Search - "what is security"
Fuck the memes.
Fuck the framework battles.
Fuck the language battles.
Fuck the titles.
Anybody who has been in this field long enough knows that it doesn't matter if you're Linus fucking Torvalds, there is no human who has lived or ever will live that simultaneously understands, knows, and remembers how to implement, in multiple languages, the following:
- jest mocks for complex React components (partial mocks, full mocks, no mocks at all!)
- token cancellation for asynchronous Tasks in C#
- fullstack CRUD, REST, and websocket communication (throw in gRPC for bonus points)
- database query optimization, seeding, and design
- nginx routing, https redirection
- build automation with full test coverage and environment consideration
- docker container versioning, restoration, and cleanup
- internationalization on both the front AND backends
- secret storage, security audits
- package management, maintenance, and deprecation reviews
- integrating with dozens of APIs
- fucking how to center a div
and that's a _comically_ incomplete list; barely scratches the surface of the full range of what a dev can encounter in a given day of writing software
have many of us probably done one or even all of these at different times? surely.
but does that mean we are supposed to draw up some cookie-cutter solution at a moment's notice like a fucking robot and spit out an answer on a fax sheet?
recruiters, if you read this site (perhaps only the good ones do anyway so it's wasted oxygen), just know that whoever you hire it's literally the luck of the draw of how well they perform during the interview. sure, perhaps some perform better, but you can never know how good someone is until they literally start working at your org, so... have fun with that.
Oh and I almost forgot, again for you recruiters, on top of that list which you probably won't ever understand for the entirety of your lives, you can also add writing documentation, backup scripts, and orchestrating / administrating fucking JIRA or actually any somewhat technical dashboard like a CMS or website, because once again, the devs are the only truly competent ones - and i don't even mean in a technical sense, i mean in a HUMAN sense of GETTING SHIT DONE IN GENERAL.
There's literally 2 types of people in the world: those who sit around drawing flow charts and talking on the phone all day, and those WHO LITERALLY FUCKING BUILD THE WORLD
why don't i just run the whole fucking company at this point? you guys are "celebrating" that you made literally $5 dollars from a single customer and i'm just sitting here coding 12 hours a day like all is fine and well
i'm so ANGRY it's always the same no matter where i go, non-technical people have just no clue, even when you implore them how long things take, they just nod and smile and say "we'll do it the MVP way". sure, fine, you can do that like 2 or 3 times, but not for 6 fucking months until you have a stack of "MVPs" that come toppling down like the garbage they are.
How do you expect to keep the "momentum" of your customers and sales (I hope you can hear the hatred of each of these market words as I type them) if the entire system is glued together with duct tape because YOU wanted to expedite the feature by doing it the EASY way instead of the RIGHT way. god, just forget it, nobody is going to listen anyway, it's like the 5th time in a row in my life
we NEED tests!
we NEED to know our code coverage!
we NEED to design our system to handle large amounts of traffic!
we NEED detailed logging!
we NEED to start building an exception database!
BILBO BAGGINS! I'm not trying to hurt you! I'm trying to help you!
Don't really know what this rant was, I'm just raging and all over the place at the universe. I'm going to bed.

Storytime!
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Something started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Cheers!

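The root cause in the story above is a JSON config, API key included, served from a public endpoint, and nobody noticing until the bill arrived. The scanner below is an added example, not the poster's code: it walks a parsed config the way a CI step would before the file is published, flags values that match well-known key formats (the Google `AIza...` and AWS `AKIA...` shapes are documented and public) or sit under credential-looking names, and produces a redacted copy that is safe to serve. The sample config, the placeholder key and the value names are constructed for illustration.

```python
"""Flag credential-looking values in a JSON config before it is served from a public endpoint.

Added example, not the poster's code. The config below, the placeholder key and the value
names are constructed for illustration.
"""
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Well-known credential formats. Both are public, documented key shapes; the list is
# deliberately short and would be extended for a real deployment.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
}

# Leaf names that mark a value as a credential even when its format is not recognised.
SUSPICIOUS_NAME_WORDS = ("key", "secret", "token", "password")

REDACTED = "<REDACTED>"


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, leaf value) pairs for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def _classify(path: str, value: Any) -> Optional[str]:
    """Return the finding kind for one leaf, or None when it looks harmless."""
    if not isinstance(value, str) or not value or value == REDACTED:
        return None
    for kind, pattern in SECRET_PATTERNS.items():
        if pattern.search(value):
            return kind
    leaf_name = path.rsplit(".", 1)[-1].lower()
    if any(word in leaf_name for word in SUSPICIOUS_NAME_WORDS):
        return "suspicious_key_name"
    return None


def find_secrets(config: Any) -> List[dict]:
    """List every leaf that must not reach a public endpoint, with its path and why."""
    return [
        {"path": path, "kind": kind}
        for path, value in _walk(config)
        if (kind := _classify(path, value)) is not None
    ]


def redact(node: Any, path: str = "$") -> Any:
    """Copy of the config with flagged values blanked: the version that may be served publicly."""
    if isinstance(node, dict):
        return {key: redact(value, f"{path}.{key}") for key, value in node.items()}
    if isinstance(node, list):
        return [redact(value, f"{path}[{index}]") for index, value in enumerate(node)]
    return REDACTED if _classify(path, node) else node


# Constructed sample: roughly what a CMS front-end config might look like. The key matches
# the documented Google API key shape but is a placeholder, not a real credential.
SAMPLE_CONFIG = json.loads("""
{
  "appName": "cms-frontend",
  "apiBase": "https://cms.example.test/api",
  "maps": {
    "scriptUrl": "https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234",
    "defaultZoom": 12
  },
  "analytics": {"writeKey": "wk_live_constructed_value"},
  "features": ["search", "geocode"]
}
""")

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_CONFIG):
        print(f"{finding['kind']:<20} at {finding['path']}")
    print(json.dumps(redact(SAMPLE_CONFIG), indent=2))
```

Run it against the real config file with `json.load` in place of the constructed sample and fail the pipeline when `find_secrets` returns anything; the point is that a key embedded in a script URL is caught just as well as one sitting under a `key` field.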
DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY WHAT LANGUAGE AND WHAT VERSION IT IS WRITTEN IN.
Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The software company was quite successful and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss that we need time to upgrade. But he said every time, no one pays for a tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possible security issues.

I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works

Other team lead: Hi DevOps Team, We need you to deploy this app to production. Its maintainers gave up on it in 2019, but we looked at it and it feels right.
Me: Uhm. That's not going to work. It'll fail the security scan before you can even finish the build in CI.
Other team lead: Yeah, this app is the right thing to do, and we needed it last week, but since that won't work, we'll just use this other very very infant technology that was just born yesterday. It's not stable in production, or on MySQL, or in AWS at all, but it's the other direction we can go.
Me: What problem are you trying to solve in the first place?
Other team lead: Oh, we need access to read from the production database.

I f**king hate it here. I am just eyeing to exit as soon as 1 year of my contractual obligation is over. My employer is a good employer. Provides good benefits but I just can't take the bureaucrazy in here. Just yesterday, had to ask another team to deploy objects on our behalf as they are the schema owner. They did it and asked us to review it today. But how? We don't even have manual access to the schema, because we are not the content owner and security! But that's fine, I can always query the catalog views and check the metadata and should be able to conclude the deployment. Right? NOOOO. Because security! Of what? Column names?
Prev rant: https://devrant.com/rants/5145722/...

so... the next step from programmer/developer is always an entrepreneur/business?
i see my daily work : i open my laptop, i see tickets from my company which include bug fixes, new feature development, some discussions , etc. i fix the bugs, make the features, add my points in discussion and the day is done.
from company's point of view, i am an ideal developer. in some years i will become a senior dev, which i guess involves similar stuff but different weightage (or is it different? please comment) . after that, we become tech lead , then engineering lead , then mts1 then mts 2... etc
i am guessing you guys must have similar trajectories in your company. from what i know, some people don't continue this trajectory (from boredom, lust for money , other reasons) and instead go on building a new product / starting a company , going into managerial/ entrepreneurial role.
so this is one kind of goal : "i will learn tech enough to launch my own company and be a ceo of it". i can't relate much to it. why go into tech when you wanna launch a product? why not just go into business schools from day 1 and get business knowledge?
anyways the above are the questions that i don't really want an answer for, those are just my criticisms.
but my main question is : what about those people who DON'T want to go on launching some business?
- do you people exist?
- what's your goal? is it around the lines of "learning all the tech of the world to be the cto or chief engineer of a company"
- how do you plan to achieve it?
honestly i want to be the second kind of person, i.e the one who always codes/ aims to code but can't seem to find a proper path/goal to it. plus the job security that i have seen with businesses/entrepreneurs throughout my life, my introvert mind fails to see "just coding" as a success.
i am 23, but i fear that when i am 40 and my 5 yo kids come home and see their dad sitting at a laptop "just coding", they will feel more insecure than their friends whose father has some shop or is the founder of some funded startup
(40 yo dads, share your views on life too, please)

Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.
Want to use web components? Nope.
Want to pass in a value to a function in a click listener expression? Nope.
Want to use scss? Nope, compile it to css yourself.
Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.
Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??
LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.
There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.

I've been in IT for a while now, maybe 15ish years. Was always into security, networking, programming. Worked my way up, so to speak, to field I wanted. A while back I got what I considered a "dream job" and now I am not so sure. Many parts of it are not what I expected: people, workflow, work quality. The thing is, I don't think I want to be in my specific field anymore, maybe not even tech. I have considered a career change but I'm unsure of what I'd want to do and feel like I'll be fumbling around and going backward.
Has anyone gotten out of a situation like this, changed careers or sub-career even?

CORS is shit
Stupid useless shit that protects from nothing. It is a harmful mechanism that does nothing but randomly block the browser from accessing resources - nothing more.
The main idea of CORS is that if the server does not send the proper header to an OPTIONS request, the browser will block other requests to that server.
What do the stupid cocksuckers that invented CORS think their retarded shit can protect from?
- If the server is malicious, it will send any header required to let you access it.
- If the client has malicious intent, he will never use your shit browser to make requests; he will use curl or any other tool available. Also, if server security is based on something as unreliable as the HTTP headers it sends to the client, it's a shit server, and CORS will not save it.
Can anyone give REAL examples of when CORS can really protect from anything?

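The rant asks what CORS can protect; the model below, an added example rather than anything from the post, runs both sides of one exchange so the answer can be read off the results. The server side is an origin allowlist (what a correct configuration looks like, as opposed to echoing whatever Origin arrives). The browser side is the check that actually enforces the policy: it decides whether the page that issued a cross-origin request gets to read the response, and whether a non-simple request is sent at all after a failed preflight. The scenario to watch is a cookie-bearing GET from a foreign origin: the request does reach the server, but the page never sees the reply. The origins and policy values are constructed.

```python
"""Both sides of one CORS exchange: the server's origin allowlist and the browser's enforcement.

Added example, not the poster's code. The origins and policy values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Requests the browser sends without asking first (the "simple request" rules).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


@dataclass
class Policy:
    """Server-side policy: an explicit allowlist, never a blind echo of the Origin header."""
    allowed_origins: Set[str]
    allow_credentials: bool = False
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "POST"})
    allowed_headers: Set[str] = field(default_factory=lambda: {"content-type", "authorization"})


def _non_simple_headers(headers: Dict[str, str]) -> List[str]:
    """Header names the browser would list in Access-Control-Request-Headers."""
    listed = []
    for name, value in headers.items():
        lname = name.lower()
        media_type = value.split(";")[0].strip().lower()
        if lname not in SIMPLE_HEADERS or (lname == "content-type" and media_type not in SIMPLE_CONTENT_TYPES):
            listed.append(lname)
    return listed


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True when the browser must send an OPTIONS preflight before the real request."""
    return method.upper() not in SIMPLE_METHODS or bool(_non_simple_headers(headers))


def server_cors_headers(policy: Policy, origin: Optional[str], preflight: bool = False,
                        requested_method: Optional[str] = None,
                        requested_headers: Iterable[str] = ()) -> Dict[str, str]:
    """Headers a correctly configured server adds; an unlisted origin gets none (a refusal)."""
    if origin is None or origin not in policy.allowed_origins:
        return {}
    if preflight:
        if requested_method and requested_method.upper() not in policy.allowed_methods:
            return {}
        if any(h.lower() not in policy.allowed_headers for h in requested_headers):
            return {}
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}  # Vary: caches must not mix origins
    if policy.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(policy.allowed_methods))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(policy.allowed_headers))
    return out


def browser_exposes_response(page_origin: str, response_headers: Dict[str, str],
                             with_credentials: bool = False) -> bool:
    """The browser's check. It runs on the response, so the server has already seen the request;
    what is decided here is whether the calling page may read the result."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # a wildcard never unlocks credentialed responses
    if acao != page_origin:
        return False
    return not with_credentials or response_headers.get("Access-Control-Allow-Credentials") == "true"


def cross_origin_fetch(policy: Policy, page_origin: str, method: str,
                       headers: Optional[Dict[str, str]] = None,
                       with_credentials: bool = False) -> Dict[str, bool]:
    """Run the exchange and report whether the request reached the server and whether the page
    got to read the response; the gap between the two is the whole point of CORS."""
    headers = headers or {}
    if needs_preflight(method, headers):
        preflight = server_cors_headers(policy, page_origin, preflight=True,
                                        requested_method=method,
                                        requested_headers=_non_simple_headers(headers))
        if not browser_exposes_response(page_origin, preflight, with_credentials):
            return {"request_sent": False, "response_readable": False}
    response = server_cors_headers(policy, page_origin)
    return {"request_sent": True,
            "response_readable": browser_exposes_response(page_origin, response, with_credentials)}


# Constructed policy: a cookie-authenticated API that only its own front end may call.
POLICY = Policy(allowed_origins={"https://app.example.test"}, allow_credentials=True)

if __name__ == "__main__":
    for origin, method, headers in [
        ("https://app.example.test", "GET", {}),
        ("https://evil.example.test", "GET", {}),
        ("https://evil.example.test", "PUT", {"Content-Type": "application/json"}),
    ]:
        print(origin, method, cross_origin_fetch(POLICY, origin, method, headers, with_credentials=True))
```

Two things the model makes visible: curl is irrelevant to this check, because the policy is enforced by the browser holding the victim's cookies, not by the server; and a simple request is still delivered, so CORS limits what a foreign page can read, and a server that wants to refuse state-changing requests from other origins needs its own check (CSRF tokens or the Origin header) on top.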
The IT manager said that the site on my private VPS, where we are using a small tool as reference, is a security issue and what if it may be hacked... Well, from this point of perspective all the websites shall be switched off. The tool lowered the problem resolution from 30 to 2 minutes.. I have asked for an on-premise server before but no one gave a shit so I hosted it on my private VPS. I won't give it back for free, it's a sure thing. Soon they will start to get the complaints that it's offline because the customer is using it for debugging too. I feel like IT and dev are really moving apart. They act as a bunch of pathetic jealous guys who couldn't learn programming and ended up installing windows on machines...

So, I've been with my current employer four years now, three and a half of which have been spent working as a time and material developer for a huge fashion company. I've been trying to get out of it for the past six months only for my exit to be postponed every time. There's also no clear idea as to what I would be moved to, going forward. Nobody is telling me a thing and I think other developers will be moved to different projects before I do.
That's why I took matters into my own hands and started getting back into the recruitment process. I'm about to receive an offer. A fairly better one.
The thing is, I wanna use such an offer to see if my current employer can redeem himself and propose to me a good counter offer. I'm not in the mood of starting over, but I want security and management to have a fucking idea of what my future is gonna be like at this fucking company.
What do you guys think? Am I playing with fire?

hey guys. i want to learn and make a spring based backend that would provide endpoints for a db and also serve some webpages. any good/modern resources that could build upon my current knowledge and explain it to me in a sequential manner?
I make android apps in java/kotlin which uses gradle for compiling dependencies, so i kinda understand some basic java software architecture.
i would prefer gradle/kotlin based tutorials but maven + java tutorials are also not a problem. my main problem is to get an idea of the various "built in stuff":
- how the app works?
- how the security works? what are those configs? how can i provide role based access, google authentications, associate security with user based db, etc... (i also don't have much idea about any general backend stuff so theoretical knowledge will also help greatly)
- how do beans work? can we avoid their xmls and/or customize them from java code?
- how do application.properties work?
- ...
i have a lot of questions but every article i read starts with "add this dependency in your project", "override this class". like am i just supposed to enable some flags and features automatically get added to my project? doesn't this limit the customisation options? and if they are limited then how much are those customisation options? i wanna understand them all and then choose the ones that are essential