Welcome to a curated list of handpicked free online resources related to IT, cloud, Big Data, programming languages and DevOps: fresh news and a community-maintained list of links, updated daily.

Build and secure FastAPI server with Auth0

Tags apis app-development infosec javascript python

Learn the basics of FastAPI, how to quickly set up a server and secure endpoints with Auth0. By Mark Halpin.

FastAPI is a relatively new Python framework that enables you to create applications very quickly. This framework allows you to read API request data seamlessly with built-in modules and is a lightweight alternative to Flask.

The article then deals with:

  • Get started with FastAPI
  • Create a private endpoint
  • Set up an Auth0 API
  • Add JSON Web Token (JWT) validation
  • Validate an Auth0 access token

You will learn the basics of FastAPI by implementing two endpoints - one public, one private. You will see how simple it is to make requests to both of these endpoints. You will also create a verification class, see how PyJWT helps you validate an Auth0 access token, and learn what JWKS is. Nice one.

Hosting SQLite databases on Github Pages

Tags database app-development mysql javascript

I was writing a tiny website to display statistics of how much sponsored content a Youtube creator has over time when I noticed that I often write a small tool as a website that queries some data from a database and then displays it in a graph, a table, or similar. But if you want to use a database, you either need to write a backend (which you then need to host and maintain forever) or download the whole dataset into the browser (which is not so great when the dataset is more than 10MB). By phiresky’s blog.

So how do you use a database on a static file hoster? Firstly, SQLite (written in C) is compiled to WebAssembly. SQLite can be compiled with emscripten without any modifications, and the sql.js library is a thin JS wrapper around the wasm code.

In the past when I’ve used a backend server for these small side projects at some point some external API goes down or a key expires or I forget about the backend and stop paying for whatever VPS it was on. Then when I revisit it years later, I’m annoyed that it’s gone and curse myself for relying on an external service - or on myself caring over a longer period of time.

Hosting a static website is much easier than a “real” server - there are many free and reliable options (like GitHub, GitLab Pages, Netlify, etc.), and it scales to basically infinity without any effort. So I wrote a tool to be able to use a real SQL database in a statically hosted website!

sql.js only allows you to create and read from databases that are fully in memory though - so I implemented a virtual file system that fetches chunks of the database with HTTP Range requests when SQLite tries to read from the filesystem: sql.js-httpvfs. From SQLite’s perspective, it just looks like it’s living on a normal computer with an empty filesystem except for a file called /wdi.sqlite3 that it can read from. Of course it can’t write to this file, but a read-only database is still very useful.

Here’s a demo using the World Development Indicators dataset - a dataset with 6 tables and over 8 million rows (670 MiByte total). Good read!

Cybersecurity meets automotive business

Tags miscellaneous infosec robotics

The automotive industry is well known for its security standards regarding the road safety of vehicles. All processes regarding vehicle development – from drawing board to sales – were standardized and refined over the years. Both internal tests, as well as globally renowned companies like NHTSA or EuroNCAP, are working hard on making the vehicle safe in all road conditions – for both passengers and other participants of road traffic. By Adam Kozłowski and Marcin Wiśniewski.

Safety engineering is currently an important part of automotive engineering and safety standards, for example, ISO 26262 and IEC 61508. Techniques regarding safety assessment, like FTA (Fault Tree Analysis), or FMEA (Failure Mode and Effects Analysis) are also standardized and integrated into the vehicle development lifecycle.

But security is not limited to crash tests and driver safety. In parallel to the new ADAS systems, the connected car concept, remote access, and in general, vehicle connectivity moved forward. Secure access to the car does not only mean car keys but also network access and defense against cybersecurity threats.

And the threat is real. 6 years ago, in 2015, two security researchers hacked a Jeep Cherokee driving 70mph on a highway by effectively disabling its brakes, changing the climate control and the infotainment screen display. The zero-day exploit allowing that is now fixed, but the situation immediately caught the public eye and changed the OEMs’ mindset from “minor, unrealistic possibility” to “very important topic”.

All of these resulted in the definition of the new standard called ISO 21434 Road vehicles — cybersecurity engineering. The work started last year, but currently, it’s at the “Approval” phase, so we can quickly go through the most important topics it tackles.

The document also lists the best practices regarding cybersecurity design:

  • Principle of least privilege
  • Authentication and authorization
  • Audit
  • E2E security
  • Architectural Trust Levels
  • Segregation of interfaces
  • Protection of Maintainability during service
  • Testability during development (test interface) and operations
  • Security by default

The requirements do not end on the architectural and design level. They can go as low as the hardware (identification of security-related elements, documentation, and verification for being safe, as they are potential entry points for hackers), and source code, where specific principles are also listed. Nice one!

Comparing the best web servers: Caddy, Apache, and Nginx

Tags servers devops microservices app-development apache nginx

A web server is a piece of software that accepts a network request from a user agent, typically a web browser, and returns either the appropriate response for the request or an error message. Two dominant solutions for HTTP servers today are Apache and Nginx. However, a new player in the space, Caddy Web Server, is gaining traction for its ease of use. By Ayooluwa Isaiah.

Nginx is currently being utilized on over 40 percent of the top 10,000 websites. When you consider that Cloudflare Server also utilizes Nginx under the hood for content delivery, the figure is even higher. Caddy is an open source web server platform designed to be simple, easy to use, and secure. Written in Go with zero dependencies, Caddy is easy to download and runs on almost every platform that Go compiles on. In terms of performance, Caddy has been shown to be competitive with Apache but behind Nginx both in terms of requests handled per second and stability under load.

The article then compares configuration and performance of Apache, Nginx and Caddy.

If your primary concern is performance, or you plan to serve a large amount of static content, Nginx is likely your best option. While Caddy is easy to configure and performant for most use cases, if you need flexibility and customization, Apache is your best bet. Easy read!

Using the Saga pattern in Microservice transactions

Tags devops software-architecture microservices app-development

Using the microservices architecture has many benefits. It has become the norm for many large-scale applications. However, microservices also come with several challenges. One such challenge is handling transactions that span multiple services. By Chameera Dulanga.

Therefore, we need a centralized communication and coordination mechanism to ensure all the transactions are completed successfully, and that’s where the Saga pattern comes in.

So, in this article, the author discusses how we can overcome this by using the Saga pattern:

  • Why we need the Saga pattern
  • Introduction to Saga Pattern
  • What is Saga Execution Controller?
  • Implementing Saga Pattern
    • Orchestration-based Saga
    • Choreography-based Saga
  • Build with independent components, for speed and scale

In this article, the author discussed what the Saga pattern is and the different approaches to implementing it. The Saga pattern’s main advantage is that it maintains data consistency when transactions span across microservices. Good read!

How to cancel an HTTP request in Node.js

Tags devops nodejs javascript web-development open-source app-development

If you’re making an HTTP request in Node.js there’s a good chance you’ll want to cancel it if it takes too long to receive a response. Or perhaps you have a slightly more complex situation where you’re making multiple requests in parallel, and if one request fails you want to cancel all of them. By Simon Plenderleith.

Fortunately there’s a JavaScript API which gives us a standard way to cancel asynchronous tasks such as an in-flight HTTP request: the Abort API.

// Create a controller; its signal is what you hand to the cancellable operation.
const controller = new AbortController();
const signal = controller.signal;

// Listen for the "abort" event once; any operation holding this signal
// can observe the same event and stop its work.
signal.addEventListener("abort", () => {
  console.log("The abort signal was triggered");
}, { once: true });

// Aborting sets signal.aborted to true and fires the "abort" event.
controller.abort();

The article then describes:

  • The Abort API
  • Cancelling an HTTP request with an AbortSignal
  • Support for cancelling HTTP requests
  • Libraries
  • Node.js core API methods

An interesting note from the author: I’m pretty sure we’re going to see a lot more of the Abort API as other libraries, as well as methods in Node.js core, add support for it. Good read!

What's wrong with business cases

Tags cio learning management miscellaneous

Older but still valid article by Jason Kitcat. Business cases are not a good way to make decisions. They give us false certainty and almost invariably mislead some or all of an organisation’s leadership.

Business cases are lies. Not wilful lies usually, but they end up with the same results: misleading, misinforming and hiding reality.

The ability to observe, orient, decide and act continuously is not the norm when business cases live among us. Let’s unpack our example:

  • The Requirements – The idea that we can capture all our requirements and then share them with suppliers to get answers is fantastical, and wrong.
  • The Cost – Software should not be a capital expenditure. It is a continuously changing, living thing that needs constant care and maintenance.
  • The Time – Building a bridge or a school? Then a fixed timeline (with padding for slippage) makes sense. Trying to change complex systems issues like integrating health and social care? Then a fixed time business case is the wrong tool for the job.

And the author notes: I understand that the ‘certainty’ and ‘process’ surrounding business cases can be comforting for colleagues. But we’re fooling ourselves; we need to be courageous and hold the uncertainty as we explore the problems we face in open, collaborative ways. How interesting!

Influencing ingress BGP routing using communities and local preference

Tags infosec servers linux devops cio

Border Gateway Protocol (BGP) is an enormous protocol with a nearly endless list of features, knobs and capabilities. BGP’s mechanism for choosing the best path is complex but also well known. You should brush up on that algorithm if you’re out of practice. By Nicholas Russo.

The article covers the following topics:

  • Use the Multi Exit Discriminator (MED)
  • Use AS-path prepending
  • Use longest-match routing
  • Reference configurations

This blog explores a lesser-known but powerful traffic engineering technique using BGP communities and the local-preference value. You should have basic familiarity with BGP and IP routing in general to realize the most value from this blog. Good read!

SSH tunneling explained

Tags infosec servers open-source linux app-development

In this post the author covers the different tunneling features supported by OpenSSH, which help achieve security use cases such as accessing a remote web service without exposing a port on the internet, reaching a server behind NAT, and exposing a local port to the internet. OpenSSH is the most widely used open-source SSH server. It comes pre-installed by default with the vast majority of Linux distributions. By Sakshyam Shah.

If you are looking for a modern open-source alternative to OpenSSH that is optimized for elastic multi-cloud environments and supports other access protocols in addition to SSH, make sure to check out Teleport.

The article then covers:

  • What is SSH tunnelling?
  • Local port forwarding
  • Dynamic port forwarding
  • SSH TUN/TAP tunneling
  • Bonus - SSH tunnel over TOR
  • Security concerns of SSH tunnelling

[Figure: SSH remote port forwarding. Source: https://goteleport.com/blog/ssh-tunneling-explained/]

Although the default behavior of an SSH server is to return a remote server’s shell over an encrypted channel, SSH supports sending and receiving binary data over SSH. Transporting arbitrary data streams over SSH sessions is also known as SSH tunneling. Very good!

The state of security operations: How SOCs changed in 2021

Tags cio learning infosec miscellaneous

Security operations has seen non-stop evolution and growth for many years, but the past 18 months have been particularly impactful on security operations teams. In addition to the drastic transformation brought on by the COVID-19 pandemic, there have also been some significant breaches that have shifted perspectives and highlighted some key areas of concern. By pwheiler.

The report is based on the experiences of 520 security operations executives, managers and decision makers, hailing from seven different countries across North America, Europe, Asia, and Australia.

The report identifies the major SOC challenges:

  • Monitoring security across a growing attack surface
  • Expanding workloads to cloud/hybrid environments
  • Pre-emptively detecting threats to reduce exposure

In addition to these challenges, the report found that 97% of organizations are reporting a need for additional skilled staff on their security operations teams, suggesting that the long-standing talent war in security operations has continued.

Overall, the current state of SecOps globally suggests a need for greater cyber resilience in the face of expanding attack surfaces, significant workforce transformation, ever-evolving threats and other drastic changes. Organizations should invest the necessary resources to identify gaps in their cybersecurity posture and evaluate their overall cyber resilience. Interesting read!
