Category: Tech Education

I finished several online courses last week on the subject of computer application security and how to properly handle sensitive cardholder data.   Very interesting!

The courses were offered through Security Innovation, a company that specializes in cybersecurity standards, education, and assessment.

PCI DSS stands for Payment Card Industry Data Security Standard. These are some common security standards put together by the PCI Security Standards Council, which was formed in 2004 by the large credit card companies: Visa, MasterCard, American Express, Discover, and JCB.

I completed the following courses, offered together in a PCI Developer bundle:

COD 222 – PCI DSS v3.2 Best Practices for Developers
DES 221 – OWASP Top 10 – Threats and Mitigations
ENG 301 – How to Create an Application Security Threat Model
ENG 312 – How to Perform a Security Code Review

Some basic take-aways:

• build security into an application from the requirements / architecture stage: the very beginning!
• create a detailed security threat model to identify all security threats and then define appropriate mitigations
• when transmitting data over an untrusted network, always encrypt data with strong cryptography
• do not store cardholder data unless absolutely necessary!
• validate / sanitize all user input!

Infrastructure as Code – use a single code template to create, update, or delete multiple cloud resources.  CloudFormation and Terraform are two valuable tools for achieving this on AWS.

CloudFormation – covers all parts of AWS

Terraform – covers main parts of AWS and other (non-AWS) services as well

A good comparison of the two services is here on Cloudonaut.io.

React.js is a JavaScript library created and maintained by Facebook for building user interfaces.  React maintains a virtual “DOM” in memory and makes updates to the real DOM only as needed.

React Native applies the same principles to cross-platform UI development for iOS and Android.

React.js components are typically written in JSX, a JavaScript extension syntax that allows inlining HTML with code, among other features.  JSX is optional and not required to use React.

Thoughts?  I really like how UI elements and state are componentized and non-global.  I don’t like how there are now two DOMs – the real one and the React-managed one.

The React tutorial is a Tic Tac Toe game; here’s my completed version.

In newer versions of JavaScript (ECMAScript 5 +) we have the wonderful Array.map() method, and in even newer versions (ECMAScript 6+ aka ECMAScript 2015) we have the new arrow function expressions.

This allows for concise and powerful code like the following:

// an Array of integers
var array1 = [1, 4, 9, 16];

// create a new Array from the original Array using a function
const map1 = array1.map(x => x * 2);

// display; expected output: Array [2, 8, 18, 32]
console.log(map1);

Node.js brings JavaScript to the server side, and is designed with an event-driven architecture capable of asynchronous I/O.

It’s easy to get started: download Node.js and install it so that it runs from your command line.

Today I will look at the NoSQL concept and specifically Amazon’s DynamoDB.

NoSQL stands for “No SQL”, which means you don’t use SQL (Structured Query Language) to manage the database.  Data is not arranged into relational tables (with relational indices that point to other tables), but is arranged in a variety of data models, including document, graph, key-value, and columnar.

NoSQL was born because of the need for scalability and performance.  In the early 2000s it was discovered that relational databases do not scale well at a reasonable cost.