How inclusive are tech meetups and hackathons?

I attend and participate in meetups and technical events on Saturdays. I started to observe the presence of more men than women at these events. The ratio of men to women looked like 75:25 or 80:20. In the last few weeks, I was involved in a few activities and experienced some new learning, which I am sharing here.

I am a father of 2 daughters. In the last few years, my wife started to work, and on some Saturday mornings she needs to attend events at her work, when I offer to take care of my children. A few weeks ago, my wife had planned work for the whole of Saturday and I was leading an event at my office on the same day. When both of us discussed who would take care of the children, I decided to take my children to my office (they hung out with my cousin for large parts of the day, across lunch). While I was happy that I could keep my children with me, they shared with me that it was exciting initially but they felt bored and restless after a few hours.

My personal experience made me look at our volunteers. We had one female employee volunteer. She had one year of experience, and that made it easy for her to come. I looked at the male employees and asked myself, "Who was taking care of the children in their homes? Are their wives housewives?" I felt good when a manager brought his son to the event for a few hours. I found the volunteers were mainly men. I was surprised by a lady HR executive who stayed for the whole event; possibly she is recently married.

Our whole-day event (9 to 8) got delayed by 30 minutes. My wife came and picked up the children around 6 pm and I was left to come home late. A mother would have found it tricky to balance the delay in the event and the needs of her children. My own daughters become uneasy and uncomfortable when their mother comes a few minutes later than the promised time.

In another technical meetup I conducted, female colleagues and other women had come. When I thanked them for their participation on a weekend in their busy schedules, they shared, "The event was closest to my home for me to attend." If you look at Bangalore, more of the events happen in Koramangala or Indiranagar. What percentage of weekend events happen around ITPL? When I inquired with women about joining sessions online, they said, "Not easy to join a webinar. Kids allow the father to do office work and not the mother." It reminded me of an ex-colleague who takes conference calls from the bathroom to reduce disturbance.

While I consider that a hackathon helps to identify talent by applying knowledge rather than only being good at theory, and enables the hiring of diverse talent, how much does a hackathon help companies recruit qualified IT women professionals with 2 to 5 years of experience, married and mothers? Do companies miss hiring women employees using hackathons? On a different note, women employees stay for a long time in their jobs compared to men. To leverage a short-term benefit, are we sacrificing a long-term benefit?

On Googling the words "hackathon Bangalore women", here are a few result links.

I observe that the above were single-day hackathons. I recommend that companies who want to hire a diverse mix of candidates have a 1-day hackathon rather than a 2-day hackathon (Friday evening to Sunday evening). While a 48-hour schedule favours men over women, I acknowledge that married men and fathers also want to spend the weekend with their families.

Happy to see a lot more inclusiveness in paid events. TechSparks events are on Friday and Saturday, complete by early evening, and allow participants to return home to their families. HasGeek events are more on weekdays. NPC events are mainly on weekdays, with night networking on the first event day. Can we measure the number of women who stay to network? Let me thank them for leaving Sundays to the participants' families.


Is it fair to ask "Married or Single?"

I read the article "Married or Single?" posted by Punit Soni. In a recruitment process, a candidate was asked this question: "Married or Single?" I was surprised to see this article. Maybe I did not expect an article on women's rights from Punit Soni (sorry?) and was happy that he was ready to scratch the tip of the iceberg. It made me think about my IT career experiences.

Having been in the IT industry for more than a decade, I agree that a huge effort is needed from a new manager to follow a fair approach towards women and differently abled people. Not only large companies can create a fair environment for women; small companies and startups can do so too. What is needed is a positive mindset, and that comes from positive interactions experienced by a male employee early in his career, in his team or from his supervisor. Did they have the right experiences that influence them, on becoming managers, to create a positive environment for women?

Here are my experiences and the learning that has helped me form my perspective towards women employees. I am sharing them to say that it is possible to create a positive mindset.

In my second job, the only Tech Lead I worked with for a long duration, and was friends with, was a woman. One day, she had to leave late, and she commuted by 2-wheeler from south Bangalore. My manager Asif had called for a taxi. On her leaving, he asked her to go home safe in the taxi. She went in the cab, leaving her 2-wheeler. These were times when the team worked using desktops, a cab meant a private car called in advance, and we worked in the Central Business District. Thanks, Asif, for helping me get the right perception to support female employees.

When we went to the USA, our first daughter was born and there were only the two of us. Not knowing what to do in a new city, I asked my female lead engineer (45 years old), and she was extremely helpful in making me see the responsibility of taking care of my wife and my child. At the same time, she raised a question to my company manager: "What will Srini do if the baby is born and the project is over the previous week?" My manager neither gave her a proper answer nor left it there; he came and politely asked, "How does she know that your wife is pregnant?" I responded that this is our problem and we will handle it.

This lead engineer and manager shared how my manager responded, and shared that we take steps to ensure that your family will not be in a zombie state and will know what to do. I was surprised at how Mid-West Americans, both men and women, supported us, contrary to my past wrong belief that "Americans do not care". When the baby was born, the support received from everyone in Milwaukee made me humbler and also made me think of "paying back" what I received. Our manager attitudes get developed when we are engineers, and the more positive they are towards women then, the more positive they remain later.

In my third job, at a startup, there were multiple experiences. As a company, women were treated well. The company bought a 4-wheeler and employed a driver for the company-owned 4-wheeler. Officially the driver became the escort for female employees going home late. After the Pratibha case, female employees were asked to go home by 8:30 pm, and we had a cab at 8:30 pm. Another trip at 7:30 pm dropped employees at the closest bus stop. My friend Sudhakar showed that we can balance diversity and being frugal, and that it is a mindset.

On my end, I hired a woman employee for the short term. She was a quick learner, well skilled, and went for higher studies later. Thanks to V, who was my first female team member. She shared how guys behaved, remarks shared without bad intention, and why it hurts. My patient listening to her geared me up to hire women employees and understand their needs from a manager.

Talent needs to be valued, irrespective of men or women. My colleagues used to share with women candidates the project challenges and the late-evening call support needed. We conveyed that we will support your well-being; we have constraints, and still we try our best. We planned their work to allow them to leave for home by 8:30 pm or to have a setup to work from home. We needed to answer questions from male employees about this partial support to women.

For my team, there was a female candidate interviewing for an automation engineer role, and I observed that she was pregnant (I was already a father of 2 children). J performed extremely well in the interview, answered beyond my expectations, and her current salary was too low compared with our offering. Asking her to wait, I went to my HR (female) and recruitment manager (child) and said, "She is pregnant and she is the best fit for the role." They said, "Hire for talent." HR influences in a large way the culture of an organization towards women employees.

I went back and shared with her our interest and said, "I have seen my wife pregnant. Are you pregnant?" She answered yes and asked how she could travel from Vijayanagar in this state. She shared that her company was in ITPL and our office was half the distance compared to her office. I asked the next bold question: "When is the baby's due date?" This date fell 2 weeks before the release; there were more than 5 months from the day she could join. I hired her.

This girl learnt C# and wrote code in C# using Visual Studio in the first month. She did all this independently, with little supervision from my team lead. Her work impressed me enough to keep in touch for a long time; even after both of us left the company, she went abroad and searched for a job on coming back to Bangalore. Today I would hire her again if she looks for a job. Jothi taught me never to look at things like pregnancy in a job interview.

In my own startup, S started as a fresher; after a year she got married, and she became pregnant too. We switched off the elevator beyond 1 hour in the morning and evening. The pregnant employee was permitted to come to the 3rd-floor office by elevator. If you are attentive to your actions, you can create exceptions everywhere.

When she left on maternity leave, we paid her salary across her maternity months. Thanks to Guru, who would keep S's salary aside first, even in tricky times. When she came back, there was an unfortunate scenario that required her to leave. S was given a gift and asked to get things right and join back. There was clarity in thought that paying for her maternity days was the right thing to do as an employer. Allowing her to leave was the right thing, as that is what is expected from a parent in her situation. Being parents, we could relate to S as parents. Your colleagues drive and influence your approach towards women.

To end, we see more people beyond women whom humanity needs to support fairly and equally to enable them to get a fair life: differently abled people. As part of my product marketing role in the 2nd startup, I proposed an innovative way to get NGOs to use our product. GN, my partner, allowed the creation of a campaign to provide our product offering free for differently abled students. While we obtained a lot of learning about our learning software and it opened new opportunities, GN decided to walk the talk by hiring 3 differently abled people in the office. The whole office learnt how to work with them and how we make them feel in our interactions. Thanks, GN, for the humbling experience that gave me the confidence to work with NGOs and organizations working with differently abled students.

On one side, while companies like SAP offer day care centers and special support for female employees, the picture is not rosy across IT employees. These are experiences heard from employees, friends and neighbors.

Female employees, mothers, in small companies are scheduled calls from 8:30 PM to 9:30 PM or from 9 PM to 10 PM. What would happen to their children's sleeping habits?

Female employees in the ITPL area can be found on BMTC Volvo buses even after 9 PM, when the roads get deserted. I see girls who stay in one of our apartments coming home late. I am happy with women walking on the road at night. If a female employee is not ready to care for her own safety in a Bangalore famous for its Pratibha case, how will it strike a (male) manager to think of female employees' needs?

Both male and female employees in India attend calls between 6:30 PM and 8:30 PM. Assuming that these Indians can attend from home, when do they spend time with their children? Mostly, you would see that their American colleagues do their best to arrange everything to protect their personal time. Do Indians not need personal time?

I know houses where fathers lock their rooms because the child would not allow them to take calls. When my girls were young, they would come and sit on my lap during client calls. I used to inform that she is listening, and my daughters rarely shouted or screamed. Maybe a rare case. Today in calls from home, when people ask to turn on webcams, I do not, or at times I hear that I look dull; I ignore it and focus on the agenda. My daughter and I share a study room.

To note, at the closing time of a call at 9:30 PM, the lead/manager asks a team member to send the minutes of the meeting, or send an email with some details, or perform a small change, and wants the same immediately, sharing that it would help them be more productive. My question is, "Why do they fail to understand that the employee took the call in personal time? How fair is it of them to assign work and ask for completion in personal time?"

Do you run unit tests prior to code check-in?

In 2005, my project activities included running unit tests as part of a larger unit test suite every day, as part of the daily morning and evening build (to identify parallels in the code branch) and the weekly build (to identify parallels across multiple code branches and unit test failures). Team members received an email with the build results, the parallels getting created, and the failures in unit tests. Developers were to look for errors in their unit code check-ins and for parallels in their code modules, and perform a code fix or code merge action.

In reality, developers ignored or missed the emails in their busy schedules, with the claim that the length of the integration build email ran into pages spanning all modules. Engineers (including me) were assigned shared responsibility to ensure that unit test errors and parallels got resolved within the same day, and were allotted time to engage/remind developers so that regular fixes resulted. I was never happy with the explosion of incoming emails (code review, resolution and responses), all of which I did not understand in detail.

Still, I found benefits from this exercise. I gained the ability to see the bigger picture and get visibility into the solution architecture and mind-map the entire code base, which helped me be a helping hand for integration efforts at the end of agile sprints and agile milestone demos. Otherwise, this was a boring routine that needed the highest amount of attention and timely execution. It also gave rise to fun scenarios where following up with developers who failed to fix in the required time created conflicts with them, in addition to being pulled up for gaps by the manager.
[Image: CI cycle]
In one of my consulting assignments, I found a project team where the development cycle was not complete and kept adding technical debt to the development cycle. I set myself to work on the mission below.
[Image: technical debt]
Unit tests were executed using the Microsoft unit test framework (MSTest.exe) with the TFS build engine. TFS code check-in allows a custom operation to run before check-in. Based on the final status of the custom operation, the check-in can be allowed to be added to the code repository, or the check-in can be rejected. I decided to create an experiment to run unit tests prior to check-in to reach my goal.

I started the experiment with one team that was good with unit test success. The team's developers liked the idea and shared that this approach is more transparent to the developer, and they were able to see the benefits of validation as part of performing a check-in. Some of them pointed out that the same tests can be executed to identify potential errors and decrease scenarios where tests passed in isolation and failed in integration runs.
[Image: Run unit tests before code check-in]
On a positive note with one team, when we expanded to other teams, there were new challenges in executing the unit test process as part of check-in. To start with, developer check-ins got queued. The code check-in became a long, time-consuming process and also demanded more resources.

  • Developers moving code from an old branch to a new version had not fixed unit test failures, reporting lack of time in sprints for thorough tests.
  • Some teams had no failures in their own unit tests. As other teams' unit tests failed, they were also prevented from doing check-ins.
  • Some teams, for testing algorithms, performed database operations to retrieve every test data input and to store the result of every test in the database, increasing the time span of the unit test process. They could have got the test data from Excel and stored the results in the database in batch mode.
  • The unit tests included simple unit tests specific to a class (no external interaction) and complex integration unit tests (interaction with external databases or queues). The complex tests increased the time span of the unit test process.

How did we approach making unit tests run as part of code check-in?

We leveraged the support available for running unit tests based on the Microsoft unit test framework to resolve the unit test mess and get unit tests to happen in a streamlined way as part of code check-in.

First, test categories were created for each team. When code got checked in by team members, only the unit tests of that team were executed. A team could specify a unit test exempt counter that allowed the team to check in with unit test failures on a short-term basis. Fewer test errors than the team's exempt counter allowed check-ins to happen. More test errors than the team's exempt counter stopped the check-in. If there were fewer errors than the team's exempt counter, the team's exempt counter was reset to the lower value.

Second, the unit tests that belonged to a team were categorized as unit tests (simple) and integration tests (complex). We decided that the unit tests would run as part of code check-in and the integration tests would run as part of the daily integration build.

To run unit tests for code check-ins, all tests in the current test suite were marked as integration tests. Development teams were to mark the unit tests that satisfied the simple definition from the current test suite, to run as part of the team's code check-in.
[Image: Re-engineer unit tests]

We started with the first successful check-in, with no unit tests to run as part of code check-in. Teams started to mark the integration tests that needed to get marked as unit tests. We had to evangelize with teams to set their own goals to increase the unit test count every day/sprint, increasing code coverage.

Developers can add new tests and mark tests as unit tests or integration tests. Code coverage was implemented to additionally track the code covered by unit tests, and teams were given a goal to achieve for code coverage.

Requests were allowed to increase the unit test exempt counter to allow code check-in in the presence of failed unit tests. Every exemption request got published to the entire team, and this helped team leads drive the team's focus on bringing unit test failures to zero.

Third, work with the teams to rewrite the unit tests better.
[Image: Better way to write unit tests]
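As an added example, not code from this post or from TFS, here is a runnable model of the gating policy described in the three steps above: only the checking-in team's category of simple unit tests runs, failures are compared against the team's exempt counter, the counter ratchets down after a cleaner check-in, and raising it again is an explicit request published to the team. Team names, test names and counter values are constructed.

```javascript
// Constructed per-team unit test exempt counters (failures tolerated short-term).
const TEAM_EXEMPT = { payments: 3, search: 0 };

// Constructed results for one check-in run, in the shape a gate could collect
// from MSTest output: the team category, unit vs integration, and pass/fail.
const SAMPLE_RESULTS = [
  { name: "AmountParserTests.ParsesDecimal",  team: "payments", kind: "unit",        passed: true  },
  { name: "AmountParserTests.RejectsNegative", team: "payments", kind: "unit",        passed: false },
  { name: "RefundRulesTests.CapsAtOriginal",   team: "payments", kind: "unit",        passed: true  },
  { name: "LedgerDbTests.WritesRow",           team: "payments", kind: "integration", passed: false },
  { name: "RankerTests.SortsByScore",          team: "search",   kind: "unit",        passed: false },
  { name: "IndexQueueTests.DrainsQueue",       team: "search",   kind: "integration", passed: true  },
];

// Only the checking-in team's category runs at check-in, and only the simple
// unit tests; integration tests are left to the daily integration build.
function selectGateTests(results, team) {
  return results.filter(r => r.team === team && r.kind === "unit");
}

// Decide the check-in and return the updated exempt counters (input untouched).
// Assumption: a failure count equal to the counter is still allowed; the post
// only states that "fewer" is allowed and "more" is blocked.
function evaluateCheckin(results, team, exemptCounters) {
  const gate = selectGateTests(results, team);
  const failures = gate.filter(r => !r.passed).map(r => r.name);
  const allowance = exemptCounters[team] ?? 0;
  const allowed = failures.length <= allowance;
  const newCounters = { ...exemptCounters };
  // Ratchet down: after a check-in with fewer failures than the allowance,
  // the allowance is reset to that lower number so it cannot drift back up.
  if (allowed && failures.length < allowance) {
    newCounters[team] = failures.length;
  }
  return { allowed, ran: gate.length, failures, allowance, newCounters };
}

// Raising the counter is an explicit request published to the whole team;
// here the "publication" is an entry appended to a shared log array.
function requestExemption(exemptCounters, team, newValue, requester, reason, log) {
  const current = exemptCounters[team] ?? 0;
  if (!Number.isInteger(newValue) || newValue <= current) {
    throw new Error(`exemption for ${team} must be an integer above ${current}`);
  }
  log.push(`[exemption] ${team}: ${current} -> ${newValue} by ${requester}: ${reason}`);
  return { ...exemptCounters, [team]: newValue };
}

// Stand-alone walk-through of one check-in per team.
const teamLog = [];
const paymentsRun = evaluateCheckin(SAMPLE_RESULTS, "payments", TEAM_EXEMPT);
console.log("payments:", paymentsRun.allowed ? "allowed" : "rejected", paymentsRun);
const searchRun = evaluateCheckin(SAMPLE_RESULTS, "search", paymentsRun.newCounters);
console.log("search:", searchRun.allowed ? "allowed" : "rejected", searchRun.failures);
const raisedCounters = requestExemption(searchRun.newCounters, "search", 1,
  "search-lead", "branch merge; fix planned next sprint", teamLog);
console.log(teamLog[0], evaluateCheckin(SAMPLE_RESULTS, "search", raisedCounters).allowed);
```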

Obfuscation: High-Level Overview

Programmers obfuscate code to conceal its purpose or its logic, in order to prevent tampering and deter reverse engineering. A program that obfuscates is called an obfuscator.

While obfuscators like JavaScript Obfuscator and http://javascript2img.com/ exist for JavaScript, and some embed JavaScript code in an image, should data (data, API keys, login credentials, etc.) transmitted between the client side and the server side be de-obfuscated? If yes, the de-obfuscated data needs to get deserialized at the server-side API endpoint. This blog is about my learning of obfuscation in the .NET world, to explore obfuscation in JavaScript code.

Assemblies can be obfuscated using a GUI and/or a command-line program. The GUI program helps in learning to select/define the various settings which specify the different ways an assembly can be obfuscated. The obfuscator command-line program is used in scripts that help automate the build process. In VS, the obfuscator command-line program is executed in a project's post-build event, immediately after the project's assembly gets created.

The approach to obfuscating assemblies depends on the assembly type. Let us look at three types of assemblies: private assemblies, which may not be signed at all; strong-named assemblies, signed with the private key from a strong name key file; and delay-signed assemblies, signed with the public key from a strong name key file. Obfuscating a private and a strong-named assembly is straightforward. Obfuscating a delay-signed assembly becomes tricky when the assembly is installed in the Global Assembly Cache (GAC).

A VS solution can have multiple build configurations. Which configurations do you apply obfuscation to? When the Debug solution configuration is selected, my tests are always run against the non-obfuscated assemblies. Do we generate both obfuscated and non-obfuscated assemblies under the Release solution configuration?

If a problem occurs in the obfuscated assemblies, the developer wants to test for the problem's occurrence in the non-obfuscated assemblies. The question becomes whether the problem is related to the process of obfuscation. Thinking deeply, you also question how to configure VS to selectively build non-obfuscated assemblies in one run and then build obfuscated assemblies in another run.

The solution is to create a third solution configuration, based on the default Release configuration, called Obfuscated Release. On selection, obfuscated assemblies are built.

How to confirm that your assemblies are being obfuscated? When the obfuscator is executed in the post-build event, it should log information in the VS output window. Hence, when you do not see this information in the VS output window, the obfuscator has not been executed.

One can make use of ILDASM.exe to view human-readable info about an assembly. If ILDASM displays such info, then the assembly has not been obfuscated. On the other hand, if ILDASM is unable to display such info, then the assembly may have been obfuscated.

Do reflection and obfuscation play well together? Not always. If you write code that uses reflection to query information about MyClass by its name, then this code will fail because the name MyClass does not exist in the obfuscated assembly. Be prepared for obfuscation to introduce bugs into your applications that use reflection.

How to start debugging a problem with no prior obfuscation experience? Start by checking whether the problem occurs in the Debug and Release solution configurations with obfuscation disabled. If the problem is reproduced, fix the problem and end debugging.

If the problem seen in production does not get reproduced, move forward to the second step. Modify the obfuscator project file to disable every single obfuscation setting and rebuild the application to see if the problem reoccurs. If the problem does not occur, enable one obfuscation setting and test again.

Keep enabling obfuscation settings one at a time, and testing the application, until the problem gets reproduced.

The next East India Company had already arrived

A close friend of mine shared this link, "Why Silicon Valley is betting big on India". Having also heard a recent comparison of Facebook with the East India Company, which exploited India in the past, my thoughts went deep and wide.

SaaS from Silicon Valley takes it as winner takes all. Are we helping Silicon Valley firms to be winners and become the next East India Company?

I am sure the folks in Silicon Valley see opportunities to sell their products and offerings in India. Any businessman, on discovering a new market, is interested in capturing the market as part of their business strategy. While Silicon Valley firms would bet on India as a good strategy, my thoughts went to looking deeply at how much the arrival of Silicon Valley companies helps India's growth and empowers Indians to grow. Looking at the macro level, one sees that the Indian Prime Minister visited the offices of Silicon Valley companies and has offered an invitation with a red-carpet welcome to arrive in India.

In any business, the business needs to create a moat beyond the startup stage. A moat can come from scaled operations to serve a large number of customers, or innovation in a specific area, or a combination of both. From a market perspective, the U.S. economy has its own firms offering services and products for U.S. customers. Some of these products and services can apply to India.
Let me acknowledge first that even for someone with ample money and effort, a lot of work is needed to find a new product-market fit for an existing product in a new market, and this remains true for the Silicon Valley firms coming to India. They need to modify the existing product to satisfy the needs and desires of customers and resolve roadblocks specific to India.
Having a product ready at hand, I see that Silicon Valley firms have the following benefits by entering the Indian market to deepen and broaden the moat for their products.
  • The Indian population is arriving in the digital age, and this is a really large number compared to other markets. Capturing a small percentage of the Indian market helps them create the best moat for their firms.
  • Encouraging Indian startups to develop services on top of Silicon Valley platforms or products deepens and broadens the moat for the Silicon Valley core business. Without being in the open, there is learning of what works and what does not.
  • Leveraging their cost advantage to experiment with new innovation based on their existing infrastructure and learn what works in the Indian market. This can be applied to the global product road-map, as a lot of it may apply to other third-world countries.

Silicon Valley firms are doing the right things to help their interests. Is that the same as the right thing for India and Indians? Here are my observations. I would like to hear what you think.

India is the largest market for social networks. Look at a media firm like yourstory.com. They leverage Facebook to capture user comments and interaction, and youtube.com for hosting videos. Many professionals, including me, make use of LinkedIn, which counts Indians as a large percentage of its active users. Even the Prime Minister of India has a great number of followers on Facebook and Twitter, and I am not sure how using a "Make in Foreign" product syncs with his "Make in India" campaign. Facebook has learnt about India and tried to launch the Free Basics program to create an even larger moat in the Indian market, and Indians woke up. Where is the Indian player to compete with Facebook?

"The longer I go without Twitter, the happier I am. But the only place I have to say that is Twitter. So please, someone, replace Twitter." (Paul Graham, @paulg, February 27, 2016, https://twitter.com/paulg/status/703705844614094848)

India has a large number of developers who develop cloud applications and SaaS platforms. All of these are built on the cloud infrastructure offerings of Amazon or Microsoft. We enable both Amazon and Microsoft to create their moat for cloud infrastructure. Where is the Indian full-stack cloud player to compete with Amazon and Microsoft?

India has developers who develop mobile applications, and Indian mobile users will shortly become a large percentage of the mobile users of the world. We use hardware and software arriving from Silicon Valley. We enable Google and Apple to develop moats for mobile. Where is the Indian full-stack mobile software player to compete with Apple and Google? Mobile companies like Micromax have created Android device variants and help Google make its moat deeper and broader.

Every Indian, including me, makes use of the Google search engine. Google has expanded itself to include Indian languages. I know all language space providers leverage Google for everything. By making more Indians use Android phones, Google has already created a large moat. By making all Indian content available as part of the iTunes store, Apple is working to create its moat. Who competes with Google and Apple for the Indian space?

In the retail space, it is refreshing that Flipkart and Snapdeal are giving some challenge to Amazon. I consider that Amazon.in wins over Indian players on customer satisfaction, and its gap with Indian players is small at this moment. From Amazon.in's perspective, they have had success in starting to create a better moat in India compared to their experience of creating a moat in China (vs alibaba.com). I subscribe to Amazon Kindle Unlimited and am also responsible for strengthening their moat.

In the payment space, Silicon Valley companies have not been able to create a moat in India, and Indian regulation has prevented the same to an extent. Happy to see that the moat created by a consortium of Indian players (Paytm, MobiKwik, Ezetap, etc.) working together to create RuPay and NPCI-based infrastructure, along with the Indian government, may have the potential muscle to destroy the moat created by Visa and MasterCard.

Maybe acceptance of others comes from Indian culture. We have welcomed everyone to our country, either in a friendly way or through a war, and we have helped them to establish themselves and grow. In the recent past, we helped the British to become powerful, starting with the East India Company. Maybe now it is our turn to help Silicon Valley to flourish and become powerful. Maybe in the future, we would help Chinese firms to flourish.
We continue not to innovate in basic areas. We fight with initiatives like Free Basics over policy and not over innovation. I wish the divide-and-conquer policy is not once again used to exploit Indians.

Connected Approach to Agile, DevOps, Lean

This blog is for my own reference.
DevOps  is a mindset that requires cultural evolution similar to Agile and Lean Startup. It is more than a technology or a tool set. Like Agile, implementation of DevOps depends on  people, maturity of process and usage of right tools.

When teams master DevOps along with Agile and Lean, the team would be able to observe and learn based on feedback in different practice areas. The combination of DevOps with agile is aimed  to make application life-cycle faster and more predictable.

  • Manage technical debt. Any technical debt you carry is a risk to generate unplanned work—such as Live Site Incidents—that interfere with your intended delivery. Developers need to be conscious of any debt items and take initiatives to educate stakeholders and schedule paying technical debts off before they become large to interfere with the quality of service delivered.
  • Does customer really get value. Items in backlog are ranked according to what matters to the customers and focus in on delivery of value for customers. Though this existed from the first decade of Agile, now we can measure how much value we are offering to customer and whether we need to correct our course.
  • Look product backlog as customer Hypothesis. Prior to DevOps, product stakeholders added items in to backlog that they considered of value to customer and the the product owner groomed the backlog. Now, we can treat the backlog as a set of hypotheses, that gets turned into experiments,where we need to collect data to support or diminish the hypothesis. With real evidence, we can determine the next move in the backlog and persevere (do more) or pivot (do something different) The evidence takes center stage over the likes and dislikes of product owner.
  • Evidence and data. We instrument everything, not just for health, availability, performance, and other qualities of service, This is needed to understand usage and collect evidence relative to the backlog hypotheses. For ex, when user experience gets changed, we plan and implement multiple experiments, measure the impact of experiment  collecting data based on user action. The usage data can be contrasted across usage patterns, such as weekday and weekend users, to hypothesize new ways of improving the experience for each.
  • Production first mindset. That data is reliable only if the quality of service is consistently excellent. We always track the live site status, re-mediate any live site incidents at root cause, and proactively identify any outliers in performance to see why they are experiencing slowdowns.

[Image copied from the Microsoft DevOps web page: DevOps picture]

To run a system as a 24x7x365 service that leverages cloud infrastructure:

  • To support cloud deployment, the design needs to start cloud-first.
  • The design needs to be ready for the system to be deployed as an on-premises product as well (with a few exceptions).
  • The system design and architecture need to be continuously tinkered with and evolved; refactoring becomes a regular activity, moving toward more independent, discrete services.

Effectively, this connected approach gives stakeholders more confidence that the system is hardened at scale, and more evidence of the maturity of the system.

Is your website XSS vulnerable?

Cross-site scripting (XSS) is an injection attack, similar to SQL injection. Instead of injecting a SQL query, the attacker injects malicious client-side code, usually JavaScript. The victim is the user rather than the application.

The attacker injects malicious code, usually by embedding JavaScript in a page served by a trusted website. From the trusted server, the code is delivered to the victim's HTML-capable agent (browser or email client), where it is interpreted as executable code instead of data. Because the malicious script runs with the same privileges as the site's own scripts, the user (victim) is under the false belief that the code comes from the trusted website. Cross-site scripting attacks occur in three ways:

  • Stored XSS: the injected code is permanently stored on the target server, for example in a database, and becomes part of the dynamic content of the website that is rendered in the browser of every user who views it.
  • Reflected XSS: the injected code is made available as a link, typically in an email. When the user clicks the link, the malicious code goes to the vulnerable web server, which reflects it back into the response sent to the user's browser. The browser executes the script, which appears to come from the trusted web server.
  • DOM-based XSS: the injection happens inside the client-side script itself, which reads data from the user's browser (the URL, a form field, local storage) and writes it back into the page's DOM without sanitizing it. The server may never see the malicious payload.

These attacks can steal the user's session cookie, perform requests to the site with the user's privileges, and read any data the page exposes to scripts. Sometimes they spoil the rendering of the user interface and degrade the user experience. While developers can correct this flaw easily once it is detected, or once they are aware of the risk, attackers also find it easy to detect once an application is deployed and reachable over the internet.

Attackers and developers alike can use tools such as XSSer and XSSploit to find this type of vulnerability. It is better that the development team identifies these flaws with such tools while testing the product or website, so that the developers can fix them ahead of deployment.

With more data and execution being handled by JavaScript that talks to web services on the server independently of page loads, the scope of this vulnerability increases. Simple developer practices can greatly reduce the risk:

  • Validate input: Every input field in an HTML page needs to be validated, preferably against an allowlist of what the field may legitimately contain (a username, a number, a date) rather than a blocklist of script tags. This is important but not sufficient on its own to prevent all XSS attacks. Be aware of the danger when a field must accept characters such as < or " to suit a user requirement.
  • Encode output: Any data sent to the user's browser can be HTML entity encoded before it is inserted into the page, so that malicious code becomes harmless display characters. Special libraries provide the encoding methods. Which encoding is right depends on where the data lands: the HTML body, an attribute value, a JavaScript string, and a URL each need their own encoder, so use a library that covers all of these contexts rather than a single generic function.

Check whether your website is free of XSS vulnerabilities. If static code analysis is already performed on your C# or Java code, it is time to subject your JavaScript code to static code analysis as well.

I used the following links to understand XSS flaws related to knockout.js, along with a link to a secured library:

If you want to allow users to customize their web page using HTML and CSS, please take care of XSS there as well: since the user is meant to supply markup, plain output encoding would destroy it, so an HTML sanitizer that keeps only an allowlist of tags and attributes is needed instead.