Building out products and features is no longer about owning all the code used. As technology continues to grow at an astronomical rate, it remains necessary to utilize open-source code in the form of third-party packages and APIs.
Third-party packages and APIs enable you to leverage code written by other individuals to get to your goals faster and build out desired features with ease. A great example of this would be the requests package in Python. This package lets you simplify HTTP requests so you can automate your processes without worrying about the overhead. Though requests is a highly used and well-maintained package, there are thousands of other projects out there which can be leveraged—so how can you decide which package is best to use? Integrating with third-party code can be broken down into 3 major areas of consideration: vetting the package, determining security risks, and implementing the code.
At Pendo, we are always looking to provide the best value to our customers. We use Agile to help us navigate the complexities of product development and delivery.
The last thing any good product security team wants is for their codebase to look something like this:
This nightmare scenario is why security teams use a process known as “secrets management” to find and remove secrets from production code. However, the issue with manual secrets management is that it is a reactive process instead of a proactive one.
September 2, 2021 | Posted by Melodie Moorefield-Wilson
Golang at Pendo
From Pendo’s inception, we have felt strongly about using performant, modern tools and languages to build our product with. Go was a conscious choice because it was built on 3 principles that were crucial to Pendo’s success and agility: efficient compilation, efficient execution, and ease of programming. A future blog post will discuss in detail the process of choosing Go, and all considerations that went into the decision-making process. If you would like to know more about Go, click here for a comprehensive FAQ.
Welcome to the second part of our two part blog on Quality at Pendo, in part one we looked at ensemble testing and how this benefited one of our key releases. In part two we tried our hand at Gorilla testing to see how this form of testing might benefit our testing approach and culture.
Goals:
To try a different method of testing
To open new channels and methods for communication and collaboration within the quality team
To promote knowledge sharing
To increase test coverage and confidence in areas affected by framework migration (including data)
In this blog post you’ll read about our successes and challenges as we tried our hand at Ensemble (Mob) Testing
At Pendo, we’re always trying to push the boundaries of testing. We believe that incorporating new approaches is key to promoting our quality culture and a quality focused mindset within our teams. We actively promote that everyone is responsible for quality and constantly strive for more collaboration and knowledge sharing to assist everyone on our quality journey. We have always found value in exploratory testing and recently tried two different approaches to enhance and improve our approach to this key testing activity.
WebAssembly (Wasm, in short) is an assembly-like instruction format for a stack-based virtual machine. It is designed to be encoded in an efficient binary format that can be executed at near-native speed on any platform that can host the virtual machine. In particular, this is supported on all modern browsers (Chrome, Edge, Firefox and Safari).
Pendo’s Jonathan Thompson showcases the power behind the intercept() method in Cypress – by providing examples of request interceptions, mocks, and assertions. Read: Improve Your End to End Tests with Cypress Intercept
Books fetch request highlighted in red. (Screenshot by Jonathan Thompson)
At Pendo we are always looking to enable our customers to gain insights into their products so they can invest in building the right features for their users. One of the key methods for doing this is to dig into the data. We have a lot of cool tools such as Dashboards, Data Explorer, and Retention to display that data in a meaningful way.Read more…
At Pendo, we collect tons of data, and we’re always finding new ways to showcase that data so our customers can see how their apps are being used and can make their software more lovable. One of the data visualizations we have been working on recently is Product Engagement Score. To calculate a Product Engagement Score, we combine Stickiness, Growth, and Adoption to show how invested users are in that product.
What makes a great engineering manager? What are the important frameworks that engineering manager should know about? How do you assess and interview for this crucial role? Pendo’s SVP of Engineering Dave Rensin speaks to Exponet about hiring managers including his top tips for people in the midst of an engineering manager interview.
Configuring CloudFront in front of Google Cloud Storage
On April 15, 2021, a security researcher reached out to Pendo’s security team regarding a potential vulnerability in cdn.pendo.io. The proof of concept used the HTTP header X-HTTP-Method-Override to poison the cache, causing the cache to return a blank page to future clients for the lifetime of the cache entry.
A security researcher, who has asked to remain anonymous, described the issue as they observed it (personal communication, April 15, 2021):
“When sending a request to any asset located on https://cdn.pendo.io/ that includes an HTTP header X-HTTP-Method-Override with the value HEAD, the request gets passed to the back-end (unless the cache prevents it) and then triggers a response based on the value of that header which gets stored in the cache. By pointing a request to any endpoint located on https://cdn.pendo.io/ and providing that header an attacker can store an invalid response in the cache that has no body, which in the browser will be seen as a completely blank page.”
We all spend a shocking amount of time in meetings — much more than we need. Group meetings are especially expensive and almost always low calorie density.
I recently had the opportunity to take part in a case study for Cypress on behalf of Pendo to talk about our quality culture and how using Cypress helped us with our testing and releases. Cypress had seen the progression we had made over the past year and were keen for us to discuss our experience in the form of a webcast.
I sat down with Cypress’ Distinguished Engineer, Gleb Bahmutov, to talk about how Pendo utilised Cypress to rebuild the automated test suite for our Guides product. We discussed common issues that can arise when building automation frameworks such as flaky tests, identifying elements inconsistently, and using explicit waits in tests. We then discussed how we avoided these by following best practices set by Cypress such as using data attributes, adding test retries, and waiting on aliases. We then go into detail on how this helped us to create a stable foundation for automated Sanity and Regression test suites. We also talked about how we added integrations to support further reporting and maintenance processes.
Watch the recording to learn about Pendo Guides, Cypress best practices, and usage of key features from Cypress such as Test Retries.Feel free to reach out to me on Twitter if you have any questions, or you can find additional questions and answers linked in the Cypress blog here.
Hiding data in inconspicuous places is not just something the spies of old did to get messages across borders, it is also something that attackers do to exfiltrate data out of vulnerable systems. Attackers may even slip malicious commands past antivirus software. The act of hiding data or malicious commands into regular files is called Steganography – a fascinating discipline that many talented security professionals devote themselves to mastering.
I am going to discuss how to embed payloads into PNG files without corrupting the original file, and how to hide that payload to prevent antivirus from being able to detect it.
The Pendo Developers site has a new look and lots more content! Of course, this is still the place to get updates on Pendo’s customer-facing mobile SDKs and browser agent updates, but stick around and check out some of our new posts from Engineering on how and why Pendo works the way it does. We’ve also added API documentation on integrating Pendo with your application and how Pendo interacts with applications out of the box.
At Pendo, the product and engineering teams use Confluence for almost all knowledge sharing.
An idea might start in a meeting or Slack thread but it’s not canon until we’ve captured and shared it in a Confluence doc. It’s the cauldron where data from a variety of sources get mixed into the message—the purpose—of what we’re doing next. One of the most-shared data sources in Confluence is Pendo itself (as you might expect from a tool that provides product insights). Almost hourly, our product managers copied and pasted rows from reports or charts from our web app’s UI to help describe the point of a doc. When we approached the team about an Atlassian product integration, the choice was obvious; it should be Confluence.
Once we decided to build the integration, many questions remained. What should we build? Where should we begin? What is the steel thread to build first to get this party started? The integration build took a few unexpected turns. Here’s a bit of that journey. Read more…
Last week, Pendo hosted our second, semi-annual hackathon, or, as we like to call it, Bias to Hack. During this round of Bias to Hack, I sat back and joined another team; six months ago, however, I was pitching my own idea. It was an idea that would make the lives of Pendozers much easier but one that requires a bit of explanation. Read more…
The Go community is growing by leaps and bounds: a fact borne out by the 2017 TIOBE programming language popularity index, which shows Go moving up to tenth place from last year’s 55th place.
Further proof of Go’s rapid ascent was evident to those who attended the recent GopherCon in Denver, CO. Imagine hanging out with 1,500 of your fellow Gophers, many of whom traveled great distances to learn from the Go experts and each other.
The Pendo backend engineering team attended this year’s event in force. We love Go and use it to process hundreds of millions of data points a day, along with querying and summarizing that data in innumerable ways. Pendo is a 100% Go shop on the backend, no legacy code (we’ve been using Go since version 1.2). In addition to learning the latest Go tips and tricks, the team pitched in to help our recruiting manager answer questions about Pendo and our backend development opportunities. Read more…
Since I started working at Pendo, people often ask, “What is Pendo?” From an engineering perspective, if Pendo is one thing it would be what we call “The Agent.” The agent is a bundled set of JavaScript code that makes use of almost every capability inside of a web browser. When our customers want to take advantage of everything Pendo does (web analytics, page interaction recordings, guide delivery, and so much more), all they need to do to get started is add a script tag that downloads the agent on their page, and the agent takes it from there. It’s a simple process for our customers, but there is a lot of work going on behind the scenes. Read more…
At the end of last quarter, the engineering team celebrated a really stupendous year for Pendo by hosting our first company hackathon: Bias To HACK.
It wasn’t your typical hackathon. No one locked us in the office with an endless supply of caffeine and pizza, like some code-fueled middle school lock-in. We didn’t stay up past midnight desperately cobbling together some half-baked demos and clever API mashups to show off our 1337 h4xx0r 5ki1z to one another. And we weren’t spending our time “cracking codes” to breach the Pentagon or something only Hollywood could misrepresent.
We did build some surprising new tools and features as a team and had a lot of fun doing it. And there might have been some pizza in there somewhere. And t-shirts, of course. Read more…
