The latest articles on Forem by Akshat Sharma (@shrmaky). https://forem.com/shrmaky https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F306334%2F77953e00-acc4-4b8b-96b9-b469212a1ac1.jpeg https://forem.com/shrmaky en Akshat Sharma Thu, 16 Apr 2020 16:43:10 +0000 https://forem.com/shrmaky/why-let-was-introduced-in-javascript-1caf https://forem.com/shrmaky/why-let-was-introduced-in-javascript-1caf <p>See this code<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>use strict function f() { if (true) { var x = 1 } return x } </code></pre></div> <p>Try to run this function, and it will return '1'</p> <p>Now see this<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>use strict function f() { if (true) { let x = 1 } return x } </code></pre></div> <p>Try to run this function, and it will throw error.</p> <p>Why?</p> <p>Logically anything scoped inside if shouldn't be accessible outside, but 'var' was accessible outside, thats why in ECMA2015 JS introduced 'let' to achieve this.</p> javascript todayilearned Akshat Sharma Thu, 16 Apr 2020 06:18:49 +0000 https://forem.com/shrmaky/are-you-logging-your-applications-right-l4g https://forem.com/shrmaky/are-you-logging-your-applications-right-l4g <h1> Log Management &amp; Monitoring </h1> <p>This document is the baseline for setting up the strategy for Logging &amp; Monitoring.</p> <h2> Table of Content </h2> <ul> <li> What to Log <ul> <li>Basics</li> <li>Events to Log</li> </ul> </li> <li> How to Log <ul> <li>Actionable's</li> <li>Log Management</li> <li>Security Aspects In Details</li> </ul> </li> <li> Roles &amp; Responsibilities <ul> <li>Log types</li> <li>What to never log</li> </ul> </li> <li> Next ToDo’s <ul> <li>Select Logging Framework for Frontend/Backend/Infra etc</li> <li>References</li> </ul> </li> </ul> <h2> What to Log </h2> <h3> Basics </h3> <ul> <li>Only log what Legislation allowed <ul> <li>Example GDPR</li> </ul> </li> <li>Maintaining Confidentiality | Only Public Records <ul> <li>Password &amp; Encryption Keys</li> <li>Payment Details</li> <li>Detailed System Information etc</li> <li>Information exposure through Error Messages</li> </ul> </li> <li>Sufficient Logging | NOT Logging Everything <ul> <li>CWE-779 Logging Excessive Data</li> </ul> </li> <li>Optimization Strategy: Right set of Training &amp; Utilization <ul> <li>Not Determining what to monitor &amp; how</li> <li>Right Training &amp; Documentation</li> <li>Putting right practice for Alerting</li> </ul> </li> </ul> <h3> Events to Log: </h3> <ul> <li>Authentication Events <ul> <li>All Success &amp; Failure</li> <li>Building a security policy</li> <li>Access control violations</li> <li>Incorrect Logins</li> <li>Policy for Internal Employees</li> <li>User Authentication(Failed/Reset/Successful) for all services including k8, Applications, Internal Systems</li> </ul> </li> <li>Authorization Events <ul> <li>Failure of Tokens &amp; Internal Access Violation</li> </ul> </li> <li>Application Errors <ul> <li>All Application Errors</li> <li>Startup &amp; Shutdown Events</li> <li>Configuration Changes</li> <li>Application State Information</li> <li>Input &amp; Output validation(maintaining signal to noise ratio)</li> </ul> </li> </ul> <h2> How to Log </h2> <h3> Actionable's </h3> <ul> <li>Deciding where to record log files <ul> <li>Local Logs(Not a good practice)</li> <li>Not to log locally, but if its required, log in separate partition &amp; enable access control.</li> <li>Access Control</li> <li>Logging Remotely or Centralized Log-Server <ul> <li>Full Encryption</li> <li>Access Control Mechanism</li> <li>Integrity Checks for Log Files</li> <li>Fail-over system</li> <li>Setting up regular backups</li> <li>Adding alerting</li> </ul> </li> </ul> </li> <li>Format of log files <ul> <li>Metadata requirements</li> <li>what has happened</li> <li>when it happened <ul> <li><a href="https://medium.com/easyread/understanding-about-rfc-3339-for-datetime-formatting-in-software-engineering-940aa5d5f68a">timestamp with Timezone</a></li> <li>source</li> <li>destination</li> <li>Synchronize Time Sources</li> </ul> </li> <li>where it happened <ul> <li>source address</li> <li>originating source(ipv4/ipv6)</li> </ul> </li> <li>who is responsible for the action <ul> <li>Logged on/Attempting User</li> <li>Unique identifier</li> </ul> </li> <li><a href="https://tools.ietf.org/html/rfc5424">Standard Logging Format</a></li> <li>Timestamp</li> <li>Encoding - UTF8</li> <li>Severity Levels(Standards) <ul> <li>0 - Emergency - System crash</li> <li>1 - Alert - action must be taken</li> <li>2 - Critical - critical condition such as load</li> <li>3 - error - error conditions</li> <li>4 - warning</li> <li>5 - Notice</li> <li>6 - Informational</li> <li>7 - Debug</li> </ul> </li> </ul> </li> <li>Handling Personal Data <ul> <li>Encrypting Personal Data</li> <li>Pseudonymization(Privacy Enhancing Techniques)</li> <li>Consulting Legal</li> </ul> </li> </ul> <h3> Log Management </h3> <ul> <li>Log Aggregation <ul> <li>Consolidate Duplicate Events</li> <li>Add Structure to the Docs</li> <li>Remove sensitive Data through filters</li> <li>Pseudonymization</li> <li>Security</li> <li>Input validation(XSS also possible in log files)</li> <li>Encoding(Safeguard against injection attacks)</li> <li>Filtering</li> </ul> </li> <li>Log Analyzing <ul> <li>Baselining</li> <li>Anomaly Detection</li> <li>Attack Signatures</li> </ul> </li> <li>Log Archiving</li> </ul> <h3> Security Aspects In Details </h3> <ul> <li>Information exposure through Error Messages</li> <li>Unsuccessful login attempts should be monitored</li> <li>Never, ever log credentials, passwords or any sensitive information.</li> <li>Detecting Network Intrusion</li> <li>ELK Login to be Employee should be strong &amp; unique password to prevent</li> <li>Following OWASP Top-10</li> </ul> <h2> Roles &amp; Responsibilities </h2> <ul> <li>IT Leadership <ul> <li>Assigning responsibilities</li> <li>Tools &amp; Trainings</li> <li>Incident response</li> </ul> </li> <li>Software/DevOps Lead <ul> <li>Defining what to log &amp; monitor. (Generally this happens in after Planning phase)</li> <li>Clear Documentation</li> <li>Common Format of log files</li> <li>Optimization or tweaking monitoring during operational phase</li> <li>Maintaining the policy</li> <li>Action on Log</li> <li>Adding Logging/Monitoring to release notes &amp; continuously monitoring behaviour in production</li> </ul> </li> <li>DevOps <ul> <li>Defining Response strategy</li> <li>Setting up Infra &amp; Enabling</li> <li>Common Format of log files</li> <li>Continuous Monitoring &amp; Alerting</li> <li>Verifying Pattern such as continuous login attempts</li> <li>Defining Response strategy</li> <li>Reporting policy violations</li> <li>Generating regular reports</li> </ul> </li> <li>Legal Department <ul> <li>Validating the information logged &amp; stored in database</li> </ul> </li> </ul> <h2> Log types </h2> <ul> <li>Application logs[http request/response log, application level error </li> </ul> <div class="highlight"><pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">'id'</span><span class="w"> </span><span class="err">:</span><span class="w"> </span><span class="err">'unique</span><span class="w"> </span><span class="err">request</span><span class="w"> </span><span class="err">id</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">tracing'</span><span class="p">,</span><span class="w"> </span><span class="err">'req'</span><span class="w"> </span><span class="err">:</span><span class="p">{},</span><span class="w"> </span><span class="err">//Generated</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">Logger</span><span class="w"> </span><span class="err">'res':</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="err">//Generated</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">Logger</span><span class="w"> </span><span class="err">'level':'error'</span><span class="p">,</span><span class="w"> </span><span class="err">'message':'There</span><span class="w"> </span><span class="err">is</span><span class="w"> </span><span class="err">an</span><span class="w"> </span><span class="err">error'</span><span class="p">,</span><span class="w"> </span><span class="err">'timestamp':</span><span class="w"> </span><span class="err">'</span><span class="mi">2016-06-12</span><span class="err">T</span><span class="mi">05</span><span class="err">:</span><span class="mi">00</span><span class="err">:</span><span class="mi">00</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'timezone':</span><span class="w"> </span><span class="err">'Pacific/Auckland'</span><span class="p">,</span><span class="w"> </span><span class="err">'context':'exception</span><span class="w"> </span><span class="err">trace'</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p><a href="https://www.npmjs.com/package/express-winston">Reference</a></p> <ul> <li>db log [query,error] </li> </ul> <div class="highlight"><pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"component"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="nl">"dbStats"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="err">//Generated</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">Logger</span><span class="w"> </span><span class="nl">"serverStatus"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="err">//Generated</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">Logger</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <ul> <li>container level log </li> </ul> <div class="highlight"><pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"container"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">ecs</span><span class="w"> </span><span class="err">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p><a href="https://demo.elastic.co/app/kibana#/dashboard/19e7fae0-92a6-11e8-8fa2-3d5f811fbd0f">See the demo for reference</a></p> <h2> What to never log </h2> <ul> <li>Customer Confidential Information</li> <li>Payment Records such as Credit Card</li> <li>Banking Information</li> </ul> <h2> References </h2> <ul> <li><a href="https://www.datadoghq.com/blog/monitoring-mean-stack-applications-with-datadog/">https://www.datadoghq.com/blog/monitoring-mean-stack-applications-with-datadog/</a></li> <li>Database Logs <ul> <li> <a href="https://docs.mongodb.com/manual/reference/command/serverStatus/#server-status-locks">https://docs.mongodb.com/manual/reference/command/serverStatus/#server-status-locks</a> -<a href="https://docs.mongodb.com/manual/reference/command/dbStats/#dbcmd.dbStats">https://docs.mongodb.com/manual/reference/command/dbStats/#dbcmd.dbStats</a> </li> </ul> </li> <li>K8 Logging <ul> <li><a href="https://itnext.io/logging-best-practices-for-kubernetes-using-elasticsearch-fluent-bit-and-kibana-be9b7398dfee">https://itnext.io/logging-best-practices-for-kubernetes-using-elasticsearch-fluent-bit-and-kibana-be9b7398dfee</a></li> </ul> </li> <li> <a href="https://github.com/pimterry/loglevel"></a><a href="https://github.com/pimterry/loglevel">https://github.com/pimterry/loglevel</a> </li> <li> <a href="https://medium.com/@davidmcintosh/winston-a-better-way-to-log-793ac19044c5"></a><a href="https://medium.com/@davidmcintosh/winston-a-better-way-to-log-793ac19044c5">https://medium.com/@davidmcintosh/winston-a-better-way-to-log-793ac19044c5</a> </li> <li> <a href="https://stackoverflow.com/questions/5817738/how-to-use-log-levels-in-java"></a><a href="https://stackoverflow.com/questions/5817738/how-to-use-log-levels-in-java">https://stackoverflow.com/questions/5817738/how-to-use-log-levels-in-java</a> </li> <li> <a href="https://blog.papertrailapp.com/best-practices-for-logging-in-nodejs/"></a><a href="https://blog.papertrailapp.com/best-practices-for-logging-in-nodejs/">https://blog.papertrailapp.com/best-practices-for-logging-in-nodejs/</a> </li> <li> <a href="https://github.com/trentm/node-bunyan#readme"></a><a href="https://github.com/trentm/node-bunyan#readme">https://github.com/trentm/node-bunyan#readme</a> </li> <li> <a href="https://medium.com/containerum/4-tools-to-monitor-your-kubernetes-cluster-efficiently-ceaf62818eea"></a><a href="https://medium.com/containerum/4-tools-to-monitor-your-kubernetes-cluster-efficiently-ceaf62818eea">https://medium.com/containerum/4-tools-to-monitor-your-kubernetes-cluster-efficiently-ceaf62818eea</a> </li> <li> <a href="https://blog.coinbase.com/logs-metrics-and-the-evolution-of-observability-at-coinbase-13196b15edb7"></a><a href="https://blog.coinbase.com/logs-metrics-and-the-evolution-of-observability-at-coinbase-13196b15edb7">https://blog.coinbase.com/logs-metrics-and-the-evolution-of-observability-at-coinbase-13196b15edb7</a> </li> <li> <a href="https://medium.com/easyread/understanding-about-rfc-3339-for-datetime-formatting-in-software-engineering-940aa5d5f68a"></a><a href="https://medium.com/easyread/understanding-about-rfc-3339-for-datetime-formatting-in-software-engineering-940aa5d5f68a">https://medium.com/easyread/understanding-about-rfc-3339-for-datetime-formatting-in-software-engineering-940aa5d5f68a</a> </li> <li> <a href="https://webilicious.xyz/utilizing-winston-to-log-node-js-applications/"></a><a href="https://webilicious.xyz/utilizing-winston-to-log-node-js-applications/">https://webilicious.xyz/utilizing-winston-to-log-node-js-applications/</a> </li> <li>Security <ul> <li><a href="https://attack.mitre.org/">https://attack.mitre.org/</a></li> <li><a href="https://cwe.mitre.org/">https://cwe.mitre.org/</a></li> <li><a href="https://cwe.mitre.org/data/definitions/778.html">https://cwe.mitre.org/data/definitions/778.html</a></li> <li><a href="https://cwe.mitre.org/data/definitions/223.html">https://cwe.mitre.org/data/definitions/223.html</a></li> <li><a href="https://cwe.mitre.org/data/definitions/209.html">https://cwe.mitre.org/data/definitions/209.html</a></li> <li><a href="https://cwe.mitre.org/data/definitions/779.html">https://cwe.mitre.org/data/definitions/779.html</a></li> </ul> </li> </ul> logging react javascript node Akshat Sharma Wed, 15 Apr 2020 17:27:58 +0000 https://forem.com/shrmaky/developer-stories-1-584o https://forem.com/shrmaky/developer-stories-1-584o <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s----foN2-7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ln8rrly2s2luq309xoj9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s----foN2-7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ln8rrly2s2luq309xoj9.png" alt="Alt Text"></a></p> jokes startup Akshat Sharma Sat, 11 Apr 2020 04:35:30 +0000 https://forem.com/shrmaky/scalable-open-source-tech-stack-336h https://forem.com/shrmaky/scalable-open-source-tech-stack-336h <p>The software engineering world is changing at a rapid pace.</p> <p>The idea is simple - Bring customers, giving them space to explore &amp; finally call to action.</p> <p><strong>Why technology matters?</strong><br> Battle in the technology space is on who can do this at scale, at scale means, something like handling "Cyber Monday" without warning/readiness.</p> <p>Always remember, great things are done by great people</p> <p><strong>Building Developers Ecosystem:</strong><br> To build a great technology base, we should spend a lot of time in culture &amp; communication. And with the growing powers of open source community, the technologists are penetrating almost every available space possible to automate. We really invest a lot of time in this area, and yes we are hiring.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--otav33Qd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gggr9i2xc9ixxjjsmbvd.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--otav33Qd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gggr9i2xc9ixxjjsmbvd.png" alt="Alt Text"></a><br> </p> <p><code>Take a break here if you are not at all familiar with Software Development. In the next self explanatory section, am introducing the open-source tools/tech for building modern web.</code><br> </p> <p><strong>Frontend:</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dKa1Xsx---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ayonmep23q0d05x0vsfp.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dKa1Xsx---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ayonmep23q0d05x0vsfp.png" alt="Alt Text"></a></p> <p><strong>Backend:</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WSMii7bc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/x5zht0pvu4qf6e5q0ilw.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WSMii7bc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/x5zht0pvu4qf6e5q0ilw.png" alt="Alt Text"></a></p> <p><strong>DevOps:</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C6JBA--5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/88jldg86rlqu68mz8z7r.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C6JBA--5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/88jldg86rlqu68mz8z7r.png" alt="Alt Text"></a></p> <p><strong>Automation Testing:</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3qiZRI5N--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8dhizjtd6fd5ppjotrr9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3qiZRI5N--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8dhizjtd6fd5ppjotrr9.png" alt="Alt Text"></a></p> <p><strong>Data Processing:</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MhZW_ENB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/nyoflau74hyrz63c84d3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MhZW_ENB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/nyoflau74hyrz63c84d3.png" alt="Alt Text"></a></p> <p>PS: Most of tools/tech are based on my hands-on experience. The three dots on the title is self explanatory that this will continue to advance rapidly. Feel free to DM me or write in comment if any addition/modification can help community.</p> opensource startup devrel