I got hired on as a junior developer at a company that does some e-commerce work. They are sending me to different training courses for Linux Fundamentals, Linux System Administration, and then to a Magento Bootcamp. With that being said, I am hoping to be proactive about my training and soak in as much as I can.
I was looking at Lynda, Pluralsight, TheOdinProject as well as many other sites and there isn't really an online learning path that suits the LAMP stack. Does anyone have recommendations? Maybe I should be looking at individual courses rather than the stack itself? If that is the case, which courses?
LAMP is Linux, Apache, MySQL and PHP. To learn this stack you should look for individual courses. Although they all go hand-in-hand, you will need to focus on them individually until you're working in an environment which uses the full stack (i.e. Magento).
I suggest learning these things: How to install the LAMP stack, basic linux terminal commands, basic MySQL commands and using MySQL from the command line, understanding what Apache is/does, understanding what MVC pattern is (Model, View, Controller) and also diving into the basics of PHP and Object-Oriented Programming methodology.
Magento is a very complex application with a lot of moving parts. Understanding LAMP is very different from understanding Magento and how to develop in it. Magento uses all these elements but is a deep framework which has its own way of doing things. I suggest learning the basics and have a general understanding of the LAMP components, this will help you a lot when you go to the Magento training.
I hope this was helpful!
My name is Tabetha and I have a question...
I am a web designer, but I always find that while designing the layout and coding the design I come up with great ideas for websites. I would like to know where I need to start in order to learn back-end programming not only for the knowledge, but also for the challenge of it.
I have searched online but can't seem to find the information I am looking for. If anyone can give me a simple, straight-forward "this is what language you need to learn" answer, or perhaps guide me in the right direction I would appreciate it ten-fold.
I am a complete noob when it comes to this, so even the most basic information is probably a pearl of wisdom for me. :)
With this type of question you will never get one simple, straight-forward answer :) Are you a Mac person? If so, you'll probably want to learn PHP or Ruby on Rails for server-side programming, along with MySQL for your database. These technologies are widely used on other operating systems, including Windows. The Apache web server and PHP are included in Mac OS X; Rails is easy to set up. Most hosting providers will offer cheap LAMP hosting packages (Linux, Apache, MySQL, PHP) (Google "LAMP tutorial").
If you're a PC person, you might want to learn about .NET (VB or C#), SQL Server and IIS. There are many similarities in the development practices between the different technologies, with MVC being the recommended design pattern. Understanding MVC is important.
There are many other "back-end" technologies, including Java, ColdFusion, etc., but PHP/MySQL is the most common.
You could also learn about server-side content management systems, like Drupal, Wordpress or Joomla to name a few. These systems take care of much of the low level data handling, leaving you to focus more on the content and appearance, while sacrificing some flexibility.
Good luck!
Just to add my two cents. The programming language is in reality not as important as having general knowledge of the principles. Look at it this way: knowing how to program is the same as knowing how to design. The programming language is then only a tool, like Photoshop, that you can excel in, but it won't make you a designer by itself.
The concepts that are important for web back-end development and actually a must-know if you're in for a challenge, are object-oriented programming, separation of presentation and computational logic, database abstraction, networking protocols (http specifically).
Understanding these essentials will pay off greatly as compared to learning the quick-and-dirty ways of combining php with html.
PHP is probably the most commonly used backend language, and will probably give the least problems when setting it up on a server. I would recommend using a Framework (at least to start), both for ease of use and security issues. For this I'd recommend the Zend Framework. There's a great tutorial for getting started here: http://www.survivethedeepend.com/.
I am a heavy advocate of .NET languages for beginners. The .NET framework is nice and easy to wrap your head around because Microsoft is great with documentation, tutorials, and giving a complete package.
As you already have knowledge of HTML I would look into ASP .NET or ASP .NET MVC. This website from Microsoft will take you from start to finish in developing a website in ASP .NET and ASP .NET MVC.
Once you start programming with Visual Studio you will see how easy Microsoft makes it for you.
To get you started with backend development, I would suggest you learn how a database (DB) works and the various database management systems (DBMS), particularly relational DBMSs (RDBMS) such as MySQL, SQL Server, Oracle, PostgreSQL, Microsoft Access, etc. You will come to know that most DBMSs allow you to communicate with them and issue commands to them by speaking to them in a language called Structured Query Language (SQL). So you will need to invest some time to learn the basics of speaking the SQL language to create a database, store new data or modify existing data, fetch data from the DB, or even delete data that is no longer needed from your DB. In particular I suggest you learn how MySQL works and how to issue commands to MySQL, since it is the most widely used DBMS in most web projects.

Then, you will need to spend some time to learn about computer programming (issuing instructions to a computer) and programming languages (the languages used for writing the instructions). You can zero in on learning how to speak a particular computer language such as PHP. The reason you have to learn how programming languages work is that you will need to speak a computer language (programming language) to write the logic for interacting with your database (e.g. verifying that some conditions hold true before certain data can be fetched). I suggest you start by learning the PHP language as your backend programming language, since it is the most widely used in web projects. In the programming language you have chosen to learn (e.g. PHP), find out how to issue SQL commands to an RDBMS from that language.

In summary, I recommend you learn the combination of PHP and MySQL since this combination is the most widely used for backend web development. But once you get a grasp of how things really work, you can always switch to whatever combination of technologies works best for your particular project. I hope this helps.
I used to be a programmer and unix sysadmin back in the 90's and early 00's. I wrote business software mostly in BBX, which was non-compiled, procedural BASIC. It was all text based when I started, and I only just got into GUI and OOP with ProvideX by the time I got out. I did do some SQL work and understand basic database concepts.
I've continually dabbled since and tried to keep up by running my own Debian web server here at the house, doing little script programs here and there, and most recently learning PHP and Python. But I would like to get versed in the current state of the industry and hopefully make myself employable in it again.
My current learning project is to write a db app that I can use when drag racing to log run data, report based on various combinations of variables, and predict vehicle performance. This should cover IO, data management, and some complex math. I do want to make it sellable, so it has to be in Windows since all other racing software is. My two options now are to write it in MS Access, which isn't really programming, or to write a front end in Python and use MySQL for the data.
I assume I should go the Python path out of those two, or should I choose a third path that would pay more dividends toward a job? My biggest concern is wasting my time learning pointless stuff. I assume most of the work out there is db related and web based applications, so that would be my ultimate goal. Correct me if I am wrong on that.
Thanks for any input,
Dave
If your goal is to get back into software development, then I recommend that you first ask yourself what type of industry and development setting you'd like to work in. Learn something about the skills those industries are demanding... Then hit Monster and peruse the job qualifications for companies in those industries. Don't limit your view to just language names and broad job descriptions either, but really try to get an idea what sort of developer they're looking for and whether you'd fit in well.
You will be able to find many interesting technologies in lots of different business domains, but what do you really want to be working to help deliver? Python coding, for example, may be interesting, but I'm sure you'd be more interested if it were supporting your motorsport interest in some way versus, say, baby food. When you have the business domains narrowed down, then you can focus on the background required to get jobs in those industries.
You will find an endless set of recommended "hot" technologies if you search for them. I'm sure you can find a list, or post, which will confirm any bias you have on what to learn. But chasing the technology of the day may lead to an unfulfilling day-to-day job if what you're applying it to is not something you find interesting.
I would say that the answer depends on what type of job you want to do. The Fortune 500 company I worked at last summer had everything from mainframe C and COBOL, Java EE and .NET to Ruby on Rails and Python in applications. There are still a lot of jobs maintaining legacy desktop applications. But the web atmosphere is obviously the future of business computing, and Java EE and .NET are huge players in that arena. As for the project you are describing: I've done Qt applications with Python and there are Python libraries for GTK that I've seen used to run apps in Windows. I've also used Java Swing and AWT to build graphical applications and, other than the learning curve for the layout system, it works really well for building applications. I wrote a really basic Windows application using Visual Studio and C# one time and that seemed to me to be very easy to write.
Enterprise level Java or .NET involve a fairly steep learning curve, so I would have those as a medium-long term goal rather than try and learn that tech immediately.
It seems to me that learning a high productivity web framework is the best way for you to go. "Ruby on Rails" seems to be a hot ticket at the moment. I've only had a small look at it, but it seems pretty quick and straightforward. Your drag racing app would be a good place to start.
Build a couple of websites for yourself using the tech. Then build a couple of websites for friends for a nominal fee. After that, see if you can find a real client (perhaps a local business). If you have 2 or 3 of those under your belt, then a potential employer will at least take notice.
One warning, though - people expect web sites to look nice. If you don't have good interface design skills yourself, it will be in your best interest to hire a designer to pretty up whatever you produce.
For a Windows desktop application, you can use C# and the various .NET APIs, and store your data in either a Microsoft-provided database, or SQLite, which is a reliable, server-free SQL implementation. (I don't know anything about Microsoft tech, hence the vagueness of my answer.) There is a lot of work available using C# and .NET, and it should be easy to pick up. You'll meet less resistance on the Windows platform with Microsoft's kit than with third-party languages like Python.
These days I'm interested in software security. As I'm reading papers I see that there are many attacks, and researchers are trying to invent new methods for software to get more secure systems.
This question can be general, including all types of attacks. There are many experienced programmers on SO; I just want to learn what you are using to check your code against these attacks. Are there any tools you use, or don't you care?
For example i heard about static/dynamic code analysis and fuzz testing.
SQL injection attacks
Cross Site Scripting
Bufferoverflow attacks
Logic errors
Any kind of Malwares
Covert Channels
... ...
thanks
I'm going to focus on web application security here...
Really you want to get used to manually trawling through a website/application and playing with various parameters etc. so proxy tools are of great help (they allow you to capture and interact with forms, before they reach the server):
LiveHTTPHeaders - FireFox plugin.
Burp Proxy - Java based.
Obviously there becomes a point where manually crawling a whole website becomes rather time consuming/tedious and this is where automated scanning tools can be of help.
Black box:
WebSecurify - not used it but it's been created by a well known web app security guy.
Skipfish - Google released this recently so it's probably worth a look.
And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can't remember.
White box:
A lot of the academic research I've seen is related to static code analysis tools; I've not used any because they all focused on PHP only and had some limitations.
Other resources:
ha.ckers.org - great blog, with an active forum related to web app sec.
OWASP - as previously mentioned, there are lots of insightful articles/guides/tutorials here.
If you want to learn more about manually attacking sites yourself the Damn Vulnerable Web App is a nice learning project. By that I mean, it's a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.
I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of:
crawler
parser
attacker
Something that you haven't mentioned but I think is important: code reviews.
When you're just trying to implement something as fast as you can it is easy to overlook a security issue. A second pair of eyes can pick up many problems or potential problems, especially if the reviewer is experienced at spotting typical security holes.
I believe that it is possible in many cases to do manual code reviews without special tools. Just sit together at the same computer or even print out the code and do the review on the paper copy. But since you specifically asked for tools, a tool to help with manual code review is Rietveld. I haven't used it myself, but it is based on the same ideas used internally at Google (and written by the same guy, who also happens to be the author of Python).
Security is definitely a concern and developers should at least be aware of common vulnerabilities (and how to avoid them). Here are some resources that I find interesting:
OWASP Top 10 for 2010
OWASP Guide for Secure Web Applications
OWASP Testing Guide v3
There are 2 types of software defects that can cause security problems: implementation bugs and design flaws.
Implementation bugs usually appear in a specific area in the code; they are relatively easy to detect and (usually) not too complicated to fix. You can detect (most) of these with automated tools that do static code analysis (tools like Fortify or Ounce), although these tools are expensive. With that said, you still have to remember that there are no "silver bullets" and you cannot blindly rely only on the tool output without some sort of manual code review to confirm/understand the real risk behind the issues the tool reports.
The other problem is design flaws; that's another story. They are usually complex issues that are not the consequence of a mistake in the code but of a poor choice in the design or architecture of the application. Those cannot be identified by an automated tool and really can only be detected manually, by a code/design/architecture review. They are usually very hard and expensive to fix past the design phase.
So I recommend, reviewing your code for implementation bugs that can have impact on security (code review using automated tools like Fortify/Ounce + manual review of tool results) and reviewing your design for security flaws (no tools for this, has to be done by someone who knows about security).
For a good read on software security and the complexity behind designing secure software, check Software Security: Building Security In, by Gary McGraw (amazon link)
I use tools to aid in the hunt for vulnerabilities, but you can't just fire off some test and assume everything is okay. When I am auditing a project I look at the code and I try and get a feel for the programmers style and skill level. If the code looks messy then chances are they are a novice and they will probably make novice mistakes.
It is important to identify security related functions in a project and manually audit them. Tamperdata is very helpful for manual auditing and exploit development because you can build custom http requests. A good example for manual auditing for PHP is: Are they using mysql_real_escape_string($var) or are they using htmlspecialchars($var,ENT_QUOTES) to stop sql injection? (ENT_QUOTES doesn't stop backslashes which is just as dangerous as quote marks for mysql, mssql is a different story.) Security functions are also places for "Logic errors" to crop up, and no tool is going to be able to detect this, this requires manual auditing.
If you are doing web application testing then Acunetix is the best testing tool you can use. Wapiti is a very good open source alternative. Although any tool can be used improperly. Before you do a web application test make sure error reporting is turned on, and also make sure you aren't suppressing sql errors, such as with a try/catch.
If you are doing Automated Static Code Analysis for vulnerabilities such as Buffer Overflows then Coverity is the best tool you can use (Fortify is nearly identical to Coverity). Coverity costs tens of thousands of dollars, but big names like the Department Of Homeland Security use it. RATS is an open source alternative, although Coverity is a far more complex tool. Both of these tools will produce a lot of false positives and false negatives. RATS looks for nasty function calls, but doesn't see if it's still safe. So RATS will report every call to strcpy(), strcat() and sprintf(), but these can be safe if for instance you are just copying static text. This means you will have to dig through a lot of crap, but if you are doing a peer review then RATS helps a lot by narrowing the manual search. If you are trying to find a single exploitable vulnerability in a large code base, like Linux, then RATS isn't going to help much.
I have used Coverity and their sales team will claim it will "detect ****ALL**** vulnerabilities in your code base." But I can tell you from first hand experience that I found vanilla stack based buffer overflows with Peach that Coverity didn't detect. (RATS did however pick up these issues, along with 1,000+ other function calls that were safe...) If you want a secure application or you want to find an exploitable buffer overflow then Peach is the platform tool you can use to build the tools you need.
If you are looking for more exotic memory corruption issues such as Dangling Pointers then Valgrind will help.
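The answer above contrasts mysql_real_escape_string() with htmlspecialchars() and warns that the backslash matters for MySQL. The following is an added example, not code from that answer or from any tool it names, that shows the same two points in Python with the standard-library sqlite3 module standing in for PHP/MySQL: a query built by string concatenation falls to a one-line payload while a parameterised query does not, and HTML escaping leaves the backslash untouched. The table, users, payloads and function names are all constructed for this demo.

```python
"""Added example: string-built SQL versus a parameterised query.

sqlite3 stands in for PHP/MySQL; the table, users and attacker inputs
are constructed for the demo and the function names are made up.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The classic mistake: user input is pasted into the SQL text, so a
    quote in the input ends the string and the rest becomes SQL."""
    sql = (
        "SELECT 1 FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the statement text is fixed and the values are
    bound separately, so no input can change the statement's structure."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def html_escaping_is_not_sql_escaping() -> str:
    """htmlspecialchars()/html.escape() neutralise quotes for HTML but leave
    the backslash alone. In MySQL a trailing backslash escapes the quote that
    was meant to close the first string, so with two fields the attacker
    needs no quote character at all. Returned as the SQL text the server
    would receive; it is not executed here because SQLite has no backslash
    escapes, exactly the dialect difference the answer above points out."""
    name = html.escape("\\", quote=True)                # still just "\"
    password = html.escape(" OR 1=1 -- ", quote=True)   # no quotes needed
    return (
        "SELECT 1 FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )


if __name__ == "__main__":
    db = make_db()
    payload = "alice' -- "   # closes the string and comments out the password check
    print(login_vulnerable(db, payload, "wrong"))   # True: logged in as alice
    print(login_safe(db, payload, "wrong"))         # False
    print(html_escaping_is_not_sql_escaping())
```

The comparison of interest is the two login functions: the vulnerable one accepts `alice' -- ` with any password, the parameterised one treats the whole payload as a literal user name that does not exist. The third function only builds the MySQL-style query text to show that HTML escaping contributes nothing to SQL safety.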
There's a bunch of web application security scanners on the market.
Take a look at this list:
WASC - Web application security scanner list, and Netsparker Community Edition, which is the free version of Netsparker.
A tool doesn't know if your code is insecure.
Only you do (and the attackers).
At best the tool will spot a few vulnerabilities of one type in your code and make you realize you never protected against that type of vulnerability, but you will still have to go clean up all the instances the tool missed.
I am an IT student and I am now in the 3rd year in university. Until now we've been studying a lot of subjects related to computers in general (programming, algorithms, computer architecture, maths, etc).
I am very sure that nobody can learn everything about security, but surely there is a "minimum" knowledge every programmer or IT student should know about it, and my question is: what is this minimum knowledge?
Can you suggest some e-books or courses or anything that can help to start on this road?
Principles to keep in mind if you want your applications to be secure:
Never trust any input!
Validate input from all untrusted sources - use whitelists not blacklists
Plan for security from the start - it's not something you can bolt on at the end
Keep it simple - complexity increases the likelihood of security holes
Keep your attack surface to a minimum
Make sure you fail securely
Use defence in depth
Adhere to the principle of least privilege
Use threat modelling
Compartmentalize - so your system is not all or nothing
Hiding secrets is hard - and secrets hidden in code won't stay secret for long
Don't write your own crypto
Using crypto doesn't mean you're secure (attackers will look for a weaker link)
Be aware of buffer overflows and how to protect against them
There are some excellent books and articles online about making your applications secure:
Writing Secure Code 2nd Edition - I think every programmer should read this
Building Secure Software: How to Avoid Security Problems the Right Way
Secure Programming Cookbook
Exploiting Software
Security Engineering - an excellent read
Secure Programming for Linux and Unix HOWTO
Train your developers on application security best practices
Codebashing (paid)
Security Innovation(paid)
Security Compass (paid)
OWASP WebGoat (free)
Rule #1 of security for programmers: Don't roll your own
Unless you are yourself a security expert and/or cryptographer, always use a well-designed, well-tested, and mature security platform, framework, or library to do the work for you. These things have spent years being thought out, patched, updated, and examined by experts and hackers alike. You want to gain those advantages, not dismiss them by trying to reinvent the wheel.
Now, that's not to say you don't need to learn anything about security. You certainly need to know enough to understand what you're doing and make sure you're using the tools correctly. However, if you ever find yourself about to start writing your own cryptography algorithm, authentication system, input sanitizer, etc, stop, take a step back, and remember rule #1.
Every programmer should know how to write exploit code.
Without knowing how systems are exploited you are accidentally stopping vulnerabilities. Knowing how to patch code is absolutely meaningless unless you know how to test your patches. Security isn't just a bunch of thought experiments, you must be scientific and test your experiments.
Security is a process, not a product.
Many seem to forget about this obvious matter of fact.
I suggest reviewing CWE/SANS TOP 25 Most Dangerous Programming Errors. It was updated for 2010 with the promise of regular updates in the future. The 2009 revision is available as well.
From http://cwe.mitre.org/top25/index.html
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
A good starter course might be the MIT course in Computer Networks and Security. One thing that I would suggest is to not forget about privacy. Privacy, in some senses, is really foundational to security and isn't often covered in technical courses on security. You might find some material on privacy in this course on Ethics and the Law as it relates to the internet.
The Web Security team at Mozilla put together a great guide, which we abide by in the development of our sites and services.
The importance of secure defaults in frameworks and APIs:
Lots of early web frameworks didn't escape html by default in templates and had XSS problems because of this
Lots of early web frameworks made it easier to concatenate SQL than to create parameterized queries leading to lots of SQL injection bugs.
Some versions of Erlang (R13B, maybe others) don't verify SSL peer certificates by default, and there is probably a lot of Erlang code that is susceptible to SSL MITM attacks
Java's XSLT transformer by default allows execution of arbitrary Java code. There have been many serious security bugs created by this.
Java's XML parsing APIs by default allow the parsed document to read arbitrary files on the filesystem. More fun :)
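The first two points in the answer above (templates that do not escape by default, and APIs that make string-built SQL easier than parameterised queries) are about secure defaults in an API. The following is an added example, not code from any of the frameworks named above, of the shape a secure default takes: a tiny template renderer that escapes every value for both text and attribute context unless the caller explicitly marks it safe, shown next to the insecure default it replaces. The renderer, the Safe marker, the page template and the payloads are all made up for this demo.

```python
"""Added example: a template renderer whose default is to escape.

Not code from any framework; `render`, `render_insecure`, `Safe` and the
page template are constructed for this example.
"""
import html
import re

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class Safe(str):
    """Marks a string the caller has already made HTML-safe. The marker is
    the only way past escaping, so every bypass is visible in code review."""


def render_insecure(template: str, **values: object) -> str:
    """The early-framework default: substitute values verbatim, so every
    call site must remember to escape (and some will not)."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render(template: str, **values: object) -> str:
    """Secure default: every value is escaped for HTML text and attribute
    context (quote=True also escapes " and ') unless it is marked Safe."""
    def substitute(match):
        value = values[match.group(1)]
        if isinstance(value, Safe):
            return str(value)
        return html.escape(str(value), quote=True)
    return PLACEHOLDER.sub(substitute, template)


# Constructed page and attacker-controlled inputs for the demo.
PAGE = '<p>Hello {{ name }}</p><a title="{{ title }}">link</a>'
SCRIPT_PAYLOAD = "<script>alert(1)</script>"        # text context
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'      # breaks out of title=""


def demo() -> dict:
    """Render the same page three ways and return the results by label."""
    return {
        "insecure": render_insecure(PAGE, name=SCRIPT_PAYLOAD, title=ATTRIBUTE_PAYLOAD),
        "secure": render(PAGE, name=SCRIPT_PAYLOAD, title=ATTRIBUTE_PAYLOAD),
        "opt_in": render(PAGE, name=Safe("<b>bold</b>"), title="plain"),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label}: {output}")
```

The attribute payload is why escaping only `<` and `>` is not enough: without the quote escaping, the second placeholder closes the title attribute and adds an event handler, the same class of mistake the earlier answer's ENT_QUOTES remark is about.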
You should know about the three A's: Authentication, Authorization, Audit. A classic mistake is to authenticate a user while not checking if the user is authorized to perform some action, so a user may look at other users' private photos, the mistake Diaspora made. Many, many more people forget about Audit; you need, in a secure system, to be able to tell who did what and when.
Remember that you (the programmer) have to secure all parts, but the attacker only has to succeed in finding one chink in your armour.
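The following is an added example of the three A's on a toy photo store; it is not Diaspora's code or any framework's. It puts the authenticate-but-never-authorise bug next to the corrected handler, which also writes an audit record for every decision and returns the same denial for "no such photo" and "not yours" so ids cannot be probed. The session table, users, photos and the names PhotoService, view_photo and audit_log are constructed for this demo.

```python
"""Added example: authentication, authorisation and audit on a toy photo store.

Not code from Diaspora or any framework; sessions, users, photos and the
class/method names are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    private: bool


class PhotoService:
    def __init__(self, sessions: dict, photos: dict):
        self._sessions = sessions   # session token -> user name
        self._photos = photos       # photo id -> Photo
        self.audit_log: list = []

    # 1. Authentication: who is making this request?
    def _authenticate(self, token: str) -> str:
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("not logged in")
        return user

    # 3. Audit: who did what, to what, when, and whether it was allowed.
    def _audit(self, user: str, action: str, photo_id: int, allowed: bool) -> None:
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "what": action, "target": photo_id, "allowed": allowed,
        })

    def view_photo_broken(self, token: str, photo_id: int) -> Photo:
        """Authenticates, then trusts the id: any logged-in user can walk the
        id space and read other people's private photos. Nothing is audited."""
        self._authenticate(token)
        return self._photos[photo_id]

    def view_photo(self, token: str, photo_id: int) -> Photo:
        """2. Authorisation: may this user see this photo? Checked on every
        request, logged either way, and the denial is the same whether the
        photo is missing or belongs to someone else."""
        user = self._authenticate(token)
        photo = self._photos.get(photo_id)
        allowed = photo is not None and (not photo.private or photo.owner == user)
        self._audit(user, "view_photo", photo_id, allowed)
        if not allowed:
            raise PermissionError("photo not found")
        return photo


def make_service() -> PhotoService:
    """Constructed fixture: two logged-in users, one public and one private photo."""
    sessions = {"tok-alice": "alice", "tok-bob": "bob"}
    photos = {
        1: Photo(1, "alice", private=False),
        2: Photo(2, "bob", private=True),
    }
    return PhotoService(sessions, photos)


if __name__ == "__main__":
    svc = make_service()
    print(svc.view_photo_broken("tok-alice", 2))   # bob's private photo leaks
    try:
        svc.view_photo("tok-alice", 2)
    except PermissionError as exc:
        print("denied:", exc)
    print(svc.audit_log[-1])                       # the denial, with who/what/when
```

The audit entries are what let you answer "who looked at photo 2 last week" after the fact; the broken handler gives you nothing to go on even if the leak is noticed.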
Security is an example of "unknown unknowns". Sometimes you won't know what the possible security flaws are (until afterwards).
The difference between a bug and a security hole depends on the intelligence of the attacker.
I would add the following:
How digital signatures and digital certificates work
What's sandboxing
Understand how different attack vectors work:
Buffer overflows/underflows/etc on native code
Social engineering
DNS spoofing
Man-in-the middle
CSRF/XSS et al
SQL injection
Crypto attacks (ex: exploiting weak crypto algorithms such as DES)
Program/Framework errors (ex: github's latest security flaw)
You can easily google for all of this. This will give you a good foundation.
If you want to see web app vulnerabilities, there's a project called google gruyere that shows you how to exploit a working web app.
When you are building any enterprise software or any software of your own, you should just think like a hacker. As we know, hackers are also not experts in all things, but when they find any vulnerability they start digging into it by gathering information about everything and finally attack our software. So for preventing such attacks we should follow some well known rules like:
Always try to break your code (use cheat sheets and Google things for more information).
Be updated on security flaws in your programming field.
And as mentioned above, never trust any type of user or automated input.
Use open source applications (most of their security flaws are known and solved).
You can find more security resources at the following links:
owasp security
CERT Security
SANS Security
netcraft
SecuritySpace
openwall
PHP Sec
thehackernews(keep updating yourself)
For more information, Google your application vendor's security flaws.
Why it is important.
It is all about trade-offs.
Cryptography is largely a distraction from security.
For general information on security, I highly recommend reading Bruce Schneier. He's got a website, his crypto-gram newsletter, several books, and has done lots of interviews.
I would also get familiar with social engineering (and Kevin Mitnick).
For a good (and pretty entertaining) book on how security plays out in the real world, I would recommend the excellent (although a bit dated) 'The Cuckoo's Egg' by Cliff Stoll.
Also be sure to check out the OWASP Top 10 List for a categorization of all the main attack vectors/vulnerabilities.
These things are fascinating to read about. Learning to think like an attacker will train you of what to think about as you're writing your own code.
Salt and hash your users' passwords. Never save them in plaintext in your database.
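The answer above states the rule; the following is an added example, not code from the answer or any framework, of what "salt and hash" looks like in practice with only the Python standard library: a random per-user salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 here; scrypt or argon2 are better where available, and the structure is the same), a self-describing stored record, and a constant-time comparison on login. The user table, record format, iteration count and function names are constructed for this demo.

```python
"""Added example: per-user salted password hashing with PBKDF2-HMAC-SHA256.

Standard library only. The record format, user table and function names
are made up for this example.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000    # OWASP's published 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means two users with the same password get
    different records, so precomputed (rainbow) tables are useless, and the
    iteration count makes every guess expensive for an attacker."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant
    time so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False    # malformed record: fail closed


# Constructed user table: this is what the database row should hold.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),   # same password, different record
}

# Verified against for unknown users so the login takes the same time either way.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(user: str, password: str) -> bool:
    """Always run one PBKDF2 so an unknown user cannot be told apart by timing."""
    known = user in USERS
    ok = verify_password(password, USERS.get(user, DUMMY_RECORD))
    return known and ok


if __name__ == "__main__":
    print(USERS["alice"])
    print(USERS["bob"])                       # differs from alice's: different salt
    print(login("alice", "correct horse battery staple"))   # True
    print(login("alice", "wrong"))                          # False
```

Storing the algorithm and iteration count in the record is what lets you raise the cost later: old records still verify, and can be rehashed on the user's next successful login.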
Just wanted to share this for web developers:
security-guide-for-developers: https://github.com/FallibleInc/security-guide-for-developers