Salmagundi for Thursday, December 15, 2011

Salmagundi? That’s the word for a seventeenth-century English dish made of an assortment of wildly varying ingredients. Typically, they include some cut-up hard-boiled egg, but then after that, anything goes: meat, seafood, fruits and veg, nuts and flowers and all manner of dressings and sauces. The term comes from the French “salmigondis”, which translates as “hodgepodge”.

In this case, I’m using “salmagundi” as a term for a mixed bag of new items that you might find interesting as a developer.

The Tangled Web: A Guide to Securing Modern Web Applications


I’m currently in the middle of reading Michal Zalewski’s new book, The Tangled Web: A Guide to Securing Modern Web Applications, and it’s been a fascinating, enlightening and enjoyable read. At first glance, you might be tempted to simply sum it up as a “security book”; I think it’s more accurate to describe it as “a great review of how browsers, their protocols, programming languages and security features work, and how to write secure apps given this knowledge”. Given that web security is a rapidly moving target, especially with the browser vendors – even the formerly-pokey Microsoft – cranking out versions at a faster rate, Zalewski’s approach to the topic is the right one: make sure the reader is clear on the basic principles, and then derive the security maxims from them, giving the knowledge contained within the book a much longer “shelf life”.

The Tangled Web is divided into three parts:

  1. Anatomy of the web. A tour of the web’s building blocks, from URL structure, HTTP and HTML to how it’s all rendered: CSS, client-side scripting languages, non-HTML documents and plug-ins.
  2. Browser security features. All the mechanisms that keep the malware from 0wnz0ring your system – the same-origin policy, frames and cross-domain content, content recognition mechanisms, dealing with rogue scripts and extrinsic site privileges (that is, privileges that aren’t derived from the web content, but from settings within the browser).
  3. A glimpse of things to come. A look at some of the proposed security mechanisms and approaches that may or may not become standard parts of the web.

Each chapter except the last ends with a “Security Engineering Cheat Sheet”, which functions as both a summary of the material within the chapter and a security checklist. The last chapter is titled Common Web Vulnerabilities and lists vulnerabilities specific to web applications, problems to keep in mind when designing web apps, and common problems unique to server-side code.

I’m going to be showing The Tangled Web around the office (especially now, since I’m physically in Shopify’s headquarters this week). I’m sure the developers know a lot of this stuff, but they’re a bunch who are always eager to learn, review and “sharpen the saw”, so I think they’ll find it useful. If you develop web apps, whether for fun or to pay the rent, you’ll want to check out this book as well.

CUSEC 2012: Montreal, January 19 – 21


Ah, CUSEC: the Canadian University Software Engineering Conference. This for-students-by-students conference punches well above its weight class. I’ve been to tech conferences put on by so-called full-time “professionals” that can’t hold a candle to what the students behind CUSEC do every year in addition to their course loads.

Better yet is the caliber of speakers they’ve been able to bring in: Kent Beck, Joel Spolsky, David Parnas, Greg Wilson, Chad Fowler, Kathy Sierra, Dave Thomas, Venkat Subramaniam, Jeff Atwood, Tim Bray, Jon Udell, Avi Bryant, Dan Ingalls, Giles Bowkett, Leah Culver, Francis Hwang, Doug Crockford, Matt Knox, Jacqui Maher, Thomas Ptacek, Reg Braithwaite, Yehuda Katz and, of course, Richard M. Stallman, in whose auction I made the winning bid for a plush gnu, which I paid for with my Microsoft credit card.

This year’s CUSEC theme is “Turing Complete” in honor of 2012 being the 100th anniversary of Alan Turing’s birth. He established his place in history as the father of computer science by formalizing concepts like “algorithm” and “computation” with the concept of the Turing Machine, proposing the Turing Test in an attempt to answer the question “Can machines think?”, working as a codebreaker at Bletchley Park (I like to say “He beat the Nazis…with math!”) and coming up with one of the first designs for a stored-program computer. He even found his way into pop culture by getting name-checked in Cryptonomicon and The Social Network.

Once again, Shopify will be there as a sponsor and once again, I will be hosting the DemoCamp at CUSEC. If you’re a university student studying computer science or computer engineering, you should come to Montreal from January 19th through 21st and catch one of the best conferences you’ll ever attend. Bring your resume: we’re looking for talented programmers who want to work with us!



Cat pictures meet motivational posters meet HTTP status codes! It’s the Perfect Storm!


This article also appears in the Shopify Technology Blog.


Silverlight Salmagundi

A salmagundi made of hard-boiled eggs, lettuce, cheese, red peppers, meat and pickles.

Here’s a salmagundi of information and links covering the just-released Beta of the up-and-coming Silverlight 4.

(In case you were wondering, I’m using the term salmagundi to refer to a mishmash of little things. A salmagundi is a salad dish dating back to England in the 1600s made of meat, seafood, vegetables, fruit, leaves, nuts and flowers.)

What’s New in Silverlight 4 Beta?


The short answer is: a lot. The long answer is provided by Tim Heuer (one of the program managers for Silverlight), who’s written a blog article titled Silverlight 4 Beta – A Guide to the New Features, which are:

The Tools You Need

 A set of wrenches in various sizes.

Here’s a quick list of what you need to get started with developing with Silverlight 4 Beta.



  • Windows and Mac Developer Runtimes. If you installed the Silverlight 4 Beta Tools for Visual Studio 2010 above, you’ll have the Windows runtime. These runtimes are for test machines. Please note that these are developer runtimes – there aren’t any ready-for-average-user-consumption Silverlight 4 runtimes yet!
  • Microsoft Expression Blend for .NET 4 Preview. If you’re serious about building user interfaces with Silverlight 4 (and WPF 4, if you’re using the full-on Visual Studio 2010 Beta or Visual C# Express 2010), you’ll want to use Blend in conjunction with Visual Studio 2010/Visual Web Developer Express.
  • Silverlight Toolkit. This provides additional open source controls for Silverlight applications.
  • WCF RIA Services. These simplify building n-tier apps by pairing ASP.NET on the server side with client-side Silverlight. They provide a pattern in which you write application logic that runs on the mid-tier and controls access to data, along with end-to-end support for common tasks like data validation, authentication and roles using ASP.NET’s services.


Getting Started with Silverlight Development

Mustang starter button labelled

If you’re new to Silverlight development, Tim Heuer’s got a great series of articles on his blog that will get you up and running quickly! You can see the index in his entry titled Getting Started with Silverlight Development or you can hit one of the individual links below:

Silverlight 4 Videos

If you’re an experienced Silverlight developer, you’ll probably want to check out these videos, which show you how to use the new features in Silverlight 4:

Silverlight’s Commitment to the Mac

Jesse Liberty’s MacBook Pro and Cinema Display, running both Win7 and Snow Leopard.

The org chart at The Empire describes Jesse Liberty as the Senior Program Manager of the Silverlight Development Team, but both his business card and he himself will tell you that his title is “Silverlight Geek”. No matter which title you choose, it’s clear that he is the keeper of the Silverlight flame.

In a recent entry on his blog, he wrote:

When I joined Microsoft and started talking about Silverlight, many in the Mac community expressed skepticism about Microsoft’s long-term commitment to the Mac platform. In its most rabid form, the concern was that we were supporting the Mac only preemptively and would drop our support for the Mac as soon as enough Mac developers embraced it (!)

So, 2.5 years later, with the worst not having happened, I have renewed my personal pledge to make sure, to the best of my ability, that Silverlight not only continues to work on the Mac but looks and feels like a Mac app.

And what’s his machine? It’s a MacBook Pro, running both Windows 7 and Snow Leopard, hooked to a 24” Cinema Display. He writes:

I absolutely understand company loyalty (and loving the Mac is not disloyal to Microsoft) but I tend to believe that we do best in recognizing the strengths of our allies and our competition.

This article also appears in Canadian Developer Connection.


Salmagundi for Tuesday, October 21, 2008

Like Being on a Deserted Island

The Lord of the Flies from "The Lord of the Flies"

Evan “First Blogger, then Odeo, now Twitter” Williams says “Starting a company is like landing on the shore of a deserted island”. The first question that came to mind was “Is that a regular deserted island or a special Lost-style deserted island?”

The simile is apt. Earlier this year, I was in a start-up that was pretty much like Gilligan’s Island or the one in Lord of the Flies.

Geeks vs. Suits

The techie view of a company vs. the business view

In the blog pl patterns, Jonathan Tran writes about Techies vs. The Business, in which he compares the ways techies and suits look at the same business:

For technical people, they know computers. They know software. Given the right resources, they can make a computer do anything — anywhere, anytime. Their deep-rooted belief is that passive income can be achieved by writing software once (a fixed cost) and distributing it to millions who each pay a fee (variable income).

For business people, they know cashflow. They know the symbiotic relationship between employees and business owners. And in this day and age, there will always be people looking for jobs. Given the right resources, they can employ people to do anything — anywhere, anytime. Their deep-rooted belief is that passive income can be achieved by creating a repeatable business process once (a fixed cost) and teaching it to thousands who each execute the process (bringing in variable income).

What technical-minded and business-minded people are doing is essentially the same. What differs is their belief in what scales.

Future Creep

Zapp brannigan from "Futurama"

Over at 37signals’ blog, Jamis Buck says Beware of Future Creep, warning us about the dangers of adding infrastructure to your products in preparation for features that may or may not be added later. It’s a variation on the YAGNI (You Ain’t Gonna Need It) principle.