Weekly developer news – January 12th 2018

So, welcome to the 15th edition of developer news. And yes, I know it’s actually the 13th of January, so I’m a day late, but yesterday was a busy day, with lots of client work and battling with AWS!

1 : CPU Fixes & Anti Virus Vendors

The aftermath of the Meltdown and Spectre CPU security issues continues, and this first post is about how Microsoft's security fixes require anti-virus vendors to certify compatibility.

This is due to how anti-virus vendors intercept system calls and make assumptions about memory locations.

As security issues seem ever more present, this is a good reminder to look at the security of your systems. I know that many production systems I work on are not up to date with all relevant security patches.

More details on this are here.

2 : Harvesting Credit Card Numbers From Web Sites

This second item is a fictional piece showing how a developer could, if they chose, inject code into npm packages that would allow them to perform malicious actions on any site those packages are used on, including potentially stealing credit card details.

It’s a great write up that should remind us to be careful what third party packages we choose to use in our code. npm does make it very very easy to publish and use packages, and in the JS world, it’s something we all do.

But maybe before selecting a package that looks like it solves our needs, we should at least inspect the code so we can be sure it is safe to use. One other thing that many developers also forget to check is the licence of any packages we make use of.

3 : npm operational incident

Keeping with the npm and security theme, the third link for this week is a report by npm on a brief operational incident they encountered which resulted in a small number of packages being unavailable for three hours.

The cause of this is related to their own automated systems that attempt to perform static security analysis on every published package, to prevent malicious code from being published.

It’s great to see that this is something they perform, and I always find it interesting to look at write-ups of issues like this to see if there are any lessons to be learned that I can apply to the projects I am working on.

4 : AMP Letter

Finally for this week, I want to point out the AMP letter site if you haven’t seen it. It’s a ‘letter’ by a community of developers raising concerns about Google’s AMP (Accelerated Mobile Pages). It raises concerns, not about the AMP spec itself, but about Google’s implementation, which puts Google in a very strong position of being in control of your content.

As well as the short letter itself, which highlights some very valid concerns, it’s worth checking out the resulting discussions on Hacker News and Reddit.

So, that’s it for this week.

If you have any articles, announcements, tutorials, or anything else you think should be included next week, then just drop me an email.