Ibuildings blog

Programming guidelines - Part 4: Messages

In the previous parts of this series we looked at how to get rid of complexity at the level of algorithms. After discussing the problem of nulls in your code, we looked at object lifecycles and how to encapsulate them properly. Now that we have objects that can be constructed and changed only in valid ways, we need to look at how they communicate with each other and how we can improve our code with regard to that aspect.

Read more

Programming guidelines - Part 3: The life and death of objects

In the first part of this series we looked at ways to reduce the complexity of function bodies. The second part covered several strategies for reducing complexity even more, by getting rid of null in our code. In this article we'll zoom out a bit and look at how to properly organize the lifecycle of our objects, from creating them to changing them, letting them pass away and bringing them back from the dead.

Read more

Programming guidelines - Part 1: Reducing complexity

PHP is pretty much a freestyle programming language. It's dynamic and quite forgiving towards the programmer. As a PHP developer you therefore need a lot of discipline to get your code right. Over the years I've read many programming books and discussed code style with many fellow developers. I can't remember which rules come from which book or person, but this article (and the following ones) reflect what I see as some of the most helpful rules for delivering better code: code that is future-proof, because it can be read and understood quite well. Fellow developers can reason about it with certainty, quickly spot problems, and easily use it in other parts of a code base.

Read more

Hidden in plain sight: Brute Forcing Slack private files

Last year we switched to using Slack for all our internal communication and it's working out nicely. It's very developer centric in that it offers integrations with lots of services like Travis CI, GitHub, etc.

When we started using Slack, one of our developers was sending a file, had his developer console open and noticed that even though he had not chosen to share the file publicly, the API returned a public URL anyway. Much to his dismay, when he tried it out in a new private browsing window he could download his file without authentication!

Everything you share on Slack automatically becomes available on a public URL.

Concerned with the security of our communications (we don't share financials or credentials through Slack fortunately, but we may share company or customer sensitive information) I decided to look into it and make it a teachable moment on 'secret URLs'.

Read more

Using A JavaScript Style Guide

Using a style guide helps keep code readable, which makes it more maintainable. It can also prevent you from introducing bugs that are hard to spot (by making semicolons mandatory, for example). Enforcing a code style, however, is hard.

Read more

Which Drupal modules can you trust?

The software we build depends on an awful lot of other software: our framework (Drupal), third-party modules, libraries (server-side and client-side!), PHP and its extensions, the web server (Nginx / Apache), the OS (Linux), etc.

The question with security audits is always: how far do we go? Which third-party software should and shouldn't we audit?

For an application that uses Drupal, it's pretty clear that we should audit the custom configuration and code, as well as verify that none of the third-party library versions in use contain known vulnerabilities. But should we audit Drupal itself? Should we audit a popular third-party module like Views? How about a less popular one like the Feeds REGEX Parser? What if an alpha, beta or development version is used?

To help with decision making we built and released the Ibuildings Drupal Security Audit tools.

Read more

A PHP Developer's look back at OWASP AppSec.eu 2013

April 16, 2014

"So tell me, why do you use PHP, really?"

I'm sitting at the conference dinner, in the cargo room of the Cap San Diego in Hamburg, Germany, supposedly the 'largest cargo ship seaworthy museum in the world'. Across from me is a German student and OWASP volunteer. We've been talking for a while now; he looks forward to a future in pentesting, so he volunteered to help with OWASP AppSec Research 2013. AppSec is a conference on application security, hosted by the Open Web Application Security Project (OWASP). Sometimes they add 'Research' to it to encourage researchers to come and speak.

'Sigh. Here we go again,' I think as I hear the conversation around us stop, people listening in.

Read more

4 HTTP Security headers you should always be using

What started as a dream for a worldwide library of sorts has transformed into not only a global repository of knowledge but also the most popular and widely deployed application platform: the World Wide Web.
The poster child for agile, it was not developed as a whole by a single entity, but rather grew as servers and clients expanded its capabilities. Standards grew along with them.

While growing a solution works very well for discovering what works and what doesn't, it hardly leads to a consistent and easy-to-apply programming model. This is especially true for security: where ideally the simplest thing that works would also be the most secure, it is far too easy to introduce vulnerabilities like XSS, CSRF or clickjacking.

Because HTTP is an extensible protocol, browser vendors have pioneered a number of response headers that prevent, or at least raise the cost of exploiting, these vulnerabilities. Knowing what they are and when to apply them can help you increase the security of your system.
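As an added illustration for this post (example code written for this page, not the article's own), the following Python script parses a constructed HTTP response and checks it against a baseline of hardening headers. Which four headers the article itself recommends is in the post; the set checked here (X-Frame-Options or CSP frame-ancestors against clickjacking, Content-Security-Policy against XSS, X-Content-Type-Options against MIME sniffing, Strict-Transport-Security for TLS), the six-month HSTS threshold and both sample responses are my own assumptions.

```python
"""Audit the hardening headers of an HTTP/1.1 response.

Added example, not the original article's code. The header set, the
thresholds and the two sample responses below are assumptions made for
illustration; they are not captured from a real server.
"""

# Constructed sample responses: one with no hardening, one with a baseline.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Header names are case-insensitive, so they are lower-cased. If a header
    repeats, the last value wins, which is good enough for this audit.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")

    # Clickjacking: the page must not be frameable by arbitrary origins.
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN "
                        "and no CSP frame-ancestors")

    # XSS: a CSP that forbids inline script is the strongest browser-side
    # mitigation; 'unsafe-inline' throws most of that protection away.
    if not csp:
        findings.append("xss: no Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("xss: Content-Security-Policy allows 'unsafe-inline'")

    # MIME sniffing can turn an uploaded "image" into executable script.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("sniffing: missing X-Content-Type-Options: nosniff")

    # HSTS keeps the session on TLS after the first visit; parse max-age.
    max_age = 0
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if max_age < 15768000:  # six months, an assumed minimum for this audit
        findings.append("hsts: Strict-Transport-Security missing or max-age too short")

    return findings


def audit_raw_response(raw: str) -> list:
    """Convenience wrapper: audit a raw response string."""
    return audit_security_headers(parse_response_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw_response(raw) or "baseline met")
```

Run it as-is to see the four findings on the weak response and none on the hardened one; point `audit_raw_response` at a captured response (for example the output of `curl -si`) to audit a real endpoint.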

Read more

Co-development teams

In our software development projects we work with project teams. Depending on the type and size of the project, a team is assembled on the basis of the specific technical knowledge and skills of the developers. Often a team consists entirely of Ibuildings developers, but we also work in co-development teams in which the client's own developers work on the project alongside developers from Ibuildings.

In such a co-development project it is necessary to pay extra attention to a solid foundation for the project. Besides an introduction to the tools Ibuildings uses in software development projects, there also has to be agreement on the way of working that underlies the project. In other words, making sure that as a team we speak the same language.

Read more

Ready steady cook

Last Wednesday we had the last internal workshop of the year, and it covered best practices with Vagrant and Chef.

Read more

Workshops, workshops everywhere

Ibuildings regularly organises an internal workshop. These (mostly) cover technical topics, which are then worked out further by means of an assignment.

But how do you make a workshop on Symfony 2 and Domain Driven Design (DDD) interesting for everyone?

Read more

Secure your REST API with OAuth2 Implicit Grant

These last few years have seen the rise of some amazing frameworks oriented towards Single Page Applications (SPA) like ExtJS, AngularJS, Backbone, Ember, etc., following the trend of front-end and back-end separating. Client-side technologies are now managed by one team and back-end services by another. This separation of concerns is wonderful for implementors, as you only need a specification of the API to develop both sides concurrently. However, all this client-side functionality often leaves the question: how are we going to secure the API if, at least in theory, it should be open to the browser of any device anywhere on earth? (No, we do not support the ISS.) One caveat for readers today: the OAuth 2.0 Security Best Current Practice has since recommended the authorization code grant with PKCE over the implicit grant for browser-based applications, because a token delivered in the URL fragment is easily leaked and cannot be bound to the client.
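To make the exchange concrete, here is the implicit grant round trip in miniature, as an added example for this page rather than code from the article: the browser client builds the authorization request, a toy authorization server mints a bearer token and returns it in the URL fragment, and the REST API validates the token on every request. The endpoint URLs, client id, scopes and in-memory token store are hypothetical; the message shapes follow RFC 6749 section 4.2.

```python
"""Implicit grant (RFC 6749 section 4.2) for a browser-based client, in miniature.

Added example, not the article's code. AUTHZ_ENDPOINT, REDIRECT_URI, CLIENT_ID,
the scope names and ISSUED_TOKENS are hypothetical stand-ins for a real deployment.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://auth.example.com/authorize"  # hypothetical
REDIRECT_URI = "https://spa.example.com/callback"      # hypothetical, registered for the client
CLIENT_ID = "spa-demo"                                 # hypothetical


# ---- client side (in real life this runs in the browser) ----

def build_authorization_url(state: str, scope: str = "api.read") -> str:
    """Step 1: the SPA redirects the user agent to the authorization server."""
    params = {
        "response_type": "token",   # implicit grant: token, not code
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,             # unguessable value, checked on the way back
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(url: str, expected_state: str) -> dict:
    """Step 3: read the token from the fragment and verify the state.

    The fragment never leaves the browser, so the SPA's own server never sees the
    token; the API must validate it on every request instead.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if params.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return params


# ---- authorization server (toy, in-memory) ----

ISSUED_TOKENS = {}  # access_token -> {"scope": str, "expires": float}


def authorization_server_redirect(authz_url: str, user_consents: bool = True) -> str:
    """Step 2: mint a short-lived token and return the redirect URL.

    redirect_uri must match the registered one exactly, otherwise the token could
    be delivered to a URL the attacker controls.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(authz_url).query).items()}
    state = query.get("state", "")
    if query.get("client_id") != CLIENT_ID or query.get("redirect_uri") != REDIRECT_URI:
        raise ValueError("unregistered client or redirect_uri")
    if not user_consents:
        return REDIRECT_URI + "#" + urlencode({"error": "access_denied", "state": state})
    token, ttl = secrets.token_urlsafe(32), 3600
    ISSUED_TOKENS[token] = {"scope": query.get("scope", ""), "expires": time.time() + ttl}
    return REDIRECT_URI + "#" + urlencode({
        "access_token": token, "token_type": "bearer", "expires_in": ttl, "state": state,
    })


# ---- resource server (the REST API) ----

def api_request(authorization_header: str, required_scope: str = "api.read") -> int:
    """Return the HTTP status the API answers with for a given Authorization header."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    record = ISSUED_TOKENS.get(token)
    if record is None or record["expires"] < time.time():
        return 401  # unknown or expired token
    if required_scope not in record["scope"].split():
        return 403  # valid token, insufficient scope
    return 200


def demo() -> int:
    """Happy path: authorize, parse the callback, call the API."""
    state = secrets.token_urlsafe(16)
    callback = authorization_server_redirect(build_authorization_url(state))
    token = parse_callback(callback, state)["access_token"]
    return api_request("Bearer " + token)


if __name__ == "__main__":
    print(demo())
```

The two checks that matter most in this flow are the exact `redirect_uri` match on the authorization server and the `state` comparison on the client; drop either and the token in the fragment can be stolen or injected.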

Read more

ETags for the Uninitiated

Yet, ETags are one of the features that are the hardest to get right. Sometimes it's not even clear how they work, and while there's a lot out there on the subject, it can also be difficult to put it all together. Developers frequently play either the client or the server role in this exchange, which can make the responsibilities even more confusing.

In this series of blog posts we're going to look at ETags from both perspectives. First, a client trying to consume an ETag-enabled API: by focusing on the client side, we can concentrate on the features ETags offer and learn how these are supposed to look in a perfectly implemented world. In a later post, we'll look at the gory details of how that API implements ETags and performs the appropriate checks.
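The client-side behaviour described above, as an added example that is not part of the original post: a small client that sends `If-None-Match` on reads and `If-Match` on writes, with a toy server included so the file runs stand-alone and the two roles can be seen side by side. The resource path, the hash-based ETag scheme and the 428 response for a write without `If-Match` are assumptions for illustration; the 304 and 412 semantics are those of HTTP.

```python
"""Conditional requests with ETags: client and toy server in one file.

Added example, not the article's code. The in-memory resource, the hash-based
ETag scheme and the 428 answer for a missing If-Match are assumptions.
"""
import hashlib
import json

# Constructed in-memory resource; in real life this is a database row.
_STORE = {"/items/1": {"name": "widget", "qty": 3}}


def _etag_for(doc: dict) -> str:
    """Strong ETag derived from the canonical JSON representation."""
    body = json.dumps(doc, sort_keys=True).encode()
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def _tags(header_value: str) -> list:
    return [t.strip() for t in header_value.split(",")]


def server_get(path: str, headers: dict) -> tuple:
    """GET with If-None-Match: answer 304 and no body when the client copy is current."""
    doc = _STORE[path]
    etag = _etag_for(doc)
    inm = headers.get("If-None-Match")
    if inm is not None and ("*" in _tags(inm) or etag in _tags(inm)):
        return 304, {"ETag": etag}, None
    return 200, {"ETag": etag}, dict(doc)


def server_put(path: str, headers: dict, new_doc: dict) -> tuple:
    """PUT with If-Match: answer 412 if the resource changed since the client read it.

    Without If-Match the server cannot tell a deliberate overwrite from a lost
    update, so this toy refuses with 428 Precondition Required.
    """
    current_etag = _etag_for(_STORE[path])
    if_match = headers.get("If-Match")
    if if_match is None:
        return 428, {}, {"error": "If-Match required"}
    if if_match != "*" and current_etag not in _tags(if_match):
        return 412, {"ETag": current_etag}, {"error": "precondition failed"}
    _STORE[path] = dict(new_doc)
    return 200, {"ETag": _etag_for(new_doc)}, dict(new_doc)


class Client:
    """Tiny API client that caches one representation per path with its ETag."""

    def __init__(self):
        self.cache = {}  # path -> (etag, doc)

    def get(self, path: str) -> dict:
        headers = {}
        if path in self.cache:
            headers["If-None-Match"] = self.cache[path][0]  # ask "only if changed"
        status, resp_headers, body = server_get(path, headers)
        if status == 304:
            return self.cache[path][1]  # nothing changed: reuse the cached copy
        self.cache[path] = (resp_headers["ETag"], body)
        return body

    def update(self, path: str, new_doc: dict) -> int:
        """Optimistic concurrency: write only if the server still has what we last saw."""
        etag = self.cache[path][0] if path in self.cache else "*"
        status, resp_headers, body = server_put(path, {"If-Match": etag}, new_doc)
        if status == 200:
            self.cache[path] = (resp_headers["ETag"], body)
        return status


def lost_update_scenario() -> tuple:
    """Two clients read the same item; the second writer must be refused with 412."""
    alice, bob = Client(), Client()
    alice.get("/items/1")
    bob.get("/items/1")
    first = alice.update("/items/1", {"name": "widget", "qty": 2})
    second = bob.update("/items/1", {"name": "widget", "qty": 10})
    return first, second, _STORE["/items/1"]["qty"]


if __name__ == "__main__":
    print(lost_update_scenario())
```

Note that a strong ETag is only safe to derive from the representation the server actually sends; if content negotiation or compression changes the bytes, the validator has to change with them.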

Read more