Engineering Blog

Creating Delightful Graphs using HTML 5 Canvas

At Pendo, we collect tons of data, and we’re always finding new ways to showcase that data so our customers can see how their apps are being used and can make their software more lovable. One of the data visualizations we have been working on recently is Product Engagement Score. To calculate a Product Engagement Score, we combine Stickiness, Growth, and Adoption to show how invested users are in that product.

Read more…

Engineering Management: Interviews & Hiring

What makes a great engineering manager? What are the important frameworks that engineering managers should know about? How do you assess and interview for this crucial role?

Pendo’s SVP of Engineering Dave Rensin speaks to Exponet about hiring managers, including his top tips for people in the midst of an engineering manager interview.

Avoiding Header Method Override Cache Poisoning

Configuring CloudFront in front of Google Cloud Storage

On April 15, 2021, a security researcher reached out to Pendo’s security team regarding a potential vulnerability in cdn.pendo.io. The proof of concept used the HTTP header X-HTTP-Method-Override to poison the cache, causing the cache to return a blank page to future clients for the lifetime of the cache entry.

The researcher, who has asked to remain anonymous, described the issue as they observed it (personal communication, April 15, 2021):

“When sending a request to any asset located on https://cdn.pendo.io/ that includes an HTTP header X-HTTP-Method-Override with the value HEAD, the request gets passed to the back-end (unless the cache prevents it) and then triggers a response based on the value of that header which gets stored in the cache. By pointing a request to any endpoint located on https://cdn.pendo.io/ and providing that header an attacker can store an invalid response in the cache that has no body, which in the browser will be seen as a completely blank page.” 

Read more…

How Pendo Maintains a Culture of Quality with Cypress

I recently had the opportunity to take part in a case study for Cypress on behalf of Pendo to talk about our quality culture and how using Cypress helped us with our testing and releases. Cypress had seen the progression we had made over the past year and were keen for us to discuss our experience in the form of a webcast.

I sat down with Cypress’ Distinguished Engineer, Gleb Bahmutov, to talk about how Pendo utilised Cypress to rebuild the automated test suite for our Guides product. We discussed common issues that can arise when building automation frameworks such as flaky tests, identifying elements inconsistently, and using explicit waits in tests. We then discussed how we avoided these by following best practices set by Cypress such as using data attributes, adding test retries, and waiting on aliases. We then went into detail on how this helped us to create a stable foundation for automated Sanity and Regression test suites. We also talked about how we added integrations to support further reporting and maintenance processes.

Watch the recording to learn about Pendo Guides, Cypress best practices, and usage of key features from Cypress such as Test Retries. Feel free to reach out to me on Twitter if you have any questions, or you can find additional questions and answers linked in the Cypress blog here.

A Tour of Steganography – Embedding Payloads in PNG Files

Hiding data in inconspicuous places is not just something the spies of old did to get messages across borders; it is also something that attackers do to exfiltrate data out of vulnerable systems. Attackers may even slip malicious commands past antivirus software. The act of hiding data or malicious commands in regular files is called steganography – a fascinating discipline that many talented security professionals devote themselves to mastering.

I am going to discuss how to embed payloads into PNG files without corrupting the original file, and how to hide that payload to prevent antivirus from being able to detect it.

Read more…

Welcome to the new Pendo Developers!

The Pendo Developers site has a new look and lots more content! Of course, this is still the place to get updates on Pendo’s customer-facing mobile SDKs and browser agent, but stick around and check out some of our new posts from Engineering on how and why Pendo works the way it does. We’ve also added API documentation on integrating Pendo with your application and how Pendo interacts with applications out of the box.

Why We Built Pendo Reports for Confluence

At Pendo, the product and engineering teams use Confluence for almost all knowledge sharing.

An idea might start in a meeting or Slack thread but it’s not canon until we’ve captured and shared it in a Confluence doc. It’s the cauldron where data from a variety of sources get mixed into the message—the purpose—of what we’re doing next. One of the most-shared data sources in Confluence is Pendo itself (as you might expect from a tool that provides product insights). Almost hourly, our product managers copied and pasted rows from reports or charts from our web app’s UI to help describe the point of a doc. When we approached the team about an Atlassian product integration, the choice was obvious; it should be Confluence.

Once we decided to build the integration, many questions remained. What should we build? Where should we begin? What is the steel thread to build first to get this party started? The integration build took a few unexpected turns. Here’s a bit of that journey. Read more…

How We Built Pankbot

Last week, Pendo hosted our second, semi-annual hackathon, or, as we like to call it, Bias to Hack. During this round of Bias to Hack, I sat back and joined another team; six months ago, however, I was pitching my own idea. It was an idea that would make the lives of Pendozers much easier but one that requires a bit of explanation. Read more…

Get Going at GopherCon

The Go community is growing by leaps and bounds: a fact borne out by the 2017 TIOBE programming language popularity index, which shows Go moving up to tenth place from last year’s 55th place.

Further proof of Go’s rapid ascent was evident to those who attended the recent GopherCon in Denver, CO. Imagine hanging out with 1,500 of your fellow Gophers, many of whom traveled great distances to learn from the Go experts and each other.

The Pendo backend engineering team attended this year’s event in force. We love Go and use it to process hundreds of millions of data points a day, along with querying and summarizing that data in innumerable ways. Pendo is a 100% Go shop on the backend, no legacy code (we’ve been using Go since version 1.2). In addition to learning the latest Go tips and tricks, the team pitched in to help our recruiting manager answer questions about Pendo and our backend development opportunities. Read more…