Static Website Development

I love static websites. And that love has only grown over time. I started my career building dynamic websites with database backends and those are great, but they require a lot more mental energy to build and secure. Static websites, on the other hand, require very little effort and are very resilient to being attacked. So this article explains how I build static websites these days. It may not be what you use and that’s fine, we can both celebrate our differences. ...

February 6, 2020 · 10 min · 2031 words · Scott Brown

Site Redesign

As you can probably tell, the site has been redesigned for 2020. It has been 7 years since I made the initial design and I felt it was time for it to be refreshed, as well as to provide a better experience for readers on mobile devices. I used Bulma for the CSS framework and VueJS for interactivity. I really like working with Bulma; I find it has a simpler grammar than Bootstrap and is more tweakable as well. The elements and components that can be made aren’t as feature-rich as Bootstrap’s, but overall I find that I don’t need them for what I do. I used Bulma first on my resume and since that was a breeze, I have started using it on other projects as well. But I held off on using it on this website as the original design wasn’t my best work, so I had to first bushwhack through bad Sass and HTML. Thankfully, ripping out Bootstrap and replacing it with Bulma was so easy that I got it done in 4 hours. ...

February 5, 2020 · 3 min · 477 words · Scott Brown

My Favourite Quotes

This post will be a living document that stores all my favourite quotes. At this point, I’m not going to comment on the quotes themselves, or why I find them good. I typically keep these in a private document, but I want to just share them with you and maybe you will think about how they fit into your mindset. Or maybe the quote means nothing to you and you move on. That’s fine too. ...

February 5, 2020 · 1 min · 212 words · Scott Brown

2019 Playlist

These are the songs I was listening to this year.

Where Are You Now? – Lady Leshurr, Wiley – Where Are You Now?
Mad Love – Sean Paul, David Guetta, Becky G – Mad Love
One Click Headshot – Feed Me – Feed Me’s Escape from Electric Mountain
Love Is All I Got – Feed Me, Crystal Fighters – Calamari Tuesday
Be Nice – Black Eyed Peas, Snoop Dogg – Be Nice
Summer Days – Martin Garrix, Macklemore, Fall Out Boy – Summer Days
Intoxicated – Martin Solveig, Good Times Ahead – Intoxicated
Get Up (Rattle) – Bingo Players, Far East Movement – Get Up (Rattle)
Chameleon – PNAU – Chameleon
Instruction – Jax Jones, Demi Lovato, Stefflon Don – Snacks
Work Bitch – Britney Spears – Britney Jean
Drop That Low (When I Dip) – Tujamo – Drop That Low (When I Dip)
I Love It – Icona Pop, Charli XCX – THIS IS… ICONA POP
Five More Hours – Deorro, Chris Brown – Good Evening
I Like It - Dillon Francis Remix – Cardi B, Bad Bunny, J Balvin, Dillon Francis – I Like It
Way To Break My Heart – Ed Sheeran, Skrillex – No.6 Collaborations Project
Antisocial – Ed Sheeran, Travis Scott – No.6 Collaborations Project
Freelance – Toro y Moi – Outer Peace
Harder – Jax Jones, Bebe Rexha – Snacks
When the Rain Begins to Fall – Jermaine Jackson, Pia Zadora – Jermaine Jackson
Moonlight – Gaullin – Moonlight

And that’s it for 2019! See you next year! ...

December 31, 2019 · 2 min · 254 words · Scott Brown

A Refactoring Story in Four Parts

I recently tweeted about how people new to programming, or companies that look for candidates and give them programming tests, don’t understand that the first code one writes is just a draft. It can take several edits (so-called “refactors”) to tease out a good, workable, testable, and ultimately simple solution. So here’s a story of how I recently refactored my code 3 times before arriving at a final solution. This happened over the span of a day as I thought about and shaped the code into a format that can be easily tested and understood by others. The code is from a private project, so I am only presenting snippets here and some of the package names and variables have been changed for privacy. ...

October 11, 2019 · 7 min · 1370 words · Scott Brown

Enforcing Least Privilege When Logging Lambda Functions to CloudWatch

UPDATE 2019-10-07: There is a bug in CloudFormation when outputting the LogGroup ARN. See the change below in 4. Define a Policy.

UPDATE 2020-06-16: Thanks to jplock, I have fixed an error in the ARN syntax for log-group, where a / should have been a :.

I notice that the AWS documentation and even their managed policies (e.g. AWSLambdaBasicExecutionRole) all provide users with insecure examples of how to set up permissions for their Lambda functions to emit their logs to CloudWatch Logs. The permissions are not least privilege, meaning they grant the Lambda function more permission than is necessary and can lead to unintended consequences. Let’s look at the common example given to users: ...

September 20, 2019 · 6 min · 1089 words · Scott Brown

Improved Iterative CloudFormation Infrastructure Development

I love using CloudFormation for provisioning AWS services, but one of the more annoying aspects of working with it is that setting up the initial CloudFormation stack is an all-or-none endeavour. This is in contrast to when a stack already exists and is being updated, where changes are reversible and the stack is almost always left in a working state. This annoyance is compounded when I write a stack definition with multiple resources and, as inevitably happens, there is a typo somewhere. CloudFormation dutifully creates all the resources, trips on the error, and rolls back the entire stack to nothingness. Then I need to delete the stack and start again instead of issuing an update or changeset request. It’s a time-sink and I wanted to find a better way. ...

September 19, 2019 · 2 min · 420 words · Scott Brown

Things I Like About Go

I have been writing a lot of code in Go lately and recently I was asked by someone why I write in Go. Being put on the spot, I didn’t really have an answer, but it did get me thinking about why I like this language over the other languages I work with (Java, Ruby, Python, JavaScript). So without any further ado, here are some things I like about working with Go. ...

August 30, 2019 · 9 min · 1781 words · Scott Brown

The Take-Home Test

Recently I was approached by an internal recruiter looking for someone who dabbles in Cloud, software development, infrastructure and security (so-called “Cloud DevSecOps”). The initial conversations went extremely well and I was moved onto the next stage where I was told my AWS skills would be “assessed.”

The Setup

To my surprise, the assessment meant that I would be given a take-home test, which is an odd way to test someone’s Cloud security skillset. After all, what could they do, grant me access to their AWS account and start racking up charges as I harden the system? All I was given in the preparatory materials was the idea that I would be integrating a third-party SSO provider into a Web application. Okay, this sounds oddly vague but, in a way, it may have a bit to do with Cloud Security. I set aside what limited free time I have these days and submitted a form that informs me that the test will begin and a timer will start. ...

August 5, 2019 · 17 min · 3418 words · Scott Brown

Make Amazon Host Your Lambda Code

A common pattern I see used by Engineering teams when I provide security consulting is them creating Lambda functions and hosting their code in their own S3 buckets. This S3 bucket means the Engineering team needs to secure the bucket, which means the following controls are active and maintained:

no public S3 access (bucket or object)
access logging (logs are sent to yet another bucket!)
default encryption of all objects
access control and monitoring
backups
failover region
segregation of code written by different departments

…and that’s just the start. All of that is tedious and creates security busy-work, not to mention you are still responsible for those code assets. Since AWS is hosting my Lambda function, they can host my code too. Here’s how you do it. ...

July 14, 2019 · 3 min · 482 words · Scott Brown