Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "audit"
You know what?
Young cocky React devs can suck my old fuckin LAMP and Objective-C balls.
Got a new freelance job and got brought in to triage a React Native iOS/Android app. Lead dev's first comment to me is: "Bro, have you ever used React Native".
To which I had to reply to save my honor publicly, "No, but I have like 8 years with Objective-C and 3 years with Swift, and 3 years with Node, so I maybe I'll still be able help. Sometimes it just helps to have a fresh set of eyes."
"Well, nobody but me can work on this code."
And that, as it turned out was almost true.
After going back and forth with our PM and this dev I finally get his code base.
"Just run "npm install" he says".
Like no fuckin shit junior... lets see if that will actually work.
Node 14... nope whole project dies.
Node 12 LTS... nope whole project dies.
Install all of react native globally because fuck it, try again... still dies.
Node 10 LTS... project installs but still won't run or build complaining about some conflict with React Native libraries and Cocoa pods.
Go back to my PM... "Um, this project won't work on any version of Node newer than about 5 years old... and even if it did it still won't build, and even if it would build it still runs like shit. And even if we fix all of that Apple might still tell us to fuck off because it's React Native.
Spend like a week in npm and node hell just trying to fucking hand install enough dependencies to unfuck this turds project.
All the while the original dev is still trying TO FIX HIS OWN FUCKING CODE while also being a cocky ass the entire time. Now, I can appreciate a cocky dev... I was horrendously cocky in my younger days and have only gotten marginally better with age. But if you're gonna be cocky, you also have to be good at it. And this guy was not.
Lo, we're not done. OG Dev comes down with "Corona Virus"... I put this in quotes because the dude ends up drawing out his "virus" for over 4 months before finally putting us in touch with "another dev team he sometimes uses".
Next, me and my PM get on a MS Teams call with this Indian house. No problems there, I've worked with the Indians before... but... these are guys are not good. They're talking about how they've already built the iOS build... but then I ask them what they did to sort out the ReactNative/Cocoa Pods conflict and they have no idea what I'm talking about.
Well, one of these suckers sends a link to some repo and I find out why. When he sends the link it exposes his email...
This Indian dude's emails was firstname.lastname@example.org...
We'd been played.
Company sued the shit out of the OG dev and the Indian company he was selling off his work to.
I rewrote the app in Swift.
So, lets review... the React dev fucked up his own project so bad even he couldn't fix it... had to get a team of Indians to help who also couldn't fix it... was still a dickhead to me when I couldn't fix it... and in the end it was all so broken we had to just do a rewrite.
None of you get npm. None of you get React. None of you get that doing the web the way Mark Zucherberg does it just makes you a choad locked into that ecosystem. None of you can fix your own damn projects when one of the 6,000 dependency developers pushes breaking changes. None of you ever even bother with "npm audit fix" because if security was a concern you'd be using a server side language for fucking server side programming like a grown up.
Mine are still working.34
A dude with a THICK Russian accent just called me offering server security services.
After I politely declined, he insisted on a free audit of my servers. I declined that as well.
Now I’m backing up our DB’s and going through my nginx logs.
Am I being racist?20
In a user-interface design meeting over a regulatory compliance implementation:
User: “We’ll need to input a city.”
Dev: “Should we validate that city against the state, zip code, and country?”
User: “You are going to make me enter all that data? Ugh…then make it a drop-down. I select the city and the state, zip code auto-fill. I don’t want to make a mistake typing any of that data in.”
Me: “I don’t think a drop-down of every city in the US is feasible.”
Manage: “Why? There cannot be that many. Drop-down is fine. What about the button? We have a few icons to choose from…”
Me: “Uh..yea…there are thousands of cities in the US. Way too much data to for anyone to realistically scroll through”
Dev: “They won’t have to scroll, I’ll filter the list when they start typing.”
Me: “That’s not really the issue and if they are typing the city anyway, just let them type it in.”
User: “What if I mistype Ch1cago? We could inadvertently be out of compliance. The system should never open the company up for federal lawsuits”
Me: “If we’re hiring individuals responsible for legal compliance who can’t spell Chicago, we should be sued by the federal government. We should validate the data the best we can, but it is ultimately your department’s responsibility for data accuracy.”
Manager: “Now now…it’s all our responsibility. What is wrong with a few thousand item drop-down?”
Me: “Um, memory, network bandwidth, database storage, who maintains this list of cities? A lot of time and resources could be saved by simply paying attention.”
Manager: “Memory? Well, memory is cheap. If the workstation needs more memory, we’ll add more”
Dev: “Creating a drop-down is easy and selecting thousands of rows from the database should be fast enough. If the selection is slow, I’ll put it in a thread.”
DBA: “Table won’t be that big and won’t take up much disk space. We’ll need to setup stored procedures, and data import jobs from somewhere to maintain the data. New cities, name changes, ect. ”
Manager: “And if the network starts becoming too slow, we’ll have the Networking dept. open up the valves.”
Me: “Am I the only one seeing all the moving parts we’re introducing just to keep someone from misspelling ‘Chicago’? I’ll admit I’m wrong or maybe I’m not looking at the problem correctly. The point of redesigning the compliance system is to make it simpler, not more complex.”
Manager: “I’m missing the point to why we’re still talking about this. Decision has been made. Drop-down of all cities in the US. Moving on to the button’s icon ..”
Me: “Where is the list of cities going to come from?”
<few seconds of silence>
Dev: “Post office I guess.”
Me: “You guess?…OK…Who is going to manage this list of cities? The manager responsible for regulations?”
User: “Thousands of cities? Oh no …no one is our area has time for that. The system should do it”
Me: “OK, the system. That falls on the DBA. Are you going to be responsible for keeping the data accurate? What is going to audit the cities to make sure the names are properly named and associated with the correct state?”
DBA: “Uh..I don’t know…um…I can set up a job to run every night”
Me: “A job to do what? Validate the data against what?”
Manager: “Do you have a point? No one said it would be easy and all of those details can be answered later.”
Me: “Almost done, and this should be easy. How many cities do we currently have to maintain compliance?”
User: “Maybe 4 or 5. Not many. Regulations are mostly on a state level.”
Me: “When was the last time we created a new city compliance?”
User: “Maybe, 8 years ago. It was before I started.”
Me: “So we’re creating all this complexity for data that, realistically, probably won’t ever change?”
User: “Oh crap, you’re right. What the hell was I thinking…Scratch the drop-down idea. I doubt we’re have a new city regulation anytime soon and how hard is it to type in a city?”
Manager: “OK, are we done wasting everyone’s time on this? No drop-down of cities...next …Let’s get back to the button’s icon …”
Simplicity 1, complexity 0.17
The look on a client's face when they realised that I program[med] sex toys for a living was pretty priceless.
Their attitude change, however, cost them a contract. Programming sex toys is no different from programming anything else.
Why do you have to bring in your religious views or my previous contracts into the conversation? All I'm doing is a network audit for your company. I'm not gonna hide a dildo in your closet, or something. I'm supposed to only be around for a few days, too.
Guess I had too many cooties, with how harsh they burnt that contract and bridge.
Me (Lead Developer), Boss (Head of IT), CEO
> enter stage left CEO
CEO > "Alright Boss, give it to me straight. Are we going to be able to release app x by this date?"
Boss > "Yup we'll have a beta release on that date"
> exit stage right CEO
Me > types long email to Boss outlining exactly why we won't be able to release app x anywhere near that date, beta or otherwise, because:
1. We have a development team of 2
2. I've never developed an iOS app before
3. Developer 2 is still trying to understand git, because
3a. Developer 2 isn't even a developer (but he's doing iOS front-end so w/e)
4. We don't have the required database systems in place
5. Or CRM
6. Or CPQ
7. We'll need to conduct a security audit
Boss > "yeah, but CEO is gonna need to hear that date a few more times before he can fully understand"
Me > *internally screaming BUT YOU HAVEN'T TOLD HIM THAT AT ALL*
"ok cool just glad we're on the same page on that one"5
!rant Decided to use the DevTools audit thing to try to improve my personal website. An embarrassing number of hours later and I finally have to tell the perfectionist in me to chill.14
Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.2
a stored XSS vuln in a banner-like component, visible in ALL the pages in the portal. Anyone can attack anyone.
HOWEVER this was not discovered by 3rd-party security specialists during latest security audit. I have escalated this to my manager and got replied that unless client actively requests this to be fixed should I do anything about it.
FFS.. it's only 2 lines of code.. And there's nothing I can do about it.
Eventualy I was transfered to another project. Now it's not my problem anymore.5
*tries to SSH into my laptop to see how that third kernel compilation attempt went*
… From my Windows box.
Windows: aah nope.
"Oh God maybe the bloody HP thing overheated again"
*takes laptop from beneath the desk indent*
… Logs in perfectly. What the hell... Maybe it's SSH service went down?
$ systemctl status sshd
> active (running)
Well.. okay. Can I log in from my phone?
*fires up Termux*
*logs in just fine*
What the fuck... Literally just now I added the laptop's ECDSA key into the WSL known_hosts by trying to log into it, so it can't be blocked by that shitty firewall (come to think of it, did I disable that featureful piece of junk yet? A NAT router * takes care of that shit just fine Redmond certified mofos).. so what is it again.. yet another one of those fucking WanBLowS features?!!
condor@desktop $ nc -vz 192.168.10.30 22
Connection to 192.168.10.30 22 port [tcp/ssh] succeeded!
ARE YOU FUCKING FOR REAL?!
Fucking Heisen-feature-infested piece of garbage!!! Good for gaming and that's fucking it!
Edit: (*) this assumes that your internal network doesn't have any untrusted hosts. Public networks or home networks from regular users that don't audit their hosts all the time might very well need a firewall to be present on the host itself as well.17
$ npm audit
> found 19 vulnerabilities (10 low, 5 moderate, 3 high, 1 critical)
$ npm audit fix
> fixed 0 of 19 vulnerabilities in 11987 scanned packages
> (use `npm audit fix --force` to install breaking changes; or do it by hand)
$ npm audit fix --force
> npm WARN using --force I sure hope you know what you are doing.
Me too, buddy. Me too.1
I just got four CSV reports sent to me by our audit team, one of them zipped because it was too large to attach to email.
I open the three smaller ones and it turns out they copied all the (comma separated) data into the first column of an Excel document.
It gets better.
I unzip the "big" one. It's just a shortcut to the report, on a network share I don't have access to.
They zipped a shortcut.
Sigh. This'll be a fun exchange.3
I've caught the efficiency bug.
I recently started a minimum wage job to get my life back in order after a failed 2 year project (post mortem: next time bring more cash for a longer runway)
I've noticed this thing I do at every job, where I see inefficiency and I think "how can I use technology to automate myself out of this job?"
My first ever application was in C++ for college (a BASIC interpreter) and it's been so long I've since forgotten the language.
But after a while every language starts to look like every other language, and you start to wonder if maybe the reason you never seriously went anywhere as a programmer was because you never really were cut out for it.
Code monkey, sure. Programmer? Dunno, maybe I just suffer from imposter syndrome.
So a few years back I worked at a retail chain. Nothing as big as walmart, but they have well over 10k store locations. They had two IBM handscanners per store, old grungy ugly things, and one of these machines would inevitably be broken, lost or in need of upgrade/replacement about once a year, per location. District manager, who I hit it off with, and made a point of building report with, told me they were paying something like $1500 a piece.
After a programming dry spell, I picked up 'coding' with MIT app inventor. Built a 'mostly complete' inventory management app over the course of a month, and waited for the right time.
The day of a big store audit, (and the day before a multi-regional meeting), I made sure I was in-store at the same time as my district manager, so he could 'stumble upon' me working, scanning in and pricing items into the app.
Naturally he asked about it, and I had the numbers, the print outs, and the app itself to show him. He seemed impressed by what amounted to a code monkeys 'non-code' solution for a problem they had.
Long story short, he does what I expected, runs it by the other regionals and middle executives at the meeting, and six months later they had invested in a full blown in house app, cutting IBM out of the mix I presume.
From what I understand they now use the app throughout the entire store chain.
So if you work at IBM, sorry, that contract you lost for handscanners at 10k+ stores? Yeah that was my fault (and MIT app inventor).
They say software is 'eating the world' but it really goes to show, for a lot of 'almost coders' and 'code monkeys' half our problem is dealing with setup and platform boilerplate. I think in the future that a lot of jobs are either going to be created or destroyed thanks to better 'low code' solutions, and it seems to be a big potential future market.
In the mean while I've realized, while working on side projects, that maybe I can do this after all, and taken up Kotlin. I want to do a couple of apps for efficiency and store tracking at my current employer to see if I'm capable and not just an mit app-inventor codemonkey after all.
I'm hoping, by demonstrating what I can do, I can use that as a springboard into an internal programming position at my current gig (which seems to be a company thats moving towards a more tech oriented approach to efficiency and management). Also watching money walk out the door due to inefficiency kinda pisses me off, and the thought of fixing those issues sounds really interesting. At the end of the day I just like learning new technologies, and maybe this is all just an excuse to pick up something new after spending so long on less serious work.
I still have a ways to go, but the prospect of working on B2B, and being able to offer technological solutions to common and recurring business needs excites the hell out of me..as cringy and over-repeated as that may sound.5
That awkward moment you beat Goolgle at its own game.
Inspired by @NotHappy's post https://devrant.com/rants/2301137/... to fix my issues,
Now what do i do?19
I used to do audits for private companies with a team. Most of them where black box audits and we were allowed to physically manipulate certain machines in and around the building, as long as we could get to them unnoticed.
Usually when doing such jobs, you get a contract signed by the CEO or the head of security stating that if you're caught, and your actions were within the scope of the audit, no legal action will be taken against you.
There was this one time a company hired us to test their badge system, and our main objective was to scrape the data on the smartcards with a skimmer on the scanner at the front of the building.
It's easy to get to as it's outside and almost everyone has to scan their card there in order to enter the building. They used ISO 7816 cards so we didn't even really need specified tools or hardware.
Now, we get assigned this task. Seems easy enough. We receive the "Stay-out-of-jail"-contract signed by the CEO for Company xyz. We head to the address stated on the contract, place the skimmer etc etc all good.
One of our team gets caught fetching the data from the skimmer a week later (it had to be physically removed). Turns out: wrong Building, wrong company. This was a kind of "building park" (don't really know how to say it in English) where all the buildings looked very similar. The only difference between them was the streetnumber, painted on them in big. They gave us the wrong address.
I still have nightmares about this from time to time. In the end, because the collected data was never used and we could somewhat justify our actions because we had that contract and we had the calls and mails with the CEO of xyz. It never came to a lawsuit. We were, and still are pretty sure though that the CEO of xyz himself was very interesed in the data of that other company and sent us out to the wrong building on purpose.
I don't really know what his plan after that would have been though. We don't just give the data to anyone. We show them how they can protect it better and then we erase everything. They don't actually get to see the data.
I quit doing audits some time ago. It's very stressful and I felt like I either had no spare time at all (when having an active assignment) or had nothing but spare time (when not on an assignment). The pay also wasn't that great.
But some people just really are polished turds.4
Manager: what is the estimations for this task A nd B?
Me: Task A: 3 months for 1 guys, and task B: 2 Months
Manager: ok, u can have a fresher, and finish task A, and u urself can pick task B, u can train him and bring him up to pace...
Me: (trying to recalibrate my estimations)...
Manager: oh and u have 3 weeks to deliver production ready scalable quality code with junits, documentation and testing done...
Me: then why the fuck did u bother for the estimates?
Manager: oh that is just for the process complaince...I don't want any trouble in audit...5
This is the most hilarious stackoverflow rant ever, quote:
"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."
My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and idk if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?12
`npx create-react-app blah`
`cdls blah && npm audit`
good fucking job.
To be fair, they're all minor, but they're all *exactly* the same, caused by the same freaking package. Update your dependencies already!
`npm i --save formik && npm audit`
68 vulnerabilities, three of them critical.
OMFG I don't even know where to start..
Probably should start with last week (as this is the first time I had to deal with this problem directly)..
Also please note that all packages, procedure/function names, tables etc have fictional names, so every similarity between this story and reality is just a coincidence!!
Here it goes..
Lat week we implemented a new feature for the customer on production, everything was working fine.. After a day or two, the customer notices the audit logs are not complete aka missing user_id or have the wrong user_id inserted.
Hm.. ok.. I check logs (disk + database).. WTF, parameters are being sent in as they should, meaning they are there, so no idea what is with the missing ids.
OK, logs look fine, but I notice user_id have some weird values (I already memorized most frequent users and their ids). So I go check what is happening in the code, as the procedures/functions are called ok.
Wow, boy was I surprised.. many many times..
In the code, we actually check for user in this apps db or in case of using SSO (which we were) in the main db schema..
The user gets returned & logged ok, but that is it. Used only for authentication. When sending stuff to the db to log, old user Id is used, meaning that ofc userid was missing or wrong.
Anyhow, I fix that crap, take care of some other audit logs, so that proper user id was sent in. Test locally, cool. Works. Update customer's test servers. Works. Cool..
I still notice something off.. even though I fixed the audit_dbtable_2, audit_dbtable_1 still doesn't show proper user ids.. This was last week. I left it as is, as I had more urgent tasks waiting for me..
Anyhow, now it came the time for this fuckup to be fixed. Ok, I think to myself I can do this with a bit more hacking, but it leaves the original database and all other apps as is, so they won't break.
I crate another pck for api alone copy the calls, add user_id as param and from that on, I call other standard functions like usual, just leave out the user_id I am now explicitly sending with every call.
Ok this might work.
I prepare package, add user_id param to the calls.. great, time to test this code and my knowledge..
I made changes for api to incude the current user id (+ log it in the disk logs + audit_dbtable_1), test it, and check db..
Disk logs fine, debugging fine (user_id has proper value) but audit_dbtable_1 still userid = 0.
WTF?! I go check the code, where I forgot to include user id.. noup, it's all there. OK, I go check the logging, maybe I fucked up some parameters on db level. Nope, user is there in the friggin description ON THE SAME FUCKING TABLE!!
Just not in the column user_id...
WTF..Ok, cig break to let me think..
I come back and check the original auditing procedure on the db.. It is usually used/called with null as the user id. OK, I have replaced those with actual user ids I sent in the procedures/functions. Recheck every call!! TWICE!! Great.. no fuckups. Let's test it again!
OFC nothing changes, value in the db is still 0. WTF?! HOW!?
So I open the auditing pck, to look the insides of that bloody procedure.. WHAT THE ACTUAL FUCK?!
Instead of logging the p_user_sth_sth that is sent to that procedure, it just inserts the variable declared in the main package..
WHAT THE ACTUAL FUCK?! Did the 'new guy' made changes to this because he couldn't figure out what is wrong?! Nope, not him. I asked the CEO if he knows anything.. Noup.. I checked all customers dbs (different customers).. ALL HAD THIS HARDOCED IN!!! FORM THE FREAKING YEAR 2016!!! O.o
Unfuckin believable.. How did this ever work?!
Looks like at the begining, someone tried to implement this, but gave up mid implementation.. Decided it is enough to log current user id into BLABLA variable on some pck..
Which might have been ok 10+ years ago, but not today, not when you use connection pooling.. FFS!!
So yeah, I found easter eggs from years ago.. Almost went crazy when trying to figure out where I fucked this up. It was such a plan, simple, straight-forward solution to auditing..
If only the original procedure was working as it should.. bloddy hell!!8
11 months ago I was tasked to audit 58 computer and 6 servers including network speed analysis. In the meeting with the client & stakeholders, they asked my boss how we will achieve this. He replied... "Pen and Paper. We have interns to capture all info into a spreadsheet ". GEEEEEEEZUS!!!4
Today I'm ranting about Windows. No, it's not "WiNdOwS sUcKs!", it's more like "But why!?"
See, I'm an IT guy for the year, and in my office they use Windows. Now once upon a time, they had Active Directory and all that (well, actually, they still do) but then they got some new computers running Windows 10, and for some reason they just couldn't join them to the domain!
Why can't they, you ask? Well, Microsoft only allows Win 10 Pro and up to join a Domain, and since these computers came with Win 10 Home, that wasn't possible.
Long story short, I now have some 30 computers that need to be upgraded (possibly from 7) to Win 10 Pro, and joined to the Domain.
Thing is, I would like to do that all in one go, so I look into how to automatically setup Windows.
"Ah! Got it, provisioning packages!"
Lest you think they work let me spare you now: they don't. Just like real computers where everything is different, provisioning packages failed to work twice, and after wasting about a week trying to make it work, I gave up.
So now I realized that I need to try a different method, a custom windows image. Issue is, I've got no clue how to make one. See, microsoft decided to go all in on the provisioning packages thing (they do have advantages in certain use cases), and seemed to decide that making custom images was no longer necessary, so they documentation was nearly impossible to find.
But after a lot of searching, I figured out how to do it:
1. Install Windows in a VM.
2. Put it in audit mode.
3. Install your stuff.
4. Create an unattend.xml file with certain customizations.
5. Put the unattend in Windows\System32\Sysprep
6. Generalize the image.
7. Boot WinPE.
8. Open the console.
9. Capture the image.
10. Wait an hour or two.
I'm over simplifying, it was a huge PITA, and yet there were still issues.
Maybe another time I'll talk about those.27
I never thought clean architecture concepts and low complicity, maintainable, readable, robust style of software was going to be such a difficult concept to get across seasoned engineers on my team... You’d think they would understand how their current style isn’t portable, nor reusable, and a pain in the ass to maintain. Compared to what I was proposing.
I even walked them thru one of projects I rewrote.. and the biggest complaint was too many files to maintain.. coming from the guy who literally puts everything in main.c and almost the entire application in the main function....
Arguing with me telling me “main is the application... it’s where all the application code goes... if you don’t put your entire application in main.. then you are doing it wrong.. wtf else would main be for then..”....
Dude ... main is just the default entry point from the linker/startup assembly file... fucken name it bananas it will still work.. it’s just a god damn entry point.
Trying to reiterate to him to stop arrow head programming / enormous nested ifs is unacceptable...
Also trying to explain to him, his code is a good “get it working” first draft system.... but for production it should be refactored for maintainability.
Uggghhhh these “veteran” engineers think because nobody has challenged their ways their style is they proper style.... and don’t understand how their code doesn’t meet certain audit-able standards .
You’d also think the resent software audit would have shed some light..... noooo to them the auditor “doesn’t know what he’s talking about” ... BULLSHIT!10
A vendor gave us what is turning out to be a very stable storage appliance/software, so we're happy for that. But even so, disks fail. So we need an automated way to identify, troubleshoot, isolate, and begin ticketing against disk failures. Vendor promised us a nice REST API. That was six months ago. The temporary process of SSHing(as root) to every single appliance(60-200 per site, dozens of sites) to run vendor storage audit commands remains our go-to means of automation.7
There comes that dreaded time in the life of a developer working in a conservative, borderline medieval corporate, where darkness sweeps over the land and the evil lords rummage through every peasant's hovel searching for the forbidden - AKA software audit.
So I made a list of all the unauthorized open source code we desperately rely on, and we decided as a team to go down in flames and gloriously fail the audit, a legend of sacrifice that shall be passed on in hushed voices.3
I'm so thrilled!! I am not a GUI person & I am rly rly slow & bad when it comes to minor changes on that part..
But today I finally finished GUI, client logic, server side logic & db shiiit for some audit interface I was making.. ..from scratch, meaning it wasn't some changese here & there, no copy pasta no nothin.. I did the whole thing by myself..did a lot of things for the first time & it didn't take me ages!! Wiiiiii!!! Having a total 'I iz so proud of myself' moment!! // I usually am not the boasting/confident/happy with myself type..3
We have a badly out of shape but functional product , the result of a "if its not broke don't fix it" mentality. The only thing manangement cares is our next release and making meetings to plan other meetings...
Now comes the time of the security Audit (PCI)...
Manager : oh noooo the audit will fix this issue, quickkk fix it !
Us : welllll its a lengthy process but doable, we just gotta do a,b,c,d,e . Part a is essentially what we need the rest are refactoring bits of the system to support part a since the performance would be shit otherwise
Manager: can you do part a before the audit starts ?
Manager: do it . Oh and pop those other issues on JIRA so we can track em
Manager: so we got through ok?
Us : 👍 yep
Manager: okayy, take those other issues..... and stick em at the bottom of the back log...
Us : huh ? *suspicious faces*..... okay but performance is gonna be poor with the system as it is cuz of part A....
Manager: yeaaahhh * troll face* ....about that.... roll it back and stick that too at the bottom of the log. We got to focus our next release. Lemme schedule a meeting for that 😊
Us : faceplam4
This is irritating. Fuck you stitchfix. If I were convicted of a felony and did time, my odds of finding a job are basically zero. But for some reason (I can only surmise weaponized wokeness, or has an executives sex tape) they want to keep this fuck on who maliciously deletes half of Cisco's AWS service infra, pleads guilty and is looking at 5 years and $250k in fines.
This isn't even the first time their sourcing of resources has become a problem. Deloitte nailed them just last year with an audit that said their outsourcing had led to effectively no way for them to control their financials or secure customer data. And their response is apparently, double down.
Fucking MBA fucks.3
We had 1 Android app to be developed for charity org for data collection for ground water level increase competition among villages.
Initial scope was very small & feasible. Around 10 forms with 3-4 fields in each to be developed in 2 months (1 for dev, 1 for testing). There was a prod version which had similar forms with no validations etc.
We had received prod source, which was total junk. No KT was given.
In existing source, spelling mistakes were there in the era of spell/grammar checking tools.
There were rural names of classes, variables in regional language in English letters & that regional language is somewhat known to some developers but even they don't know those rural names' meanings. This costed us at great length in visualizing data flow between entities. Even Google translate wasn't reliable for this language due to low Internet penetration in that language region.
OOP wasn't followed, so at 10 places exact same code exists. If error or bug needed to be fixed it had to be fixed at all those 10 places.
No foreign key relationships was there in database while actually there were logical relations among different entites.
No created, updated timestamps in records at app side to have audit trail.
Small part of that existing source was quite good with Fragments, MVP etc. while other part was ancient Activities with business logic.
We have to support Android 4.0 to 9.0 of many screen sizes & resolutions without any target devices issued to us by the client.
Then Corona lockdown happened & during that suddenly client side professionals became over efficient.
Client started adding requirements like very complex validation which has inter-entity dependencies. Then they started filing bugs from prod version on us.
Let's come to the developers' expertise,
2 developers with 8+ years of experience & they're not knowing how to resolve conflicts in git merge which were created by them only due to not following git best practice for coding like only appending new implementation in existing classes for easy auto merge etc.
They are thinking like handling click events is called development.
They don't want to think about OOP, well structured code. They don't want to re-use code mostly & when they copy paste, they think it's called re-use.
They wanted to follow old school Java development in memory scarce Android app life cycle in end user phone. They don't understand memory leaks, even though it's pin pointed by memory leak detection tools (Leak canary etc.).
Now 3.5 months are over, that competition was called off for this year due to Corona & development is still ongoing.
We are nowhere close to completion even for initial internal QA round.
On top of this, nothing is billable so it's like financial suicide.
Remember whatever said here is only 10% of what is faced.
- An Engineering lead in a half billion dollar company.7
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2
Impossible deadline experience?
A few, but this one is more recent (and not mine, yet)
Company has plans to build a x hundred thousand square feet facility (x = 300, 500, 800 depending on the day and the VP telling the story)
1. Land is purchased, but no infrastructure exists (its in a somewhat rural area, no water or sewage capable of supporting such a large facility)
2. No direct architectural plans (just a few random ideas about layout, floor plans, parking etc)
3. Already having software dev meetings in attempt to 'fix' all the current logistical software issues we have in the current warehouse and not knowing any of the details of the new facility.
One morning in our stand-up, the mgr says
Mgr: "Plans for the new warehouse are moving along. We hope to be in the new building by September."
Me: "September of 2022?"
<very puzzled look>
Mgr: "Um, no. Next year, 2021"
Me: "That's not going to happen."
Mgr: "I was just in a meeting with VP-Jack yesterday. He said everything is on schedule."
Me: "On schedule for what?"
<I lay out some of the known roadblocks from above, and new ones like the political mess we will very likely get into when the local zoning big shots get involved>
Mgr: "Oh, yea, those could be problems."
Mgr: "What's that?"
Me: "That's the sound of a September 2021 date flying by."
Mgr: "Funny. Guess what? We've been tasked with designing the security system. Overhead RFID readers, tracking, badge scans, etc. Normally Dan's team takes care of facility security, but they are going to be busy for a few weeks for an audit. Better start reaching out to RFID vendors for quotes. Have a proposal ready in a couple of weeks."
Me: "Sure, why not."1
If I had to audit my current code I'd definitly stick a cactus up my arse shouting in the mirror:
ALL YOUR CODE IS GOOD FOR IS ULTIMATE DELETION. YOU FILTHY MAGGOT! LEARN TO CODE... *rage quit*
Really, coding shit because of spare time simply makes me ripping my face of 💀
So... has anyone yet made a comment about now exHead AMD Chief of GPU division Raja Koduri joining Intel?
Now this is awkward after I made this OC image not so long ago :/
Also in other news can we comment that Systemd has pretty much took over most linux distros? is this the new NSA backdoor? (before someone points out is open source, have anyone been able to properly audit it?)4
Some Project Manager outsourced a redundant RADIUS setup with MySQL backend. We got 2 copies of a daloradius appliance running on Ubuntu 10.04. Once I saw this, I started to get a bit suspicious and requested to audit the system and database redundancy. With the system in production, and without getting back any documentation, I got into the VMs using the default root password. This was not even the worst part, as I found. One server was using a local MySQL instance, while the other was also using the first one's MySQL instance. When I reported this, I was told to comment clearly any changes to the configuration files, which resulted in commenting the word SHAME above each change.1
Create a full open-source company based on no-knowledge services to compete with the data hogs that pretty much own the internet as it stands4
So today a colleague confessed to an attempt to troll my computer by SSHing into it and playing random songs. Thankfully he did not manage but he would just happen to do it the day we have a security audit.
There is this friend of mine, total business profile, working in banking audit for MNEs. The guy is in trouble with his PowerPoint, asking me if I can assist because "as you working in IT". I'm a Golang distributed system engineer for a major delivery company. Be sure I will call you next time I need to open a bank account.1
TLDR: I need advice on reasonable salary expectations for sysadmin work in the rural United States.
I need some community advice. I’m the sysadmin at a small (35 employee) credit card processing company. I began as an intern and have now become their full time sysadmin/networking specialist. Since I was hired in January I have:
-migrated their 2007 Exchange server to Office 365
-Upgraded their ailing Windows server 2003 based architecture to 2012R2
-Licensed their unlicensed VMware ESXi servers (which they had already paid for license keys for!!!) and then upgraded them to 6.5 while preventing downtime on hosted VMs using tricky transfers and deployments (without vMotion!)
-Deployed a vCenter server to manage said ESXi servers easier
-Fixed a three month gap in their backups by implementing Veeam, and verifying its functionality
-Migrated a ‘no downtime’ fileserver to a new hypervisor host, implemented a ‘hot standby’ server as a backup kept up to date by the minute with DFS replication.
-Replaced failing hard drives in a RAID array underlying their one ‘business critical’ fileserver, which had no backups for 3 months at that time
-Reorganized Active Directory and Group Policy deployment from a nightmare spiderweb of OUs and duplicate policies
-Documented the entire old network and now the new one as I’ve been upgrading this
-Audited the developers AWS instances and removed redundant machines, optimized load balancing on front end Nginx servers, joined developer run Fedora workstations to the AD domain and implemented centralized syslog monitoring on them.
-Performed network scans and rewrote firewall exceptions to tighten security
There’s more, but you get the idea. I’ve now been tasked with taking point on an upcoming PCI audit which will be my first.
I’m being paid $16/hr US, with marginal health benefits. This is roughly $32,000 a year, before taxes.
I have two years previous work experience managing a third party Apple repair facility (SimplyMac) and every Apple certification for warranty repair and software troubleshooting. I have a two year degree in general sciences, with about 4 years of college credit (Two years of a physics education and two years of computer science after I switched focus) I’m actively pursuing a CCNA and MCSA server 2016 with exams paid for and scheduled.
I’m going into a salary negotiation in two months. What is a reasonable salary to request, from your perspective, for someone in my position?
Thanks in advance!6
Ever have one of those moments where you're running a service you built to update about a decade worth of police records, realize about halfway through that you fucked the loop and you're copying data from the first record onto every other record, and then just really wish that you had checked things better in test before running this on the prod server?
I'm sure the only reason I'm still here is because the audit log contained the original values and I'm good at pulling data out of it.1
-4 Domain Administrators in my organization-
Me, a Doman Administrator: "Boy, I sure hope the FDIC IT Audit goes well!"
Braindead FDIC Examiner: "So let me get this straight, you use your administrator account to do things on a day-to-day basis?"
Me: "Uhh, I'm an admin so yeah, my account has admin privileges."
Examiner: *gives disapproving glare* "And your personal account has administrative rights?"
Me: "...I'm an admin... So I thought that'd be fairly obvious."
Examiner: "I'm sorry, but that is unacceptable. How can we tell which admin made what change when?"
Me: *dumbfounded* "...I'm sorry, what?"
Examiner: "You're going to need separate accounts, 1 normal user account and 1 admin account per domain admin."
Me: "You do realize that everything I do while I'm working requires elevation of SOME kind, don't you?"
Examiner: "I'm sorry, but you need to make this change. Thank you."
Me: *stares at the short pile of braindead shit as he walks away*8
Just give me anything BUT coding to work on and I'm instantly in the zone for coding. End of Year Review, access reviews for Audit, any other kind of paperwork, which is most of what my job is these days, and I have some brilliant insight into a problem on my back burner, or a brilliantly simple way to implement a feature I've been stewing on for weeks.
It's my procrastinating nature to not want to do the thing I HAVE to do.
Maybe I should volunteer for more paperwork?1
So, as you may be aware, I work as solo dev for small company. There is easly enough work for team, but I digress..
So, they wanted to stay updated whats progress on some projects. We use slack. I use git. I set up account for them so they can come into my git and controll if issues are solved, etc. I wont get started about any dev ever beeing judged by how much code is outputted, beyond scope of this.
So they started bitching about that git is too technical and too complicated and shit. They made bizzare bullshit google excel (not even in polish) and stupidass form to "audit issues". Hmm.. wtf. I just didnt use it becouse it was slowing me down and was just frustrating, how one can replace git + issue tracker with fucking spreadsheet?!
Okay, so having that aside, I complained about that so they were like "okay, so you want to use git and we want to be notified. whats your solution" me "oh, you want to stay notified, thats easy, I can plug my git into slack"
Now our slack is spammed to oblivion with git notifications.
Now they are annoyed that they are too notified. (Yes I consulted with them what will be plugged into slack)
I wasn't hired to do a dev's job (handled sales) but they asked me to help the non-HQ end with sorting transaction records (a country's worth) for an audit.
Asked HQ if they could send the data they took so I wouldn't need to request the data. We get told sure, you can have it. Waits for a month. Nothing. Apparently, they've forgotten.
Asks for data again. They churn it out in 24 hours. Badly Parsed. Apparently they just put a mask of a UI and stored all fields as one entire string (with no separators). The horror!
Ended up wasting most of a week simply fixing the parsing by brute force since we had no time.
Good news(?): We ended up training the front desk people to ending their fields with semi-colons to force backend into a possibly parsed state.
So i work in support (do dev stuff in my own time). Spent 3 months seconded to another team supporting in project clients.
First issue i had in that team was a client with serious data issues which took about 30 hours +/- to diagnose and write some scripts to resolve.
After they went live and got handed over to support they had the same issue again but instead of support picking it up they sat on it till i came back on Monday.
Ive spent about another 10 hours or so picking through audit logs. I get all the shit no one else can either be bothered or capable of doing and to top it off i didnt get the promotion i was going for because i hadnt closed enough tickets, because they keep giving me all the shit to fix for everybody else
I "love" when tables in database have columns such as UpdatedBy, Updated and this is the only audit that system has.11
I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.
- test string (hidden, random, random length)
- password again
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
EDIT: Maybe some salt for test string would be nice8
I'm way past the point of being pissed now....
So there's some software (API's, mobile app + website) that I wrote to manage supplier incentive programs in a big hurry last year - which lead to a bunch of stuff being hard-coded in to launch on time. So after last years promotion was done I took down all the services etc was very fucking clear that in order to finish & deploy it to run again I would need at least around 4 months notice.
On the surface its pretty simple but it has quite a large user base and controls the distribution of enough cash & prizes to buy a small country so the setup of the incentives/access/audit trails is not something to be taken lightly.
Then once I'm done with the setup I have to hand it over to be "independently audited" by 3 of the larger corporate behemoths who's cash it distributes (if I get a reply from one in 3-4 weeks it's pretty fast).
I only happened to find out by chance an hour ago that we are apparently launching an even larger program this year - ON FUCKING MONDAY. I literally happened to over hear this on my way for a smoke - they have been planning it since last year November and not one person thought it might be kinda important to let me know because software is "magic" and appears and works based on the fucking lunar cycle.
npm audit has gone wild since GitHub (aka Microsoft) acquisition, they surely found a way to influence the community.
Now, guys, embrace the creeping evil until deno is really out.5
Every meeting that contains one or more of the following points:
- "I don't think it belongs in the meeting, but"
- "Didn't get the meeting notes"
- "When's the food coming?"
- "I know we've said no technical discussion, but..."
- "Why is he so strict, this is no fun meeting at all :("
- "I think it's unfair to include risk assessment, you blame US before XY is finished"
- "The admins / the Team XY / ZX didn't talk with us, so we don't talk with him / her / them..."
- "Why are we here?"
- "Why is it so bad when production is down?"
- "I didn't know we do security / audit checks... Why hasn't anyone told us?"
- "Not happening. I'm against it"
- "I don't want to work with XY - he doesn't do it like I want it"
I could add thousand more things here.
I had countless meetings where I really thought that I was an alien who got broadcasted in a comedy reality TV soap...9
Few years ago I was asked to give advice on a project. There was an intern doing all the work and I even gave him almost ready code to use. And he didn't use it even properly.
And best part is that they thought at the time that it would be finished in couple of months.
After few months I took over and had to deal with the "intern code". Almost all of the code is rewritten.
Status of the project is now very good. We are implementing new features and it has even passed strict security audit done by other company.
Sadly I can't drop any names etc due to NDA.4
Sooooo I came in to work yesterday and the first thing I see is that our client can't log on to the cms I set up for her a month ago. I go log in with my admin credentials and check the audit logs.
It says the last person to access it was me, the date and time exactly when we first deployed it to production.
One month ago.
I fired a calm email to our project managers (who've yet to even read the client complaint!) to check with ops if the cms production database had been touched by the ops team responsible for the sql servers. Because it was definitely not a code issue, and the audit logs never lie.
Later in the day, the audit log updated itself with additional entries - apparently someone in ops had the foresight to back up the database - but it was still missing a good couple weeks of content, meaning the backup db was not recent.
If only NPM' security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits which generates noise on the terminal (obviously when using npm) and on Github
Good code is a lie imho.
When you see a project as code, there are 3 variables in most cases:
- people / human resources
Every variable plays a certain role in how the code (project) evolves.
Time - two different forms: when certain parts of code are either changed in a high frequency or a very low frequency, it's a bad omen.
Too high - somehow this area seems to be relentless. Be it features, regressions or bugs - it takes usually in larger code bases 3 - 4 weeks till all code pathes were triggered.
Too low - it can be a good sign. But it should be on the radar imho. Code that never changes should be reviewed at an - depending on size of codebase - max. yearly audit. Git / VCS is very helpful here.
Why? Mostly because the chances are very high that the code was once written for a completely different requirement set. Hence the audit - check if this code still is doing the right job or if you have a ticking time bomb that needs to be defused.
If a project has only person working on it, it most certainly isn't verified by another person. Meaning that only one person worked on it - I'd say it's pretty bad to bad, as no discussion / review / verification was done. The author did the best he / she could do, but maybe another person would have had an better idea?
Too many people working on one thing is only bad when there are no rules ;)
Rules. There are two different kind of rules.
Styling / Organisation / Dokumentation - everything that has not much to do with coding itself. These should be enforced at a certain point, otherwise the code will become a hot glued mess noone wants to work on.
Coding itself. This is a very critical thing.
Do: Forbid things that are known to be problematic in the programming language itself. Eg. usage of variables in variables, reflection, deprecated features.
Do: Define a feature set for each language. Feature set not meaning every feature you want to use! Rather a fixed minimum version every developer must use and - in case of library / module / plugin support - which additional extras are supported.
Every extra costs. Most developers don't want to realize this... And a code base that evolves over time should have minimal dependencies. Every new version of an extra can have bugs, breakages, incompabilties and so on.
Don't: don't specify a way of coding. Most coding guidelines are horrific copy pastures from some books some smart people wrote who have no fucking clue what you're doing and why.
If you don't know how to operate on people, standing in an OR and doing what a book told you to do would end in dead person pretty sure. Same for code.
Learn from mistakes and experience, respect knowledge from other persons, but always reflect on wether this makes sense at this specific area of code.
There are very few things which are applicable to a large codebase on a global level. Even DRY / SOLID and what ever you can come up with can be at a certain point completely wrong.
Good code is a lie - because it can only exist at a certain point of time.
A codebase should be a living thing - when certain parts rot, other parts will be affected too.
The reason for the length of the comment was to give some hints on what my principles are that code stays in an "okayish" state, but good is a very rare state
Was an internal auditor translating department process to a technical spec for a programmer. We were going to leverage an external company's API which would replace our need to use their slow and buggy web app.
During a meeting, an audit teammate suggested something be changed with the external service we were using. I said we could bring it up with the company but we shouldn't rely on it because we were a small customer even during out busiest month (200 from us vs 10000+ from big banks).
Teammate said we should have our programming team fix it. I made it clear that it was not our side and that to build out the service on our side was beyond our scope. Teammate continued to bring it up during the meeting then went back to desk after meeting and emailed us all marked up screenshots of the feature.
I ignored this and finished writing up the specs, sending them over to the programmer building out the service.
30 minutes later I get a call from programmer's manager who was quite angry at an expanded scope that was impossible (engineers were king at this company. Best not to anger them). Turns out my teammate had emailed his own spec to the programmers full of impossible features that did not reference the API docs.
I feel bad about it now but I yelled at my teammate quite loudly. I said he was spending time on something that was not reasonable or possible and when they continued to talk about their feature I yelled even louder.
Didn't get fired but it definitely tagged me as an asshole until I left. Fair enough :)
The most important thing my mentor taught me was “ in an audit if the auditor asks ‘do you have the time?’ And you do simply respond ‘yes’” it done me well so far!2
Oh! Damn No No Nooooo
Our team was working on upgrading our infrastructure for PCI Compliance for two months. Did all assesments and testing and waiting for long approvals. Finally, we finished all upgradation smoothly.
After we submitted our report to Infrastructure and that guy comes with Audit reports stating that the PCI Compliance requirements has changed.
And we were like we just upgraded a few hours and how come it changed. And we have to the whole job again. Just want to flip tables now.1
When you're just waiting around for the designer to finish their audit of your build so you can get back to work.
Well, the new audit tool in the chrome dev tools seems to be nice and shiny, but even google does not pass its tests completly...3
Google is like the parent or teacher who is never happy with your work. I've never seen something so unattainable in a world where non-technical clients rely on CMSes, theme templating, server-side page rendering, and external scripting as Google's mobile PageSpeed recommendations. Especially under the Lighthouse audit in Chrome Inspector. Unless I go back to pre-2001 web development methods, and never have external scripting, and make every page have its own CSS file with only critical path CSS for each page, I will never get all the high scores I'm expected to have to rank well for mobile. When and how will Google get called out on this B.S.?9
I think I found a way to audit college courses without paying for them. Find someone that is taking the courses and get paid doing their homework (for cheap/free). Make sure they take good notes and provide access to all materials. Do their homework of course. If taken to the extreme you could have a CS/CE/Math background while possibly making money on the deal. Any time you want to take a course you advert that you will do the homework. You could even wrangle the victim to record the lectures so you can reference as needed.
At the end you won't have a degree, but will be able to do everything the degree demands.
Obviously there are issues with this, one being a moral issue.4
Another newbie question
Is ruby on rails worth learning now and is it dead ? I am a bit of a newbie to backend. I did create a site for a friend a year or two ago with django but still it was pretty simple. My horrible code is available here :- https://github.com/akshaytolwani123...
Also is this course on coursera for free on audit decent for the basics https://coursera.org/learn/... or should I just use freecodecamp or similar.5
Sifting through data soothes my brain. I decided to audit my own phone records and I am like what the hell, who have I been talking to?!??
3 days when I had to complete documentation for an audit. I only returned to my room to shower and change clothes for the next day. That too I left at 8AM and returned at 09:30AM.
2 days when I had to complete setting up the office network over the weekend. Note that this was over a weekend.
And this is without counting the many hours I've spent semi-working at hackathons. I've gone up to 60 hours without sleep, coding the shit out of my brains.2
Does anyone have experince with UPnP audit/hacking tools like miranda? I need to show my prof how to do it and either show it live or record it and show the video. Do you know some good tutorials or sites?1
9 Ways to Improve Your Website in 2020
Online customers are very picky these days. Plenty of quality sites and services tend to spoil them. Without leaving their homes, they can carefully probe your company and only then decide whether to deal with you or not. The first thing customers will look at is your website, so everything should be ideal there.
Not everyone succeeds in doing things perfectly well from the first try. For websites, this fact is particularly true. Besides, it is never too late to improve something and make it even better.
In this article, you will find the best recommendations on how to get a great website and win the hearts of online visitors.
Take care of security
It is unacceptable if customers who are looking for information or a product on your site find themselves infected with malware. Take measures to protect your site and visitors from new viruses, data breaches, and spam.
Take care of the SSL certificate. It should be monitored and updated if necessary.
Be sure to install all security updates for your CMS. A lot of sites get hacked through vulnerable plugins. Try to reduce their number and update regularly too.
Ride it quick
Choose a quality hosting provider
In many respects, both the security and the speed of the website depend on your hosting provider. Do not get lost selecting the hosting provider. Other users share their experience with different providers on numerous discussion boards.
Content is king
Content is everything for the site. Content is blood, heart, brain, and soul of the website and it should be useful, interesting and concise. Selling texts are good, but do not chase only the number of clicks. An interesting article or useful instruction will increase customer loyalty, even if such content does not call to action.
Broadcasting should not be one-way. Make a convenient feedback form where your visitors do not have to fill out a million fields before sending a message. Do not forget about the phone, and what is even better, add online chat with a chatbot and\or live support reps.
Refrain from unpleasant surprises
Please mind, self-starting videos, especially with sound may irritate a lot of visitors and increase the bounce rate. The same is true about popups and sliders.
Next, do not be afraid of white space. Often site owners are literally obsessed with the desire to fill all the free space on the page with menus, banners and other stuff. Experiments with colors and fonts are rarely justified. Successful designs are usually brilliantly simple: white background + black text.
With such a dynamic pace of life, it is important to always keep up with trends, and the future belongs to mobile devices. We have already passed that line and mobile devices generate more traffic than desktop computers. This tendency will only increase, so adapt the layout and mind the mobile first and progressive advancement concepts.
Your visitors should be your priority. Use human-oriented terms and concepts to build navigation instead of search engine oriented phrases.
Do not let your visitors get stuck on your site. Always provide access to other pages, but be sure to mention which particular page will be opened so that the visitor understands exactly where and why he goes.
The site can be compared to a house - you always need to monitor the performance of all systems, and there is always a need to fix or improve something. Therefore, a technical audit of any project should be carried out regularly. It is always better if you are the first to notice the problem, and not your visitors or search engines.
As part of the audit, an analysis is carried out on such items as:
● Checking robots.txt / sitemap.xml files
● Checking duplicates and technical pages
● Checking the use of canonical URLs
● Monitoring 404 error page and redirects
There are many tools that help you monitor your website performance and run regular audits.
I hope these tips will help your site become even better. If you have questions or want to share useful lifehacks, feel free to comment below.
recently, I was working on a project to playback archived call recordings, and another developer was hired. part of my job is also to support a third party automation framework for customers, so I got "seconded" to support a proof of concept. the original project had now been messed up, it works, however, the functionality that made it secure has been MASSIVELY compromised for the sake of effort. I've tried to cause a stink as we have a major customer who will fail the next PCI audit. opinions on the situation. the other developer has a lot more experience, but seems to have chosen to satisfy management on deadlines over the original spec...