Life A New Chapter Nearly four years ago, I moved West [https://www.coffeeonthekeyboard.com/my-new-job-257/] to join Mozilla. About a year later, I moved East [https://www.coffeeonthekeyboard.com/moving-to-new-york-452/] to come home to New York. I consider those two of the best changes I’ve ever made. Now Spring is here again
django Mozilla's Security Best Practices This list of resources is meant as a companion to the talk I gave at DjangoCon 2012, but it should stand on its own as a useful list for Django developers. Best Practices? What are “best practices,” anyway? The internet loves to debate these things. For us, think of it
django Mass Assignment - Security Part 10 NB: This is the tenth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. > “Mass assignment”? That’s a Rails [http://rubyonrails.org/] thing! GitHub [https://github.com/] was the recent, high-profile target of an “attack”—it wasn’t so much a vicious
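The post above is cut off, but the bug it names is easy to show without Rails or Django: a view that copies every submitted field onto a model lets the client set fields the form never offered. The block below is an added example, not code from the post; the `Profile` model, its fields and the request shape are hypothetical. In real Django the control is the `ModelForm`'s `Meta.fields` allowlist rather than a hand-written `setattr` loop, and the allowlisted version here mirrors what that does.

```python
"""Mass assignment, simulated without Django (added example, not from the post).
Model, field names and request shape are hypothetical; in real Django the fix is
the ModelForm's Meta.fields allowlist, not hand-written setattr loops."""

# The only fields an end user may change through the profile form.
ALLOWED_PROFILE_FIELDS = frozenset({"display_name", "bio"})


class Profile:
    """Stand-in for a Django model instance (hypothetical)."""

    def __init__(self, display_name, bio, is_staff=False):
        self.display_name = display_name
        self.bio = bio
        self.is_staff = is_staff  # privileged flag the user must never set


def update_profile_mass_assignment(profile, post_data):
    """Vulnerable: every POST key is copied onto the model.

    A client that adds is_staff=True to the form body gets it written through,
    which is the class of bug the post describes being used against GitHub.
    """
    for key, value in post_data.items():
        setattr(profile, key, value)
    return profile


def rejected_fields(post_data):
    """Keys the client sent that are not on the allowlist; worth logging."""
    return set(post_data) - ALLOWED_PROFILE_FIELDS


def update_profile_allowlisted(profile, post_data):
    """Fixed: iterate the allowlist, not the request, so unknown keys are ignored.

    This mirrors what a Django ModelForm with Meta.fields = [...] does: only the
    declared fields are read from request.POST and saved.
    """
    for key in ALLOWED_PROFILE_FIELDS:
        if key in post_data:
            setattr(profile, key, post_data[key])
    return profile


if __name__ == "__main__":
    # Constructed POST body: the attacker added an extra field to the form.
    tampered_post = {"display_name": "Mallory", "bio": "hi", "is_staff": True}

    victim = update_profile_mass_assignment(Profile("mallory", ""), dict(tampered_post))
    print("mass assignment -> is_staff =", victim.is_staff)      # True: escalated

    safe = update_profile_allowlisted(Profile("mallory", ""), dict(tampered_post))
    print("allowlisted     -> is_staff =", safe.is_staff)        # False: ignored
    print("rejected keys   ->", rejected_fields(tampered_post))  # {'is_staff'}
```

The important design choice is the direction of the loop: iterate over what the server allows, never over what the client sent. Logging `rejected_fields` is a cheap way to notice someone probing for writable fields.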
django Stay Up to Date - Basic Security Part 9 NB: This is the ninth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Rounding out this week is the last, but perhaps most important part of the basic security series: staying up to date. Keeping everything up-to-date is a pain. You have to
click-jacking Click-Jacking and a little Phishing - Basic Security Part 8 NB: This is the eighth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using an XSS vector [https://www.coffeeonthekeyboard.com/xss-cross-site-scripting-basic-security-part-2-711/] to replace the targets
django Server Configuration - Basic Security Part 7 NB: This is the seventh post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of time configuring Apache [http://httpd.apache.org/] or nginx [http://nginx.org/
django Session Fixation and Hijacking - Basic Security Part 6 NB: This is the sixth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. 1. Don’t put session IDs in the URL. Django explicitly does not support [https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-ids-in-urls] this because it’s just dangerous.
access control Access Control - Basic Security Part 5 NB: This is the fifth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone,
django Injections, SQL and otherwise - Basic Security Part 4 NB: This is the fourth post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement sent to your database server. The typical example is: 1. "SELECT
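The teaser's "typical example" is truncated, so here is the full shape of it as an added example that is not code from the post. It uses the standard library's `sqlite3` so it runs offline; the `users` table, its rows and the two payloads are constructed. The same distinction holds in Django, where `cursor.execute(sql, params)` and `Model.objects.raw(sql, params)` take `%s` placeholders with a separate parameter list instead of a formatted string.

```python
"""SQL injection vs. parameterized queries (added example, not from the post).
Uses sqlite3 so it runs offline; the users table and rows are constructed."""

import sqlite3


def make_db():
    """Constructed sample data: two users and their (fake) password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement with string formatting: the input becomes SQL text."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Sends the statement and the value separately; the driver never parses
    the value as SQL, so quotes and comment markers in it are just characters."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads an attacker would type into the username field.
BYPASS_PAYLOAD = "' OR '1'='1"   # tautology: the WHERE clause matches every row
EXFIL_PAYLOAD = "x' UNION SELECT id, password_hash FROM users --"  # reads another column;
#                                                                  -- comments out the trailing quote


def demo():
    """Run both payloads through both query styles and return the row lists."""
    conn = make_db()
    return {
        "vuln_bypass": find_user_vulnerable(conn, BYPASS_PAYLOAD),
        "vuln_exfil": find_user_vulnerable(conn, EXFIL_PAYLOAD),
        "safe_bypass": find_user_safe(conn, BYPASS_PAYLOAD),
        "safe_exfil": find_user_safe(conn, EXFIL_PAYLOAD),
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} {rows}")
```

The second payload is the one worth remembering: injection is not only about bypassing a check, it turns a lookup that was supposed to return usernames into one that returns password hashes through the same column.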
csrf CSRF: Cross-Site Request Forgeries - Basic Security Part 3 NB: This is the third post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&
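The bank example is cut off at the query string, so the block below reconstructs the scenario as an added example rather than code from the post: a transfer endpoint that acts on any authenticated GET, next to one that requires POST plus a token bound to the session. The request and session shapes, account names and transfer parameters are hypothetical (the teaser's URL does not show them). The protected version is a plain synchronizer token; Django's `CsrfViewMiddleware` enforces the same idea through its `csrfmiddlewaretoken` form field.

```python
"""CSRF against a bank-transfer endpoint, simulated without a web framework
(added example, not from the post). Request/Session shapes, account names and
the transfer parameters are hypothetical."""

import hmac
import secrets


class Request:
    """Minimal stand-in for an HTTP request (hypothetical)."""

    def __init__(self, method, params, cookies):
        self.method = method    # "GET" or "POST"
        self.params = params    # query string or form body, as a dict
        self.cookies = cookies  # the browser attaches these on cross-site requests too


def new_session(store, username):
    """Create a server-side session with a fresh CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    store[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _do_transfer(params, user, accounts):
    src, dst, amount = params["from"], params["to"], int(params["amount"])
    if accounts[src]["owner"] != user or accounts[src]["balance"] < amount:
        return 403
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount
    return 200


def transfer_vulnerable(request, sessions, accounts):
    """badbank.com style: any authenticated request moves money, GET included.
    <img src="http://badbank.com/transfer?from=act1&to=evil&amount=100"> on an
    attacker's page fires this with the victim's cookie attached."""
    session = sessions.get(request.cookies.get("sessionid"))
    if session is None:
        return 401
    return _do_transfer(request.params, session["user"], accounts)


def transfer_protected(request, sessions, accounts):
    """Reject non-POST, then require a token only the bank's own page could have
    rendered. A cross-site page cannot read the victim's session token."""
    if request.method != "POST":
        return 405
    session = sessions.get(request.cookies.get("sessionid"))
    if session is None:
        return 401
    token = request.params.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403
    return _do_transfer(request.params, session["user"], accounts)


def scenario(handler):
    """Send a forged GET, a forged POST without a token, and a legitimate POST.
    Returns the three status codes and the resulting balances."""
    sessions = {}
    accounts = {  # constructed state
        "act1": {"owner": "victim", "balance": 500},
        "evil": {"owner": "attacker", "balance": 0},
    }
    sid = new_session(sessions, "victim")
    cookie = {"sessionid": sid}
    steal = {"from": "act1", "to": "evil", "amount": "100"}

    forged_get = handler(Request("GET", dict(steal), cookie), sessions, accounts)
    forged_post = handler(Request("POST", dict(steal), cookie), sessions, accounts)
    legit = {"from": "act1", "to": "evil", "amount": "50",
             "csrfmiddlewaretoken": sessions[sid]["csrf_token"]}
    legit_post = handler(Request("POST", legit, cookie), sessions, accounts)
    return {"forged_get": forged_get, "forged_post": forged_post,
            "legit_post": legit_post,
            "act1": accounts["act1"]["balance"], "evil": accounts["evil"]["balance"]}


if __name__ == "__main__":
    print("vulnerable:", scenario(transfer_vulnerable))
    print("protected: ", scenario(transfer_protected))
```

Two points the simulation makes explicit: refusing GET is necessary but not sufficient, because an attacker's page can auto-submit a cross-site POST form just as easily, and the token comparison uses `hmac.compare_digest` so a wrong guess does not leak timing information.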
django XSS: Cross-Site Scripting - Basic Security Part 2 NB: This is the second post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. XSS covers a number of various attacks, but the common thread is that someone gets to execute code in the context of your web page and domain. Doing that, they
django Password Storage - Basic Security Part 1 NB-1: This is the first post in a series [https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. NB-2: Fred [http://fredericiana.com/] wrote a great post on password storage [https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/]. You should read it. I’m assuming we’re
django Best Basic Security Practices (Especially with Django) Or: Locking Your Doors This goes along with a talk I gave at Django-NYC [http://www.djangonyc.org/events/70626822/] in July 2012, but is meant to stand on its own. It is the first in a series of posts, because I realized it was too big for one. Security
django Putting My Slides Where My Mouth Is I’m giving a talk tonight [http://www.djangonyc.org/events/70626822/] at GetGlue [http://getglue.com/] on web app security, particularly with Django. Over the next several days—starting tonight—parts of that talk will be posted here as blog posts (I’ve realized there’s too much material
meetup Calling all Mozilla Community Members in New York! Are you a Mozillian? Are you an add-on author or web developer or an avid Firefox user? Do you think of yourself as part of the Mozilla Community, and are you in or around New York City? Then I’m talking to you! We have a Meetup group [http://www.
Code Where are James' Slides? I give a lot—well, I give some—talks, but I never give the slides out. And, as far as I can remember, no one has ever asked for them. I know people, people who speak a lot more than me [http://stevesouders.com/], who put all their slide decks
Code Why Django Sucks, Except When It Doesn't Ken Reitz [https://twitter.com/kennethreitz] is a smart man. Very smart. Smarter than me. He’s responsible for some of the best [https://github.com/kennethreitz/flask-sslify], most widely-used [https://crate.io/packages/requests/] Python libraries out there. So when he talks, I listen. And recently, he talked about
mozilla Performance is a Feature What do I mean when I say “performance is a feature?” For a long time, I got this wrong. When I explained myself, I’d say that performance was as important as any other feature and worth spending as much time on as any other feature, and you shouldn’t
apple Thank You, Steve Thank you, Steve [http://www.apple.com/stevejobs/]. I didn’t really realize until today exactly what I owe to Steve Jobs’ vision and dedication. So much of my life and career has been influenced and guided by an interest in screwing about with computers that goes back to the
developers So You Want Me to Hire You I vacillated quite a bit on the title of this post. It is, after all, not me that is hiring you. Nor do I have the power to hire folks at will: it’s a team decision. But I also don’t want to claim to speak for anyone else,
continuous deployment Acronyms you should know: MTTD and MTTR If you’re a SUMO [https://support.mozilla.com/] contributor, there are two acronyms you will start to hear more often from us developers: MTTD and MTTR. They mean “mean time to detect” and “mean time to resolve,” respectively, and they refer to how long it takes to detect an issue
damnproud Pride and Joy: Firefox 4 is Out! Since it was officially released around 7 hours ago, Firefox 4 [http://www.mozilla.com/] has been downloaded nearly 2.4 million times [http://glow.mozilla.org/]. I feel many things today. I’m deeply proud and humbled to be a part of the Mozilla community and contribute in my
continuous deployment A brief SumoDev update A little while ago [https://www.coffeeonthekeyboard.com/sumo-in-q2-563/], I said that I thought we got a B in Q1, but we could move up to an A with a little more work. (This is my favorite grading system: everyone starts at 0 and works up.) Well, we landed two
mozilla Weekly Update for 11/3/11 Been a busy week! * Helped run down an issue with our ads on Reddit. * Updated django-multidb-router [https://github.com/jbalogh/django-multidb-router]. - Learned a little about ContextDecorator [http://docs.python.org/dev/whatsnew/3.2.html#contextlib] and how to do that in Python 2.6. * Shipped SUMO 2.6.
mozilla Weekly Update 04/03/2011 OK, in line with my 2011 goals [https://www.coffeeonthekeyboard.com/2011-goals-520/] and because I’m sick of not remembering what I did last week, I’m restarting the weekly update posts. I hope you like hearing about the minutia of my job! (Just kidding. I write these for me.