AAR pt 14 (Security)
If you have not had a chance to read the first entry in the series for context, you can do so here
The first part of this post will focus on security specifically. The second half will cover lessons learned with software tools in general, in a similar vein to my last Tools AAR entry.
Security
- In security, SHA-1 produces a 160-bit digest, SHA-2 256 or 512 bits, and SHA-3 the same sizes as SHA-2 with some additional protections built in.
- In OAuth 2.0 there are implicit and authorization code grant types. The authorization code grant requires a client secret and a token URL; the implicit grant does not.
- In database security, a “salt” is just random data fed into the hash function (a SHA) along with the password, normally for password hashing. A new salt is randomly generated for each password and concatenated with the password prior to hashing. The resulting hash of salt and password is then stored in the database. The salt can be stored in the same row as the hashed password.
- A “pepper” in database security is also concatenated with the password prior to hashing, but it is not unique per password and is not stored with the hashed password. Instead it generally lives in the application’s environment variables or configuration file.
- SSL Labs can tell you whether a certificate is valid and, if not, what’s wrong with it.
- You can download the SourceForge .zip “dex2jar” and run it to convert an Android APK file to a JAR. From there you can run the Java Decompiler to examine the code the APK contained.
- Most JetBrains IDEs (IntelliJ, Rider, Android Studio, etc.) support pasting a stack trace from an external source such as a logger and interpreting it as if it had been generated locally.
- When viewing backgrounded apps on iOS and Android you’re actually viewing screenshots taken of each app when it was backgrounded.
- You can erase cached credentials in Postman by clicking the “cookies” button, right next to the “code” button.
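As an added example (my own code, not from the original post), the following Python ties together the salt, pepper and digest-size items above: a fresh random salt per password stored beside the hash, a site-wide pepper kept out of the database, and a constant-time comparison on verification. The one substitution from the text is the hash step itself: PBKDF2-HMAC-SHA256 with a high iteration count stands in for a single SHA pass, because a slow, iterated hash is what you want for stored passwords. `PEPPER` and `ITERATIONS` are constructed values standing in for what would normally be read from the environment or a config file.

```python
import hashlib
import hmac
import secrets

# Pepper: a site-wide secret that is NOT stored next to the hashes. In a real
# deployment it comes from an environment variable or config file; this is a
# constructed placeholder for something like os.environ["PASSWORD_PEPPER"].
PEPPER = b"constructed-example-pepper-do-not-reuse"

# PBKDF2 work factor (constructed value). Tune upward as hardware allows.
ITERATIONS = 200_000


def digest_bits() -> dict:
    """Output size in bits of the hash families mentioned in the post."""
    return {
        name: hashlib.new(name).digest_size * 8
        for name in ("sha1", "sha256", "sha512", "sha3_256", "sha3_512")
    }


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # password || pepper is the secret input; the per-user salt is the PBKDF2 salt.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8") + pepper, salt, iterations
    )


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the fields that would go into the user's database row.

    The salt is generated fresh per password and stored in the same row;
    the pepper deliberately does not appear in the returned record.
    """
    salt = secrets.token_bytes(16)
    digest = _derive(password, salt, ITERATIONS, pepper)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, row: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(row["salt"])
    digest = _derive(password, salt, row["iterations"], pepper)
    return hmac.compare_digest(digest.hex(), row["hash"])


def demo() -> dict:
    """Show what a stored row looks like and why salt and pepper matter."""
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    return {
        # Same password, different salt, so the stored hashes differ.
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "alice_verifies": verify_password("correct horse battery staple", alice),
        "wrong_password_rejected": verify_password("wrong", alice),
        # A copy of the database row without the pepper cannot be verified
        # against, which is the point of keeping the pepper elsewhere.
        "verifies_without_pepper": verify_password(
            "correct horse battery staple", alice, pepper=b""
        ),
    }


if __name__ == "__main__":
    print(digest_bits())
    print(demo())
```

The stored row carries only salt, hash and iteration count; anyone holding a dump of that table still lacks the pepper, and every user gets a distinct hash even when passwords collide.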
Tools
- Postman includes “\r” and “\n” (carriage return and newline) characters in its curl code export. Make sure to remove them before actually executing it.
- To set a shell variable to the output of a command such as curl, wrap the command and its arguments in a “$(…)” block.
- If debugging curl with Charles, add “--proxy 127.0.0.1:8888 --insecure” after the URL in the terminal command (“--insecure” turns off certificate verification, which is what lets curl accept Charles’s certificate).
- You can export Charles proxy debugging sessions to assist teammates in troubleshooting server errors.
- You can VNC into a machine as long as you have its IP address and password. Just open the terminal and type “open vnc://0.0.0.0” (replace the 0s with your desired machine’s IP address).
- To unzip a file on macOS from the terminal you can type “unzip ” and then drag & drop the file into the terminal window.
- SQLite (used on iOS and Android) does not support the DROP COLUMN command.
- In Postgres always use VARCHAR instead of CHAR. CHAR pads values with whitespace to the maximum length specified for the column.
- Redis is an in-memory database commonly used as part of a microservices stack. You can flush a Redis cache by running redis-cli and executing “flushall” (this removes every key in every database on that instance). The primary use case for Redis is as a fast page cache for dynamically generated HTML.
- Zeplin and Sketch now support flows, removing the need for apps like proto.io.
- In design, “desire lines” are the worn game trails of consumers: ideally you see where they form first and then build the sidewalks to accommodate them.
- In design, “feature dilution” is the idea that every new feature weakens the impact of existing features, including the core value propositions.
- The 5-point rule in design is the idea that you shouldn’t use more than 5 unique fonts, colors, or text sizes on a page.
- You should avoid boxes within boxes in layout design wherever possible.
- The integration of animations into a boring workflow can make it more engaging and reduce user drop-off.
- Animations can also be used in a design to enable progressive disclosure of information (drill-down interfaces).
- PaintCode allows you to build dynamic UI in a Sketch-like environment and then export it as autogenerated Swift or Java code.
- macOS has a built-in tool called “Digital Color Meter” that allows you to get RGB colors from the screen.
- If your Mac crashes with a kernel panic every 30 minutes, try freeing up space on your hard drive with the DaisyDisk application.
- You can evaluate an expression while debugging in Visual Studio Code by using the “Debug Console” window and typing expressions at the prompt.
- Whenever you instantiate or upgrade a microservices stack, make sure to double-check the stack’s tag, especially when the orchestration framework you are using has an ‘auto-upgrade’ feature.
- Use mapShapes.com to render and manipulate svg map shapes quickly.
- D3 (Data-Driven Documents) allows you to represent data in SVGs through JavaScript functions.
- You can use “npm install tree” to get a hierarchical directory display in the terminal.
- New Relic is another crash-reporting service, similar to Firebase Crashlytics.
- AppFollow allows you to track App Store & Google Play reviews. It also has an optional integration with Slack.
Image credit: John Salvino on Unsplash