DEV Community: Mark Roxberry

Why do we need all of this data? OWASP Privacy Risks - P-10

Mark Roxberry — Fri, 22 Oct 2021 19:36:08 +0000

P-10 Collection of data not required for the user-consented purpose

The OWASP Top 10 Privacy Risks Project identifies the top 10 privacy risks in web applications, the cloud and the global online ecosystem. In September of 2021, version 2 of the project was released. I'm going to work through the list and discuss each risk, with references and mitigation countermeasures, if they exist.

The P-10 risk, "Collection of data not required for the user-consented purpose" on the list is the collection of too much data from users.

Companies are collecting more data than they need

“Most companies are collecting data these days on all the interactions, on all the places that they touch customers in the normal course of doing business,” says Elea Feit, senior fellow at Wharton Customer Analytics and a Drexel marketing professor. (from Your Data Is Shared and Sold…What’s Being Done About It? - Knowledge@Wharton)

From Security.org, a review of privacy policies reveals that they have granted themselves liberal access to user data. From The Data Big Tech Companies Have On You. Reviewing companies and their grades from that article:

Google gets an F

In addition to data they collect from user interactions, their policy allows for data collection on users from local newspapers, third party marketing partners, or advertisers.

Facebook's Grade: C

By design, Facebook operates off of user data. But how do they make money? "Facebook makes the majority of its money through its advertisers"

Amazon Grade: B-

Amazon collects a ton of data from users and shares data with millions of Marketplace sellers, it does not by default send PII to those sellers. Additionally, Amazon provides opt-out for any information sent to 3rd parties.

What to do to mitigate P-10

I recommend that you look into making a "Lean Data Commitment", following Mozilla's "Lean Data Practices" guide to help define your organization's privacy best practices. "Lean Data Practices" can be found here. Particulary note the 3 tenets of lean data practices:

"Stay Lean" - review your data collection
"Build Security" - protect customer data
"Engage Your Users" - inform your users, keep your practices transparent.

Scan your site for Privacy issues at PRIVACYSCORE

References

OWASP Top 10 Privacy Risks Project
Your Data Is Shared and Sold…What’s Being Done About It? - Knowledge@Wharton
The Data Big Tech Companies Have On You - Security.org
Your mass consumer data collection is destroying consumer trust - Tech Crunch
The Rising Concern Around Consumer Data And Privacy - Forbes

Github Action for Gatsby Publish

Mark Roxberry — Tue, 27 Jul 2021 21:29:22 +0000

Why?

The gatsby template includes scripting to deploy from whereever you cloned your code. It works just fine and is reliable when everything is set up on my machine. The package.json includes the deploy script:

  "scripts": {
      ...
    "deploy": "gatsby build --prefix-paths && gh-pages -d public"
  },

However, there are 2 drawbacks for my workflow (and my goal to start writing more):

You can deploy without a commit and push to the repository
You can't deploy without running the deploy script, so any work on the site on Github or my iPad won't get deployed until I commit and push on one device and then pull and deploy to the same repo on my computer. Ain't nobody got time for that.

I was using a Github Action for my Jekyll site, prior to moving to Gatsby, and that worked when I pushed to branch and kickoff the publish action. This action was a bit more involved as I was using Azure for a host and it required a few more configuration hurdles to set it up.

For my current site, I thought it has to be pretty simple - push to main branch, trigger an action, copy to gh-pages branch and that's that. Turns out, that is that and I was able to get it working pretty fast.

I documented my steps in case I need to go back and change anything - e.g. I would like to update the siteMetadata.version in the gatsby-config.js file at some point. Here are the steps

Steps to publish a Gatsby site to gh-pages

Create a new workflow in the repository Actions section

name: Gatsby Publish

on:
  push:
    branches:
      main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: enriikke/gatsby-gh-pages-action@v2
        with:
          access-token: ${{ secrets.ACCESS_TOKEN }}
          deploy-branch: gh-pages

Create a personal access token (PAT), select the repo permission.

Authentication in a Github Action Workflow
Create a Secret in the repo: ACCESS_TOKEN and use the new PAT token (note the workflow YAML file specifies the ACCESS_TOKEN parameter).
Build should kick in and go green
Profit?

And lo and behold, my site is passing (hopefully this shows it's passing):

Next things

[ ] Improve this post with images from Github
[ ] Add embedded gist for the main.yml
[ ] Config version update (need to think about - should only happen on non posts)
[ ] Create a tweet with the title if a post

https://gist.github.com/roxberry/f6f58e2212346fd8c699c1d8c8cf8bcf.js

Dev Note - HttpClient in Salesforce Commerce Cloud SFRA

Mark Roxberry — Tue, 27 Jul 2021 21:26:02 +0000

Using HttpClient in Salesforce Commerce Cloud

I needed a quick way to get a model for a view. For our API calls, I created services, profiles and credentials that are managed by SFCC. But that's overkill for a one off call. HttpClient is a way to make external calls, in SFCC/SFRA there's a little twist. Code to use the TypeScript HTTPClient in cartridge code:

function callExternalUrl(parameters) {
    var HTTPClient = require('dw/net/HTTPClient');
    var Logger = require('dw/system/Logger');

    if (!empty(parameters)) {
        var url = parameters.url;
        var userId = parameters.userId;
        var password = parameters.password;

        var httpClient = new HTTPClient();
        httpClient.setTimeout(2000);
        httpClient.open("GET", url, userId, password);
        httpClient.send();

        if (httpClient.statusCode == 200) {
            //confirm response
            Logger.getLogger("shop").info(
                httpClient.text
            );

            // do something with response object
            // var sourceObject = JSON.parse(httpClient.text);

            }
        } else {
            // error handling
            Logger.getLogger("shop").error(
                "An error occured with status code " + 
                httpClient.statusCode
            );
        }
    }

// ...
// var parameters = {
//     url: "",
//     userId: "",
//     password: ""
// }
// callExternalUrl(parameters)

SQL Server on Linux via Docker

Mark Roxberry — Fri, 11 Jun 2021 00:09:19 +0000

Get Docker (if it is not already running)
Get the SQL Server on Linux for Docker Engine image

I'm running Docker on MacOS, I will use the SQL Server on Linux for Docker Engine at Docker Hub

   docker pull microsoft/mssql-server-linux

Set the settings and start the container

SQL Server on Linux for Docker Engine requires an environment setting to accept the EULA and set a strong SA password:

   ACCEPT_EULA = Y
   SA_PASSWORD = <your password>

Run this in the terminal:

   docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=yourStrong(!)Password' -p 1433:1433 -d microsoft/mssql-server-linux

Copy a backup to the container

   docker cp '/tmp/DatabaseName.bak' mssql-server-linux:/tmp

Restore the backup

   RESTORE DATABASE DatabaseName FROM DISK='/tmp/DatabaseName.bak'
   WITH MOVE 'DatabaseName' TO '/var/opt/mssql/data/DatabaseName.MDF',
   MOVE 'DatabaseName_log' TO '/var/opt/mssql/data/DatabaseName_log.ldf'
   Go

Connect with a docker command or an IDE like DataGrip

Using SQL Server for Linux in Docker has allowed me to continue to develop using a Linux distro or macOS without needing to set up a VM to run the database backend.