kevinhakanson.com

When I write an AWS Lambda function in JavaScript/TypeScript that takes some sort of auth token in the , I take care to redact it from any logs. The code below is similar to what I use, using the parameter of JSON.stringify to replace the…

“Vibe coding” is the latest hype, so I thought I would give it a try. I was working with a customer to understand some security boundaries between an API Gateway HTTP API and a ALB target. Basically I wanted to “vibe architect” the CDK…

aws-jwt-verify uses Conditional exports to support both Node.js and browser environments. The primary unit tests use Jest and run under Node.js, which means the browser imports are not used. This is addressed by also testing with a Vite…

During a call with customer, they mentioned that “friends and family” testing of features often gives positive feedback. I thought this would be a fun use of generative AI so I asked Claude Haiku for some help “redefining” A/B testing: The…

Recently, I was working on a TypeScript code sample using @aws-sdk/client-bedrock-runtime. Since I like to have fun with my examples, I gave Claude a role with a system prompt along with my user prompt. System Prompt: You must always…

Are you trying to connect to your MySQL DB instance using IAM authentication using the AWS CLI and mysql client and getting this error? ERROR 1045 (28000): Access denied for user ‘user1’@‘172.31.9.140’ (using password: YES) Lucky you! Well…

Visual Studio Code can be customized and enhanced through the Extension API, as I have done with the Cedar policy language for Visual Studio Code. Running automated tests using GitHub Actions gave me errors like these: Failed to connect to…

Even while working for AWS as a Solutions Architect, I keep my Microsoft Azure certifications up to date. These free renewals happen every year on the Microsoft Learn platform. Certification title Certification number Earned on Expires on…

I’ve been working with a customer for several months on a cloud modernization project. We are just over a month from production and addressing blockers in our daily stand-up meetings. Every so often, some “big and scarry” issue appears…

I recently added tests for both prism-cedar and highlightjs-cedar using the File Snapshots feature of vitest. Each of these syntax highlight libraries uses a lot of regular expressions, and I immediately think of the joke about regex. Some…

The Cedar policy language extension for Visual Studio Code is available for installation from the Visual Studio Marketplace as well as open source on GitHub at cedar-policy/vscode-cedar. This extension supports syntax highlighting…

I’ve been collecting laptop stickers for a while, but only started affixing them to my laptop last year. I didn’t want to lose them when my work laptop was returned or replaced. My solution was to buy a hard shell case, which I can remove…

Release 16.0 of AWS Icons for PlantUML includes an experimental “dark mode” where will set the background/foreground colors and use icons which have a specific “dark” version. This was possible because the 2023-04-28 (16-2023.04.2…

Cedar is an open source policy language and evaluation engine. Cedar enables developers to express fine-grained permissions as easy-to-understand policies enforced in their applications, and decouple access control from application logic…

I was updating the Hello Go CDK sample project and looking for an easy way to get a CloudFormation stack output value for use in a CLI command. The AWS CLI describe-stacks command will get that value, but there is an entire page of JSON to…

I admit to being an AWS service icon snob - when I see outdated icons being used, I look down on the diagram. For example, this image with multiple versions of old AWS Lambda icons: However, these are a pain to update by hand. Last month…

I am working on a project that requires calling some Rust crates from a NodeJS runtime. I had a project with some working code (which I didn’t fully understand), so I wanted to start by implementing the classic “Hello World!” problem. Let…

I had a great time talking about Resilience on AWS at Code Freeze 2023 and wanted to share some links to related content. Some definitions from the AWS Well Architected Framework reliability pillar: Resilience - The ability of a workload to…

So much fun on the Build On AWS weekly - Code me some diagrams Twitch stream today talking diagrams-as-code with Darko, and surprising him with this: The PlantUML source code (except for the full base64 PNG). I also got to talk about…

I’m still having fun creating UML Sequence Diagrams using PlantUML. On August 19, 2022 I published Sequence Diagrams enrich your understanding of distributed architectures on the AWS Architecture Blog. The source files from that blog…

I’ve been looking at serverless, event-driven architectures using AWS Lambda and how to test individual components. In this post, I take an example AWS Lambda function using the Python runtime which was not designed for testability. I…

Posts on this blog have been fewer lately, but today my first official AWS Blog post was published: Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3

Last year with Adding AWS Icons to PlantUML Sequence Diagrams I started making my diagrams look a bit better. However, the native sprite format looked somewhat washed out to me. My investigations resulted in some Python coding and deeper…

I was building a Python-based AWS Lambda function similar to what was announced by New – Use Amazon S3 Event Notifications with Amazon EventBridge and the code looked similar to this - full of “magic strings” that I had to discover. Python…

What started as pull request #60, escalated to becoming a maintainer on aws-jwt-verify and releasing v3.0.0. AWS JWT Verify is a JavaScript library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs…

Today I learned about Emoji ZWJ Sequences and what it takes to create the “man technologist: light skin tone” emoji I often set in my slack status. This is actually multiple unicode characters “smashed” together using a Zero Width Joiner…

After I received my “Your December Search performance for kevinhakanson.com” email, I took a look at Search Console Insights. I have a #1 position search result on Google for my The Frozen Caveman Antipattern blog. Since this was fun for…

My current workstation setup includes a ThinkVision P27h-20 Flat Panel Monitor which offers a “full-functioned USB Type-C one cable solution with the capability to deliver up to 90W power delivery and an Ethernet signal.” There are a lot of…

I’ve blogged about UML Sequence Diagrams using PlantUML before, but now my Sequence Diagrams are more beautiful after using the AWS Icons for PlantUML and reading the PlantUML Sequence Diagram docs. Let’s start with a basic PlantUML…

Here it is - my very first AWS Lambda Function coded in C#. You can probably guess I didn’t write that code, but generated it from a template. There is .NET Core CLI support for creating .NET-based Lambda applications. Most of my Lambda…

While diving deep on AWS CloudFormation Linter (cfn-lint), I discovered Custom Rules support. The linter supports the creation of custom one-line rules which compare any resource with a property using pre-defined operators. To give it a try…

Today I start at AWS as a Sr. Solutions Architect at AWS. It is “Day 1” for me both in the English definition of the phrase as well as using the Amazon vernacular. “Day 1 is both a culture and an operating model that puts the customer at…

From previous blog posts like I’m a Microsoft Azure Solutions Architect Expert or I’m a Microsoft Azure Solutions Architect Expert you can see I like to celebrate when I pass another certification exam. I also link to the specific digital…

I wanted to get this Microsoft Azure Security Engineer Associate certification to pair with my AWS Certified Security – Specialty accomplishment, but I kept seeing how hard it was to pass the exam. I want to give credit a couple of my…

Last week I gave a presentation about a concept I decided to call Cloud State Monitoring. The premise was that much of cloud configuration monitoring is point-in-time evaluations, but there is additional value in monitoring the change in…

Today (December 1, 2020) is the day Amazon Alexa is deprecating the Echo Buttons Skill API. In 2018, I published a couple Alexa skills for Echo Buttons (Color Stumper; Rochambeau Buttons) and even have two unopened sets of buttons which I…

I can now add Microsoft Certified: Azure Solutions Architect Expert to my resume. This certification requires passing two exams, AZ-303 and AZ-304, both of which I completed this month. However, my certification journey was not as quick…

As part of studying for the Azure Architect exams using Microsoft Learn, I was experimenting with Managed Identities. Here is the definition from the What are managed identities for Azure resources? page of the Azure docs: There are two…

With the transition of SlideShare from LinkedIn to Scribd, I looked through my old tech conference presentation slide decks and wanted to highlight some of my slides that (maybe) were not as humorous as I planned. They say “If you have to…

I recently authored a presentation on adopting multi-cloud, and pulled together this list of 7 multi-cloud best practices as a quick summary of the session. While I don’t claim this is an exhaustive list, it is a good starting point for…

The OWASP® Foundation works to improve the security of software through its community-led open source software projects, including the OWASP Cyber Defense Matrix, a project initially created to help organize security technologies across the…

The NIST Cybersecurity Framework (NIST CSF) was created via a collaboration between the United States government and industry as a voluntary framework to promote the protection of critical infrastructure, and is based on existing standards…

After creating resources in the wrong subscription during some Azure training, I wrote Setting Subscription used inside Azure Cloud Shell. There I had used the PowerShell Get-AzContext cmdlet to determine my active Azure subscription. I…

In a conversation about cyber security or cyber defense, you might hear the terms CIS and security controls mentioned as a recommended best practice.  However, without some additional context this is just another TLA (Three Letter Acronym…

I noticed that terraform was one of the tools pre-configured in Azure Cloud Shell, so I decided to play around with it based on the Terraform Getting Started - Azure learning track. I created a file which would just create an Azure…

I’ve blogged about Redis Security Investigation on AWS before, so thought I would see what the defaults in Azure look like. It is nice to see a TLS connection is the default. I wanted to connect to this Redis instance but didn’t want to…

When I’m first exploring a new API, it is comfortable to use a GUI based API explorer tool. For the Microsoft Graph API, this is the Graph Explorer and a tool I enjoy working with. Try it out with this direct link which will query https…

Naming things is hard. Each of these “Azure” names appear somewhere (or at some time) in the documentation: Azure Microsoft Azure Azure Cloud Microsoft Cloud Windows Azure At the time of this post, Azure has 58 regions worldwide and…

Last week, I attended an Architecting for Machine Learning on AWS event at their Minneapolis office along with about 40 people. This three-day technical workshop is designed to provide architects and developers hands-on training for…

One of my original Lambda@Edge functions was still running on an old Node.js runtime, which I needed to update. That function dynamically generated images of a United States map with various states shaded based on the filename. This…

This week I am attending some Azure Architect training, listening to some lectures, and doing some labs. The course includes Azure credits provided as an Azure Sponsorships subscription, which meant I don’t need to use any of my monthly…

Since February 2019, I have been spending time in Microsoft Azure, primarily related to a “move and improve” project for a “.NET monolith” with heavy dependencies on SQL Server.  Through various proofs-of-concept and architecture design…

I finally took the time experiment with the ability of an AWS Application Load Balancer (ALB) to target a Lambda function for HTTP requests. I decided to start with some Python code based on the whatismyip example. I mapped the path to…

Back on 26 August 2019, I created a GitHub issue on veracode-python-hmac-example since it didn’t work with Python 3.7. I also reached out to Veracode Support who replied right away with a compatible file. Today I learned that the…

I received early adopter access to our JFrog Artifactory instances located at .  After you log in via SSO you are redirected to  (note that path segment as this is needed for API URLs).  I wanted to try CLI access so I started with a…

A few months ago, I was reviewing some code that was flagged by Veracode for multiple CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) flaws. When working with the development team, they…

The other day I ran across Use Postman to Call a REST API - Amazon API Gateway, which highlighted that Postman can generate AWS Signatures for authorization (see Authorization | Postman Learning Center).  When I wrote AWS Chalice, Amazon…

For a proof-of-concept I was working on, I needed to add an IP access restriction to an Azure App Service instance. This can easily be done in the Portal UI, but not via PowerShell according to Programmatic manipulation of access…

I’ve blogged before about text notation for UML Sequence Diagrams in WebSequenceDiagrams notation, but since we standardize on Lucidchart for diagrams, I found they have UML Sequence Markup support as well.  However, Lucidchart’s dialect…

The Cloud Center of Excellence at my company was beginning to strictly enforce the tagging standard, which meant that mis-tagged resources were going to be deleted. The CCoE gave reasonable lead time, and even provided a list of affected…

Since you can never have too many command lines and shells, today I thought about Installing PowerShell Core on macOS. After that, it was time for Setting up the AWS Tools for PowerShell Core on Linux or macOS X and making sure it worked…

Got the Oracle Java auto-update message on my Mac today, reminding me to “Remove” if installed for “commercial” use. So, I clicked remove and visited https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/macos-install.html to install…

I was researching photo apps when I came across the open source digiKam. Since I was going to download from a mirror site, I wanted to perform some file verification using one of the hash values. File information Filename: Mirrors for…

As a “security custodian” for some of my company’s AWS accounts, I review requests for what we call “service users,” including the AWS IAM Policy documents attached to those users. I prefer these to meet the Principle of least privilege but…

I was reading Automate analyzing your permissions using IAM access advisor APIs | AWS Security Blog and realized it would also be way see what AWS features one of my project teams (a.k.a. redacted-project) was using. So, I put together a…

Recently, I was asked to do an architecture review on a couple of projects - one was just getting started, and the other was a PoC demoed at a user conference.  Unfortunately, as with too many “agile” projects, existing architecture…

Notes from watching AWS re:Invent 2018: Amazon DynamoDB Deep Dive: Advanced Design Patterns for DynamoDB (DAT401) - YouTube (slides). A presentation worth watching to understand building DynamoDB solutions better. About 29:30 in speaker…

Last year I wrote CloudFront and Disaster Recovery based on the ability to use Lambda@Edge to “generate HTTP responses when CloudFront viewer request or origin request events occur.” This year Amazon CloudFront announces support for Origin…

A co-worker and I were investigating AWS Cloud9 and the ability to share environments.  However, when you do a Window - Share… from inside the environment, you get this dialog: However, we are not using IAM users, but roles assumed via…

I hadn’t been paying much attention to SignalR lately, but recently listened to .NET Rocks! SignalR with Anthony Chu and got excited.  I had always liked the idea of SignalR, and it worked great for .NET based web applications, but I saw…

“Caching is somebody else’s problem, until it’s not” - me (just now) OK, so that’s a dumb quote I just made up, until it’s not.  Microservices do their work, generate their HTTP, response and sent it to the browser.  Often, it isn’t until…

In mid-July it was reported that XSS protection disappears from Microsoft Edge and Find out what’s new in Windows and Office in October confirms this happened. Retired XSS Filter: We are retiring the XSS filter in Microsoft Edge beginning…

As a “ReadOnly” user, if you go to try and look at https://console.aws.amazon.com/waf/home#/ddp/onboard/info, you may get blocked with this message: Identity and Access Management (IAM) policies currently restrict your access to the console…

Welcome - AWS WAF lists separate API references for AWS WAF and AWS WAF Regional.  AWS WAF is “available for protecting Amazon CloudFront distributions” and AWSWAF Regional is “available for protecting Application Load Balancers.”  These…

A coworker and I were debugging incorrect results with our  Cloud Custodian policy.  Here is the filter that gave us 3 results when we were expecting 2: One of the extra items should have been excluded because of the SslPolicy clause, but…

One of the AWS Whitepapers is the 30-page AWS Best Practices for DDoS Resiliency (June 2018) which gives a overall summary of the topic as well as a good distinction where AWS Shield and AWS WAF fit. First, a definition and some key facts…

Practical Web Cache Poisoning had me wondering about header validation in one application I was consulting on. I decided to test against an internal endpoint that reflects back HTTP headers. I used ’s -H to lie about my and headers and…

The other week I had trouble creating an AWS Cloud9 environment, so I tried again today - and with success, because I actually met the requirements found at VPC Settings for AWS Cloud9 Development Environments and put the instance in a…

Redis Security highlights some items about selecting an AUTH token (password). It should be long enough to prevent brute force attacks for two reasons: Redis is very fast at serving queries. Many passwords per second can be tested by an…

In Redis Security Investigation, I recommended enabling both Encryption in-transit and Redis Auth.  Below is an ElastiCache Redis server I created to test against.  Note that instead of port 6379, I specified 6380 (which seems to be the…

The Securing Redis section from the Redis Quick Start stresses applying network level security (firewalls), the option (AUTH command), and SSL tunneling.  Additional details can be found by reading A few things about Redis security and…

Some people don’t like CSS because it’s not a “real” programing language like JavaScript; other people use CSS to exfiltrate data. Side-channel attacking browsers through CSS3 features | Security Research - Evonide We (co-)discovered a side…

Recently I started leading a virtual team of software engineers we called the “security guild.” Our job was to work with application teams to improve our security posture, not by writing policy documents, but by writing code and pairing…

From Content Security Policy (CSP) - HTTP | MDN Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks From…

I recently listened to Software Engineering Radio Episode 311: Armon Dadgar on Secrets Management from December 5, 2017 The show covers: what a secret is; the difference between secrets and sensitive data; what is secrets management; the…

I recently read Rotate Amazon RDS database credentials automatically with AWS Secrets Manager and learned… Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS, and can rotate credentials for…

While diving into BIG-IP iRules code researching HTTP to HTTPS Redirection, I ran across this snippet: Reaching out to one of the DevOps team to learn more, he directed me to a process document on how to block IP address in our data center…

Amazon has multiple Elastic Load Balancing products: Application Load Balancer is best suited for load balancing of HTTP and HTTPS traffic and operates at the individual request level (Layer 7). Network Load Balancer is best suited for load…

The recent efforts related to Google and Mozilla are Deprecating Existing Symantec Certificates had me revisit another HTTPS topic:  HTTP to HTTPS Redirection. Redirection is one of the items checked by Observatory by Mozilla and supported…

Some web facing AWS services that provide HTTP access, allow you to enable “Access Logs” written in a W3C extended log file format. Access Logs for Your Application Load Balancer - Elastic Load Balancing Access Logs for Your Classic Load…

Adoption of HTTP Security Headers on the Web looked at HTTP Archive data to do some analysis of the adoption of various HTTP security headers.  Here is a summary table of usage. The analysis deep dives into each header, and which values…

Chromium Blog: A secure web is here to stay put a deadline for marking HTTP as “Not Secure”: Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. What if you want that behavior today?  Below…

What defines a known open source vulnerability? is an excerpt from Securing Open Source Libraries by Guy Podjarny that contains some interesting points I would like to highlight: A “known vulnerability” seems obvious… At the most basic…

Referrer-Policy is one the security focused HTTP headers checked during Observatory by Mozilla scans.  Scott Helme talks about this in A new security header: Referrer Policy, but his comment that you can set Referrer Policy via the Content…

Today in an Architecture Strategy and Planning meeting, we were talking about a “Maintenance Mode” page that would indicate when our application was down (for planned or unplanned outages).  As fate would have it, I happened to see the…

I ran across Understanding And Using REST APIs — Smashing Magazine, which is an entry level article explaining REST APIs and uses the GitHub API v3 in its examples. By default, all requests to https://api.github.com receive the v3 version…

Note:  If you need a refresher on CloudFront, start with What Is Amazon CloudFront? After reading Lambda@Edge Now Supports Content-Based Dynamic Origin Selection, Network Calls from Viewer Events, and Advanced Response Generation (Posted On…

As a background, please review Out with HPKP, in with CAA? to re-familiarize yourself with HTTP Public Key Pinning (HPKP) and Certificate Authority Authorization (CAA). Today, I saw How to Prepare for AWS’s Move to Its Own Certificate…

In Creating and Using an AWS Virtual MFA Device with the AWS SDK for Python, some Python code was used to add a Virtual MFA Device to IAM User  as well as use that to call .  This document uses the AWS CLI to call  using the Virtual MFA…

Some scenarios, like on-premise servers that need access to AWS resources, require AWS IAM Users to be created.  These “service users” are given Access Keys, which serve as long term credentials and needed to be protected.  An additional…

The working security model for on-premise servers to access AWS resources is an IAM User which should only assume an IAM Role.  This makes the behavior similar to the Role-based permissions used by EC2 or Lambda.  This IAM User cannot log…

Enabling distributed digital business with API-first architecture (Google Cloud Next ‘17) was a good, high-level overview of API strategies, and reminds me of our internal Customer Experience Model and Customer Experience Principles goals…

I recently read The Blockchain Man (Or A Speculative Sociology of Our Blockchain Future) and still processing what it means and with what parts I agree or disagree.  Instead of trying to analyze or summarize the whole document, I will list…

At some point, I received a free copy of the Legion audiobook from Audible.  Legion is a novella, so the unabridged audio is just over 2 hours. It was released in 2012, but I finally listened to it on a recent road trip.  The main character…

Take a look at the screenshot below.  What’s the name of this policy? If you said “trust relationships policy” or “trusted entities policy” then good luck finding the API to update it, where it is called the “assume role policy” document…

I was querying CloudTrail event history for a specific user, , and it only listed two events when I knew there were more. The AWS Console had a message explaining why: Your event history contains the create, modify, and delete activities…

This post is going to enumerate some customer data encryption-at-rest options for those customers asking about specific key management choices.  Examples below will refer to AWS specific technologies. No Encryption Although this option may…

I hadn’t looked at HTTP Public Key Pinning (HPKP) in detail at until Pokemon Go vs. Certificate Pinning, and later realized how bad things could get with HPKP and RansomPKP.  Now, as I read I’m giving up on HPKP from Scott Helme (@Scott…

As a follow up to Amazon RDS and Tag-Based Permissions, this document digs into an IAM policy that restricts by tag value. Took a look at the AWS Managed (Predefined) Policies for Amazon RDS, including  (see Using Identity-Based Policies…

I’ve wanted to take a hands-on look at Amazon API Gateway and the recent 1.0 release of aws/chalice: Python Serverless Microframework for AWS pushed me over the edge. The python serverless microframework for AWS allows you to quickly create…

That “clickbait” headline is a reference to Unfrozen Caveman Lawyer and based on my favorite part of nealford.com • Knowledge Breadth versus Depth.  However, the most relevant part is the lead up to this pyramid, which illustrates “enhanced…

Update: Might be obsolete based on Datadog + OpenTracing: Embracing the open standard for APM from December 6, 2017 Do the DataDog APM tracing headers to see if they match Zipkin () or OpenTracing or AWS X-Ray () or anything else? Of course…

Update:  Bitcoin Segwit2x hard fork suspended | ZDNet First read The ultimate, 3500-word, plain English guide to blockchain all the way to the end where the author talks about a “51% Attack.” The ability of someone controlling a majority of…

Have a read through A hacker stole $31M of Ether — how it happened, and what it means for Ethereum, but make sure to get to section 3 where it compares the mantra of “move fast and break things” vs. the irrevertible code in a smart contact…

Software Security Initiative Capabilities: Getting Started mentions three common security capabilities: Penetration testing Code review Some sort of secure design review (e.g., threat modeling) Tools can help some - Dynamic Analysis (DAST…

Definitions from Magic Quadrant for Application Security Testing  Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security…

You may have read recent news about millions of Verizon customers having their data exposed (see Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data). Possibly, people are confused about what the Authenticated Users group…

Do you remember Internet mapping turned a remote farm into a digital hell | Fusion? Some summary points from the article: When MaxMind was first choosing the default point on its digital map for the center of the U.S., it decided to clean…

I’ve mentioned capitalone/cloud-custodian: Rules engine for AWS management before but hadn’t taken it for a “test drive” yet. However, instead of following the instructions, I wanted to use the Anaconda distribution of Python, so I used…

I wanted to understand Authenticated Encryption better as a follow up to my research on Encrypted Properties and AWS IAM Roles. I decide to try and learn interactively, so I saved some “sensitive” data into a file. Then using aws kms…

I was working on a pattern for application teams to secure and encrypt sensitive properties like database passwords. Below is an interaction flow where the DBA for project 204503 can encrypt a property that only the intended microservice…

The Creating and Configuring Amazon Elasticsearch Service Domains documentation shows the Elasticsearch HTTP methods could be controlled using IAM policies: Amazon ES supports the following actions for HTTP methods. You can attach a…

This post is a research summary of tasks relating to creating an IAM role via the CLI: The “trust policy” only included an explicit single member of the role: kevin.hakanson@example.com Test if it works via the CLI, and it does. Update  to…

AWS Identity-Based, Resource-Based, Resource-Level, and Tag-Based Permissions contains a link to AWS Services That Work with IAM - AWS Identity and Access Management, which has the table of services supporting tag-based permissions. Amazon…

In Overview of AWS IAM Permissions - AWS Identity and Access Management, they introduce identity-based and resource-based permissions: Permissions can be assigned in two ways: as identity-based or as resource-based. They also introduce the…

In wondering how to restrict roles to only allowed to be assumed from specific EC2 instances, I found Actions and Condition Context Keys for AWS Security Token Service - AWS Identity and Access Management, which lists the key that is used…

The following code uses the  from the to put an encrypted object into an S3 bucket. Note: When you view this object in the S3 console, it shows “Encryption” as “None” because it was client-side encryption and not server-side. Object Key…

If you aren’t scared about JavaScript libraries and security, you will be after reading Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web, which is a summary of http://www.ccs.neu.edu/home/arshad…

I was reading Techniques and Tools for Better Serverless API Logging with Amazon API Gateway and AWS Lambda when I came across a reference to the x-amzn-RequestId HTTP response header.  This appears to be a common way for Amazon services to…

When I run a CLI based SAML log in (using an internal tool), I can select from the roles available to my account (e.g., PowerUser or ReadOnly).  I think of these as user roles.  However, IAM roles can also be created and assigned to EC…

I was looking at the source code for The AWS X-Ray SDK for Node.js and saw these code snippets: Whenever I see in JavaScript for performance timings, my Spider-Sense tingles. Browsers have  for this, which always returns values that…

HTTPS - it isn’t just for breakfast authentication anymore. Yeah, I stole that from a Florida Orange Juice 1979 TV commercial. So, what are Secure Contexts anyway? Secure Contexts - Web security | MDN provides full info, but some key…

I saw this book review on Twitter today:  Production-Ready Microservices: Building Standardized Systems Across An Engineering Organization By Susan J. Fowler  And when I saw it was an O’Reilly book, I knew I was be able to access it…

In researching browser component UX timings for a project, I found some a slow requests. Here is the likely culprit: Well, not Kevin Hakanson the person, but his profile photo which is base64 encoded and included in the body of the JSON…

The other day, I was having a Slack conversation with a co-worker when he replied “true” in agreement with a statement I was making.  My first instinct was to respond “Double True!” due to the SNL Digital Short: Lazy Sunday. Full lyrics…

In Zipkin JS Investigation and Zipkin JS Investigation (Part 2), I took a simple Express (Node.js) based web application and added zipkin tracing. I updated that application with support for AWS X-Ray (Preview).   The code snippet below was…

Earlier this week, I was investigating the preview of AWS X-Ray – Distributed Tracing System and got quite a scare.  After I deployed my sample app to AWS Elastic Beanstalk, I went into the AWS X-Ray Console to look at my trace data and saw…

While attending AWS re:Invent 2016, I participated in the AWS re:Invent Alexa Skill Contest.  I didn’t win the $10,000 grand prize but was one of the finalists. See Crowning the New Amazon Alexa Champ at AWS re:Invent for a recap of the…

The other day, my daughter had me search for zigzagoon on Wolfram|Alpha: Computational Knowledge Engine.  Apparently, there is a full Pokédex loaded because it knew details like number, type, size, and generation. So, I tried this…

I recently got a new personal iPhone and realized that none of my accounts stored in Google Authenticator were restored via the iCloud backup restore process.  I thought it might be time to switch authenticator apps to something like Authy…

The other day, I ran across Why “Relationship Workers” will replace “Knowledge Workers”.  After only reading the title, my first humorous thought was this scene in Office Space. But as I read the article, I understood the core premise…

In Pokemon Go vs. Certificate Pinning I explored RFC 7469 - Public Key Pinning Extension for HTTP and the HPKP header.  This looked like something that was complicated to implement if you didn’t have a very mature key management process…

I saw this post from Facebook on their new open source compression algorithm: Smaller and faster data compression with Zstandard | Engineering Blog | Facebook Code. We’re thrilled to announce Zstandard 1.0, a new compression algorithm and…

I was investigating the types of CloudTrail events that are available for S3.  However, when I was comparing Services Supported by CloudTrail API Activity History against the s3api — AWS CLI 1.10.58 Command Reference, I noticed something…

While investigating how to secure S3 buckets using IAM Roles, I was curious how the IAM Role assigned to my EC2 instance became the credentials an AWS based application could use.  IAM Roles for EC2 are the recommended practices, but how…

Medidata.ZipkinTracerModule is a “A .NET implementation of the Zipkin Tracer client.”  I built a simple Web Api 2 service, similar to the code from the Zipkin JS Investigation.  The service recursively calls itself base on the count…

“Security” as a topic or category can be confusing without additional context. This document attempts to categorize information security topics using industry standard groupings. My internal cloud security group has created a plan which…

The continuing story from my Zipkin JS Investigation My zipkin-js issue was fixed a couple days ago when zipkin-js/packages/zipkin-transport-http landed, so I decided to revisit my test project and see how it works. I updated my to use…

Saw this Tweet from @notdan about the Pokémon Go video game and their lack of certificate pinning: At first, I thought “duh, of course, they should have” but then I realized that I need to understand Certificate and Public Key Pinning…

Building customizable systems is strategic to selling multi-tenant software. Ideally these system support a number of factors while avoiding decreasing technical health. Global growth with a scalable localization model Customer specific…

To better understand the concepts behind Zipkin, I took a look at Zipkin JS (a Zipkin instrumentation implementation for Node.js), including submitting Pull Request #10 and Issue #11 to that project. I wrote this (ugly but) simple Node.js…

Since the 2025 Customer Challenge last fall, I have been interested in the current state of speech interfaces, especially how they could be exposed to browser-based web applications.  I put some of my research into presentation format and…

In a recent meeting with the corporate security team, it was mentioned that a Web Application Firewall (WAF) might be the recommendation for cloud projects to protect against XSS and SQL Injection.  The Cloud Security Workstream has done…

I have a decent understanding of keyword search from developing research applications for professionals and building a simple RSS search engine for an Information Retrieval course in graduate school.  I’v heard of encrypted keyword search…

Good article and video interview explaining microservices and container technologies by Mark Russinovich, the CTO of Azure.  Most of the information is cloud provider neutral and explains the transition from a monolithic application model…

In a review of the technology goals, it was reinforced that products “will test DR” which triggered a flashback to Liam Neeson’s speech from the 2008 movie Taken. “I don’t know who you are. I don’t know what you want. If you are looking for…

https://www.websequencediagrams.com/ supports notation for synchronous calls, asynchronous calls, return calls and activations.  These features are useful for documenting complex interactions with some of the operations happening in the…

AWS DynamoDB (managed NoSQL database) appears to lag behind AWS RDS (managed relational database) w.r.t. some disaster recovery features: Backup/Restore Cross Region Replication Encryption at Rest Related Videos: AWS re:Invent 2014 | (SDD…

I’ve started using Visual Studio Code for my web projects because it is the right balance between IDE features and lightweight text editor, multi-platform, and open source. One interesting feature of Code is the lightweight program menu…

Ran across this series of posts on DevOps: DevOps and the Myth of Efficiency, Part I | Java Code Geeks DevOps and the Myth of Efficiency, Part II | Java Code Geeks They draw a distinction between “complicated” and “complex” and make…

I read Next Generation Session Management with Spring Session wondering if there was overlap.  However, it looks more like a cloud native drop-in for your existing Java session aware code with easier ways to hook into “non web requests…

Chrome Dev Summit 2015 Notes is a summary by Daniel O’Connor of the presentations from the Chrome Dev Summit 2015, along with links to the videos.  The term “RAIL” appeared in many of the session titles and is defined below: RAIL: Response…

For my company’s 2025 Customer Challenge, my finalist pitch included a live demo.  Teams were allowed 3 minutes of pitch time, and I allocated about 30 seconds for this demo.  Things didn’t go exactly as planned, but they did work out in…

During the introductions of an internal Search Experience Community meeting, a product was mentioned that uses the Google Search Appliance (GSA) and was looking to move off of that platform onto Elastic. Some of our products also use a GSA…

September 18 was the close of my company’s 2025 Customer Challenge, and I got my idea submitted right before the deadline:  Algorithmic Business Development Utilizing Intelligent Agents The premise of the innovation challenge was about…

Microsoft Azure Search became generally available in March.  To learn more, I watched some of the videos, including: Azure Search 101 - Getting started with Azure Search with Liam Cavanagh Azure Search 102 - Searching and Mapping Spatial…

During a product design session, we had a discussion on Global Search covering “what search is” and “what search should be.” I used the following example of question answering as where I see “global search” heading: I can search Google for…

When searching for a definitive reference for SaaS customization, I found this CommitStrip Just an exception they said… comic: On a more serious note, I did find a SaaS Maturity Model from Microsoft (circa 2006) with four levels. Ad Hoc…

WebStorm 10 now has updated TypeScript support including a built-in TypeScript 1.4 compiler with TypeScript 1.5 support already in the WebStorm 10.0.2 EAP.  To test this out, I opened a simple, sample project where I was playing with…

On a call we “discussed” if IP address could be considered a second factor, including the spoof-ability of IPs. Some excerpts from a Security Stack Exchange question: network - Can IP address be a component of 2-factor authentication…

I have my eye on two new client-side, data-access technologies that will be open sourced “soon”.  They are both trying to solve redundancy and coupling concerns between client-side code/data models and server-side code/HTTP endpoints.  How…

You may (or may not) have seen: Kevin Hakanson on Twitter: “@richcampbell @jhusain great show; I especially liked the comment selected (thanks for the mug) On 21 January 2015, I was listing to Todd Gardner (@toddhgardner) on .NET Rocks…

Open your JavaScript console and try this: You may ask yourself Is floating point math broken?.  The answer is that JavaScript uses floating point math based on the IEEE 754 standard, the same as Java’s . If you want the details on what…

My company’s “Application Security Testing Standard” requires assessing application code with Static Code Analysis or Dynamic Analysis.  The tools currently used for this are from Veracode Static Application Security Testing (SAST), or…

If you didn’t hear about the open sourcing of .NET announced at Microsoft’s Connect(); event, read Microsoft takes .NET open source and cross-platform, adds new development capabilities with Visual Studio 2015, .NET 2015 and Visual Studio…

Logging is an important component of monitoring an application. AngularJS provides $log which is documented as: Simple service for logging. Default implementation safely writes the message into the browser’s console (if present). The main…

For a project I am consulting on, we were looking at globalization topics in the browser, including support for Hindi.  I have mostly worked with Latin based character sets in my internationalization efforts, so I wanted to dig into the…

I often present at developer-focused conferences and user groups on JavaScript and web platform topics.  One presentation I give is on JavaScript Internationalization (initially at the 2013 internal Technology Unconference and most recently…

Our 2008 era Cobalt.js JavaScript code looks a bit substandard compared to what we would write today: We used a common Cobalt object off the global namespace, convention based private variables/functions prefixed by , and (gasp) synchronous…

I am taking an online Leadership & Influence for Architects training series with about 20 architects across the company.  The facilitator requested full attention and to avoid the temptation to multi-task.  Of course, I complied, but I…

During the last Front-End group call, we were discussing JavaScript combination/minification when the topic of using a Content Delivery Network (CDN) came up.  This is a well-known performance “best practice” on the internet, but I…

I was reading through my latest Dr. Dobbs Update email, and saw an interesting article on Firefox Release Engineering. The article talks about their release mindset, including the importance of release automation and a “Release Coordinator…

If you know me, you won’t be surprised that I love to talk. What you may not know, is that I hate to type. Between my poor spelling and my constant typos, I think the key accounts for about 50% of my keystrokes. In fact, typing class was…

Last week I was a speaker at cf.Objective() 2014: The World’s Only Enterprise ColdFusion Conference, giving my Developer’s Guide to JavaScript and Web Cryptography presentation.  It took place May 13-16, 2014 at the Radisson Blu - Mall of…

Saw a link to JSON-LD is an official Web Standard on Twitter - took me a bit to realize LD was Linked Data.  I could see this being useful in our REST APIs that return JSON. JSON-LD has reached the status of being an official…

An internal project was using the name “link resolver” so I was looking for string matches and found one in the Wikipedia OpenURL description: OpenURL is a standardized format of Uniform Resource Locator (URL) intended to enable Internet…

A couple of recent postings on the IEBlog were IE11 for Windows 7 Globally Available for Consumers and Businesses and IE11 Automatic Update Blocker Toolkit Available for Windows 7.  If you have a browser testing VM that you want to stay at…

Since Chrome Frame was pushed out to employees to support Workday, we have been seeing some odd browser issues with a few of our applications.  This has led us to “disable” Chrome Frame support by setting the maximum IE version used to IE…

I recently downloaded and installed Windows 8.1 Preview to take a look at IE 11 Preview and check out the new “web standards” based features.  One of these standards supported is Ecma-402 or the ECMAScript Internationalization API…

The Software Engineering Institute (SEI) Architecture Technology User Network (SATURN) Conference took place at the Marriott City Center in Minneapolis, Minnesota from April 29 to May 3, 2013.  I attended the keynotes and sessions on May…

As newer products are dealing more with uploaded user content than just searching and displaying company content, I was curious about how fast their internet connections are.  I know my online backup trickles compared to my download speeds…

Traditionally, reuse at the browser layer for a new product has been thought as “we want it just like product X, but” replace some images, logos, and icons change the color palette, some text sizes, and fonts use CSS to hide unwanted items…

In the process of converting some JavaScript code which creates an object from a JSON string from using (the evil) eval to using JSON.parse (which is native in IE8 and Firefox 3.5), a strange bug was encountered.  Take the following…

Recently I have run across several items where the solution to the problem was a proper understanding of encoding and escaping.  One issue was with the YUICompressor having problems with some of our JavaScript files.  The core issue was…

Back in May 2009, I created my first jQuery ticket: Use native JSON.parse if available inside ajax.httpData In jQuery.ajax.httpData, would you consider using the native JSON support (​http://www.json.org/js.html) if available? Below is some…

If you have everything set up, you can use Visual Studio to debug JavaScript errors when you hit them in IE7 (IE8 will have debugging built into the developer tools).  You just click “Yes” when the dialog appears.  However, I have don’t…

Last week, I attended the Ajax Experience 2008 in Boston.  There were a lot of interesting sessions, and I talked with many of the speakers.  Here is a recap of some of the more exciting things I learned. I spent Monday morning at the Dojo…