Aiming for (at least minimum) quality software

Posted by Bart Klinge on January 12, 2024

In the summer of 2022, I had a child; a beautiful son who can’t stop trying to get himself hurt, or worse. Luckily, next to us being vigilant all the time, the world tries to help us a bit. A recent, real-life example I saw was a stuffed elephant. Either they put warnings on their product (like 3+), or they make sure that it is a suitable quality for their sweet spot customer. For my kid (3-), this means that his toy is safe and has no small parts that can almost be swallowed. Because he likes to break things, the toy should also be robust, perform well and, last but not least, be accessible. Kids tend to be on the tiny side, so their hands need to be able to grab the toy.  

For TOPdesk this isn’t any different. To have our product suitable for our customers it should adhere to a certain level of quality. It should have no security leaks that put a lump in your throat, no crashing environments, and be accessible for a wide group of users. Next to that, as TOPdesk, we want to build one product that is consistent throughout all the different components. This means we need to have a quality baseline that is shared among all teams.  

Read more

Why you should go to a conference in person

Posted by Joep Weijers on September 12, 2023

TOPdesk provides each developer with a budget and time to broaden and deepen their knowledge. I recommend investing such a budget in visiting a conference in person.

Why attend conferences?

TOPdesk SEE conference

In an industry that is changing as fast as the software industry, it is imperative to keep your knowledge up to date. A conference is one of the tools to stay informed on what is happening in the industry. Other examples include reading blogs, following industry leaders on Twitter, or listening to podcasts. A conference bundles a year's worth of innovations and best practices and offers them in a one- or multi-day package.

Read more

Summer Internship Development 2023: TOPdeck

Posted by Violeta Chatalbasheva on August 28, 2023

Working during the summer? That is an idea that most of us students would immediately throw out the window. And indeed, I would agree if I had not done the Development Summer Internship at TOPdesk! Not only have I never imagined how much fun one can have at the workplace, but also, I would have never believed that such a brief period, 2 months, could teach me so much about programming and working in a team. And I have only TOPdesk to thank for this! If you think this is too good to be true, let me convince you otherwise. 

Software Development Interns
Teams Enigma and Sanderellas
Read more

Upgrading from JavaEE to JakartaEE using OpenRewrite

Posted by Joep Weijers on April 26, 2023

In our software, we have transitive dependencies on code from Java’s Enterprise Edition (JavaEE). The code is typically in javax.* packages. The owner of Java, Oracle, open-sourced the JavaEE specification and donated it to the Eclipse Foundation. This however came with one very impactful condition: the trademarked Java name may no longer be used in the specifications. Renaming the specification to JakartaEE was pretty easy. Renaming all the packages to jakarta.* was not. This means that all code depending on JakartaEE has to be updated to use the new packages. Although some libraries manage to handle both javax.* and jakarta.* packages at the same time, you really want to have only one of them. That also means that all libraries you use have to be updated to use jakarta.* packages before you can successfully update your own code. Here is how we did it:

Read more

Six Questions for a Quick & Easy Root Cause Analysis

Posted by Hollis Hazel on March 8, 2022

What’s a Root Cause Analysis?

When an issue is found at a customer, my team first solves the issue. Then we take a closer look at how the issue occurred to see how we can prevent the same thing from happening again.

How do I do one?

A Root Cause Analysis is otherwise known as a bug retrospective. There are many models and frameworks available, like the Five Whys or Fishbone Diagrams. But at its core, a Root Cause Analysis is very straightforward. You just want to know two things:

  1. What happened?
  2. How can we prevent this from happening again?

To help you get started, I want to share my guide to a Quick and Easy Root Cause Analysis.

Read more

Language and accessibility on the internet.

Posted by Floris Claassens on February 17, 2022

A gathering of research, bad opinions and some extra curiosities

Screen readers are a great piece of software that help people with a visual impairment navigate the digital world. Though screen readers can interpret a lot of web content without any help, from time to time they do need some cues from developers on how to interpret the content. One of those cues is the language of the page. Many people will consume multilingual content at some point in their life. Screen readers need a way to find out which language to use for their pronunciation.

On the internet screen readers use the “lang” attribute (short for language) which can be set on the html element of the page. As the value of this attribute developers can use a (usually) two to four letter code to designate the main language of the page. The first two letters depict the language, and the last two letters depict the dialect. For example, fr-fr is the code for metropolitan French while fr-ca is the code for Canadian French. If you are familiar with SEO (search engine optimization) you might also have heard about the “hreflang” attribute, which uses the same language codes. Though they might seem very similar, they serve a very different purpose.

Read more

Solving the “artifact has been relocated” warnings in Maven 3.8.3

Posted by Joep Weijers on January 21, 2022

After updating to Maven 3.8.3, we get several warnings regarding the relocation of artifacts in our Maven builds. See for example the output of using Maven’s dependency plugin to analyze the dependency usage of an empty Maven project:

$ mvn dependency:analyze
[INFO] --- maven-dependency-plugin:2.8:analyze (default-cli) @ relocation-messages ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] No dependency problems found

Read more

Understanding Java Native Calls

Posted by David McCann on March 4, 2021

When programming in Java, you usually don’t have to care about how the JVM interacts with the operating system. However, there are cases where a basic understanding of these mechanisms can be useful. In this blog post, I will give a brief overview of how Java native calls work. I’m going to show you how to use that knowledge to track down bugs in your application.

Read more

How Screen reader users read the web

Posted by Anna Maier on December 14, 2020

When making a web site accessible, you inadvertently run into the topic of screen readers. Screen readers help people with visual impairments understand what is on the screen.

Few people think about the implications of having visual content translated into an auditory representation. In this article, I want to explain how screen reader users “hear” the web, what strategies they apply when confronted with a new web site and how you can make their life a bit easier.

Read more

Extracting a Heap Dump from a running OpenJ9 Java process in Kubernetes

Posted by Joep Weijers on November 26, 2020

At TOPdesk we run many Java services in our Service Architecture. We use the AdoptOpenJDK OpenJ9 JRE as the base image for our services running in Kubernetes. In this post we will find out how to get a Java Heap Dump from a Java application running on the OpenJ9 JRE.

A Java Heap Dump is a snapshot of all the objects that are in memory in the JVM at a certain moment. Typically, a heap dump is created at the moment a Java application crashes because it runs out of memory. The heap dump can then show you what the application was doing in its dying moments, providing insight into potential memory leaks.

Read more

Difficulties in API design: Resource State

Posted by Riaas Mokiem on November 2, 2020

In this series of articles, I’d like to address some of the difficulties that occur during the design of REST APIs. This article is about difficulties with designing a resource that behaves differently under different circumstances. We call these circumstances its state. A REST API should present the resource state in a fundamentally different way than what most developers would already be familiar with. Because of this, developers will often present the resource state in a way that doesn’t adhere to the REST constraints. This in turn means we don’t get the benefits intended by those constraints.

Read more

Summer Internship Development 2020: Workload Forecasting

Posted by Yash Mundhra on August 28, 2020

You have probably heard it a ton of times by now: “2020 has been an unforgettable year”. However, the summer of 2020 is truly unforgettable for us, mostly due to the TOPdesk Summer Internship. Together with a bunch of talented students from different backgrounds we started our journey with similar goals in mind; to improve our software development skills, make some money and of course, enjoy the summer holidays!

Team Fortune Tellers
Read more

Difficulties in API design: Domain

Posted by Riaas Mokiem on April 24, 2020

In this series of articles, I’d like to address some of the difficulties that occur during the design of REST APIs. This article is about difficulties with determining and understanding the domain. In the previous article, I discussed the difficulties with resources, which you should express in terms of the domain. This requires you to determine what domain is relevant to your API and understand it fairly well. This makes the domain an important part of API design.

Read more

The technical aspect of public speaking: coming on stage

Posted by Joep Weijers on February 7, 2020

Your presentation starts in a few minutes. It is your time to shine. You plug in your laptop and nothing happens. No slides on the big screen behind you. An already stressful moment becomes even more stressed. You’re starting to lose your audience.

Nobody wants to be in this situation. Here are some tips to make getting on stage a smooth process, even if unexpected events occur.

Read more

The technical aspect of public speaking: preparing slides

Posted by Joep Weijers on January 29, 2020

Public speaking can be pretty stressful. All eyes will be on you and the last thing you wish to happen is a problem with your slides or microphone. A flawless presentation requires proper preparation. We have gathered some best practices, drawn from practical experience, to help you prepare your presentation. With these tips and tricks you will confidently walk on-stage, knowing that slides and sound will not hamper your presentation.

Read more

Testing Accessibility with Accessibility Insights

Posted by Anna Maier on December 9, 2019

There are many tools out there that help you check if your website or webapp is accessible. Most of them do an automatic check based on some accessibility guidelines. Some also provide functionality to do checks yourself, for example, to check the color contrast. The open source tool Accessibility Insights takes a different approach: on top of the usual automated checks there is a set of guided manual checks. This makes it a great tool to learn about accessibility testing and programming.

Read more

“We take your Security Seriously” – part 3

Posted by Martijn van Lambalgen on October 29, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). In my opinion it’s a bad excuse if you present it after everything has fallen apart and only then start working on it. You need to work on it every day.

In this series of 3 blog posts we’d like to share a bit of the Serious work we’re doing at TOPdesk to Secure our customers’ data. We’re doing this not just to keep the data safe, but also because Security is an amazingly interesting and fun topic to work on.

In part 1 and part 2 we talked about making all our colleagues aware of the risks, and how we help Developers write Secure code. In this part we’d like to tell you how we’re continuously monitoring our software for suspicious behavior and how we can respond if something needs our attention.

Read more

“We take your Security Seriously” – part 2

Posted by Martijn van Lambalgen on October 14, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). In my opinion it’s a bad excuse if you present it after everything has fallen apart and only then start working on it. You need to work on it every day.

In this series of 3 blog posts we’d like to share a bit of the Serious work we’re doing at TOPdesk to Secure our customers’ data. We’re doing this not just to keep the data safe, but also because Security is an amazingly interesting and fun topic to work on.

In part 1 we talked about making all our colleagues aware of the risks. In this part we’d like to tell you how we’re helping our fellow Developers to actually build Secure software.

Read more

“We take your Security Seriously” – part 1

Posted by Martijn van Lambalgen on October 1, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). In my opinion it’s a bad excuse if you present it after everything has fallen apart and only then start working on Security. It’s something you need to work on every day. And once you think you’re doing fine, you probably still need to speed up, because attackers continuously improve their skills too.

Although we have no intention of getting hacked anytime soon, we’d like to share with you some of the Serious things we’re doing to take care of your Security. Today the first of three blog posts, in which we’ll talk about awareness and training.

Read more

Summer Internship Development: Improving the release notes webpage

Posted by Juris Majors on August 30, 2019

Motivation

During our summer internship in Tilburg, we worked on improving the current release notes website and the process of distributing release notes information to customers. Currently, release notes for each quarter are manually formatted, converted to PDFs and then distributed to the customers. Our goal was to improve the website so that this process would become less cumbersome.

Furthermore, the quarterly release notes are available only for a fraction of all 13 TOPdesk languages. Partially this is because the notes have always been manually translated and that takes a lot of time. Therefore, we experimented with different services and translator models to see if automatic translations are viable.

After the bootcamp, we spent the remaining 6 weeks of the internship on developing these functionalities.

Enough blabbering… how did we do all of it in one summer?

Read more

First batch of TOPdesk Summer Interns in Tilburg

Posted by Juris Majors on

During the free summer months, a lot of students take up a summer job. Foregoing the sun-filled beaches to make some extra money during their holidays. However, what if you could earn some money and gain valuable experience as a developer? (And still go to the beach during the best internship outing!) 

Well, if this sounds good already, read on to learn about our experience as Software Engineering Interns at the TOPdesk branch in Tilburg.

Who are we?

We are Team Spaghet, the team that has been working on improving the release notes website this summer. We are three students, all with a background in Computer Science and Artificial Intelligence. Our goals during this project were to deliver a great product, have a taste of the life of software developers and learn as much as we can along the way. 

Read more

Building AIKI: the Smart Suggestion AI

Posted by Maxim Marchal on

Developing an AI prototype

TL;DR: If you want to brush up on your programming skills, make some nice money and work in an environment with clever, friendly people: go do the Development Summer Internship!!

Introduction

Artificial intelligence is the buzzword of the decade, no question about it. While it used to be very difficult to develop an AI product from scratch (unless you were an experienced researcher), now the entry barrier is so low that even students can implement something meaningful. This was the premise of this year’s TOPdesk Development Summer Internship: get a handful of young people with affinity for programming and let them develop a technical product from scratch. The only common denominator for this year’s group was that everyone was highly motivated and a student with at least some experience with programming; besides this, the group was a nice blend of different nationalities, personalities and skillsets.

Read more

Summer Internship Development: The road to RoomSense

Posted by Lucie Oude Luttikhuis on

Imagine, you’re sitting behind your desk, exhausted after building a difficult piece of code. You really need some time to relax. Luckily, TOPdesk has specific game rooms for this purpose, so you ask some colleagues and head to the room. Arriving there you notice that it is occupied, and the people inside mention that they just started their game. It would’ve been nice to know that before your walk. Unfortunately, you didn’t, so even more frustrated you try to get back to work.

As Summer Interns, this is the situation we were trying to solve during this summer. Only six weeks ago, we arrived fresh from our universities to get some working experience. Most of our team members only coded in their computer science courses. Now, we’re almost done with creating a fully working website.

Read more

Success Criteria of WCAG 2.1 Summarized

Posted by Joppe Kroon on July 15, 2019

The WCAG 2.1 update published in 2018 was a backwards-compatible, additions-only version. It adds 12 new A and AA (and 2 AAA) level success criteria focused on mobile accessibility, people with low vision, and people with cognitive and learning disabilities.

Reading through all the documentation can be intimidating, whereas a checklist can be too brief. Inspired by the session on WCAG 2.1 at NCDT of 2019, this post summarizes each success criterion; hopefully creating a middle ground between the full specifications and a checklist.

At the end of each section you’ll find a link to the “Understanding” document of the success criterion. Here you’ll find all exemptions, recommended techniques, and more.

If you are in fact looking for a checklist, WebAIM has created a checklist of all 2.x success criteria. Alternatively, the How to Meet WCAG (Quick Reference) is always a good place to start.

Read more

Frontend Testing with Jest – Mocks

Posted by Anna Maier on July 5, 2019

Jest is a popular unit testing framework for JavaScript. In an earlier post, we looked in detail at how you can use assertions in Jest unit tests. In this post, let’s look into using mocks in Jest tests.

So, what are mocks?

In unit tests, you want to focus on one functionality only and ignore the logic of the functionality you depend on. This is where mocks come into the picture. They make it easy to provide dummy objects for dependencies. Additionally, mocks keep track of all interactions with the mock. This way, you can check if your code calls the dependent code in the right way.

Read more

Testing: bugs and emotions

Posted by Bart Klinge on June 5, 2019

While reading the ISTQB handbook (not something I advise you to do) you will sometimes come across stories of testers having difficulty talking to the people who do the coding, and how to deal with that. Telling the coder that what they created contains bugs or is missing a feature is apparently problematic, and knowing how to tell them is supposed to be a skill testers should have or develop.

Read more

Raising awareness about Accessibility

Posted by Anna Maier on May 24, 2019

“Software programs should be usable by everyone.”

I think everyone can agree with that statement. Unfortunately, some extra work is needed to make a program truly accessible. Even worse, this is often only thought of in the last bit of a project. This leads to accessibility often being cut because of time and budget constraints. If accessibility were considered from the start, it could be built in more easily. But how can we, as developers, make ourselves more aware so that we actively think about accessibility when building the software?

Our answer: let’s experience first hand how (in)accessible our software is!

We decided to host an accessibility challenge for our colleagues. Read below how this turned out…

Read more

Frontend Testing with Jest – Assertions deep dive

Posted by Anna Maier on April 29, 2019

When it comes to frontend testing, most developers think of slow tests using Selenium and a connected browser in an error-prone setup. With more and more logic moving to the frontend, this picture is now slowly changing. Modern JavaScript testing frameworks make it possible to run tests fast and reliably.

Read more

Preparing (and cheating on) an ignite talk

Posted by Joep Weijers on February 5, 2019

In an ignite talk, a speaker has 20 slides to present a topic to you. The slides automatically advance every 15 seconds, so they have exactly 5 minutes to get their point across. Topics typically include quick pitches of software tools or methodologies, but fun topics are also fair game: I’ve seen a speed course in Dutch, and a talk about coffee.

Read more

What all Developers Need to Know about: Threat Modeling

Posted by Martijn van Lambalgen on December 11, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Threat modeling is a process which far too few developers know about. It is a process that does what the name suggests: It helps you to model all threats to your application. Basically you make a list of threats, but in a structured way, such that you can assess the risks, and decide what to do about them.

Read more

6 ways to make your alerting less boring (and more effective!)

Posted by Joep Weijers on November 8, 2018

Imagine you are a developer and you have just pushed a change that breaks the build. The Continuous Integration system, Jenkins in our case, sends you an email to notify you about this failure. BORING! Here are six examples that you can use to spice up your alerting and motivate your Development and Operations teams to react to alerts faster.

Read more

What all Developers need to know about: Data Security vs. Data Privacy

Posted by Martijn van Lambalgen on November 5, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Recently I’ve been doing a lot of work for Data Privacy at TOPdesk. Since May 2018 the GDPR is in effect, so our developers need to be aware of the consequences. Since I’m mostly a security guy, I was wondering about the differences and similarities between Data Security and Data Privacy. Do they have the same goal? Can you use the same approach? Or is there a trade-off?

Read more

What all Developers need to know about: CORS

Posted by Simon Lenz on October 2, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

In today’s article, we want to have a closer look at cross-origin resource sharing to see how it can help make your web application a little safer. Or, more correctly, help give you more control over the security of your application.
But before we can dive into talking about CORS, we need to explain the SOP.

Read more

GDPR – What do Developers need to Think about?

Posted by Martijn van Lambalgen on September 20, 2018

GDPR

Since May 25th 2018 the European privacy law GDPR has been in effect. Although everybody knows this is all about privacy and respecting the customer’s data, it may not always be clear for you as a developer what is expected of you. Basically there are 6 principles in the GDPR that we need to follow. I’ll try to shed some light on the principles with practical examples so you understand better what to think of during your daily work.

Read more

What all Developers need to know about: Session management

Posted by Martijn van Lambalgen on September 3, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

The HTTP protocol is stateless, meaning that the server is not required to store state information for a conversation. This simplifies the protocol a lot, but there are often situations where keeping state is desired. For example, you don’t want users to send their login credentials with each request. To prevent having to reauthenticate all the time, sessions were invented. Sessions are great because they allow the user to authenticate once, and then stop thinking about it. However, hackers also find them great, because if sessions leak, the hacker doesn’t need to authenticate either to use your account. So, how do we do proper session management and prevent session data from falling into the wrong hands?

Read more

Resources for Exploratory Testing

Posted by Hollis Hazel on August 30, 2018

What is Exploratory Testing?

In scripted testing you follow a script that tells you where to click, what to enter, and what to expect. Freestyle exploratory testing does not rely on scripts, but rather on the experience and intelligence of the tester. As you go you change your plan and approach based on what you have seen so far, just as you would when exploring an island or a new city.

Exploratory testing is not ‘just clicking around randomly’. It is quite the opposite. Good exploratory testing demands critical thinking, an eye for detail, a good deal of imagination and a natural curiosity for “what ifs”. It takes expertise, intuition and practice.

Exploratory testing is perhaps the most difficult and skilled form of manual testing. So I’ve gathered a few of my favourite resources to help you on your way.

Read more

How to Organise a Bug Hunt in Six Easy Steps

Posted by Hollis Hazel on August 29, 2018

In this blog, I want to share my experiences in organising a bug hunt. Testers at my organisation formed teams, who then set about testing a piece of the software that my own team had developed. It was a great learning experience for everyone involved, and something I’d highly recommend.

What is a Bug Hunt?

During a bug hunt, a Test Owner presents two teams (of two or more people) with a piece of software to be tested. The Test Owner provides some basic information, and the teams get to work testing the product. At the end of the session, they report their findings back to the Test Owner. The activity can be seen as training in how to organise and communicate testing, but is also a fun way to learn a new piece of software.

How Do You Organise a Bug Hunt?

Here are a few insights from my first experience as Test Owner. One of the hardest things for me was estimating how complex to make the test object. The most enriching on the other hand was seeing other testers dissect software that I had helped build. Because the teams were distributed, I also picked up tips on how to make working remotely go smoother.

Your experience will undoubtedly be a personal one. Nevertheless, the tips below will make the first time much easier.

Read more

One software, many customers – Are you truly agile?

Posted by Tobias Spöcker on August 2, 2018

Does your company consider itself to do agile development?

Is the Software you produce delivered to a huge customer base?

Have you ever wondered if you and your organization really follow the practices of the agile manifesto?

If yes, then this is a good read for you. At TOPdesk we have reached the size of a company that can no longer be labeled small. With over 600 employees across 14 countries we list ourselves as a mid-size company. Although we are not a large-scale enterprise yet, I figured we are already facing the downsides such an organization comes with.

Before I go into more detail about that, I would like to briefly state the agile manifesto’s core values before I set them into contrast with the practices in our company.

Read more

What all Developers need to know about: Security Headers

Posted by Martijn van Lambalgen on August 1, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Adding security headers is usually a quick win when improving the security of your web application, but nowadays there are so many to choose from. Or shouldn’t you choose at all? Why not add all of them? How does this work? We tried to make an overview of which headers improve your security, and what they actually try to achieve for you.

Let’s start at the beginning. The HTTP protocol tells you to specify the HTTP protocol version, add a bunch of headers and optionally include a body for your request/response. The response headers can be thought of as metadata for the response, or as additional instructions for the browser. E.g. they tell the browser which content type the response page has, what server handled the request, or how long the requested resource can be cached. Below is an example of an HTTP response. The relevant security headers are marked in red.

Read more

What all Developers need to know about: Leaking version information

Posted by Yannick Mortier on July 9, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Security experts, penetration testers, developers, administrators, and anyone else who creates or deploys software will often ask the question “Just how closely should I guard the version numbers of software and libraries that I use?”

Today, we are going to look at some answers to that question, and why we might choose one approach over another.

Read more

What all Developers need to know about TLS 1.0

Posted by Martijn van Lambalgen on June 4, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

TLS stands for Transport Layer Security and it is a cryptographic protocol to secure communication over a network. This is what is used when you type ‘https’ instead of ‘http’ in your browser to communicate with a server, but it is also used to secure other end-to-end communications like email, voice-over-IP or DNS. TLS is the successor of SSL (Secure Sockets Layer). Many people still use the word SSL when they actually mean a TLS connection. SSL is old and deprecated. Just like SSL, TLS 1.0 has been found to be insecure. This is why TOPdesk is slowly going to drop support for this protocol version in favor of version 1.2 (and soon also 1.3). Here we’ll discuss what you need to know about TLS 1.0.

Read more

What all Developers need to know about: Reverse Tabnabbing

Posted by Martijn van Lambalgen on May 2, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

It’s been a while since I first heard about reverse tabnabbing. Initially I didn’t think much of it, because exploits are not always straightforward. At TOPdesk we fixed any potential issues some time ago, but recently it’s getting more attention. I always applaud it when security topics get more attention, and therefore I’d like to explain here how we approach this at TOPdesk.

“Reverse tabnabbing” you say? What are you talking about? Never heard of this thing. Okay, so apparently it hasn’t gotten enough attention yet. Reverse tabnabbing can easily lead to some nasty phishing attacks. I originally read this article by Mathias Bynens on rel=noopener. It explains (and demonstrates) that if a site has a link to an external domain, and you click the link, the site on the other domain gets full control over the parent’s window object.

What all Developers need to know about: Password guidelines

Posted by Martijn van Lambalgen on April 4, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

It’s time for our monthly security blog again. Almost a year ago NIST published a new version of their password and digital identity recommendations. What are those recommendations, and why have they changed?

The new recommendations put an end to many of the crappy guidelines that we all hated, like requiring all kinds of special characters in your password, or having to change the password every x weeks. Slowly, people are starting to understand that these were not very good guidelines, as they weren’t very well aligned with human behaviour.

Are you an ambulance driver, and need a password? Try ‘ambulance’. If the system also requires numbers, what about ‘ambulance1’? Special characters? Good chance that you will select ‘ambulance1!’. And next month, when the password needs to be changed, it will be ‘ambulance2!’, and so on. That’s what happens when you try to annoy people with these requirements. It gets ‘less’ secure, instead of ‘more’.

What all Developers need to know about: CSRF

Posted by Yannick Mortier on March 19, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Imagine the following: You set up your blog a while ago. Everything is running smoothly. You add a few plugins here and there to make managing it easier, and you are using a custom theme so it looks enticing to new visitors.

One day, on a routine check of the comments you received, you decide to investigate one comment a bit more closely since it contains a link. You don’t want to end up supporting spam messages, so you decide to click the link and see what it’s all about.

What all Developers need to know about: Cookie Security

Posted by Martijn van Lambalgen on February 13, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Cookies are small packets of data which a server can send to your browser to store some configuration or personal data. The browser automatically sends them along with all requests to that same server. The contents are usually very interesting to hackers, so it’s important to know how to secure these cookies. Fortunately there are a lot of things you can do to improve cookie security. So… what do you need to know?

What all Developers need to know about: Clickjacking

Posted by Martijn van Lambalgen on January 17, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Clickjacking is still one of those amazingly simple attacks that are also easy to prevent. That is, if you know what clickjacking is, because considering the number of websites that are vulnerable, not many developers know about this.

In a clickjacking attack, an attacker attempts to ‘hijack’ clicks by making the user think he is clicking something else. The basic idea here is that the attacker loads the thing he wants you to click on in an invisible iframe and then shows you something else. For example, you may see a button ‘Click here to get a Free iPad’, but when you try to click the button, the click event goes to a ‘Transfer $1000,- from my credit card’ button in the invisible iframe. Clickjacking may cause all kinds of harm to the user. E.g. the hacker may get access to your webcam, steal money, send emails on your behalf, or worse… It is possible to hijack basically any type of event in the browser (like mouse events or key strokes) if the website that executes that action is not properly secured.
