Types of Test Data You Should Use for Your Software Tests

Testing is an integral and vital part of creating software. In fact, test code is as important as your production code. When you create test code, you need to generate test data for your code to work against. This post is about the different types of test data that are used in software testing. I’ll elaborate on each type and explain what test types are used in which scenarios. Types of Test Data Valid Data As the name implies, this is the data that your program expects and should operate on. You …

Spring Broken Object Level Authorization Guide: Examples and Prevention

If a malicious user gains access to functionality that only system administrators should have access to, there can be dire consequences. This post is about a specific type of vulnerability called broken object level authorization, or BOLA. This happens when an attacker gains access to API methods that should be restricted. In addition to talking about what this is, I’ll discuss ways to mitigate this attack in general, and specifically in Java Spring Boot. Broken Object Level Authorization Defined Back-end APIs are basically a set of functions that return answers to requests. …

Spring Broken Authentication Guide: Examples and Prevention

Broken authentication vulnerability was recognized as one of the OWASP’s top 10 vulnerabilities. Broken authentication vulnerability essentially is when an attacker gains unsolicited access to restricted data and/or functionality. It can lead to identify theft, data leakage and, in worst-case scenarios, give total control of the compromised system to the attacker. This post will cover broken authentication vulnerability in general and in Java Spring in particular. What Is Broken Authentication Vulnerability? Broken authentication means an attacker can gain access to restricted data by pretending to be a different user. The attacker provides …

Cordova vs. React Native: A Detailed Analysis

Mobile apps have exploded in popularity over recent years. The introduction of the iPhone 3G in 2008 spawned a new industry overnight. App development is now an industry that generates more than $34 billion in revenue. To reach all potential users, developers need to develop applications for (at least) the two leading platforms: Android and iOS. Since the development for the platforms is time-consuming and requires different expertise (Swift/iOS vs. Java/Kotlin), cross-platform solutions were introduced over the years. Among them, Unity, Ionic, Cordova, and React Native. Those solutions ideally allow you to …

How to Conduct a Developer Performance Review

Performance reviews are a common and well-established practice in almost all companies, from startups to large enterprises. In this post, I’ll give my take on how to conduct an effective performance review for developers. I’ll provide general guidelines that apply to any profession. In addition, I’ll provide some tips that apply specifically to conducting performance reviews with developers. What Performance Reviews Do Regardless of the type of company you work for, performance reviews accomplish the following: The employee can give feedback about their general well-being and attitude toward their particular position and …

Spring XML External Entities (XXE) Guide: Examples and Prevention

XML is a markup language that we use to define and categorize data. Data stored in XML format can move between multiple servers or between a client and a server. Once a server receives an XML input, it parses it via an XML parser. XML external entities are basically references in the XML document to files or URLs outside of the XML document. Essentially, it’s an XML standard feature that enables accessing and/or loading external resources. However, this feature can be dangerous, as it can allow malicious actors to retrieve unauthorized sensitive …

RDS Instance Types Explained & How to Choose and Size Yours

Introduction Cloud computing provides us with the ability to deploy infrastructure as code. Not so long ago, to deploy a new database server you had to buy physical hardware: a hard disk, CPU, RAM, power supply, etc. Afterward, you had to install the database server, make it run once the machine starts, provision replicas, set up a backup policy and allocate space for it, handle errors, and routinely update it with security patches and new versions. Wow, it took a while even to write what’s required if you manage databases yourself. Just …

Spring CSRF Protection Guide: Examples and How to Enable

A Cross-Site Request Forgery (CSRF) is one a common malicious attacks because it requires little technical expertise. The combination of the ease of execution, low barriers for executing it, and the prevalence of targets requires active measures against it. Let’s start with a few definitions. Cross-Site Request Forgery As explained in OWASP, a CSRF, also known as a one-click attack or session riding, is a popular attack vector on a website or SaaS application. It’s a type of malicious exploitation of a website where unauthorized commands are submitted from a user that the web …

Spring CORS Guide: What it Is And How To Enable It

Introduction A cross-domain call is an HTTP request done via the browser from domain A to domain B via AJAX. An “origin” in the context of a cross-domain call is the combination of the request’s protocol, port, and domain. Originally proposed in the early 2000s, it’s now a standard across all modern browsers. In this post, I’ll explain what CORS is, why it’s important, and how to properly work with it in Spring. Why Use CORS? Before CORS Let’s start by describing the situation before CORS was implemented. Before CORS, a request …

Spring SQL Injection Guide: Examples and Prevention

Introduction As hackers find increasingly creative ways to attack applications, organizations must try to stay one step ahead in protecting themselves, even from the most common types of attacks and across a variety of frameworks. Let’s start this post with a few definitions. SQL Injection SQL injection is a common way that hackers and users with malicious intentions attempt to hack applications. In an SQL injection, they “inject” values into a database query in order to gain visibility into the database’s structure and eventually gain access to personal data stored in the …