Salmagundi for Thursday, December 15, 2011

Salmagundi? That’s the word for a seventeenth-century English dish made of an assortment of wildly varying ingredients. Typically, they include some cut-up hard-boiled egg, but then after that, anything goes: meat, seafood, fruits and veg, nuts and flowers and all manner of dressings and sauces. The term comes from the French “salmigondis”, which translates as “hodgepodge”.

In this case, I’m using “salmagundi” as a term for a mixed bag of new items that you might find interesting as a developer.

The Tangled Web: A Guide to Securing Modern Web Applications


I’m currently in the middle of reading Michal Zalewski’s new book, The Tangled Web: A Guide to Securing Modern Web Applications, and it’s been a fascinating, enlightening and enjoyable read. At first glance, you might be tempted to simply sum it up as a “security book”; I think it’s more accurate to describe it as “a great review of how browsers, their protocols, programming languages and security features work, and how to write secure apps given this knowledge”. Given that web security is a rapidly moving target, especially with the browser vendors – even the formerly pokey Microsoft – cranking out versions at a faster rate, Zalewski’s approach to the topic is the right one: make sure the reader is clear on the basic principles, and then derive the security maxims from them, giving the knowledge contained in the book a much longer “shelf life”.

The Tangled Web is divided into three parts:

  1. Anatomy of the web. A tour of the web’s building blocks, from URL structure, HTTP and HTML to how it’s all rendered: CSS, client-side scripting languages, non-HTML documents and plug-ins.
  2. Browser security features. All the mechanisms that keep the malware from 0wnz0ring your system – the same-origin policy, frames and cross-domain content, content recognition mechanisms, dealing with rogue scripts and extrinsic site privileges (that is, privileges that aren’t derived from the web content, but from settings within the browser).
  3. A glimpse of things to come. A look at some of the proposed security mechanisms and approaches that may or may not become standard parts of the web.

Each chapter except the last ends with a “Security Engineering Cheat Sheet”, which functions as both a summary of the material within the chapter and a security checklist. The last chapter is titled Common Web Vulnerabilities and lists vulnerabilities specific to web applications, problems to keep in mind when designing web apps and common problems unique to server-side code.

I’m going to be showing The Tangled Web around the office (especially now, since I’m physically in Shopify’s headquarters this week). I’m sure the developers know a lot of this stuff, but they’re a bunch who are always eager to learn, review and “sharpen the saw”, so I think they’ll find it useful. If you develop web apps, whether for fun or to pay the rent, you’ll want to check out this book as well.

CUSEC 2012: Montreal, January 19 – 21


Ah, CUSEC: the Canadian University Software Engineering Conference. This for-students-by-students conference punches well above its weight class. I’ve been to tech conferences put on by so-called full-time “professionals” that can’t hold a candle to what the students behind CUSEC do every year in addition to their course loads.

Better yet is the caliber of speakers they’ve been able to bring in: Kent Beck, Joel Spolsky, David Parnas, Greg Wilson, Chad Fowler, Kathy Sierra, Dave Thomas, Venkat Subramaniam, Jeff Atwood, Tim Bray, Jon Udell, Avi Bryant, Dan Ingalls, Giles Bowkett, Leah Culver, Francis Hwang, Doug Crockford, Matt Knox, Jacqui Maher, Thomas Ptacek, Reg Braithwaite, Yehuda Katz and, of course, Richard M. Stallman, at whose auction I made the winning bid for a plush gnu, which I paid for with my Microsoft credit card.

This year’s CUSEC theme is “Turing Complete” in honor of 2012 being the 100th anniversary of Alan Turing’s birth. He established his place in history as the father of computer science by formalizing concepts like “algorithm” and “computation” with the Turing Machine, proposing the Turing Test in an attempt to answer the question “Can machines think?”, working as a codebreaker at Bletchley Park (I like to say “He beat the Nazis…with math!”) and coming up with one of the first designs for a stored-program computer. He even found his way into pop culture by getting name-checked in Cryptonomicon and The Social Network.

Once again, Shopify will be there as a sponsor and once again, I will be hosting the DemoCamp at CUSEC. If you’re a university student studying computer science or computer engineering, you should come to Montreal from January 19th through 21st and catch one of the best conferences you’ll ever attend. Bring your resume: we’re looking for talented programmers who want to work with us!


Cat pictures meet motivational posters meet HTTP status codes! It’s the Perfect Storm!

This article also appears in the Shopify Technology Blog.

The Mobile Dev Rap Battle: Native Code vs. Web Apps

I’ve heard the back-and-forth debate about whether you should write your phone app as a native app or as a web app more times than I care to recall, but it’s never been done as well as Jason Alderman and Matthias Shapiro do it…rap battle style!

Here’s the pre-recorded version:

and in true 8 Mile style, here they are doing it live at the last Ignite Salt Lake:

By the bye, if you’re building stuff for WPF, Silverlight or Windows Phone, you really should be reading Matthias’ blog, Designer Silverlight. I’ve already bookmarked it, and so should you!

And for the truly nerdcore, here are the lyrics:

You bought three coding books for reading on your Kindle,
They never got read, the whole deal is a swindle,
Pony annual fees for app sales, then they tax it,
I’m telling you man, that app store is a racket!
You are MUCH better off with HTML–
The web page markup that I know you know well–
The latest spec lets you store data on phones
Even when offline, but the browser phones home!
Your iPhone, Android, Palm, soon Blackberry:
Local data storage! SQL! it’s no worry!

Cross platform apps are a real seduction
But you give up your form, and most of your function
And your app, it hobbles in the passing lane
Like a one-legged zombie but with far less brains
Running your crap on the web, no performance
Mine is greased lightning, you run like a tortoise
You don’t understand the mental model users are adopting
They don’t want to hit the web, they want one-stop shopping
Here’s how you make an application fun
Turn it on, do your thing, turn it off and you’re done

When the iPhone came out, sure the browser was slow,
But the new smartphones? half a gigahertz or mo’
That’s faster than the box on which your mom does her taxes
Pretty snappy–WinME!–, but now it’s like molasses
In praxis? I already write scripts, it’s easy
Better than compiling native code till my teeth bleed
Time that I saved, I put in media queries,
add UserAgent switch statement, stylesheets fear me!
Custom chrome, each phone? Modus operandi.
Willy Wonka’s schooled by my custom eye candy!

Did that school teach usability cause I think you missed it
With apps for devices the use is holistic
Gotta look act like you belong, not draw their attention
Like a steam punker crashing an Avatar convention
Use is more than just Chrome and colors, look at navigation
Modern users look for standard gestures, menus, animations,
And what about the richness of movement & location
Do you want to surf the web or record your whole vacation?
When I tilt your web app, it’s just stuck in a groove
With my purely native code I can bust a move.

But that’ll only improve–heck, web apps get location
And if the case came where I needed acceleration
I’d wrap my web app in the library Phonegap–

Excuses, excuses, You’re giving mobile a bum rap
Try adding 3D to your list of what apps do
Or write a game that’s not scrabble, chess or sudoku
And you know CSS competes with OpenGL
Like a cub scout against 10 marines with a 50 cal
Boom! 3D mushroom cloud filling the room
Now go back to your text adventure version of Doom

Sure games make money, but think of their use,
They’re casual, waiting in line at Jamba Juice,
You’re making the mistake of the hardcore PSP,
When a simple DS meets the goal just as easily
Heavy duty third-dimension graphics drain the life
Of your battery, more than the scripts I’m paid to write.
But, hey, if you want 3-D page flip transitions,
Perspective transforms of element positions,
Web apps can do that, CSS has you covered,
To your Mel Gibson, C-S-S is Danny Glover!
(I’m too old for this!)

CSS animations, are you out of your gourd?
That’s a terrible sin in the eyes of the web lord.
Every time I bring up something hard
You just dance around it, pulling out your library card
Or some spec or framework only halfway done
As if javascript and CSS are rainbows and fun
Look, there’s only one way that this thing can go
Build your web apps for free or jump into the cash flow
Advertising won’t help you survive
But just one little iFart can get you set for life
No app store, no eyeballs, no business plan.
Making just enough dough to pay the rent on your trash can
I hate to play the role of Scrooge McDuck
But without a good market you’re pretty much… well, you know

Trash can? Your app waits in limbo for a month,
You’re stuck eating ramen, watching reruns of Monk.
Your funk? Only lifted if the app store approves it
And we both know the king of the process is ruthless!
The truth is, even if it does get approved
There’s a chance that your make-it-rich dream comes unglued
When a bug in your app that slipped through the process
Makes users hate it, they leave lots of comments,
And you fix it real quick, test patches and submit it
But it still takes a month, so your app gets attritted
From all the top ten lists, losing all worth,
It’s a digital coaster, like "Battlefield Earth"!
My apps sell anywhere, and update on the fly.
You can’t have your cake OR eat it, ’cause the cake is a lie.

Thanks to John Bristowe for finding this!

This article also appears in Canadian Developer Connection.