Hacker News: punkcoder's comments

Test-Driven Development (TDD) is a development methodology that prioritizes writing tests for code before the code itself, followed by writing the code to pass those tests. This approach not only ensures the functionality of the code but also presents an opportunity to address security concerns, particularly validation bugs, early in the development process.
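A worked illustration of the point above, added here as example code that is not from the original page or from any project it describes: the tests are written first to pin down a validation contract (a username format and a safe post-login redirect path, both constructed for this example), and the two functions exist only to make those tests pass. The rejected inputs cover the kinds of validation bugs the paragraph refers to (injection characters, NUL bytes, scheme-relative redirect targets, CR/LF in a header value), so the security requirement is captured in the test suite before any implementation exists.

```python
import re
import unittest

# Test-first validation example (constructed; not code from the original page).
# The test classes below were written before validate_username() and
# is_safe_redirect(); the implementations exist only to make them pass.

# Assumed contract: 3-32 chars, lowercase letters/digits/underscore, starting with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Return the normalized username, or raise ValueError for anything outside the contract."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if "\x00" in value:
        raise ValueError("username must not contain NUL")
    normalized = value.strip().lower()
    if not USERNAME_RE.fullmatch(normalized):
        raise ValueError("username must be 3-32 chars of [a-z0-9_], starting with a letter")
    return normalized


def is_safe_redirect(path):
    """Accept only a site-relative path as a post-login redirect target."""
    if not isinstance(path, str) or not path.startswith("/"):
        return False
    # "//host" and "/\host" are interpreted as scheme-relative URLs by browsers.
    if path.startswith("//") or path.startswith("/\\"):
        return False
    # CR, LF or NUL inside a Location header value would split or truncate the header.
    if any(c in path for c in "\r\n\x00"):
        return False
    return True


class UsernameTests(unittest.TestCase):
    def test_accepts_and_normalizes_valid_name(self):
        self.assertEqual(validate_username("  Alice_01 "), "alice_01")

    def test_rejects_too_short_and_too_long(self):
        with self.assertRaises(ValueError):
            validate_username("ab")
        with self.assertRaises(ValueError):
            validate_username("a" * 33)

    def test_rejects_injection_characters(self):
        for bad in ("alice;--", "../etc", "alice\x00", "<b>x</b>", "al ice"):
            with self.subTest(bad=bad), self.assertRaises(ValueError):
                validate_username(bad)

    def test_rejects_non_string(self):
        with self.assertRaises(ValueError):
            validate_username(None)


class RedirectTests(unittest.TestCase):
    def test_accepts_relative_path(self):
        self.assertTrue(is_safe_redirect("/account/settings?tab=1"))

    def test_rejects_open_redirect_forms(self):
        for bad in ("https://example.org/", "//example.org/", "/\\example.org", "example.org"):
            with self.subTest(bad=bad):
                self.assertFalse(is_safe_redirect(bad))

    def test_rejects_header_injection(self):
        self.assertFalse(is_safe_redirect("/ok\r\nSet-Cookie: x=1"))


if __name__ == "__main__":
    unittest.main()
```

Running the file executes the suite; in a TDD workflow every test above fails first (the functions do not yet exist), and the implementation is grown until they pass, which keeps each rejection rule documented by a test that will catch a later regression.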


In the last blog we talked about what everyone assumed was the most boring topic that you could talk about: keeping your dependencies up to date. But I think I've got it topped this time. This time we are going to be talking about that number one thing that all developers love spending their time working on... Logging.


The differences between application security and developer security are simple enough in principle, but go significantly further as soon as you get past the surface. Many people in the cyber security community seem to place a great emphasis on the effectiveness of application security but, in many cases, will completely negate the secondary portion of this, which is securing the individual who is responsible for introducing security bugs to the software. I'm not saying that to be harsh; mistakes are a simple part of life, and without the proper tooling and education it is very easy to continue to produce mistakes, especially when greeted with constricted timelines and a consistent budget crunch.


If you are allowing MFA from SMS you should probably not do that.


"The Protecting Internet Freedom Act would also ensure that the United States maintains sole ownership of the .gov and .mil top-level domains, which are vital to national security."

I almost did a spit take...


I agree with this. I like being able to know that a site is trustworthy based on it having a .gov domain name.


I mean... do you really want to have to guess whether congress.gov is run by the government, or some random country which decided to sell off .gov TLDs for extra cash?

Or, potentially more deceptively to consumers, "healthcare.gov", etc.


Is it really so bad to do what everyone not in the US does and add an extra 3 characters? .gov.us; SOLVED


I agree this is a problem worth solving. But shouldn't it be solved for every country, not just the US?

As a non-US citizen, I find it strange that matters of global internet governance are discussed with apparently mostly arguments about US-specific issues.


As a US citizen, I find it strange as well. But our Republican Party seems to believe we're special and should be treated differently. We aren't and we shouldn't be.


The other option is not giving it over to some random country. As I understand it, the other option would be giving the assignment of top-level domains to the ITU or some similar agency within the UN, which would then delegate .gov and .mil and other things to the US.


The same people who would have problems with "some random country" would have even more problems with the UN.

I'm generally less critical of the UN, but I would agree that the UN is pretty much the last body that should be invested with any sort of power.


Agree, I have no problem with this. By not limiting these to government uses and ownership, you are only opening the door for malicious websites to fool users...


I had to prove I was a student multiple times by sending / receiving mail at .edu address. It's not unreasonable for people to assume that if you control a .gov domain you're a legitimate US government agency. I think Internet control should become less US-centric, but I agree with them there'll need to be some effort to deal with the .gov TLD issue.


Yes, and think how unfair it is to students at universities in other countries that they don't get .edu addresses. Why should the US have this monopoly?


My university has offered courtesy mail forwarding to alumni since ~2000 (probably a good bit earlier).


Yeah, it's written as if, should this law not pass, China will have full access to the NSA.


Yeah I don't understand the reasoning behind this at all.


My guess, this prevents DNS poisoning attacks.

Somewhere, somehow, there is critical infrastructure tied to a .gov or .mil [email/web] address.


George Carlin would be proud...


I think he'd be disappointed. Here is his extended list of dirty words: https://www.youtube.com/watch?v=TSlbEq0roEM#t=35s or https://www.youtube.com/watch?v=N0ee4wqZvf8 (try the closed captions button!)

I'm especially fond of bearded clam, and I've actually used 'gleet' in a poem.


#2 is there in some forms, but #5 is surprisingly absent!


So are they attempting to say that the work done by students as a form of homework is actually the property of the university?


No, often when assignments are given out you'll also give students large chunks of code or libraries to modify or work with.

The DMCA says that is what the infringement is.


Would a diff/patch be DMCA-proof then? Or would it fall under derivative works?


I'm guessing it is more likely that these repositories were searched for by staff/professors than fully specific code was searched for.

I don't think you can claim that changing code absolves you of copyright issues, it might make it harder to find though.


APIs shouldn't be copyrightable as they're necessary for interfacing. The solution to a homework problem shouldn't be a derivative work of the problem, and so it should be possible to distribute the solution in a way that doesn't infringe on the university's copyright.


When I call the water company, I don't talk to some guy in India who has never heard of my state, let alone my city. When the power and water go out, the service isn't great but compared to my internet provider it would be a huge improvement. YMMV.


I don't think net neutrality will dictate that support staff be located in America.


The statement was more in the direction that when it's a utility, local people / the municipality are responsible for the maintenance of that system; local people means that there is a far greater chance of getting local, mostly because there is someone local with _responsibility_ for keeping it working.


I worked at a utility, the phone company (GTE), in the mid-90s. Our call centers, while domestic, were certainly not local.

Customers in Muskegon, MI were always shocked that we didn't know what local street they were talking about. How could we? We were in Pennsylvania.

I don't think anyone has run a truly local call support center, for anything, in decades.


No, but part of the idea is that you will get small local providers again (like you did fifteen to twenty years ago), and five-man companies don't usually outsource tech support to India.


That ship has sailed. There'd be no margin in the business. That's why you don't have little water utility startups popping up everywhere.


I always use Project Euler for learning a language; once you pass that stage I usually go for pet projects.

