Jonathan Lalou's Blog

Archive for the ‘en-US’ Category

Dimitris Kaklamanis, a lead software engineer at CodeHub, delivered an 11-minute talk at Devoxx Greece 2025, exploring how Angular micro-frontends revolutionize scalable web development.

Micro-Frontends Unveiled

Kaklamanis opened with a relatable scenario: a growing front-end monolith turning into a dependency nightmare. Micro-frontends, inspired by microservices, break the UI into smaller, independent pieces, each owned by a team. This enables parallel development, reduces risks, and enhances scalability. He outlined four principles: decentralization (team-owned UI parts), technology agnosticism (mixing frameworks like Angular, React, or Vue), resilience (isolated bugs don’t crash the app), and scalability (independent team scaling). A diagram showed teams building features in different frameworks, integrated at runtime via a shell app.

Pros and Cons

Micro-frontends offer scalability, tech flexibility, faster parallel development, resilience, and easier maintenance due to focused codebases. However, challenges include increased complexity (more coordination), performance overhead (multiple apps loading), communication issues (state sharing), and CI/CD complexity (separate pipelines). Kaklamanis highlighted Angular’s strengths: its component-based structure aligns with modularity, CLI tools manage multiple projects, and features like lazy loading and Webpack 5 module federation simplify implementation. Tools like NX streamline monorepo management, making Angular a robust choice.

Implementation in Action

Kaklamanis demonstrated a live Angular store app with independent modules (orders, products, inventory). A change in the product component didn’t affect others, showcasing isolation. He recommended clear module ownership, careful intermodule communication, performance monitoring, and minimal shared libraries. For large, multi-team projects, he urged prototyping micro-frontends, starting small and iterating for scalability.

Links

• CodeHub
• Devoxx Greece

Innovation’s lore lionizes lone geniuses, yet history hums with harmonies—cumulative currents cresting into cascades. Sarah Drasner, Google’s senior director of engineering for core web, Android, iOS, and multiplatform infrastructure, charted this choreography at dotJS 2025. A Vue core emerita, Netlify VP alumna, and O’Reilly scribe, Sarah traced frameworks’ flux—from Backbone’s bones to Angular’s avalanches—positing epicenters as convergence crucibles, birthing waves that buoy the brigade.

Sarah’s seascape: computers’ chronicle, from Jacquard’s loom to Turing’s theorem—ENIAC’s expanse atop Shannon’s switches, Colossus’s knobs yielding to Atanasoff’s binaries. JS’s journey mirrors: Knockout’s observables igniting reactivity, Backbone’s MVC mutating into Ember’s ambitions, React’s components catalyzing cascades. Angular’s arc: 2010’s directive deluge, RxJS’s reactive rivers, Ivy’s incremental ignition—each epoch echoing externalities, from mobile’s mandate to PWAs’ promise.

2025’s surge: signals’ symphony across Solid, Svelte, Vue—Angular’s zoneless zeal, deferrable views. Sarah spotlighted simplifications: routing’s brevity, docs’ dynamism—sandboxes, examples emergent. Future’s froth: DevEx elevations, injection’s alacrity, forms’ finesse—frameworks as flotillas, not fortresses.

This tidal tale: waves from winds of whim and wisdom, epicenters echoing eternally.

Historic Harmonies and Heuristics

Sarah surveyed swells: Knockout’s knots to React’s rivulets, Angular’s directives damming data flows—each innovation an eddy, externalities (mobile, PWA) eddying onward.

Angular’s Avalanche and Allies

Ivy’s ignition, signals’ spread—zoneless zephyrs, defer’s dispatch. Sarah’s stewardship: docs distilled, routing refined—frameworks’ fellowship fostering flux.

Links:

• Sarah Drasner on LinkedIn
• Google

Xavier Zhang, an RFID enthusiast and physical security researcher, delivered a concise yet impactful presentation at DEF CON 32, exposing vulnerabilities in HID iClass SE readers used in physical access control systems. By demonstrating cloning, downgrading, and emulation attacks, Xavier revealed how attackers can bypass secure credentials to gain unauthorized access to facilities. His interactive demos, leveraging tools like Proxmark3 and Flipper Zero, underscored the importance of mutual authentication and provided practical mitigation strategies to enhance physical security.

Exploiting iClass SE Vulnerabilities

Xavier opened by outlining the mechanics of HID iClass SE credentials, widely used in secure facilities. He detailed four attack vectors, starting with cloning, the simplest method, which exploits predictable facility codes in poorly configured systems. By analyzing publicly available documentation from a Canadian vendor, Xavier showed how attackers can replicate credentials without physical access, highlighting the risks of enabling legacy technologies on modern readers. His insights emphasized the need for robust configuration practices to prevent trivial exploits.

Advanced Attacks and Community Contributions

Transitioning to more complex techniques, Xavier demonstrated downgrading and emulation attacks that bypass iClass SE’s secure authentication. Using tools like Proxmark3 and Flipper Zero, he showcased how vulnerabilities, such as an authentication bypass discovered by the RFID hacking community, enable unauthorized access. Xavier acknowledged contributors like Eric Betts and Kate, whose work on iClass documentation and emulation code was instrumental. His live demos illustrated the real-world implications of these exploits, urging organizations to prioritize secure credential issuance.

Links:

• None available

Understanding PGO and Its Relevance

In the realm of high-performance software, optimizing applications for speed and efficiency is paramount. At OxidizeConf2024, Alexander Zaitsev, a seasoned developer with a background in C++ and extensive experience in compiler optimizations, delivered a comprehensive exploration of Profile-Guided Optimization (PGO) in Rust. PGO leverages runtime statistics to enhance software performance, a technique long supported by the Rustc compiler but fraught with practical challenges. Alexander shared his insights from applying PGO across diverse domains—compilers, databases, game engines, and CLI tools—offering a roadmap for developers seeking to harness its potential.

PGO operates by collecting runtime data to inform compiler optimizations, enabling tailored code generation that aligns with actual workloads. Alexander emphasized its applicability to CPU-intensive applications with complex branching, such as parsers, databases, and operating systems like OxideOS. By analyzing real-world benchmarks, he demonstrated significant performance gains, with speedups observed in open-source projects. These results, derived from practical workloads rather than synthetic tests, underscore PGO’s value in enhancing Rust applications, making it a vital tool for developers prioritizing performance.

Practical Applications and Performance Gains

Alexander’s presentation highlighted concrete examples of PGO’s impact. For instance, applying PGO to libraries like Serde resulted in notable performance improvements, with benchmarks showing reduced execution times for JSON parsing and other tasks. He showcased results from various applications, including databases and game engines, where PGO optimized critical paths, reducing latency and improving throughput. These gains were achieved by enabling PGO’s instrumentation-based approach, which collects detailed runtime profiles to guide optimizations like inlining and branch prediction.

However, Alexander cautioned that PGO’s effectiveness depends on workload representativeness. For databases, he used analytical workloads to generate profiles, ensuring optimizations aligned with typical usage patterns. This approach contrasts with manual optimization techniques, such as annotating hot paths, which Alexander argued are less adaptable to changing workloads. By automating optimization through PGO, developers can achieve consistent performance improvements without the maintenance burden of manual tweaks, a significant advantage in dynamic environments.

Navigating PGO’s Challenges and Ecosystem

While PGO offers substantial benefits, Alexander detailed several pitfalls. Common traps include profile mismatches, where training data does not reflect production workloads, leading to suboptimal optimizations. He also highlighted issues with link-time optimization (LTO), which, while complementary to PGO, is not universally adopted. To mitigate these, Alexander recommended starting with release mode optimizations (level three) and enabling LTO before applying PGO. For advanced users, sampling-based PGO or continuous profiling, as practiced by Google, can further enhance results.

The Rust ecosystem’s PGO support is evolving, with tools like cargo-pgo and community contributions improving accessibility. Alexander pointed to his “Awesome PGO” repository as a comprehensive resource, offering benchmarks and guidance across ecosystems, including C++. He also noted ongoing efforts to integrate machine learning into PGO workflows, citing tools like LLVM’s BOLT and Intel’s Thin Layout Optimizer. These advancements signal a bright future for PGO in Rust, though challenges like build system integration and community tooling maturity remain.

Links:

• Awesome PGO repository

Paco van Beckhoven, a senior software engineer at Hexagon’s HXDR division, delivered a comprehensive session at DevoxxUK2025 on improving code reviews to enhance code quality and team collaboration. Drawing from his experience with a cloud-based platform for 3D scans, Paco outlined strategies to streamline pull requests, provide constructive feedback, and leverage automated tools. Highlighting the staggering $316 billion cost of fixing bugs in 2013, he emphasized code reviews as a critical defense against defects. His practical tactics, from crafting concise pull requests to automating style checks, aim to reduce friction, foster learning, and elevate software quality, making code reviews a collaborative and productive process.

Streamlining Pull Requests

Paco stressed the importance of concise, well-documented pull requests to facilitate reviews. He advocated for descriptive titles, inspired by conventional commits, that include ticket numbers and context, such as “Fix null pointer in payment service.” Descriptions should outline the change, link related tickets or PRs, and explain design decisions to preempt reviewer questions. Templates with checklists ensure consistency, reminding developers to update documentation or verify tests. Paco also recommended self-reviewing PRs after a break to catch errors like unused code or typos, adding comments to clarify intent and reduce reviewer effort, ultimately speeding up the process.

Effective Feedback and Collaboration

Delivering constructive feedback is key to effective code reviews, Paco noted. He advised reviewers to start with the PR’s description and existing comments to understand context before diving into code. Reviews should prioritize design and functionality over minor style issues, ensuring tests are thoroughly checked for completeness. To foster collaboration, Paco suggested using “we” instead of “you” in comments to emphasize teamwork, posing questions rather than statements, and providing specific, actionable suggestions. Highlighting positive aspects, especially for junior developers, boosts confidence and encourages participation, creating a supportive review culture.

Leveraging Automated Tools

To reduce noise from trivial issues like code style, Paco showcased tools like Error Prone, OpenRewrite, Spotless, Checkstyle, and ArchUnit. Error Prone catches common mistakes and suggests fixes, while OpenRewrite automates migrations, such as JUnit 4 to 5. Spotless enforces consistent formatting across languages like Java and SQL, and Checkstyle ensures adherence to coding standards. ArchUnit enforces architectural rules, like preventing direct controller-to-persistence calls. Paco advised introducing these tools incrementally, involving the team in rule selection, and centralizing configurations in a parent POM to maintain consistency and minimize manual review efforts.

Links:

• Hexagon website
• Error Prone website
• OpenRewrite website
• Spotless website
• Checkstyle website
• ArchUnit website

Modern web applications operate in a hostile environment. Attackers exploit input handling, browser trust, and server connectivity to inject code (XSS), trigger unauthorized actions (CSRF), trick users into clicking hidden UI (clickjacking), abuse permissive cross-origin policy (CORS), or make the server itself fetch sensitive resources (SSRF). This article explains the mechanics of each threat and provides concrete, production-grade mitigation patterns you can adopt today.

<script>fetch('/api/session/steal', {credentials:'include'})</script>

GET /search?q=<script>alert(1)</script>

// Anti-pattern: innerHTML with untrusted input
const result = new URLSearchParams(location.search).get('msg');
document.getElementById('banner').innerHTML = result; // XSS sink

Content-Security-Policy: default-src 'none';
  script-src 'self' 'nonce-r4nd0mNonce';
  style-src 'self';
  img-src 'self' data:;
  connect-src 'self';
  base-uri 'self';
  frame-ancestors 'self';
  form-action 'self';

app.use((req, res, next) => {
  res.set('Content-Security-Policy',
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'self'");
  res.set('X-Content-Type-Options', 'nosniff');
  next();
});

<form action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>

// Pseudocode with csurf-like middleware
app.post('/transfer', requireAuth, verifyCsrfToken, (req, res) => {
  // process transfer
});

<iframe src="https://target.example/approve" style="opacity:0;position:absolute;top:0;left:0;width:100%;height:100%"></iframe>

X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'self'

add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;

Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'self'"

Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Expose-Headers: ETag, X-Request-Id
Vary: Origin

// Pseudocode: strict allowlist
const allowed = new Set(['https://app.example', 'https://admin.example']);
const origin = req.headers.origin;
if (allowed.has(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
  res.setHeader('Vary', 'Origin');
}

function safeFetch(userUrl) {
  const url = new URL(userUrl);
  // allowlist scheme
  if (!['https:'].includes(url.protocol)) throw new Error('Blocked scheme');
  // DNS resolve and block private IPs
  const ip = resolveToIP(url.hostname);
  if (isPrivate(ip) || isLinkLocal(ip) || isLoopback(ip)) throw new Error('Blocked destination');
  // enforce egress proxy
  return proxyHttpGet(url, { timeoutMs: 2000, maxBytes: 1_000_000, followRedirects: 3, revalidateIPOnRedirect: true });
}

The world of dependency management is often taken for granted in the JVM ecosystem. However, when venturing into the realm of Kotlin Native, the familiar comforts of JAR files and class loaders fade, giving way to a more intricate and challenging landscape. In his insightful talk, Tadeas Kriz, a senior Kotlin developer at Touchlab, demystified this complex topic, offering a detailed comparison between JVM and native dependency handling and providing practical solutions for common issues.

Tadeas began by drawing a clear distinction between the two worlds. The JVM handles the heavy lifting of linking and loading dependencies at runtime, a process that is largely transparent to the developer. In contrast, Kotlin Native produces a standalone binary, which means the developer must contend with the nuances of native linking and compilation. This fundamental difference introduces a new set of challenges, particularly for those accustomed to the JVM’s seamless “it just works” experience.

He delved into the specifics of native platforms, examining dependency management tools like CocoaPods and Swift Package Manager used on Apple platforms. By comparing their strengths and weaknesses, Tadeas provided valuable context for how Kotlin Multiplatform fits into this ecosystem. He underscored the importance of understanding the native build process, a step that is often abstracted away but is crucial for troubleshooting the cryptic errors that can arise when integrating dependencies. He emphasized that static linking is often the most reliable approach in Kotlin Native, offering a more predictable and robust solution.

A significant portion of the talk was dedicated to practical workarounds and tools to overcome these challenges. Tadeas introduced a key concept: cinterop bindings, which are used to interact with C libraries from Kotlin Native code. He explained how to handle dynamic and static libraries and provided guidance on navigating the complexities of header file inclusion and symbol visibility. He also highlighted the utility of specific tools and practices, such as meticulously heeding build warnings, as they often contain clues to underlying issues.

Tadeas also brought attention to Skie, an open-source tool he co-authored, which addresses a key pain point for developers: the quality of the Kotlin Multiplatform API exposed to Swift. He explained that Skie enhances the generated Swift API, making it more idiomatic and easier for iOS developers to work with. He positioned it as a valuable solution for teams looking to improve their development workflow and collaboration while waiting for future features like Swift export. His talk provided a comprehensive guide, arming developers with the knowledge and tools needed to navigate the complexities of dependencies in the Kotlin Native world with greater confidence and efficiency.

Links:

• Touchlab website
• Dependencies and Kotlin Native | Tadeas Kriz

Martin Doyhenard, a seasoned security researcher, captivated the DEF CON 32 audience with his exploration of innovative web cache exploitation techniques. Focusing on exploiting ambiguities in RFC standards, Martin unveiled two novel methods—Static Path Deception and Cache Key Confusion—that push the boundaries of web cache attacks. Through detailed case studies and a live demonstration, he showcased how these techniques can compromise application confidentiality, enable arbitrary cache poisoning, and even achieve full site takeovers, providing actionable insights for security practitioners to identify and mitigate such vulnerabilities.

Unveiling Web Cache Mechanics

Martin began by elucidating the inner workings of web caches, which store frequently accessed content to enhance website performance. He highlighted how caches rely on URL parsing to determine what to store and serve, yet inconsistencies in parsing across platforms create exploitable vulnerabilities. By leveraging ambiguities in RFC standards, attackers can manipulate cache behavior to serve malicious content or expose sensitive data. Martin’s clear explanation set the stage for understanding the sophisticated attacks that followed, emphasizing the critical role of URL parsers in web security.

Static Path Deception: Breaching Confidentiality

Delving into his first technique, Martin introduced Static Path Deception, a method that exploits cache handling of static file paths to compromise application confidentiality. Using a case study involving Nginx behind Cloudflare, he demonstrated how attackers can trick caches into serving sensitive content to unauthorized users. By crafting specific URL patterns, Martin showed how this technique bypasses traditional cache restrictions, exposing private data. His findings underscore the need for consistent cache configuration across content delivery networks and web servers to prevent such breaches.

Cache Key Confusion: Poisoning and Denial of Service

Martin then presented Cache Key Confusion, a technique exploiting discrepancies in how platforms like Microsoft Azure Cloud normalize cache keys. He illustrated how attackers can manipulate URL parsing to poison caches, serving malicious content to all users or triggering denial-of-service attacks. His live demo combined Cache Key Confusion with an open redirect vulnerability to execute arbitrary JavaScript, achieving a complete site takeover. This powerful demonstration highlighted the far-reaching impact of parser inconsistencies and the potential for significant disruption in cloud-based environments.

Mitigation and Community Engagement

Concluding, Martin shared practical strategies to counter these vulnerabilities, urging organizations to audit cache configurations and disable key normalization where possible. He introduced his open-source tool, Cache Killer, designed to detect parsing discrepancies, and encouraged the DEF CON community to contribute to its development. By sharing references to prior research and his own findings, Martin fostered a collaborative approach to improving web cache security, inspiring attendees to hunt for similar vulnerabilities in bug bounty programs and beyond.

Links:

• None available

Amid the arduous arena of application assurance, where integration inspections intersect infrastructure intricacies, Daniel Ward, a .NET navigator and testing tactician, torpedoes the tired trope of SQLite as EF Core’s ersatz examiner. With a penchant for precision and a portfolio of pragmatic patterns, Daniel decries the discrepancies—dialect drifts, devious defaults—that delude developers into dubious dependability. His herald: TestContainers, a titan of transient testing, tethering true-to-type databases to dotnet diagnostics, ensuring examinations echo environments exactly.

Daniel dives direct: SQLite’s siren song—simplicity’s shadow—seduces with speed yet sabotages similitude, spawning spurious successes in schema shadows. Real realms revel in PostgreSQL or SQL Server; sans such sentinels, tests tantalize with triumphs that tumble in truth. His thesis: TestContainers triumphs, turbocharging temporaries—containers conjured cleanly, configured crisply—for credible, containerized corroboration.

Ditching the Decoy: Drawbacks of Database Doppelgangers

SQLite’s shortcomings spotlight starkly: syntax schisms—TOP versus LIMIT—thwart translations; transaction treatments transmute, transactions toggling differently. Daniel details dev database dilemmas: devious dependencies, drift-prone data, deployment drudgery. False flags flourish: tests triumph trivially, only to falter in flight, fostering fragile faith.

His horror stories: SQLite’s solitary schema swallows specifics, sans stored procedures or sequences; in-memory imposters ignore indexes, inflating illusions. Daniel’s decree: discard decoys for doppelgangers divine—TestContainers delivers, Docker-driven duplicates that duplicate dynamics deftly.

Containers as Champions: TestContainers’ Triumphs

TestContainers, Daniel declaims, democratizes diligence: NuGet-nimble, it nurtures nodes—Postgres pods, SQL Server ships—spinning sans setup strife. Benefits burgeon: bit-for-bit fidelity, flakeless flurries, fleet-footed forays. Reusability reigns: withReuse() recycles realms, reining runtime rigorously.

Daniel demos deftly: dotnet add package Testcontainers.PostgreSql; a builder begets a beast, beckoning a bespoke bastion. Connection strings cascade, EF contexts calibrate, tests transact transparently—Respawn resets, restoring rectitude routinely.

Precision in Practice: Pitfalls and Panaceas

Pitfalls persist: parallelism’s pandemonium, port pandemonium—Daniel dispels with Docker Desktop’s discipline, orchestration’s oversight. His heuristic: harness health checks, heed horizons—hundreds hum harmoniously, hovering at half-minutes for hordes.

Respawn’s renaissance: rollback routines, resetting relations rigorously, rectifying residue. Daniel’s distillation: TestContainers transmutes testing from torment to triumph, true tests tempering temper tantrums.

Links:

• Daniel Ward on LinkedIn

At KotlinConf2024, Daniel Terhorst-North shared a heartfelt reflection on the traits of exceptional programmers, drawing from his 30-year career and a colleague who embodies these qualities. Without a formal degree, this programmer excels by starting tasks, prioritizing outcomes, simplifying solutions, choosing tools wisely, and fostering team growth. Daniel’s narrative, blending personal anecdotes and practical advice, inspires developers to cultivate curiosity, resilience, and empathy while building impactful software.

Starting with Action

Great programmers dive into tasks without hesitation. Daniel recounted how his colleague tackles projects by starting anywhere, embracing the unknown. This “just start” mindset counters procrastination, which Daniel admits to masking as research. By iterating rapidly—trying, failing, and learning—programmers overcome perfectionism and ego. Daniel likened progress to navigating a grid city, moving stoplight to stoplight, accepting delays as part of the journey, ensuring steady advancement toward solutions.

Prioritizing Outcomes Over Code

Building products, not just code, defines effective programming. Daniel emphasized that emotional investment should focus on outcomes, not code, which is merely a means. The best programmers write minimal, high-quality code, holding no attachment to it. Studying the domain reveals user needs, as Daniel learned during a financial project where ignorance of CDOs led to unintended consequences. Observing users’ frustrations, like manual data entry, uncovers opportunities to eliminate friction, enhancing product value.

Simplifying the Complex

Exceptional programmers see through complexity to find simple solutions. Daniel shared a story of his colleague bypassing bloated Java web servers by writing a lean one from the HTTP spec. In another case, a team debating JSON libraries was guided to implement a simple interface for nine serialized objects, avoiding heavy dependencies. Writing clear documentation, like a streamlined README, drives “embarrassment-driven refactoring,” ensuring solutions remain concise and maintainable, solving only what’s necessary.

Choosing Tools for the Problem

Tool selection should prioritize the product, not team familiarity. Daniel recounted a team learning Scala to sketch code quickly, despite no prior experience, proving adaptability trumps comfort. He advocated for polyglot programming, using Advent of Code to learn Rust and Go, which broadened his problem-solving perspective. By minimizing cognitive distance between problem and solution, as Rich Hickey’s “Simple Made Easy” suggests, programmers select tools that evolve with project needs, ensuring flexibility.

Fostering Team Care

Great programmers uplift their teams. Daniel finds joy in pairing and teaching, inspired by an XKCD comic about the “lucky 10,000” who learn something new daily. He creates environments for learning, drawing from jiu-jitsu’s teaching-first philosophy. Sending teams home to rest, as Daniel advocates, boosts effectiveness, while assuming positive intent—per Virginia Satir’s family therapy principle—builds empathy, transforming conflicts into opportunities for collaboration and growth.

Building Psychological Safety

Psychological safety, per Amy Edmondson’s research, is vital for high-performing teams. Daniel explained that safe teams encourage saying “I don’t know,” seeking help, and disagreeing without fear. A study of surgical teams showed high performers report more errors, reflecting trust, not incompetence. In software, this translates to teams where questions spark learning, help fosters collaboration, and dissent drives improvement, creating dynamic, challenging environments that fuel innovation.

Growing as a Programmer

Personal growth sustains programming excellence. Daniel urged developers to stay current through communities, contribute actively, and remain skeptical of trends like AI hype. Practicing via challenges like Advent of Code sharpens skills, as Daniel found when switching languages mid-puzzle. Balancing work with physical activities, like running, and prioritizing rest prevents burnout. By embracing continual learning and kindness, programmers evolve, as Daniel’s colleague demonstrates, into impactful, resilient professionals.

Links:

• KotlinConf website
• Kotlin website
• JetBrains website
• Daniel Terhorst-North’s Talk
• Kotlin on Twitter