Engineering Blog

Proactive Secrets Management at Pendo

The last thing any good product security team wants is for their codebase to look something like this:

This nightmare scenario is why security teams use a process known as “secrets management” to find and remove secrets from production code. However, the issue with manual secrets management is that it is a reactive process instead of a proactive one.

Read more…

Using Gosec to find Insecure Code Patterns

Golang at Pendo

Go and Pendo

From Pendo’s inception, we have felt strongly about using performant, modern tools and languages to build our product with. Go was a conscious choice because it was built on 3 principles that were crucial to Pendo’s success and agility: efficient compilation, efficient execution, and ease of programming. A future blog post will discuss in detail the process of choosing Go, and all considerations that went into the decision-making process. If you would like to know more about Go, click here for a comprehensive FAQ.

Read more…

Quality at Pendo: Our experience of Gorilla Testing

Welcome to the second part of our two-part blog on Quality at Pendo. In part one we looked at ensemble testing and how it benefited one of our key releases. In part two we tried our hand at Gorilla testing to see how this form of testing might benefit our testing approach and culture.

Goals:

  1. To try a different method of testing
  2. To open new channels and methods for communication and collaboration within the quality team
  3. To promote knowledge sharing
  4. To increase test coverage and confidence in areas affected by framework migration (including data)

Read more…

Quality at Pendo: Our Experiences in Ensemble Testing

In this blog post you’ll read about our successes and challenges as we tried our hand at Ensemble (Mob) Testing.

At Pendo, we’re always trying to push the boundaries of testing. We believe that incorporating new approaches is key to promoting our quality culture and a quality-focused mindset within our teams. We actively promote the idea that everyone is responsible for quality, and we constantly strive for more collaboration and knowledge sharing to assist everyone on our quality journey. We have always found value in exploratory testing and recently tried two different approaches to enhance and improve our approach to this key testing activity.

Read more…

WebAssembly vs JavaScript: the LZ77 algorithm

WebAssembly (Wasm, in short) is an assembly-like instruction format for a stack-based virtual machine. It is designed to be encoded in an efficient binary format that can be executed at near-native speed on any platform that can host the virtual machine. In particular, this is supported on all modern browsers (Chrome, Edge, Firefox and Safari).

Read more…

Pendo Aggs: Writing Your First Aggregation

At Pendo we are always looking to enable our customers to gain insights into their products so they can invest in building the right features for their users. One of the key methods for doing this is to dig into the data. We have a lot of cool tools such as Dashboards, Data Explorer, and Retention to display that data in a meaningful way.

Read more…

Creating Delightful Graphs using HTML 5 Canvas

At Pendo, we collect tons of data, and we’re always finding new ways to showcase that data so our customers can see how their apps are being used and can make their software more lovable. One of the data visualizations we have been working on recently is Product Engagement Score. To calculate a Product Engagement Score, we combine Stickiness, Growth, and Adoption to show how invested users are in that product.

Read more…

Engineering Management: Interviews & Hiring

What makes a great engineering manager? What are the important frameworks that an engineering manager should know about? How do you assess and interview for this crucial role?

Pendo’s SVP of Engineering Dave Rensin speaks to Exponet about hiring managers, including his top tips for people in the midst of an engineering manager interview.

Avoiding Header Method Override Cache Poisoning

Configuring CloudFront in front of Google Cloud Storage

On April 15, 2021, a security researcher reached out to Pendo’s security team regarding a potential vulnerability in cdn.pendo.io. The proof of concept used the HTTP header X-HTTP-Method-Override to poison the cache, causing the cache to return a blank page to future clients for the lifetime of the cache entry.

A security researcher, who has asked to remain anonymous, described the issue as they observed it (personal communication, April 15, 2021):

“When sending a request to any asset located on https://cdn.pendo.io/ that includes an HTTP header X-HTTP-Method-Override with the value HEAD, the request gets passed to the back-end (unless the cache prevents it) and then triggers a response based on the value of that header, which gets stored in the cache. By pointing a request to any endpoint located on https://cdn.pendo.io/ and providing that header, an attacker can store an invalid response in the cache that has no body, which in the browser will be seen as a completely blank page.”

Read more…