Skip to main content

Announcing 1.0.0-alpha.3 release: more powerful resource tracking, notifications and content sharing

· 5 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

Earlier this week, I wrapped up the "Q3 2023 – Jul-Sep" iteration and cut a new 1.0.0-alpha.3 release of Secutils.dev. In this post, I would like to quickly walk you through the major changes since 1.0.0-alpha.2: notifications, more powerful web page resource tracker, sharing capabilities and more. Let’s dive in!

Running web scraping service securely

· 7 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

In my previous post, I shared the update regarding the upcoming "Q3 2023 - Jul-Sep" milestone. While I briefly covered how I implemented the notifications subsystem in Secutils.dev, there are a few other important changes I've been working on for this milestone. One of these changes is related to the fact that I’m preparing to allow Secutils.dev users to inject custom JavaScript scripts into the web pages they track resources for (yay 🎉). As a result, I've spent some time hardening the Web Scraper environment's security and wanted to share what you should keep in mind if you’re building a service that needs to scrape arbitrary web pages.

Q3 2023 update - Notifications

· 5 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

With just one month remaining in the "Q3 2023 - Jul-Sep" milestone (this is how I structure my roadmap), I wanted to provide a quick progress update. A significant deliverable for this milestone includes adding support for email notifications and other transactional emails.

Notifications, in general, and email notifications, specifically, are integral to any product that involves any monitoring or tracking activities. Secutils.dev already includes, and will continue to expand, features that require the ability to send notifications. Two notable examples include sending notifications for changes detected by the web page resources trackers and changes detected in the tracked content security policies (CSP).

The best application security tool is education

· 4 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

NOTE

Although not directly related to this topic, I encourage you to take a look at the latest US national cyber security workforce and education strategy from July 31, 2023. The thumbnail picture for this post is taken from there. It's an interesting read!

As you might have guessed, I spend a lot of time thinking about application security - almost every day, in fact. At my day job, I'm constantly pondering how to enhance Kibana's security in a scalable manner without overburdening my already hardworking team. Outside of work, I'm equally dedicated to making Secutils.dev even more valuable to fellow engineers looking for better security tools.

While I'd love to tell you there's a magic tool or a combination of tools that can make your application completely secure, I don't believe it's quite that simple - at least not yet. If you're working within tight budget constraints, resist the urge to spend it all on solutions like Veracode, Snyk, Secutils.dev, or any other security tool. Also, don't obsess over supply chain security and penetration testing just yet. Instead, focus your initial investment on something absolutely critical - educating your engineers about security. You'll reap the rewards, and so will your team. Only once you have a solid educational program or processes in place should you consider investing in additional security-oriented tools.

Useful newsletters and podcasts

· 4 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

I'm sharing a quick post today to highlight a few newsletters and podcasts that I find useful. Hopefully, they'll be of use to you too. This post is deliberately brief because I firmly believe that the most effective way to learn something new is to start doing it. Hands-on experience is and always was the master key to personal growth. There's no real shortcut, you can't absorb it all from reading a blog post or tuning into a podcast.

However, that doesn't mean I've sworn off reading, watching, and listening to learn new things or get inspired. I do partake, but I keep it to a bare minimum. In general, I try hard to focus on "creating" over "consuming." Now, let's get to it:

The cost of false positives in software security, Part 2: Large applications

· 5 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

This is the second part of my reflection sparked by the recent “2023 State of Open Source Security” report from Snyk. It got me thinking about the price we pay for false positives in software security. In my previous post, “The Cost of False Positives in Software Security, Part 1: Small Applications”, I talked about how true and false positives affect smaller applications like Secutils.dev. Now, I want to take the same idea and apply it to a much larger software that’s a big part of my daily work: Kibana.

Saying that Kibana is one of the biggest Node.js apps you can find on GitHub would be no exaggeration. Just a quick glance at its monthly GitHub activity tells you all you need to know about its sheer size and scope!

Kibana Monthly Stat

The code size, complexity, and the multitude of use cases it serves, combined with the numerous teams working on it, make Kibana an ideal case study for this post.