Podcasts about fusionauth

  • 28 podcasts
  • 40 episodes
  • 45m average duration
  • 1 new episode monthly
  • Latest: Apr 23, 2025

Latest podcast episodes about fusionauth

The Changelog
Make sales not features (Interview)

Apr 23, 2025 (68:10)

Kendall Miller is a bubbly extrovert who sticks his fingers in a lot of pies. He advises tech companies like FusionAuth, positions tech products like Civo & Tensorlake, organizes tech networks like CTO Lunches, and even sells whiskey & gin to tech people like us via his Friday Deployment Spirits brand. Kendall has learned a lot since he first entered the industry and he's eager to share what he knows, and who he knows, with the world.

Changelog Master Feed
Make sales not features (Changelog Interviews #638)

Apr 23, 2025 (68:10)

Kendall Miller is a bubbly extrovert who sticks his fingers in a lot of pies. He advises tech companies like FusionAuth, positions tech products like Civo & Tensorlake, organizes tech networks like CTO Lunches, and even sells whiskey & gin to tech people like us via his Friday Deployment Spirits brand. Kendall has learned a lot since he first entered the industry and he's eager to share what he knows, and who he knows, with the world.

The Changelog
Over the top auth strategies (Friends)

Jan 31, 2025 (86:47)

Dan Moore from FusionAuth joins us for a wide-ranging discussion about modern auth strategies. We talk magic links, OTP, MFA, passkeys, password managers & so much more.

Changelog Master Feed
Over the top auth strategies (Changelog & Friends #78)

Jan 31, 2025 (86:47)

Dan Moore from FusionAuth joins us for a wide-ranging discussion about modern auth strategies. We talk magic links, OTP, MFA, passkeys, password managers & so much more.

Maintainable
Dan Moore: Building Developer-Friendly Authentication Solutions

Dec 3, 2024 (49:20)

Topics Covered

Characteristics of Maintainable Software: Dan emphasizes the importance of internal consistency in codebases, automated tests, and proper documentation to preserve decision-making context.
  • [00:05:32] Internal consistency: Why it matters.
  • [00:08:09] Lessons from maintaining legacy codebases.

Working with Legacy Systems: Dan shares stories of upgrading ORM frameworks, introducing caching systems, and transitioning to bug tracking tools.
  • [00:09:52] Replacing custom ORM systems with Hibernate and Ehcache.
  • [00:13:10] Tackling high-risk components with automated testing.

Modern Authentication Challenges: As part of FusionAuth, Dan discusses building developer-friendly tools that balance local flexibility with SaaS convenience.
  • [00:21:05] FusionAuth's role in secure authentication.
  • [00:28:13] Testing authentication flows locally and in CI pipelines.

Navigating Constraints in Teams: Advice for managing technical debt, advocating for team priorities, and communicating with stakeholders during lean times.
  • [00:16:39] Communicating the impact of resource constraints.
  • [00:19:27] Tracing single requests to understand complex systems.

Industry Trends and AI's Role: From managed services to the impact of AI on coding languages, Dan reflects on how the industry continues to evolve.
  • [00:35:05] Managed services as accelerators for maintainability.
  • [00:41:25] The potential and limits of AI in software development.

Key Takeaways
  • Consistency and documentation in codebases reduce cognitive overhead for developers.
  • Understand how your software fits into the business to prioritize effectively.
  • AI might reshape the industry, but it won't replace the need for thoughtful problem-solving.
  • Opinionated frameworks like Ruby on Rails continue to offer exceptional developer ergonomics.

Resources Mentioned
  • FusionAuth Blog
  • Dan's Personal Blog
  • CIAM Weekly Newsletter
  • Dan's Book: Letters to a New Developer
  • Zen and the Art of Motorcycle Maintenance
  • The Asimov story mentioned

Try FusionAuth
  • Download FusionAuth: Get started with the self-hosted version today.
  • Free Trial of FusionAuth: Experience the FusionAuth cloud for free!

Connect with Dan
  • LinkedIn
  • BlueSky

saas.unbound
Selling SaaS to developers with Brian Pontarelli @FusionAuth / @CleanSpeak

Aug 19, 2024 (43:47)

saas.unbound is a podcast for and about founders who are working on scaling inspiring products that people love, brought to you by https://saas.group/, a serial acquirer of B2B SaaS companies. In episode #46, Anna Nadeina talks with Brian, Founder and CEO of FusionAuth, the authentication and authorization platform for developers, and CleanSpeak, a profanity filtering & moderation tool.

The Cloud Gambit
Unpacking the Current State of Authentication and Authorization with Dan Moore

Apr 23, 2024 (46:13)

Dan Moore is Principal Product Engineer for FusionAuth where he helps evangelize authentication, authorization, and security. Dan is a former CTO, AWS certification instructor, and Engineering Director and has a wealth of experience in back-end development spanning 25 years. In this conversation, we discuss the origins of Customer Identity Access Management, where it is today, and what the future may hold.

Where to find Dan
  • LinkedIn: https://www.linkedin.com/in/mooreds/
  • Twitter: https://twitter.com/mooreds
  • GitHub: https://github.com/mooreds
  • Substack: https://ciamweekly.substack.com/
  • Vendor neutral articles: https://fusionauth.io/articles/

Frontier Podcast by Gun.io
Ep. 45: Brian Pontarelli, CEO and Founder of FusionAuth

Mar 28, 2024 (44:05)

On this week's episode, Teja sits down with Brian Pontarelli, Founder and CEO of both FusionAuth and CleanSpeak. They discuss the complexities of growing two businesses at the same time, making progress without using AI, and the subtle clues in an interview process that let you know someone's a great culture fit.

  • https://fusionauth.io/
  • https://cleanspeak.com/

The SaaS CFO
$65M Investment to Improve Identity and Access Management for Apps

Feb 20, 2024 (16:57)

Welcome to The SaaS CFO Podcast. In this episode, host Ben is joined by Brian Pontarelli, founder and CEO at FusionAuth, a customer identity and access management tool. Brian delves into his coding background, the products and services offered by FusionAuth, and the company's journey from its founding to recent growth equity investment. He shares insights on their go-to-market strategy, metrics guiding the business, and their focus on product development and boosting their market presence. Don't miss Brian's valuable lessons learned and what's in store for FusionAuth's future. Tune in for an insightful conversation on SaaS growth and evolution.

Show Notes:
  • 00:00 Login downtime closes cash register. Prioritize customer login ease.
  • 04:45 Friend and I tried to recreate the web, but switched to a profanity filter which became successful.
  • 08:02 Focused on content marketing, SEO, and developer-oriented ads using platforms like Google and LinkedIn to reach developers. Ads are creative and provide immediate value with ebooks.
  • 09:40 Received interest from various firms, pursued growth equity investment.
  • 13:25 Focusing on real metrics, not just revenue growth.
  • 16:28 FusionAuth IO website - comprehensive and transparent resource for information without sales pressure.

Links:
  • SaaS Fundraising Stories: https://www.thesaasnews.com/news/fusionauth-secures-65-million-in-funding
  • Brian Pontarelli's LinkedIn: https://www.linkedin.com/in/voidmain/
  • FusionAuth's LinkedIn: https://www.linkedin.com/company/fusionauth/
  • FusionAuth's Website: https://fusionauth.io/

My Biggest Lesson
Brian Pontarelli: Leveraging Unbridled Optimism to Propel your Business

Jan 18, 2024 (19:51)

This week Adam speaks with Brian Pontarelli, the CEO and founder of Inversoft Inc., the parent company of FusionAuth, a leading customer identity and access management platform, and CleanSpeak, a platform to filter offensive and inappropriate content. Prior to launching FusionAuth, Brian studied computer engineering at CU Boulder, was an employee at tech companies such as Orbitz and was co-chairman of Denver and Boulder Startup Weeks along with Adam. On this episode, Brian talks about his recent success with FusionAuth, his time building a company in Colorado's thriving tech community, plus a lesson on fostering a positive and enthusiastic company culture.

State of Identity
A Developer-Centric Approach to CIAM and the Road to Passwordless

Nov 2, 2023 (24:36)

In the latest episode of the State of Identity podcast series, we delve into the ever-evolving world of customer identity and access management. Join host Cameron D'Ambrosi from Liminal as he sits down with Brian Pontarelli, the founder and CEO of FusionAuth, to explore the exciting developments and challenges in the realm of passwordless authentication, user data management, and the quest for seamless transitions in the digital landscape. Brian shares his expertise and unique perspective, shedding light on the fascinating journey of FusionAuth and its pivotal role in this dynamic landscape. Tune in for a thought-provoking discussion that promises to expand your understanding of CIAM and its critical role in the modern enterprise.

API Intersection
Down the API Authentication Rabbit Hole feat. Dan Moore at FusionAuth

Nov 2, 2023 (38:57)

This week on API Intersection, we get down and dirty talking about authentication and authorization. It's a topic you can't avoid, whether you like it or not! Visit Dan's LinkedIn and check out his work at fusionauth.io

AWS Morning Brief
Cheating on your CI Tests

Sep 28, 2023 (3:34)

Last week in security news: Accelerating development with AWS CDK plugin – CfnGuardValidator, This week's S3 Bucket Negligence Award is brought to you by PwC Nigeria, The volkswagen open source tool, and more!

Links:
  • Last week I talked about AWS Management Console Access incorrectly. My thanks to Timothy Ingalls on the Last Week in AWS community Slack for flagging this for me. Gold star for you!
  • This week's S3 Bucket Negligence Award is brought to you by PwC Nigeria.
  • FusionAuth has a great dive into their annual SOC 2 vendor selection process.
  • My beloved Retool has a post talking about how an MFA failure mode led to a small number of customers being exposed.
  • Accelerating development with AWS CDK plugin – CfnGuardValidator
  • How to implement cryptographic modules to secure private keys used with IAM Roles Anywhere
  • Tool of the week: The volkswagen open source tool detects when your tests are being run in a CI server, and makes them pass.

Turing School Podcast
Support Engineering

Aug 2, 2023 (42:50)

Jesse chats with Josh O'Bannon, FusionAuth Engineering Support Team Lead and 1909 BE Alum, about Josh's Turing story, religion and spirituality, FusionAuth, authentication, and the field of Support Engineering. There are some child-related background noises.

Is AI Taking Over Dev Jobs? (https://writing.turing.edu/is-ai-taking-over-dev-jobs/)

If you or someone you know are code curious, we encourage you to attend a Turing Try Coding Event. You can register for a Try Coding class at turing.edu/try-coding.

AWS Morning Brief
Amazon Calls Down Regulatory Lightning

Jun 26, 2023 (5:41)

AWS Morning Brief for the week of June 26, 2023 with Corey Quinn.

Links:
  • The FTC comment period about the business of cloud computing ended
  • Amazon warehouse practices are now the focus of a senate probe
  • The FTC is suing Amazon for its Prime enrollment dark patterns
  • Amazon's iRobot acquisition is now the subject of an EU investigation
  • The launch of Amazon Clinic is being delayed after the senate asked some hard questions
  • Announcing Amazon EC2 Hpc7g instances
  • AWS Lambda supports starting from timestamp for Kafka event sources
  • AWS Step Functions launches Versions and Aliases
  • AWS Transfer Family announces structured JSON log format
  • 5 Stages to Building a Successful Partner Practice with AWS
  • Say Hello to 176 AWS Competency, Service Delivery, Service Ready, and MSP Partners Added or Renewed in May
  • How GoDaddy Implemented a Multi-Region Event-Driven Platform at Scale
  • New Amazon EC2 C7gn Instances: Graviton3E Processors and Up To 200 Gbps Network Bandwidth. For actual technical depth, my thanks to David Cuthbert in the Last Week in AWS Slack Community for surfacing this AnandTech article.
  • Stream VPC Flow Logs to Datadog via Amazon Kinesis Data Firehose
  • Creating real-time flood alerts with the cloud
  • Use AWS Private Certificate Authority to issue device attestation certificates for Matter
  • Should I use the hosted UI or create a custom UI in Amazon Cognito? - Trick question, you should use recurring Last Week in AWS sponsor FusionAuth instead.
  • Coming soon: updates to AWS Certified Cloud Practitioner exam
  • How I achieved all six specialty AWS Certifications on first attempt
  • How to win a $5 Amazon Gift Card, just by signing up for the Amazon News newsletter

Scaling DevTools
Forums vs Slack with Dan Moore from FusionAuth

Jun 22, 2023 (25:58)

Dan is head of DevRel at FusionAuth - Auth Built for Devs, by Devs

  • FusionAuth's journey from moderation to auth provider.
  • Introduction to Dan Moore, head of DevRel at fusion.
  • Fusion's journey
  • Free to use for many users, but also a cloud offering.
  • Synchronous communication vs asynchronous communication.
  • 10% of their traffic is coming from forum pages.
  • No one ever searches on Stack Overflow.
  • What are some of the experiments that have gone well?
  • Efforts to promote community feel.
  • Community stories, finding out user pain points and wins.
  • The importance of getting your community to know each other.
  • Getting 20 or 30 blog posts on the blog.
  • Dan's experience on Screaming into the cloud.

Dan's Twitter - https://twitter.com/mooreds
FusionAuth - https://fusionauth.io/

Packet Pushers - Full Podcast Feed
Full Stack Journey 075: Authentication's Role In The Online World

Feb 21, 2023 (44:12)

Authentication is a key technology that underpins large portions of the online world, and so it's worth exploring in a bit more detail. In this episode of the Full Stack Journey podcast, Scott talks with Dan Moore of FusionAuth about all things authentication.

Packet Pushers - Full Stack Journey
Full Stack Journey 075: Authentication's Role In The Online World

Feb 21, 2023 (44:12)

Authentication is a key technology that underpins large portions of the online world, and so it's worth exploring in a bit more detail. In this episode of the Full Stack Journey podcast, Scott talks with Dan Moore of FusionAuth about all things authentication.

The AIAS Game Maker's Notebook
"Development Under Siege" with tinyBuild's Alex Nichiporchik

Dec 19, 2022 (99:31)

Trent Kusters and tinyBuild CEO Alex Nichiporchik revisit Alex's presentation from D.I.C.E. Barcelona 2022 where he discussed "Development Under Siege," the efforts tinyBuild went through to evacuate their development staff leading up to and during the invasion of Ukraine by Russian forces. tinyBuild had over 180 developers across both Ukraine and Russia, and Alex details the mass mobilization efforts they undertook to get their employees to safety and the challenges they faced along the way. Listen to the full episode here or watch on our YouTube channel. This episode is sponsored by FusionAuth. For more information, go to FusionAuth.io/game.

The Real Python Podcast
Moving Projects Away From Passwords With WebAuthn and Python

Nov 18, 2022 (44:37)

What if you didn't have to worry about managing user passwords as a Python developer? That's where the WebAuthn protocol and new hardware standards are heading. This week on the show, Dan Moore from FusionAuth returns to discuss a password-less future.

The AIAS Game Maker's Notebook
PlayStation London Studio with Tara Saunders and Stuart Whyte

Oct 27, 2022 (80:06)

Ted Price chats with PlayStation London Studio Co-Studio Heads, Tara Saunders and Stuart Whyte. Together they discuss studio culture including the values the studio created to guide them; their approach to supporting team well-being; and what their studio is doing to embrace diversity both inside and outside the studio. Listen to the full episode here or watch the full episode on our YouTube channel. This episode is sponsored by FusionAuth. For more information, go to FusionAuth.io/game.

Screaming in the Cloud
Authentication Matters with Dan Moore of FusionAuth

Sep 8, 2022 (37:19)

About Dan

Dan Moore is head of developer relations for FusionAuth, where he helps share information about authentication, authorization and security with developers building all kinds of applications. A former CTO, AWS certification instructor, engineering manager and a longtime developer, he's been writing software for (checks watch) over 20 years.

Links Referenced:
  • FusionAuth: https://fusionauth.io
  • Twitter: https://twitter.com/mooreds

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at AWS AppConfig. Engineers love to solve, and occasionally create, problems. But not when it's an on-call fire-drill at 4 in the morning. Software problems should drive innovation and collaboration, NOT stress, and sleeplessness, and threats of violence. That's why so many developers are realizing the value of AWS AppConfig Feature Flags. Feature Flags let developers push code to production, but hide that feature from customers so that the developers can release their feature when it's ready. This practice allows for safe, fast, and convenient software development. You can seamlessly incorporate AppConfig Feature Flags into your AWS or cloud environment and ship your Features with excitement, not trepidation and fear. To get started, go to snark.cloud/appconfig. That's snark.cloud/appconfig.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read.
To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I am joined today on this promoted episode, which is brought to us by our friends at FusionAuth by Dan Moore, who is their head of DevRel at same. Dan, thank you for joining me.

Dan: Corey, thank you so much for having me.

Corey: So, you and I have been talking for a while. I believe it predates not just you working over at FusionAuth but me even writing the newsletter and the rest. We met on a leadership Slack many years ago. We've kept in touch ever since, and I think, I haven't run the actual numbers on this, but I believe that you are at the top of the leaderboard right now for the number of responses I have gotten to various newsletter issues that I've sent out over the years.

And it's always something great. It's “Here's a link I found that I thought that you might appreciate.” And we finally sat down and met each other in person, had a cup of coffee somewhat recently, and the first thing you asked was, “Is it okay that I keep doing this?” And at the bottom of the newsletter is “Hey, if you've seen something interesting, hit reply and let me know.” And you'd be surprised how few people actually take me up on it. So, let me start by thanking you for being as enthusiastic a contributor of the content as you have been.

Dan: Well, I appreciate that. And I remember the first time I ran across your newsletter and was super impressed by kind of the breadth of it. And I guess my way of thanking you is to just send you interesting tidbits that I run across. And it's always fun when I see one of the links that I sent go into the newsletter because what you provide is just such a service to the community.
So, thank you.

Corey: The fun part, too, is that about half the time that you send a link in, I already have it in my queue, or I've seen it before, but not always. I talked to Jeff Barr about this a while back, and apparently, a big Amazonian theme that he lives by is two is better than zero. He'd rather two people tell him about a thing than no one tells him about the thing. And I've tried to embody that. It's the right answer, but it's also super tricky to figure out what people have heard or haven't heard. It leads to interesting places. But enough about my nonsense. Let's talk about your nonsense instead. So, FusionAuth; what do you folks do over there?

Dan: So, FusionAuth is an auth provider, and we offer a Community Edition, which is downloadable for free; we also offer premium editions, but the space we play in is really CIAM, which is Customer Identity Access Management. Very similar to Auth0 or Cognito that some of your listeners might have heard of.

Corey: If people have heard about Cognito, it's usually bracketed by profanity, in one direction or another, but I'm sure we'll get there in a minute. I will say that I never considered authentication to be a differentiator between services that I use. And then one day I was looking for a tool—I'm not going to name what it was just because I don't really want to deal with the angry letters and whatnot—but I signed up for this thing to test it out, and “Oh, great. So, what's my password?” “Oh, we don't use passwords. We just every time you want to log in, we're going to email you a link and then you go ahead and click the link.”

And I hadn't seen something like that before. And my immediate response to that was, “Okay, this feels like an area they've decided to innovate in.” Their core business is basically information retention and returning it to you—basically any CRUD app. Yay.
I don't think this is where I want them to be innovating.

I want them to use the tried and true solutions, not build their own or be creative on this stuff, so it was a contributor to me wanting to go in a different direction. When you start doing things like that, there's no multi-factor authentication available and you start to wonder, how have they implemented this? What corners have they cut? Who's reviewed this? It just gave me a weird feeling.

And that was sort of the day I realized that authentication for me is kind of like crypto, by which I mean cryptography, not cryptocurrency, I want to be very clear on, here. You should not roll your own cryptography, you should not roll your own encryption, you should buy off-the-shelf unless you're one of maybe five companies on the planet. Spoiler, if you're listening to this, you are almost certainly not one of them.

Dan: [laugh]. Yeah. So, first of all, I've been at FusionAuth for a couple of years. Before I came to FusionAuth, I had rolled my own authentication a couple of times. And what I've realized working there is that it really is—there are a couple of things worth unpacking here.

One is you can now buy or leverage open-source libraries or other providers a lot more than you could 15 or 20 years ago. So, it's become this thing that can be snapped into your architecture. The second is, auth is the front door to application. And while it isn't really that differentiated—I don't think most applications, as you kind of alluded to, should innovate there—it is kind of critical that it runs all the time that it's safe and secure, that it's accessible, that it looks like your application.

So, at the same time, it's undifferentiated, right? Like, at the end of the day, people just want to get through authentication and authorization schemes into your application. That is really the critical thing. So, it's undifferentiated, it's critical, it needs to be highly available.
Those are all things that make it a good candidate for outsourcing.

Corey: There are a few things to unpack there. First is that everything becomes commoditized in the fullness of time. And this is a good thing. Back in the original dotcom bubble, there were entire teams of engineers at all kinds of different e-commerce companies that were basically destroying themselves trying to build an online shopping cart. And today you wind up implementing Shopify or something like it—which is usually Shopify—and that solves the problem for you. This is no longer a point of differentiation.

If I want to start selling physical goods on the internet, it feels like it'll take me half an hour or so to wind up with a bare-bones shopping cart thing ready to go, and then I just have to add inventory. Authentication feels like it was kind of the same thing. I mean, back in that song from early on in internet history “Code Monkey” talks about building a login page as part of it, and yeah, that was a colossal pain. These days, there are a bunch of different ways to do that with folks who spend their entire careers working on this exact problem so you can go and work on something that is a lot more core and central to the value that your business ostensibly provides. And that seems like the right path to go down.

But this does lead to the obvious counter-question of how is it that you differentiate other than, you know, via marketing, which again, not the worst answer in the world, but it also turns into skeezy marketing. “Yes, you should use this other company's option, or you could use ours and we don't have any intentional backdoors in our version.” “Hmm. That sounds more suspicious and more than a little bit frightening. Tell me more.” “No, legal won't let me.” And it's “Okay.” Aside from the terrible things, how do you differentiate?

Dan: I liked that. That was an oddly specific disclaimer, right?
Like, whenever a company says, “Oh, yeah, no.” [laugh].

Corey: “My breakfast cereal has less arsenic than leading brands.”

Dan: Perfect. So yeah, so FusionAuth realizes that, kind of, there are a lot of options out there, and so we've chosen to niche down. And one of the things that we really focus on is the CIAM market. And that stands for Customer Identity Access Management. And we can dive into that a little bit later if you want to know more about that.

We have a variety of deployment options, which I think differentiates us from a lot of the SaaS providers out there. You can run us as a self-hosted option with, by the way, professional-grade support, you can use us as a SaaS provider if you don't want to run it yourself. We are experts in operating this piece of software. And then thirdly, you can move between them, right? It's your data, so if you start out and you're bare bones and you want to save money, you can start with self-hosted, when you grow, move to the SaaS version.

Or we actually have some bigger companies that kickstart on the SaaS version because they want to get going with this integration problem and then later, as they build out their capabilities, they want the option to move it in-house. So, that is a really key differentiator for us. The last one I'd say is we're really dev-focused. Who isn't, right? Everyone says they're dev-focused, but we live that in terms of our APIs, in terms of our documentation, in terms of our open development process. Like, there's actually a GitHub issues list you can go look on the FusionAuth GitHub profile and it shows exactly what we have planned for the next couple of releases.

Corey: If you go to one of my test reference applications, lasttweetinaws.com, as of the time of this recording at least, it asks you to authenticate with your Twitter account. And you can do that, and it's free; I don't charge for any of these things.
And once you're authenticated, you can use it to author Twitter threads because I needed it to exist, first off, and secondly, it makes a super handy test app to try out a whole bunch of different things.And one of the reasons you can just go and use it without registering an account for this thing or anything else was because I tried to set that up in an early version with Cognito and immediately gave the hell up and figured, all right, if you can find the URL, you can use this thing because the experience was that terrible. If instead, I had gone down the path of using FusionAuth, what would have made that experience different, other than the fact that Cognito was pretty clearly a tech demo at best rather than something that had any care, finish, spit and polish went into it.Dan: So, I've used Cognito. I'm not going to bag on Cognito, I'm going to leave that to—[laugh].Corey: Oh, I will, don't worry. I'll do all the bagging on Cognito you'd like because the problem is, and I want to be clear on this point, is that I didn't understand what it was doing because the interface was arcane, and the failure mode of everything in this entire sector, when the interface is bad, the immediate takeaway is not “This thing's a piece of crap.” It's, “Oh, I'm bad at this. I'm just not smart enough.” And it's insulting, and it sets me off every time I see it. So, if I feel like I'm coming across as relatively annoyed by the product, it's because it made me feel dumb. That is one of those cardinal sins, from my perspective. So, if you work on that team, please reach out. I would love to give you a laundry list of feedback. I'm not here to make you feel bad about your product; I'm here to make you feel bad about making your customers feel bad. Now please, Dan, continue.Dan: Sure. So, I would just say that one of the things that we've strived to do for years and years is translate some of the arcane IAM Identity Access Management jargon into what normal developers expect. 
And so, we don't have clients in our OAuth implementation—although they really are clients if you're an RFC junkie—we have applications, right? We have users, we have groups, we have all these things that are what users would expect, even though underlying them they're based on the same standards that, frankly, Cognito and Auth0 and a lot of other people use as well.But to get back to your question, I would say that, if you had chosen to use FusionAuth, you would have had a couple of advantages. The first is, as I mentioned, kind of the developer friendliness and the extensive documentation, example applications. The second would be a themeability. And this is something that we hear from our clients over and over again, is Cognito is okay if you stay within the lines in terms of your user interface, right? If you just want to login form, if you want to stay between lines and you don't want to customize your application's login page at all.We actually provide you with HTML templates. It's actually using a language called FreeMarker, but they let you do whatever the heck you want. Now, of course, with great power comes great responsibility. Now, you own that piece, right, and we do have some more simple customization you can do if all you want to do is change the color. But most of our clients are the kind of folks who really want their application login screen to look exactly like their application, and so they're willing to take on that slightly heavier burden. Unfortunately, Cognito doesn't give you that option at all, as far as I can tell when I've kicked the tires on it. 
The theming is—how I put this politely—some of our clients have found the theming to be lacking.Corey: That's part of the issue where when I was looking at all the reference implementations, I could find for Cognito, it went from “Oh, you have your own app, and its branding, and the rest,” and bam, suddenly, you're looking right, like, you're logging into an AWS console sub-console property because of course they have those. And it felt like “Oh, great. If I'm going to rip off some company's design aesthetic wholesale, I'm sorry, Amazon is nowhere near anywhere except the bottom 10% of that list, I've got to say. I'm sorry, but it is not an aesthetically pleasing site, full stop. So, why impose that on customers?”It feels like it's one of those things where—like, so many Amazon service teams say, “We're going to start by building a minimum lovable product.” And it's yeah, it's a product that only a parent could love. And the problem is, so many of them don't seem to iterate beyond that do a full-featured story. And this is again, this is not every AWS service. A lot of them are phenomenal and grow into themselves over time.One of the best rags-to-riches stories that I can recall is EFS, their Elastic File System, for an example. But others, like Cognito just sort of seem to sit and languish for so long that I've basically given up hope. Even if they wind up eventually fixing all of these problems, the reputation has been cemented at this point. They've got to give it a different terrible name.Dan: I mean, here's the thing. Like, EFS, if it looks horrible, right, or if it has, like, a toughest user experience, guess what? Your users are devs. And if they're forced to use it, they will. They can sometimes see the glimmers of the beauty that is kind of embedded, right, the diamond in the rough. If your users come to a login page and see something ugly, you immediately have this really negative association. 
And so again, the login and authentication process is really the front door of your application, and you just need to make sure that it shines.Corey: For me at least, so much of what's what a user experience or user takeaway is going to be about a company's product starts with their process of logging into it, which is one of the reasons that I have challenges with the way that multi-factor auth can be presented, like, “Step one, login to the thing.” Oh, great. Now, you have to fish out your YubiKey, or you have to go check your email for a link or find a code somewhere and punch it in. It adds friction to a process. So, when you have these services or tools that oh, your session will expire every 15 minutes and you have to do that whole thing again to log back in, it's ugh, I'm already annoyed by the time I even look at anything beyond just the login stuff.And heaven forbid, like, there are worse things, let's be very clear here. For example, if I log in to a site, and I'm suddenly looking at someone else's account, yeah, that's known as a disaster and I don't care how beautiful the design aesthetic is or how easy to use it is, we're done here. But that is job zero: the security aspect of these things. Then there's all the polish that makes it go from something that people tolerate because they have to into something that, in the context of a login page I guess, just sort of fades into the background.Dan: That's exactly what you want, right? It's just like the old story about the sysadmin. People only notice when things are going wrong. People only care about authentication when it stops them from getting into what they actually want to do, right? No one ever says, “Oh, my gosh, that login experience was so amazing for that application. I'm going to come back to that application,” right? 
They notice when it's friction, they noticed when it's sand in the gears.And our goal at FusionAuth, obviously, security is job zero because as you said, last thing you want is for a user to have access to some other user's data or to be able to escalate their privileges, but after that, you want to fade in the background, right? No one comes to FusionAuth and builds a whole application on top of it, right? We are one component that plugs into your application and lets you get on to the fundamentals of building the features that your users really care about, and then wraps your whole application in a blanket of security, essentially.Corey: I'll take even one more example before we just drive this point home in a way that I hope resonates with folks. Everyone has an opinion on logging into AWS properties because “Oh, what about your Amazon account?” At which point it's “Oh, sit down. We're going for a ride here. Are you talking about amazon.com account? Are you talking about the root account for my AWS account? Are you talking about an IAM user? Are you talking about the service formerly known as AWS SSO that's now IAM Identity Center users? Are you talking about their Chime user account? Are you talking about your repost forum account?” And so, on and so on and so on. I'm sure I'm missing half a dozen right now off the top of my head.Yeah, that's awful. I've been also developing lately on top of Google Cloud, and it is so far to the opposite end of that spectrum that it's suspicious and more than a little bit frightening. When I go to console.cloud.google.com, I am boom, there. There is no login approach, which on the one hand, I definitely appreciate, just from a pure perspective of you're Google, you track everything I do on the internet. 
Thank you for not insulting my intelligence by pretending you don't know who I am when I log into your Cloud Console.Counterpoint, when I log into the admin portal for my Google Workspaces account, admin.google.com, it always re-prompts for a password, which is reasonable. You'd think that stuff running production might want to do something like that, in some cases. I would not be annoyed if it asked me to just type in a password again when I get to the expensive things that have lasting repercussions.Although, given my personality, logging into Gmail can have massive career repercussions as soon as I hit send on anything. I digress. It is such a difference from user experience and ease-of-use that it's one of those areas where I feel like you're fighting something of a losing battle, just because when it works well, it's glorious to the point where you don't notice it. When authentication doesn't work well, it's annoying. And there's really no in between.Dan: I don't have anything to say to that. I mean, I a hundred percent agree that it's something that you could have to get right and no one cares, except for when you get it wrong. And if your listeners can take one thing away from this call, right, I know it's we're sponsored by FusionAuth, I want to rep Fusion, I want people to be aware of FusionAuth, but don't roll your own, right? There are a lot of solutions out there. I hope you evaluate FusionAuth, I hope you evaluate some other solutions, but this is such a critical thing and Corey has laid out [laugh] in multiple different ways, the ways it can ruin your user experience and your reputation. So, look at something that you can build or a library that you can build on top of. Don't roll your own. Please, please don't.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. 
Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: So, tell me a little bit more about how it is that you folks think about yourselves in just in terms of the market space, for example. The idea of CIAM, customer IAM, it does feel viscerally different than traditional IAM in the context of, you know, AWS, which I use all the time, but I don't think I have the vocabulary to describe it without sounding like a buffoon. What is the definition between the two, please? Or the divergence, at least?Dan: Yeah, so I mean, not to go back to AWS services, but I'm sure a lot of your listeners are familiar with them. AWS SSO or the artist formerly known as AWS SSO is IAM, right? So, it's Workforce, right, and Workforce—Corey: And it was glorious, to the point where I felt like it was basically NDA'ed from other service teams because they couldn't talk about it. But this was so much nicer than having to juggle IAM keys and sessions that timeout after an hour in the console. “What do you doing in the console?” “I'm doing ClickOps, Jeremy. Leave me alone.”It's just I want to make sure that I'm talking about this the right way. It feels like AWS SSO—creature formerly known as—and traditional IAM feels like they're directionally the same thing as far as what they target, as far as customer bases, and what they empower you to do.Dan: Absolutely, absolutely. There are other players in that same market, right? 
And that's the market that grew up originally: it's for employees. So, employees have this very fixed lifecycle. They have complicated relationships with other employees and departments in organizations, you can tell them what to do, right, you can say you have to enroll your MFA key or you are no longer employed with us.Customers have a different set of requirements, and yet they're crucial to businesses because customers are, [laugh] who pay you money, right? And so, things that customers do that employees don't: they choose to register; they pick you, you don't pick them; they have a wide variety of devices and expectations; they also have a higher expectation of UX polish. Again, with an IAM solution, you can kind of dictate to your employees because you're paying them money. With a customer identity access management solution, it is part of your product, in the same way, you can't really dictate features unless you have something that the customer absolutely has to have and there are no substitutes for it, you have to adjust to the customer demands. CIAM is more responsive to those demands and is a smoother experience.The other thing I would say is CIAM, also, frankly, has a simpler model. Most customers have access to applications, maybe they have a couple of roles that you know, an admin role, an editor role, a viewer role if you're kind of a media conglomerate, for an example, but they don't have necessarily the thicket of complexity that you might have to have an eye on, so it's just simpler to model.Corey: Here's an area that feels like it's on the boundary between them. I distinctly remember being actively annoyed a while back that I had to roll my marketing person her own entire AWS IAM account solely so that she could upload assets into an S3 bucket that was driving some other stuff. It feels very much like that is a better use case for something that is a customer IAM solution. 
Because if I screw up those permissions even slightly, well, congratulations, now I've inadvertently given someone access to wind up, you know, taking production down. It feels like it is way too close to things that are going to leave a mark, whereas the idea of a customer authentication story for something like that is awesome.And no please if you're listening to this, don't email me with this thing you built and put on the Marketplace that “Oh, it uses signed URLs and whatnot to wind up automatically federating an identity just for this one per—” Yes. I don't want to build something ridiculous and overwrought so a single person can update assets within S3. I promise I don't want to do that. It just ends badly.Dan: Well, that was the promise of Cognito, right? And that is actually one of the reasons you should stick with Cognito if you have super-detailed requirements that are all about AWS and permissions to things inside AWS. Cognito has that tight integration. And I assume—I haven't looked at some of the other big cloud providers, but I assume that some of the other ones have that similar level of integration. So yeah, so that my answer there would be Cognito is the CIAM solution that AWS has, so that is what I would expect it to be able to handle, relatively smoothly.Corey: A question I have for you about the product itself is based on a frustration I originally had with Cognito, which is that once you're in there and you are using that for authentication and you have users, there's no way for me to get access to the credentials of my users. I can't really do an export in any traditional sense. Is that possible with FusionAuth?Dan: Absolutely. So, your data is your data. And because we're a self-hosted or SaaS solution, if you're running it self-hosted, obviously you have access to the password hashes in your database. If you are—Corey: The hashes, not the plaintext passwords to be explicitly clear on this. [laugh].Dan: Absolutely the hashes. 
And we have a number of guides that help you get hashes from other providers into ours. We have a written export guide ourselves, but it's in the database and the schema is public. You can go download our schema right now. And if—Corey: And I assume you've used an industry standard hashing algorithm for this?Dan: Yeah, we have a number of different options. You can bring your own actually, if you want, and we've had people bring their own options because they have either special needs or they have an older thing that's not as secure. And so, they still want their users to be able to log in, so they write a plugin and then they import the users' hashes, and then we transparently re-encrypt with a more modern one. The default for us is PDK.Corey: I assume you do the re-encryption at login time because there's no other way for you to get that.Dan: Exactly. Yeah yeah yeah—Corey: Yeah.Dan: —because that's the only time we see the password, right? Like we don't see it any other time. But we support Bcrypt and other modern algorithms. And it's entirely configurable; if you want to set a factor, which basically is how—Corey: I want to use MD5 because I'm still living in 2003.Dan: [laugh]. Please don't use MD5. Second takeaway: don't roll your own and don't use MD5. Yeah, so it's very tweakable, but we shipped with a secured default, basically.Corey: I just want to clarify as well why this is actively important. I don't think people quite understand that in many cases, picking an authentication provider is one of those lasting decisions where migrations take an awful lot of work. And they probably should. There should be no mechanism by which I can export the clear text passwords. If any authentication provider advertises or offers such a thing, don't use that one. 
I'm going to be very direct on that point.The downside to this is that if you are going to migrate from any other provider to any other provider, it has to happen either slowly as in, every time people log in, it'll check with the old system and then migrate that user to the new one, or you have to force password resets for your entire customer base. And the problem with that is I don't care what story you tell me. If I get an email from one of my vendors saying “You now have to reset your password because we're migrating to their auth thing,” or whatnot, there's no way around it, there's no messaging that solves this, people will think that you suffered a data breach that you are not disclosing. And that is a heavy, heavy lift. Another pattern I've seen is it for a period of three months or whatnot, depending on user base, you will wind up having the plug in there, and anyone who logs in after that point will, “Ohh you need to reset your password. And your password is expired. Click here to reset.” That tends to be a little bit better when it's not the proactive outreach announcement, but it's still a difficult lift and it adds—again—friction to the customer experience.Dan: Yep. And the third one—which you imply it—is you have access to your password hashes. They're hashed in a secure manner. And trust me, even though they're hashed securely, like, if you contact FusionAuth and say, “Hey, I want to move off FusionAuth,” we will arrange a way to get you your database in a secure manner, right? It's going to be encrypted, we're going to have a separate password that we communicate with you out-of-band because this is—even if it is hashed and salted and handled correctly, it's still very, very sensitive data because credentials are the keys to the kingdom.So, but those are the three options, right? 
The slow migration, which is operationally expensive, the requiring the user to reset their password, which is horribly expensive from a user interface perspective, right, and the customer service perspective, or export your password hashes. And we think that the third option is the least of the evils because guess what? It's your data, right? It's your user data. We will help you be careful with it, but you own it.Corey: I think that there's a lot of seriously important nuance to the whole world of authentication. And the fact that this is such a difficult area to even talk about with folks who are not deeply steeped in that ecosystem should be an indication alone that this is the sort of thing that you definitely want to outsource to a company that knows what the hell they're doing. And it's not like other areas of tech where you can basically stumble your way through something. It's like “Well, I'm going to write a Lambda to go ahead and post some nonsense on Twitter.” “Okay, are you good at programming?” “Not even slightly, but I am persistent and brute force is a viable strategy, so we're going to go with that one.” “Great. Okay, that's awesome.”But authentication is one of those areas where mistakes will show. The reputational impact of losing data goes from merely embarrassing to potentially life-ruining for folks. The most stressful job I've ever had from a data security position wasn't when I was dealing with money—because that's only money, which sounds like a weird thing to say—it was when I did a brief stint at Grindr where people weren't out. In some countries, users could have wound up in jail or have been killed if their sexuality became known. And that was the stuff that kept me up at night.Compared to that, “Okay, you got some credit card numbers with that. 
What the hell do I care about that, relatively speaking?” It's like, “Yeah, it's well, my credit card number was stolen.” “Yeah, but did you die, though?” “Oh, you had to make a phone call and reset some stuff.” And I'm not trivializing the importance of data security. Especially, like, if you're a bank, and you're listening to this, and you're terrified, yeah, that's not what I'm saying at all. I'm just saying there are worse things.Dan: Sure. Yeah. I mean, I think that, unfortunately, the pandemic showed us that we're living more and more of our lives online. And the identity online and making sure that safe and secure is just critical. And again, not just for your employees, although that's really important, too, but more of your customer interactions are going to be taking place online because it's scalable, because it makes people money, because it allows for capabilities that weren't previously there, and you have to take that seriously. So, take care of your users' data. Please, please do that.Corey: And one of the best ways you can do that is by not touching the things that are commoditized in your effort to apply differentiation. That's why I will never again write my own auth system, with a couple of asterisks next to it because some of what I do is objectively horrifying, intentionally so. But if I care about the authentication piece, I have the good sense to pay someone else to do it for me.Dan: From personal experience, you mentioned at the beginning that we go back aways. I remember when I first discovered RDS, and I thought, “Oh, my God. I can outsource all this scut work, all of the database backups, all of the upgrades, all of the availability checking, right? 
Like, I can outsource this to somebody else who will take this off my plate.” And I was so thankful.And I don't—outside of, again, with some asterisks, right, there are places where I could consider running a database, but they're very few and far between—I feel like auth has entered that category. There are great providers like FusionAuth out there that are happy to take this off your plate and let you move forward. And in some ways, I'm not really sure which is more dangerous; like, not running a database properly or not running an auth system properly. They both give me shivers and I would hate to [laugh] hate to be forced to choose. But they're comparable levels of risk, so I a hundred percent agree, Corey.Corey: Dan, I really want to thank you for taking so much time to talk to me about your view of the world. If people want to learn more because you're not in their inboxes responding to newsletters every week, where's the best place to find you?Dan: Sure, you can find more about me at Twitter. I'm @mooreds, M-O-O-R-E-D-S. And you can learn more about FusionAuth and download it for free at fusionauth.io.Corey: And we will put links to all of that in the show notes. I really want to thank you again for just being so generous with your time. It's deeply appreciated.Dan: Corey, thank you so much for having me.Corey: Dan Moore, Head of DevRel at FusionAuth. I'm Cloud Economist Corey Quinn. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that will be attributed to someone else because they screwed up by rolling their own authentication.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. 
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Packet Pushers - Full Podcast Feed
Day Two Cloud 155: Terraform Stinks

Packet Pushers - Full Podcast Feed

Play Episode Listen Later Jul 20, 2022 52:54


Today on Day Two Cloud, we talk about why Terraform stinks. OK, maybe it doesn't stink, but just because everyone seems to love a particular tool doesn't make it right for you. We talk with Dan Moore, a developer advocate at FusionAuth, who tried to use Terraform and just couldn't get behind it. This episode is based on a presentation Dan gave at Gluecon in May 2022.

Packet Pushers - Fat Pipe
Day Two Cloud 155: Terraform Stinks

Packet Pushers - Fat Pipe

Play Episode Listen Later Jul 20, 2022 52:54


Today on Day Two Cloud, we talk about why Terraform stinks. OK, maybe it doesn't stink, but just because everyone seems to love a particular tool doesn't make it right for you. We talk with Dan Moore, a developer advocate at FusionAuth, who tried to use Terraform and just couldn't get behind it. This episode is based on a presentation Dan gave at Gluecon in May 2022.

Day 2 Cloud
Day Two Cloud 155: Terraform Stinks

Day 2 Cloud

Play Episode Listen Later Jul 20, 2022 52:54


Today on Day Two Cloud, we talk about why Terraform stinks. OK, maybe it doesn't stink, but just because everyone seems to love a particular tool doesn't make it right for you. We talk with Dan Moore, a developer advocate at FusionAuth, who tried to use Terraform and just couldn't get behind it. This episode is based on a presentation Dan gave at Gluecon in May 2022.

What Matters - A Podcast from Mattermost
What Matters - Episode 33 - Getting to Know Auth with Dan Moore

What Matters - A Podcast from Mattermost

Play Episode Listen Later Jun 30, 2022 20:15


In this episode of What Matters, PJ sits down with Dan Moore, Head of DevRel for FusionAuth, to discuss the importance of authentication to organizational security, open source authentication options, and whether blockchain has a future as an auth tool. 

DevSec For Scale Podcast
Auth Security (Part 1) w/ Dan Moore, FusionAuth

DevSec For Scale Podcast

Play Episode Listen Later Jun 7, 2022 27:48


We all know about Identity Providers today. But where did they come from and why are they so important to security? In this episode, Dan Moore, solutions architect and head of DevRel at FusionAuth, answers a variety of auth-related questions and helps us understand the ways developers are impacted by things like IAM, SSO, and more.

  • https://www.w3.org/community/fed-id/ - W3C group mentioned
  • https://martinfowler.com/articles/agile-threat-modelling.html - threat modelling
  • https://owasp.org/www-project-top-ten/ - OWASP top ten

Talk Python To Me - Python conversations for passionate developers
#360: Removing Python's Dead Batteries (in just 5 years)

Talk Python To Me - Python conversations for passionate developers

Play Episode Listen Later Apr 8, 2022 80:03


Python has come a long way since it was released in 1991. It was originally released when the Standard Library was primarily the totality of functionality you could leverage when building your applications. With the addition of pip and the 368,000 packages on PyPI, it's a different world in terms of what we need and expect from the Standard Library. Brett Cannon and Christian Heimes have introduced PEP 594, which is the first step in trimming outdated and unmaintained older modules from the Standard Library. Join us to dive into the history and future of Python's Standard Library.

Links from the show
  • Brett Cannon: @brettsky
  • Christian Heimes: @ChristianHeimes
  • PEP 594: peps.python.org
  • PEP 594 deprecated modules: peps.python.org
  • Python WebAssembly REPL: repl.ethanhs.me
  • Pyodide: github.com
  • JupyterLite: jupyterlite.readthedocs.io
  • "How to run Python in the browser" - Katie Bell: youtube.com
  • .NET's Blazor: dotnet.microsoft.com
  • wasmtime: pypi.org
  • Python 3.10.4 Release Notes: docs.python.org
  • Watch this episode on YouTube: youtube.com

Stay in touch with us
  • Subscribe on YouTube: youtube.com
  • Follow Talk Python on Twitter: @talkpython
  • Follow Michael on Twitter: @mkennedy

Sponsors
  • Microsoft
  • FusionAuth
  • Talk Python Training

Python Bytes
#276 Tracking cyber intruders with Jupyter and Python

Mar 23, 2022 45:04


Watch the live stream: Watch on YouTube

About the show
Sponsored by FusionAuth: pythonbytes.fm/fusionauth
Special guest: Ian Hellen

Brian #1: gensim.parsing.preprocessing
  • Problem I'm working on
    • Turn a blog title into a possible url
    • example: “Twisted and Testing Event Driven / Asynchronous Applications - Glyph”
    • would like, perhaps: “twisted-testing-event-driven-asynchronous-applications”
  • Sub-problem: remove stop words ← this is the hard part
  • I started with an article called Removing Stop Words from Strings in Python
    • It covered how to do this with NLTK, Gensim, and SpaCy
  • I was most successful with remove_stopwords() from Gensim
    • from gensim.parsing.preprocessing import remove_stopwords
    • It's part of a gensim.parsing.preprocessing package
  • I wonder what's all in there?
    • a treasure trove
    • gensim.parsing.preprocessing.preprocess_string is one
    • this function applies filters to a string, with the defaults almost being just what I want:
      • strip_tags()
      • strip_punctuation()
      • strip_multiple_whitespaces()
      • strip_numeric()
      • remove_stopwords()
      • strip_short()
      • stem_text() ← I think I want everything except this
        • this one turns “Twisted” into “Twist”, not good.
  • There's lots of other text processing goodies in there also.
  • Oh, yeah, and Gensim is also cool.
    • topic modeling for training semantic NLP models
  • So, I think I found a really big hammer for my little problem.
    • But I'm good with that

Michael #2: DevDocs
  • via Loic Thomson
  • Gather and search a bunch of technology docs together at once
  • For example: Python + Flask + JavaScript + Vue + CSS
  • Has an offline mode for laptops / tablets
  • Installs as a PWA (sadly not on Firefox)

Ian #3: MSTICPy
  • MSTICPy is a toolset for CyberSecurity investigations and hunting in Jupyter notebooks.
  • What is CyberSec hunting/investigating? - responding to security alerts and threat intelligence reports, trawling through security logs from cloud services and hosts to determine if it's a real threat or not.
  • Why Jupyter notebooks?
    • SOC (Security Ops Center) tools can be excellent but all have limitations
    • You can get data from anywhere
    • Use custom analysis and visualizations
    • Control the workflow…. workflow is repeatable
  • Open source pkg - created originally to support MS Sentinel Notebooks but now supports lots of providers.
  • When I started this 3+ yrs ago I thought a lot of this would be in PyPI - but no

Colorado = Security Podcast
233 - 3/7 - Dan Moore, Developer Relations at FusionAuth

Mar 6, 2022 60:50


Dan Moore, Head of Developer Relations at FusionAuth is our feature interview this week. News from Frontier Airlines, Whataburger, Evolve, Lares, Coalfire, Ping Identity, Red Canary and a lot more.

Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure.

Come join us on the new Colorado = Security Slack channel to meet old and new friends.

Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/.

If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
  • Join the Colorado = Security Slack channel
  • Survey finds Denver neighbors rank among the best in the country for being the least annoying
  • Frontier merger could bring around 1,000 high-paying Spirit jobs to Colorado
  • Colorado's first Whataburger will open next week
  • Denver vacation rental company raises $100M round after busiest year yet
  • Introducing the Colorado Inno Madness Bracket
  • Matthew Sharp of Logicworks and "Rock" Lambros of RockCyber on "The CISO Evolution."
  • New Defensive Guidance from the NSA
  • COALFIRE LAUNCHES APPLICATION SECURITY SOLUTIONS POWERED BY THREADFIX PLATFORM
  • How Can Your Enterprise Grow Securely in the Metaverse? | Ping Identity
  • Take MDR beyond the endpoint with Red Canary Threat Investigation
  • CISO of the Year Winner is...

Job Openings:
  • Red Canary - GRC Analyst
  • Elevations Credit Union - VP Information Security (Broomfield Basecamp)
  • SSR Mining - Manager, Cyber Security Operations
  • RTD - Senior Cybersecurity Engineer
  • DispatchHealth - Information Security Manager
  • Global Medical Response - Sr Cyber Security Engineer
  • Air Methods - Cyber Security Analyst
  • Ball Aerospace - Cyber Security Professional II
  • Trustwave - Information Security Advisor
  • Couchbase - IT & Cyber Security Auditor

Upcoming Events: This Week and Next:
  • ISSA Denver - March Chapter Meeting - 3/9
  • ASIS - Happy Hour FOCOWYO - 3/10
  • Denver CSA - March Meeting - 3/15
  • Denver ISACA - March: Security and Controls in Amazon Web Services (AWS) - 3/17
  • Let's Talk Software Security! - Hiring, Developing, and Retaining Software Security Talent - 3/18
  • ISSA C.Springs - 9th Annual ISSA-COS Cyber Focus Forum - 3/22
  • ISC2 Pikes Peak - March Meeting - 3/23
  • Denver ISSA - DEFCON Cloud Hacking Village CTF - 3/23
  • ASIS Denver - WIS BRUNCH : SOLDIER'S IN PETTICOATS - 3/31

View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Python Bytes
#272 The tools episode

Feb 24, 2022 48:09


Watch the live stream: Watch on YouTube

About the show
Sponsor: Brought to you by FusionAuth - check them out at pythonbytes.fm/fusionauth
Special guest: Calvin Hendryx-Parker

Brian #1: Why your mock still doesn't work
  • Ned Batchelder
  • Some back story: Why your mock doesn't work
    • a quick tour of Python name assignment
      • The short version of Python Names and Values talk
    • importing
    • difference between from foo import bar and import foo w.r.t mocking
    • punchline: “Mock it where it's used”
  • Now, Why your mock still doesn't work talks about
    • using @patch decorator (also applies to @patch.object decorator)
    • and utilizing mock_thing1, mock_thing2 parameters to test
    • you can change the return value or an attribute or whatever. normal mock stuff.
  • But…. the punchline…. be careful about the order of patches.
  • It needs to be

        from unittest.mock import patch

        # Decorators apply bottom-up: the patch nearest the function
        # supplies the first mock argument.
        @patch("foo.thing2")
        @patch("foo.thing1")
        def test_(mock_thing1, mock_thing2):
            ...

  • Further reading:
    • https://docs.python.org/3/library/unittest.mock.html#patch
    • https://docs.python.org/3/library/unittest.mock.html#patch-object

Michael #2: pls
  • via Chris May
  • Are you a developer who uses the terminal? (likely!)
  • ls/l are not super helpful.
  • There are replacements and alternatives
  • But if you're a dev, you might want the most relevant info for you, so enter pls
  • See images in Michael's tweets [1, 2].
  • You must install nerdfonts and set your terminal's font to them

Calvin #3: Kitty
  • Cross platform GPU accelerated terminal (written in Python)
  • Extended with Kittens written in Python
  • Super fast rendering
  • Has a rich set of plugins available for things like searching the buffer with fzf

Brian #4: Futures and easy parallelisation
  • Jaime Buelta
  • Code example for quick scripts to perform slow tasks in parallel.
  • Uses concurrent.futures and ThreadPoolExecutor.
  • Starts with a small toy example, then goes on to a requests example to grab a bunch of pages in parallel.
  • The call to executor.submit() sets up the job.
    • This is done in a list comprehension, generating a list of futures.
  • The call to futures.result() on each future within the list is where the blocking happens.
    • Since we want to wait for all results, it's ok to block on the first, second, etc.
  • Nice small snippet for easy parallel work.
  • Example:

        from concurrent.futures import ThreadPoolExecutor
        import time
        import requests
        from urllib.parse import urljoin

        NUM_WORKERS = 2
        executor = ThreadPoolExecutor(NUM_WORKERS)

        def retrieve(root_url, path):
            url = urljoin(root_url, path)
            print(f'{time.time()} Retrieving {url}')
            result = requests.get(url)
            return result

        arguments = [('https://google.com/', 'search'),
                     ('https://www.facebook.com/', 'login'),
                     ('https://nyt.com/', 'international')]
        # submit() schedules each job and returns a future immediately
        futures_array = [executor.submit(retrieve, *arg) for arg in arguments]
        # result() blocks until that future's job has finished
        result = [future.result() for future in futures_array]
        print(result)

Michael #5: pgMustard
  • So you have a crappy web app that is slow but don't know why.
  • Is it an N+1 problem with an ORM?
  • Is it a lack of indexes?
  • If you're using postgres, check out pgMustard: A simple yet powerful tool to help you speed up queries
  • This is a paid product but might be worthwhile if you live deeply in postgres.

Calvin #6: bpytop
  • Great way to see what is going on in your system/server
  • Shows nice graphs in the terminal for system performance such as CPU and Network traffic
  • Support themes and is fast and easy to install with pipx
  • Michael uses Glances which is fun too.
  • Calvin used to be a heavy Glances user until he saw the light

Scaling Developer Success by Peritus.ai
Scaling Developer Success with Dan Moore, Head of Developer Relations @ FusionAuth

Dec 7, 2021 27:52


DevRel has evolved over the past few years and in this podcast we are talking to the groundbreaking thought leaders who are paving the way for people and organizations who want to follow DevRel best practices. To many people, Developer Relations is the community management for technical audiences, but for others it's a lot more. It's building relationships and fostering trust, it's collecting and relaying feedback to other teams or it's inspiring people to build tools to empower.

In this week's episode we talk to Dan Moore, Head of Developer Relations @FusionAuth. Dan helps businesses solve problems with software. He is a back end web developer, DevRel leader, writer and technology leader focused on unix/open source friendly technology stacks and shares with us all of the knowledge he has gained along the way.

AWS Morning Brief
Stop Embedding Credentials

Nov 11, 2021 6:18


Links:
  • Qtorque.io: https://qtorque.io
  • A disturbing article: https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54
  • Kaspersky's Amazon SES token: https://www.bleepingcomputer.com/news/security/kasperskys-stolen-amazon-ses-token-used-in-office-365-phishing/
  • Twitch breach: https://www.esecurityplanet.com/cloud/twitch-breach-shows-difficulty-cloud-security/
  • Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda: https://aws.amazon.com/blogs/security/implement-oauth-2-0-device-grant-flow-by-using-amazon-cognito-and-aws-lambda/
  • Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today, and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: It's a pretty quiet week on the AWS security front because I'm studiously ignoring Robinhood's breach. There's nothing to see here.

So, Ransomware sucks and it's getting worse. Kevin Beaumont wrote a disturbing article earlier this summer—that I just stumbled over, so it's new to me—about how we effectively aren't prepared for what's happening in the ransomworld space. It's a new battle with new rules, and we haven't seen the worst of it by far. Now look, alarmism is easy to come by, but Kevin is very well respected in this space for a reason; when he speaks, smart people listen.

If you do nothing else for me this week, please, please, please be careful with credentials. Don't embed them into apps you ship other places; don't hardcode them into your apps; ideally for those applications you run on AWS itself you use instance or function or whatever roles that have ephemeral credentials. Because if you don't, someone may steal them like they did with Kaspersky's Amazon SES token and use it for Office365 phishing attacks.

And I found analysis that I rather liked about the Twitch breach—although I believe they pronounce it ‘Twetch'. It emphasizes that this stuff is hard, and it talks about the general principles that you should be considering with respect to securing cloud apps. Contrary to the narrative some folks are spinning, Twitch engineers were neither incompetent nor careless, as a general rule.

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills and building a good community that is rich and full of IT and engineering professionals. You wouldn't think those things go together, but sometimes they do. It's both useful for individuals and large enterprises, but here's what makes this something new—I don't use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you'll have a chance to prove yourself. Compete in four unique lab challenges where they'll be awarding more than $2,000 in cash and prizes. I'm not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That's cloudacademy.com/corey. We're going to have some fun with this one.

There was an AWS post: Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda. Awkward title but I like the principle here. The challenge I have is that Cognito is just. So. Difficult. I don't think I'm the only person who feels this way.

Objectively, using Cognito is the best sales pitch I can imagine for FusionAuth or Auth0. I'm hoping for a better story at re:Invent this year from the Cognito team, but I've been saying that for three years now. The problem with the complexity is that once it's working—huzzah, at great expense and difficulty—you'll move on to other things; nobody is going to be able to untangle what you've done without at least as much work in the future, should things change. If it isn't simple, I question its security just due to the risk of misconfiguration.

And this is—I don't know if this is a tool or a tip; it's kind of both. If you're using AWS, which I imagine if you're listening to this, you probably are, let me draw your attention to Systems Manager Parameter Store. Great service, dumb name. I use it myself constantly for things that are even slightly sensitive. And those things range from usernames to third-party credentials to URL endpoints for various things.

Think of it as a free version of Secrets Manager. The value of that service is that you can run arbitrary code to rotate credentials elsewhere, but it'll cost you 40¢ per month per secret to use it. Now contrasted with that, Parameter Store is free. The security guarantees are the same; don't view this as being somehow less secure because it's missing the word ‘secrets' in its name. Obviously, if you're using something with a bit more oomph like HashiCorp's excellent Vault, you can safely ignore everything that I just said. And that's what happened last week in AWS security. If you've enjoyed listening to this, tell everyone you know to listen to it as well. Become an evangelist and annoy the hell out of people, to my benefit. Thanks for listening and I'll talk to you next week.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

#StoriesByScrimba Podcast
How to stand out as a new developer (and ask amazing questions) with Dan Moore from FusionAuth

Oct 5, 2021 28:50


What do you wish someone had told you when you were just starting out? If you are a new developer (we're not using “junior developer” here - listen along to find out why!), there are skills you have, skills you can transfer from somewhere else, and skills you don't even know you need. You probably also have a lot of assumptions… and not too many people who can tell you whether they're true. Dan wants to change that!

Who is Dan Moore? He is the author of Letters to a New Developer - a blog and book of advice he wishes he had gotten at the beginning of his career. Dan is a developer with twenty years of experience, currently working as a Solutions Architect at FusionAuth.

Links

Guest
  • Follow Dan Moore on Twitter
  • Follow Dan Moore on LinkedIn
  • Check out Dan's blog

Host
  • Follow Alex from Scrimba on Twitter

Episode links
  • Dan's book of letters to a new developer

Work In Programming
Dan Moore - Blogging, how to get started in the start-up world and building developer relationships in a virtual world

Dec 17, 2020 50:26


In this week's episode Matt sits down with Dan Moore. Dan is currently working at FusionAuth as a Developer Advocate. I spoke to Dan about his origins of creating an automated mailing system for his parents' Insurance Company, how even your “weak” relationships can still create opportunity down the road & why it is important to test your cofounder. Dan's new book “Letters to a New Developer” is available right now.

Other things covered in this episode include:
  • The Spectrum of Developer Advocacy
  • The importance in committing for 6 months when growing a blog
  • Maintaining a community & much more

Get in touch with Dan:
  • https://www.linkedin.com/in/mooreds/
  • https://twitter.com/mooreds
  • https://letterstoanewdeveloper.com/
  • http://www.mooreds.com/
  • http://boulder-ruby.org

Check out Dan's book on Amazon: https://www.amazon.com/Letters-New-Developer-Starting-Development/dp/1484260732/

--- Send in a voice message: https://anchor.fm/work-in-programming/message