklin and Richard Campbell, .NET Rocks! has nearly 600 episodes going all the way back to 2002 covering all sorts of .NET development topics for all sorts of developers, from newbie to grizzled veteran.

This week, .NET Rocks! is doing something special – they’re holding a Live Weekend filled with three days’ worth of live conversations with people from inside and outside the .NET world. It’s not just all geek talk, either: during breaks, they’ll play music produced at Pwop studios and on Monday night from 9:30 to midnight, Carl’s band, Solvo, will play.

You can call in! The “inside the US” toll-free number is 877-492-6751 and the “outside the US” number is 860-447-8832 (you can try the “inside the US” number in Canada and see if it works). If you’d rather write in, send an email to or tweet using the #dnrlive hashtag.

Click here to listen to the .NET Rocks! Live Weekend

The Schedule

Saturday, June 26th

Time What’s On
8 – 9 a.m. Patrick Hynds
9 – 10 a.m. Michele Leroux Bustamante
10 – 11 a.m. Rob Howard
11 a.m. – 12 noon Stephen Toub
12 noon – 1 p.m. Music and Comedy
1 – 2 p.m. James Kovacs
2 – 3 p.m. Don Demsak
3 – 4 p.m. Daniel Egan
4 – 5 p.m. Brian Randell
5 – 6 p.m. Tim Huckaby
6 – 7 p.m. Chris Sells
7 – 8 p.m. Music and Comedy
8 – 9 p.m. Daniel Simmons
9 – 10 p.m. Brian Noyes
10 – 11 p.m. Patrick Hynds (repeat)
11 – 12 midnight Michele Leroux Bustamante (repeat)


Sunday, June 27th

Time What’s On
12 midnight – 1 a.m. Rob Howard (repeat)
1 – 2 a.m. Stephen Toub (repeat)
2 – 3 a.m. James Kovacs (repeat)
3 – 4 a.m. Don Demsak (repeat)
4 – 5 a.m. Daniel Egan (repeat)
5 – 6 a.m. Brian Randell (repeat)
6 – 7 a.m. Tim Huckaby (repeat)
7 – 8 a.m. Chris Sells (repeat)
8 – 9 a.m. Carl and Richard
9 – 10 a.m. Charles Petzold
10 – 11 a.m. Sahil Malik
11 a.m. – 12 noon Mark Dunn
12 noon – 1 p.m. Music and Comedy
1 – 2 p.m. Andrew Brust
2 – 3 p.m. Glenn Block
3 – 4 p.m. Ethan Winer
4 – 5 p.m. Mary Jo Foley
5 – 6 p.m. Kent Alstad
6 – 7 p.m. Keith Elder
7 – 8 p.m. Music and Comedy
8 – 9 p.m. Mark Miller
9 – 10 p.m. John Bristowe
10 – 11 p.m. Daniel Simmons (repeat)
11 – 12 midnight Brian Noyes (repeat)


Monday, June 28th

Time What’s On
12 midnight – 1 a.m. Carl and Richard (repeat)
1 – 2 a.m. Charles Petzold (repeat)
2 – 3 a.m. Sahil Malik (repeat)
3 – 4 a.m. Mark Dunn (repeat)
4 – 5 a.m. Andrew Brust (repeat)
5 – 6 a.m. Glenn Block (repeat)
6 – 7 a.m. Ethan Winer (repeat)
7 – 8 a.m. Mary Jo Foley (repeat)
8 – 9 a.m. Kent Alstad (repeat)
9 – 10 a.m. Jonathan Zuck
10 – 11 a.m. Jeffrey Palermo
11 a.m. – 12 noon Steve Evans
12 noon – 1 p.m. Music and Comedy
1 – 2 p.m. Scott Stanfield
2 – 3 p.m. Ted Neward
3 – 4 p.m. Tim Heuer
4 – 5 p.m. Miguel Castro
5 – 6 p.m. Les Pinter
6 – 7 p.m. Billy Hollis
7 – 8 p.m. Music and Comedy
8 – 9 p.m. Rocky Lhotka
9:30 p.m. – 12 midnight Solvo (Carl’s Band) Live!


Tuesday, June 29th

Time What’s On
12 midnight – 1 a.m. Keith Elder (repeat)
1 – 2 a.m. Mark Miller (repeat)
2 – 3 a.m. John Bristowe (repeat)
3 – 4 a.m. Jonathan Zuck (repeat)
4 – 5 a.m. Jeffrey Palermo (repeat)
5 – 6 a.m. Steve Evans (repeat)
6 – 7 a.m. Scott Stanfield (repeat)
7 – 8 a.m. Ted Neward (repeat)
8 – 9 a.m. Tim Heuer (repeat)
4 – 5 p.m. Miguel Castro (repeat)
5 – 6 p.m. Les Pinter (repeat)
6 – 7 p.m. Billy Hollis (repeat)
8 – 9 p.m. Rocky Lhotka (repeat)
3 – 6 p.m. Solvo (Carl’s Band) Live!


This article also appears in Canadian Developer Connection.


Ignite Your Coding, Episode 3: Jeremy Miller

Last week, John Bristowe and I interviewed Jeremy Miller – “the Shade Tree Developer” – in a live Ignite Your Coding webcast. Jeremy holds the title of Chief Software Architect at Dovetail Software, Austin’s coolest ISV, and we talked about open source in the .NET world, StoryTeller, dependency injection and many other topics.

In case you were wondering what Ignite Your Coding is all about: it’s all about helping you, the software developer, find ways to stay on top of the technological, economic and social changes that affect you and your work every day. We got our hands on some of the biggest thinkers and doers in our field and asked them if they’d like to chat about the industry, how they got started, where they see the opportunities, how they deal with change and how to be generally awesome. We got some big names from the Microsoft/.NET world, but we also went farther afield and got some people from beyond that world as well, because a different perspective is often helpful.

The recording of our webcast with Jeremy (which took place on March 18th, 2010) is linked below, and we’ll set up RSS, Zune and iTunes feeds shortly.

Direct Download:

MP3 - click here to download

This article also appears in Canadian Developer Connection.


Ignite Your Coding, Episode 2: Glenn Block

Joey deVilla, Ward Bell dressed up as Elvis, Glenn Block

A couple of weeks ago, my coworker and Ignite Your Coding co-host John Bristowe and I did a live webcast interviewing Glenn Block, a Program Manager for .NET FX at Microsoft. Glenn’s one of the go-to guys on Prism, Unity, MEF and, more generally, on ways of building maintainable and reconfigurable applications out of pieces that you can assemble and rearrange. We talked about building composite applications, design patterns, dependency injection and why it’s good for you, and other aspects of good object-oriented design as we understand it these days.

Ignite Your Coding is a series of webcasts in which John and I talk to some of the bright lights of the software industry about how they got started, what they’re doing, how they cope with the change that affects our industry constantly and whatever else they want to talk about, all with the goal of informing and inspiring you.

The recording of our webcast with Glenn (which took place on March 10th, 2010) is linked below, and we’ll set up RSS, Zune and iTunes feeds shortly.

Direct Download:

MP3 - click here to download

This article also appears in Canadian Developer Connection.


Ignite Your Coding, Episode 1: Andy Hunt


Andy Hunt has been behind some of the biggest ideas in everyday software development in the past decade. From co-authoring the Agile Manifesto and The Pragmatic Programmer to starting The Pragmatic Bookshelf, one of the most influential developer book publishers, to helping bring about the rise of MVC web frameworks, chances are that he’s had some influence on your day-to-day work. In this one-hour webcast, we’ll talk with Andy about the ideas in his latest book, Pragmatic Thinking and Learning. We’ll discuss why your brain is where software development really happens, how you can refactor your thinking and as he puts it, “just the plain old weirdness that is people”.

You can listen to the recording of the webcast (recorded on March 4, 2010) in a couple of ways:

Direct Download:

MP3 - click here to download

Subscribe to the podcast: (so you don’t miss an episode)

RSS Feed   Subscribe with Zune   Subscribe with iTunes

As always, if you have questions, comments or suggestions on how to make Ignite Your Coding better, we want to hear from you! Feel free to email either of us – John Bristowe and Joey deVilla.

About Ignite Your Coding

Ignite Your Coding is a series of interviews where Microsoft Canada Developer Evangelists John Bristowe and Joey deVilla talk with some of the brightest lights in the professional programming world about their areas of interest, dealing with the constant change in the industry and their suggestions on how to be a better software developer.

Podcast Participants: Andy Hunt, John Bristowe and Joey deVilla.

Music: Win This Race by picadillyCircus Sound Design, courtesy of iStockphoto.

This article also appears in Canadian Developer Connection.


Yes, There WILL be an “Ignite Your Coding” RSS Feed


For those of you who’ve been wondering if we’ll be setting up an RSS feed for recordings of Ignite Your Coding, the answer is “yes”.

Here’s how Ignite Your Coding works:

  • On the actual day of the Ignite Your Coding live event, we do the interview live, as implied by the phrase “live event”. From 2:00 p.m. to 3:00 p.m. (Eastern) on that day, we chat with our guest and you can listen to it as it happens if you’ve got a Windows machine running the Live Meeting client (available for free from the Live Meeting download page). The Live Meeting client also lets you see what visuals we’re putting up – mostly just information about our guest – and you can also use it to type in questions for us to ask our guest.
  • After the live Ignite Your Coding event, we take the recording of the event, do a tiny bit of post-production (adding an intro and outro, checking sound levels and so on) and post the interview in MP3 form, with a link to the recording in an RSS feed so that your favourite podcatching application or system can grab them.

I’ve got my plate full with more than the usual amount of tech evangelism activities, so there’s a team doing all this stuff. Once they tell me where they’re putting the recording and RSS feed, I’ll tell you. I’m told it’ll be soon.

Want to know about the upcoming guests on Ignite Your Coding? Check out the Ignite Your Coding site!

This article also appears in Canadian Developer Connection.


Hanselman Podcast on IronPython / A Great Book Deal

This article also appears in Canadian Developer Connection.


When I got into web development, I considered myself a latecomer to the game, and that was in 1999. In the five years I’d been working professionally as a developer, my apps were strictly desktop – multimedia CD-ROM stuff done in Director (then a product of Macromedia) and business productivity apps written in pre-.NET VB and Java-a-la-JBuilder.

The company with whom I’d landed a contract had a contrarian tech lead. It seemed that the web app world was building their stuff on Linux, Perl and MySQL, and this guy was all about BSD, Python and PostgreSQL. In 1999 terms, he was a freak even amongst the freaks.

I had a pretty full schedule that summer, followed by a one-week vacation at Burning Man, followed by the start of my contract at this new company. The tech lead wanted me to be ready to do some coding on my first day in, so I brought a copy of O’Reilly’s Learning Python along with my laptop to Black Rock Desert, hoping to squeeze in some hacking time at the big desert bacchanal. Luckily, Burning Man is pretty mellow during the day, and in an additional stroke of luck, the neighbouring camp was sharing AC power from their “eggbeater” windmill. I learned Python by writing sample apps in an extremely distracting environment, and because of that, I fell quite in love with the language. Any language that you can learn while naked people playing the tuba on unicycles are circling you has to be a good one.

That’s why I’m glad to see that implementations like IronPython exist, and that they tie into things like the .NET framework and Silverlight. IronPython’s performance is quite close to standard Python, and I use it along with IronRuby as my scripting language for automating tasks and doing little “housekeeping” things on my systems. I’m not using IronPython to the degree that Michael Foord is – he’s using it for full-on .NET applications instead of C# or VB! Scott Hanselman talks with him about working with IronPython as his primary development language in the latest edition of his Hanselminutes podcast.

As an added bonus, the blog entry for the podcast has a special limited-time coupon code that will save you 40% off the price of Manning Publications’ IronPython in Action (which Foord co-wrote), and the discount applies to both the dead-tree and PDF versions of the book. At 40% off, the PDF version is a mere USD$16.50 (CAD$20.14 at the time of this writing).