Software Security Features

Security is paramount when developing applications for the web. The best way to achieve a truly secure web application is to build it with security in mind from the start, whichever programming language you use.

PHP, one popular web application language, gained improved security features in PHP 7 that help you build secure web applications with confidence.

Here are some security topics you should pay attention to:

  • Configuration and authorization
  • Session Security
  • Cross-Site Scripting
  • Cross-Site Request Forgeries
  • SQL Injection
  • Remote Code Injection
  • Email Injection
  • Filter Input
  • Escape Output
  • Encryption, Hashing algorithms
  • File uploads
  • Password hashing API
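
As an added example (not code from the original post), here is how four of those topics look in PHP 7 code: input filtering with an allow-list, output escaping, a SQL-injection-prone query beside its prepared-statement replacement, and the password hashing API. The users table, its columns and the sample row are assumed and constructed for the demo, which runs against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Added example for this post, not code from the original page. Table and
// column names (users, username, email, password_hash) are assumed.

// Filter input: allow-list the shape you expect and reject everything else,
// rather than trying to "clean" bad input.
function filterUsername(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

function filterEmail(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Escape output: encode for the HTML context at the point of output, not on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// SQL injection, vulnerable form: the input becomes part of the SQL grammar.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement sends the value separately from the query text.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Password hashing API (PHP >= 5.5): salted bcrypt by default, constant-time
// verification, and an opportunistic rehash when the default cost changes.
function storePassword(PDO $db, int $userId, string $password): void
{
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
}

function checkPassword(PDO $db, int $userId, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storePassword($db, $userId, $password);
    }
    return true;
}

// Demo against an in-memory SQLite database (constructed data) so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
storePassword($db, 1, 'correct horse battery staple');

$probe = "' OR '1'='1";   // classic tautology payload; no user has this name
printf("unsafe lookup matched a row: %s\n", findUserUnsafe($db, $probe) ? 'yes' : 'no');
printf("prepared lookup matched a row: %s\n", findUser($db, $probe) ? 'yes' : 'no');
printf("username filter accepted payload: %s\n", filterUsername($probe) === null ? 'no' : 'yes');
printf("escaped: %s\n", h('<script>alert(1)</script>'));
printf("right password: %s\n", checkPassword($db, 1, 'correct horse battery staple') ? 'yes' : 'no');
printf("wrong password: %s\n", checkPassword($db, 1, 'nope') ? 'yes' : 'no');
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The unsafe lookup returns alice's row for the tautology payload because the quote closes the literal and the rest is parsed as SQL; the prepared statement sees the whole payload as a username and matches nothing, and the allow-list filter rejects it before it ever reaches the database.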

As a programmer or developer, you should know some security concepts so you can keep them in mind during development.

Some frequently used security concepts you can look up via Google or Bing:

  • Defense in Depth
  • Security Rules
  • Building Secure Web Applications Guidelines
  • Open Web Application Security Project (OWASP)
  • Web Application Exploits
  • Risk Management
  • Injection

Security strategy is something like an offence-defense game, so you have to understand the following attacks:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Brute Force
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Missing Function-Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Once you know the attack methods, you can build up a prevention system:

  • Secure Configuration
  • Authentication Techniques
  • Password Cryptography
  • Thorough Filtering/Validation/Escaping Techniques
  • Handling Asynchronous Web Calls (AJAX)
  • Lock down Database Security
  • Employing Access Controls and Handling Account Lockouts (ACL)
  • White Listing Techniques
  • Using an API Framework (Apigility)
  • Creating a standard review process
  • Captchas, Tokens and Session Management
  • Cryptographic Storage Techniques
  • Extension Evaluation
  • Securing File Uploads
  • Logging
  • Web Server Security
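
As an added example (not code from the original post), the secure configuration, session management, token and file upload items on this list in PHP: hardened session cookie settings, a per-session CSRF token compared in constant time, session ID regeneration at login, and an upload check that trusts the file bytes rather than the client-supplied name or type. The upload field name, the destination directory and the CLI stand-in for $_SESSION are assumptions made for this demo.

```php
<?php
declare(strict_types=1);

// Added example for this post, not code from the original page. Upload field
// names and the destination directory are assumed.

// Secure configuration: fix the session cookie flags before session_start().
// The 'samesite' option needs PHP >= 7.3.
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // invisible to JavaScript, so XSS cannot read it
        'samesite' => 'Lax',   // cross-site POSTs arrive without the cookie
    ]);
    session_start();
}

// CSRF: one unpredictable token per session, compared in constant time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfTokenIsValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Session management: a fresh ID after login defeats session fixation.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['csrf']);   // the next form gets a token bound to the new session
}

// File uploads: judge the bytes, not the client-supplied name or Content-Type,
// and never let the client pick the stored filename or extension.
function acceptImageUpload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Handler sketch for a POST that both checks the token and accepts an upload.
function handleUploadRequest(): void
{
    startSecureSession();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfTokenIsValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('bad request');
    }
    $stored = acceptImageUpload($_FILES['avatar'] ?? [], '/var/www/uploads');  // path assumed
    echo $stored === null ? 'upload rejected' : 'stored';
}

// CLI demo of the token logic with a plain array standing in for the session.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = csrfToken();
    printf("same token accepted: %s\n", csrfTokenIsValid($token) ? 'yes' : 'no');
    printf("forged token accepted: %s\n", csrfTokenIsValid(str_repeat('0', 64)) ? 'yes' : 'no');
    printf("missing token accepted: %s\n", csrfTokenIsValid(null) ? 'yes' : 'no');
}
```

In a web request the token is emitted into each form as a hidden field from csrfToken() and checked by csrfTokenIsValid() before any state change; hash_equals() avoids leaking the token through a timing difference, and use_strict_mode plus session_regenerate_id() close the session fixation path that a cookie-only check would leave open.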
Posted in Computers and Internet

Being a Full-stack Developer

A full-stack developer is a person who is comfortable working with all the technologies required to take an idea to a finished product. A full-stack developer must be familiar with all the layers of software development.

Being a full-stack developer means having an open mind towards new technologies, getting your hands dirty in each one, and understanding how a web application gets from concept to design to finished product.

A full-stack developer is capable of performing tasks at any level of the technical stack in which they reside. That means:

  • Designing a business object model and using a popular framework to build a prototype of the application from scratch.
  • Working with systems infrastructure (knowing what hardware to ask for, what OS to install, how to prepare the system and dependencies for all software)
  • Understanding, creating, manipulating, and querying databases
  • Performance-tuning a system and estimating workload.
  • API/back-end code in one or more languages, e.g. Java, Python, PHP, etc.
  • Front-end code in one or more languages, e.g. HTML, Javascript, etc.
  • Project management/client work, e.g. gathering requirements, creating technical specifications and architecture documents, creating good documentation, managing a project timeline (e.g. knows Agile/SCRUM/Kanban)

In general a full-stack developer has knowledge that is a mile wide, but not necessarily very deep, and has core competencies in the pieces of the stack in which they work most.

However, in the 2010s, since API-first and single-page apps have become popular, a different kind of stack is required as well, and the old LAMP full-stack developer has become rare.


So let's try to break down and categorize the main technology stacks required of a full-stack developer today (this may change after 2020 :)) (source: George Fekete)

System administration:

  1. Linux and basic shell scripting
  2. Cloud computing: Amazon, Rackspace, etc.
  3. Background processing: Gearman, Redis
  4. Search: Elasticsearch, Sphinx, Solr
  5. Caching: Varnish, Memcached, APC / OpCache
  6. Monitoring: Nagios

Linux powers most of the Internet and is the de facto operating system in web development (not to dismiss .NET). In addition, a full-stack developer should know how cloud hosting works with Amazon, Rackspace or other providers and their APIs.

Search is an integral part of most websites – a developer should know how to set up and use search servers such as Sphinx or Elasticsearch.

Caching is also important: Varnish as a reverse proxy, Memcached, and opcode caching. A developer needs to know what each of these is and how to use it.

Web development tools:

  1. Version control: Git, Mercurial, SVN
  2. Virtualization: VirtualBox, Vagrant, Docker

Today it's unacceptable not to use version control, even if you're a solo developer.

With virtualization tools, having separate development environments on a per-project basis is really nice to have, and easy to set up with VirtualBox and Vagrant at least.

If you want to work with Vagrant you also need to know the basic syntax of Ruby and shell scripts as well.

Back-end tech:

  1. Web servers: Apache, Nginx
  2. Programming language: PHP, NodeJS, Ruby
  3. Database: MySQL, MongoDB, Cassandra, Redis, SQL / JSON in general

Apache and Nginx are the norm for web development. A full-stack developer should know how to set up these applications and serve the contents of a website.

PHP needs to be mastered at a high level; NodeJS and Ruby are nice to know as well.

In addition to web server and programming languages, database management is also a requirement for a full-stack developer which in itself is another beast.

The differences between relational (such as MySQL, PostgreSQL) and non-relational databases (like MongoDB, Redis or Cassandra) are something the full-stack developer needs to know, along with the syntax of XML / JSON.

Front-end tech:

  1. HTML / HTML5: Semantic web
  2. CSS / CSS3: LESS, SASS, Media Queries
  3. JavaScript: jQuery, AngularJS, Knockout, etc.
  4. Compatibility quirks across browsers
  5. Responsive design
  6. AJAX, JSON, XML, WebSocket

Here comes the fun part. If you want to present your website, you'd better know these and all their quirks.

JavaScript was a joke in the early days but has grown into one of the most popular and powerful languages today. New methodologies and frameworks pop up every day: MVC, MVVM, MVP, Angular, Knockout, Ember, etc.

Alongside HTML, CSS, Javascript, a full-stack developer should also know about responsive design and how to work with media queries and CSS preprocessors like LESS and SASS.

One should also know how to communicate with the back-end via AJAX or WebSockets.

Design:

  1. Converting website design into front-end code
  2. UI
  3. UX

In addition to front-end technologies, a full-stack developer also understands what is and is not possible to create within the constraints of HTML / CSS / JavaScript and converts the design (Photoshop/Illustrator files) accordingly.

With many of the technologies mentioned, a developer can get away with not knowing how to code or use them, such as Ruby or specific JavaScript libraries, but all of these are interconnected in one way or another.

For example, if you want to set up Vagrant you need to know Ruby's syntax, simplified as it is, and if you want to manipulate DOM elements, jQuery is a good technology to know.

One other category that deserves mentioning is mobile technologies. It’s a very dynamic industry and closely related to web development:

  1. iOS
  2. Android
  3. Hybrid: PhoneGap, Appcelerator

One of the biggest disparities today is between web and mobile development, but the gap is rapidly closing.

A full-stack developer should know about these technologies as well.

 

Posted in Computers and Internet, Uncategorized

10 hottest AI technologies:

Source: http://www.forbes.com/sites/gilpress/2017/01/23/top-10-hot-artificial-intelligence-ai-technologies/#53a1fec742de

Based on Forrester’s analysis, here’s my list of the 10 hottest AI technologies:

  1. Natural Language Generation: Producing text from computer data. Currently used in customer service, report generation, and summarizing business intelligence insights. Sample vendors: Attivio, Automated Insights, Cambridge Semantics, Digital Reasoning, Lucidworks, Narrative Science, SAS, Yseop.
  2. Speech Recognition: Transcribe and transform human speech into format useful for computer applications. Currently used in interactive voice response systems and mobile applications. Sample vendors: NICE, Nuance Communications, OpenText, Verint Systems.
  3. Virtual Agents: “The current darling of the media,” says Forrester (I believe they refer to my evolving relationships with Alexa), from simple chatbots to advanced systems that can network with humans. Currently used in customer service and support and as a smart home manager. Sample vendors: Amazon, Apple, Artificial Solutions, Assist AI, Creative Virtual, Google, IBM, IPsoft, Microsoft, Satisfi.
  4. Machine Learning Platforms: Providing algorithms, APIs, development and training toolkits, data, as well as computing power to design, train, and deploy models into applications, processes, and other machines. Currently used in a wide range of enterprise applications, mostly involving prediction or classification. Sample vendors: Amazon, Fractal Analytics, Google, H2O.ai, Microsoft, SAS, Skytree.
  5. AI-optimized Hardware: Graphics processing units (GPU) and appliances specifically designed and architected to efficiently run AI-oriented computational jobs. Currently primarily making a difference in deep learning applications. Sample vendors: Alluviate, Cray, Google, IBM, Intel, Nvidia.
  6. Decision Management: Engines that insert rules and logic into AI systems and used for initial setup/training and ongoing maintenance and tuning. A mature technology, it is used in a wide variety of enterprise applications, assisting in or performing automated decision-making. Sample vendors: Advanced Systems Concepts, Informatica, Maana, Pegasystems, UiPath.
  7. Deep Learning Platforms: A special type of machine learning consisting of artificial neural networks with multiple abstraction layers. Currently primarily used in pattern recognition and classification applications supported by very large data sets. Sample vendors: Deep Instinct, Ersatz Labs, Fluid AI, MathWorks, Peltarion, Saffron Technology, Sentient Technologies.
  8. Biometrics: Enable more natural interactions between humans and machines, including but not limited to image and touch recognition, speech, and body language. Currently used primarily in market research. Sample vendors: 3VR, Affectiva, Agnitio, FaceFirst, Sensory, Synqera, Tahzoo.
  9. Robotic Process Automation: Using scripts and other methods to automate human action to support efficient business processes. Currently used where it’s too expensive or inefficient for humans to execute a task or a process. Sample vendors: Advanced Systems Concepts, Automation Anywhere, Blue Prism, UiPath, WorkFusion.
  10. Text Analytics and NLP: Natural language processing (NLP) uses and supports text analytics by facilitating the understanding of sentence structure and meaning, sentiment, and intent through statistical and machine learning methods. Currently used in fraud detection and security, a wide range of automated assistants, and applications for mining unstructured data. Sample vendors: Basis Technology, Coveo, Expert System, Indico, Knime, Lexalytics, Linguamatics, Mindbreeze, Sinequa, Stratifyd, Synapsify.
Posted in Computers and Internet

Peaceful,Jan 20th

I just hope everything is peaceful tomorrow, Jan 20, 2017. It's the inauguration day of the new president, Donald Trump. All news press: do not spread hate, do not set US people against US people. Strong together makes America great.

Posted in Uncategorized

Book Review: IT Project Management — A Geek’s Guide to Leadership

PM World Journal Volume VI, Issue 1 January 2017

Introduction

This book is an IT geek’s guide to IT leadership, and it’s written by a geek.

Geeks are some of the most brilliant people on the planet, so they can write a book totally different from others. This book is one of them: it is full of engaging stories, and I could not stop reading after I stepped into the first chapter.

The information in this book will help geeks progress in their careers by being aware of leadership expectations and adapting their styles accordingly. The book's author, Byron A. Love, holds top-tier IT certifications, such as the (ISC)2 Certified Information Systems Security Professional (CISSP), and top-tier management certifications, such as the PMI Program Management Professional (PgMP). So Byron is definitely qualified to address the topic of IT leadership, and his book helps geeks in leadership roles better understand leadership and make the transition to becoming better leaders.

Byron wrote this book to address the leadership issues in the IT industry, unlike other leadership books that provide a one-size-fits-all approach to leadership. This book focuses on the unique challenges that IT practitioners face, including some interesting topics such as why we need IT geeks to lead IT geeks.

As many other books discuss, IT projects are complex, risky, and prone to failure. The IT geeks who attempt to develop, deliver, and maintain these solutions must be brave and emotionally resilient; they must be able to visualize a successful outcome and motivate their teams to fight through setbacks and obstacles in order to achieve it. All this requires IT geeks to behave in ways outside their comfort zone, and this book equips IT geeks to integrate leadership and stand out as leaders.

Overview of Book’s Structure

The book provides geek leaders with resources to help them continually improve their leadership abilities, so all chapters are designed to coach an IT geek to become a leader.

Chapter 1, Initiation, describes the characteristics required to succeed as a geek leader. Chapter 2, Why Geek Leadership is Different, defines the leadership role, gives Bill Gates as a good example, and includes a Leadership Assessment Questionnaire that helps readers analyze and understand their leadership strengths and weaknesses.

This leads to Chapter 3, Emotionally Intelligent Communications, which provides geek leaders with tools to improve their understanding of others and to help others understand them.

More…


Posted in Project Management

One-sentence summary

By appointing cabinet members from the George W. Bush era, Trump got former president George W. Bush to attend the inauguration; that in turn made it natural to invite former president Clinton, who has no health reason to decline, and so Hillary was openly on the guest list as well. This neatly resolved the ceremony problem that had been a headache for so long.

Posted in News and politics

NPA-NXX-xxxx

Source: https://en.wikipedia.org/wiki/North_American_Numbering_Plan

The NANP number format may be summarized in the notation NPA-NXX-xxxx:

Component: NPA (Numbering Plan Area code)
  Number ranges: [2-9] for the first digit, and [0-9] for the second and third digits. When the second and third digits of an area code are the same, that code is called an easily recognizable code (ERC). ERCs designate special services; e.g., 888 for toll-free service. The NANP is not assigning area codes with 9 as the second digit.[19]
  Notes: Covers Canada, the United States, parts of the Caribbean Sea, and some Atlantic and Pacific islands. The area code is often enclosed in parentheses.

Component: NXX (Central Office / exchange code)
  Number ranges: [2-9] for the first digit, and [0-9] for both the second and third digits (however, in geographic area codes the third digit of the exchange cannot be 1 if the second digit is also 1).
  Notes: Often considered part of a subscriber number. The three-digit Central Office codes are assigned to a specific CO serving its customers, but may be physically dispersed by redirection, or forwarding to mobile operators and other services.

Component: xxxx (Subscriber Number)
  Number ranges: [0-9] for each of the four digits.
  Notes: This unique four-digit number is the subscriber number or station code.

For example:

  • 234-235-5678 is valid
  • 234-911-5678 is invalid, because the central office code must not be in the form N11. (For non-geographic area codes like +1-800, 9-1-1 remains invalid, but other N-1-1 codes are valid exchange prefixes.)
  • 314-159-2653 is invalid, because the office code must begin with 2-9.
  • 123-234-5678 is invalid, because NPA cannot begin with 0 or 1
  • 281-234-5678 is valid.
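
As an added example (not from the Wikipedia source), a small validator that applies the rules from the table above to the examples listed, plus a toll-free number and an NPA with 9 as its second digit. Treating an ERC such as 800 or 888 as non-geographic, and every other NPA as geographic, is an assumption made here for the N11 check when the caller does not say; the sample numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NanpNumber:
    """One NANP number split into its three components."""
    npa: str   # Numbering Plan Area (area code), digits 1-3
    nxx: str   # central office (exchange) code, digits 4-6
    xxxx: str  # subscriber (station) number, digits 7-10

    @property
    def is_erc(self) -> bool:
        """Easily recognizable code: second and third NPA digits are equal (e.g. 888)."""
        return self.npa[1] == self.npa[2]

    def __str__(self) -> str:
        return f"({self.npa}) {self.nxx}-{self.xxxx}"


_SEPARATORS = re.compile(r"[\s().-]")


def validate_nanp(raw: str, geographic: Optional[bool] = None) -> Tuple[Optional[NanpNumber], str]:
    """Return (number, "ok") when raw follows NPA-NXX-xxxx, else (None, reason).

    geographic=None means the caller does not know whether the NPA is geographic;
    this example then treats an ERC (like 800/888) as non-geographic and every
    other NPA as geographic. That is an assumption made here for illustration,
    not a rule stated by the plan.
    """
    digits = _SEPARATORS.sub("", raw.strip())
    if digits.startswith("+1"):            # optional country code
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if not digits.isdigit() or len(digits) != 10:
        return None, "expected ten digits in NPA-NXX-xxxx form"

    npa, nxx, xxxx = digits[:3], digits[3:6], digits[6:]
    if npa[0] in "01":
        return None, "NPA cannot begin with 0 or 1"
    if npa[1] == "9":
        return None, "NPA with 9 as the second digit is not assigned"
    if nxx[0] in "01":
        return None, "office code (NXX) must begin with 2-9"

    number = NanpNumber(npa, nxx, xxxx)
    if geographic is None:
        geographic = not number.is_erc
    # N11 exchanges are invalid in geographic NPAs; in non-geographic NPAs only 911 is.
    if nxx[1] == "1" and nxx[2] == "1" and (geographic or nxx == "911"):
        return None, "office code must not be of the form N11"
    return number, "ok"


def classify(raw: str) -> str:
    """Human-readable verdict used by the demo below."""
    number, reason = validate_nanp(raw)
    if number is None:
        return f"{raw!r} is invalid: {reason}"
    kind = "ERC / special service" if number.is_erc else "geographic"
    return f"{raw!r} is valid: {number} ({kind})"


if __name__ == "__main__":
    # Constructed inputs: the page's five examples plus a toll-free and a reserved NPA.
    for sample in ["234-235-5678", "234-911-5678", "314-159-2653", "123-234-5678",
                   "281-234-5678", "+1 (800) 211-5678", "800-911-5678", "290-555-0100"]:
        print(classify(sample))
```

Pass geographic=True or geographic=False explicitly when the NPA's status is known; only the default relies on the ERC approximation. The separator regex accepts the common dash, dot, space and parenthesis layouts, so "(281) 234-5678" and "2812345678" parse to the same NanpNumber.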
Posted in Telecom, Telecomm