
What Programming Language Should I Use to Build a Startup?

Often entrepreneurs ask me 'What technology should I build my startup on?' There is no right or wrong answer to this question. It's a decision every company makes for itself, depending on what it's trying to build and the skills of its cofounders. Nonetheless, there are a few rules that one should adhere to. We discuss them in this blog post.

Incident Response Policy

What happens in your company when a production incident occurs? Usually in a typical startup, you will see engineers running around frantically trying to resolve the problem. However, as soon as the incident is resolved, they forget about it and go back to their usual business. A good incident response policy can help bring order into chaos. We provide a sample template in this blog post.

Why Software Deadlines Never Make Sense

We discuss why software deadlines usually don't make sense.

Analyzing Front-End Performance With Just a Browser

We discuss a number of freely available online tools which can be used to analyze bottlenecks in your website.

Why Smaller Businesses Can't Ignore Security and How They Can Achieve It On a Budget

In this article, we show that security is both important and achievable for smaller companies without breaking the bank.

Monday, July 30, 2012

Three Bogatyrs: Chrome, Firefox, and Internet Explorer.



Sunday, July 1, 2012

Google Compute vs Amazon EC2 Price Comparison

A few days ago, Google launched Google Compute Engine, a cloud service that will provide hosted Linux virtual machines. I was curious to compare the pricing of Google Compute and Amazon EC2.
For the comparison, I have used on-demand EC2 Linux instances hosted in Virginia. Other regions (US West, California, Asia-Pacific) have identical or higher pricing.



Overall, Google Cloud has better pricing and you get more 'bang for the buck', so it will prove to be a formidable competitor to Amazon EC2.




The sticking points that need to be resolved before widespread adoption will be:
1. Will Google Cloud have better stability than EC2, which has recently been plagued by outages?
2. Will Google eventually provide Windows instances?
3. Will Google stick with its initial pricing or raise prices down the road as it did with Google App Engine?
4. Do customers feel Google provides better security than EC2?



Why Smaller Businesses Can't Ignore Security and How They Can Achieve It On a Budget


A repost of an earlier blog that I wrote a few years back. 

Overview
In the back of the Pizza Schmizza restaurant in Vancouver, Washington sat an old computer, humming away. An unwitting customer would walk in to order a slice of pizza, and the next day his credit card number would go on sale on a hacker forum. A few years and millions of dollars later, the FBI learned the root cause of the breach: the computer was running old, unpatched software, which allowed the hacker Max Butler (aka “IceMan”) to access it remotely without a password (as detailed in Kevin Poulsen’s book “The Kingpin”).

This story is not unique. We often hear in the news about security compromises of large companies such as Sony or TJX, but we don’t hear about the daily compromises of thousands of small to mid-sized businesses. One reason is that many of those businesses (startups, motels, mom-and-pop shops, pizza shops) never find out that they were compromised in the first place. Another is that disclosing a compromise can be catastrophic for their survival. According to a study from PricewaterhouseCoopers, 70 percent of smaller companies that get hacked go out of business within a year.

Smaller businesses often have no security personnel on staff. They would rather bake pizza or build a UI prototype for investors than fix security holes. They think they are too small to get hacked, that they have nothing to lose, or that security is a distraction that is too time-consuming and too costly. Others argue that their biggest security risk is “running out of money.”

In this article, we dispel these misconceptions. We show that security is both important and achievable for smaller companies without breaking the bank.

Why Should You Care?

If you think your company is too small for hackers to notice, think again.
Most home invasions don’t happen in castles with moats and armed guards; they happen in regular houses next door. Similarly, the majority of security attacks in 2011 decreased in sophistication and targeted smaller businesses. Your company is a target, and there are two reasons you should be worried.

First, regardless of your company’s size, it all boils down to reputation.
Customers need to feel that you will do a good job protecting their personal data; if you don’t, they will take their business elsewhere. Depending on what information is exposed, you could also be subject to expensive government fines.


Second, the phrase “time is money” applies here. Let’s assume you own a small startup that doesn’t store any customer data or intellectual property, and one day you get hacked. How much damage do you suffer? The typical answer is “none,” which is why security is never a priority for these companies. In reality, you will have to repair your systems, find the cause of the breach, possibly reinstall operating systems, and so on, all of which can take months. For a small startup, not focusing on its core product for months could be tantamount to bankruptcy.


What Can You Do?

Despite what vendors would like you to believe, you don’t need to buy their security technologies to protect your company. You can become a more secure company for free without impeding business agility. I now describe six simple rules for achieving that.

1. There needs to be executive buy-in for your security strategy to succeed. Many companies hire a CISO and think they have magically become secure. A year later the frustrated CISO quits, and they get hacked because security is always set aside in favor of business objectives. With executive buy-in, your CISO will have the backing to get things done. Hyundai Capital CEO Ted Chung said, “IT security needs a philosophy and only the CEO can make that kind of a decision.”

2. Make sure that no weak or default passwords are used in your company. In 2011, almost half of the data breaches reported by Verizon involved weak or stolen passwords. Don’t assume that stringent password policies ensure your employees will select good passwords. Often users choose a dictionary word or the company name and add “123” or “!” at the end just to satisfy the policy. Any hacker worth his salt knows these tricks and will circumvent them. Teach your users how to use mnemonics to generate secure passwords (e.g. the phrase “I love chocolate 24x7!” becomes the password “Ilc24x7!”). Wear the bad guy’s hat for a day and try to break into your company’s servers. There are many free tools available, such as Hydra (http://www.thc.org/thc-hydra/), that you can use to brute-force guess passwords.
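As an added illustration of rule 2 (not part of the original post), the following Python script shows how a password that satisfies a typical complexity policy can still be a dictionary word or company name with “123” or “!” bolted on, while the mnemonic “Ilc24x7!” passes. The wordlist, the leet-speak table and the company name “acme” are constructed for the example.

```python
import re

# Constructed sample data for this example: a tiny wordlist and a hypothetical company name.
# A real audit would load a full dictionary such as the wordlists shipped with cracking tools.
WORDLIST = {"password", "welcome", "summer", "chocolate", "pizza", "monkey", "dragon"}
COMPANY_WORDS = {"acme", "acmecorp"}

# Leet-speak substitutions users commonly apply to get a dictionary word past a policy.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and symbols that get bolted onto the front or back of a word ("123", "!", "2012").
DECORATION = r"[\d!@#$%^&*.?_-]+"


def passes_policy(pw: str) -> bool:
    """A typical complexity policy: 8+ characters with upper, lower, digit and symbol."""
    checks = [len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return all(checks)


def weak_reason(pw: str, company_words=COMPANY_WORDS):
    """Return why a policy-compliant password is still weak, or None if it survives the checks."""
    core = re.sub(DECORATION + "$", "", pw.lower())  # strip trailing "123!"-style padding
    core = re.sub("^" + DECORATION, "", core)         # and leading padding
    if not core:
        return "only digits and symbols"
    # Compare both the literal core and its de-leeted form against the lists.
    for candidate in (core, core.translate(LEET)):
        if candidate in WORDLIST:
            return f"dictionary word '{candidate}' with decoration"
        if candidate in company_words:
            return f"company name '{candidate}' with decoration"
    if re.fullmatch(r"(.)\1+", core) or core in ("qwerty", "asdfgh", "qwertyuiop"):
        return "repeated character or keyboard pattern"
    return None


def audit(passwords, company_words=COMPANY_WORDS):
    """Map each password to its policy result and the reason rule 2 would still reject it."""
    return {pw: {"passes_policy": passes_policy(pw), "weak": weak_reason(pw, company_words)}
            for pw in passwords}


if __name__ == "__main__":
    # Constructed samples: three policy-compliant but weak passwords and the mnemonic one.
    for pw, result in audit(["Chocolate123!", "P@ssw0rd1!", "Acme2012!", "Ilc24x7!"]).items():
        print(f"{pw:15} policy={result['passes_policy']!s:5} weak={result['weak']}")
```

All three decorated passwords pass the complexity policy, which is exactly why the policy alone is not enough; only the mnemonic one survives the dictionary and company-name checks.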

3. Institute security awareness training for all company employees.
No computer in the world operates without some form of human intervention. That’s why security education should be a pivotal tool in any company’s security strategy. Security can be a very dry subject, so have some fun with it! (Don’t just tell people that it’s dangerous to download malicious attachments. Show them a screenshot of a user downloading a Hallmark greeting card on his computer, and a screenshot of a bad guy across the globe getting access to the user’s computer as the greeting card is opened.) The awareness training should be mandatory for all employees, which will be easy to achieve if you follow recommendation #1.

4. Contrary to what security vendors want you to believe, there are plenty of free alternatives to commercial products. To give a flavor:
- Immunet offers free anti-virus (http://www.immunet.com/main/index.html), which you can install on all your computers.
- Snort is a free intrusion detection system for your network, although it can be tricky to configure properly (http://www.snort.org).
- TrueCrypt offers full-disk encryption for your employees’ laptops for free (http://www.truecrypt.org).
- You can perform static analysis of your source code for security bugs using YASCA (http://www.scovetta.com/yasca.html).
The list goes on, but it illustrates that most security products have free counterparts.

5. Secure coding training for developers.
If your company develops its own software, make sure to train all developers on secure coding principles. Familiarize them with the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) list of web application security bugs.

6. Finally, stay proactive. When people started leaving laptops unattended at Cinchcast offices, we began walking the floors and taking the laptops away. When we felt that people weren’t engaged enough, we established a “security champion award” for the person outside the security team who contributed the most to the company’s security. At Gilt Groupe, we set up a “Hack Day” where any employee is challenged to break into the company’s website in order to win a coveted iPad. By engaging people, we managed to thwart many attacks.

Conclusion

Smaller companies have a misconception that security is hard to achieve because it’s expensive and time-consuming. In this article, we have described six simple rules that can dramatically improve security in your company.
The 80-20 rule applies to security as much as to anything else. By focusing on the basics, such as ensuring that no weak passwords are used, that all employees have attended security awareness training, and that developers are trained in secure coding principles, your organization can become more secure without spending any money or impeding business agility.

Interactive Programming Tutorials (.NET, Java, Ruby, Python, JavaScript, SQL, NOSQL)


I have a favorite proverb: "I Hear And I Forget; I See And I Remember; I Do And I Understand." I have always learned programming languages by trying them out, failing, biting my nails, and then remembering not to repeat the same mistakes twice.
Reading thick programming manuals was never my favorite pastime. I always jumped in and experimented.

Recently, multiple interactive programming tutorials have sprung up on the web. In these tutorials, you are typically presented with an interactive shell on a web page, which lets you learn a new programming language by experimenting with it. I expect these learning sites to continue to multiply and to expand to areas besides programming, such as learning SEO or Google Analytics. In fact, TechCrunch just announced the launch of HackerRank, a social site for hackers to compete, which also uses an interactive tutorial format.


Figure 1: Screenshot of SQLZOO.NET interactive tutorial for learning SQL

Below, I have assembled a list of such interactive tutorials.
If you have others that you'd like me to add to the list, leave a comment.

Topic
Interactive Tutorial
REDIS key-value store
MongoDB NOSQL database
SQL
Python
Python
Ruby
Haskell
Scala
Python, Ruby, JavaScript
.NET
UNIX
Fun social platform for collaborating
Regular Expressions

Figure 2: List of interactive programming tutorials