Archives: Engineering Blog Posts

Engineering Management: Interviews & Hiring

What makes a great engineering manager? What are the important frameworks that an engineering manager should know about? How do you assess and interview for this crucial role?

Pendo’s SVP of Engineering Dave Rensin speaks to Exponent about hiring managers, including his top tips for people in the midst of an engineering manager interview.

Avoiding Header Method Override Cache Poisoning

Configuring CloudFront in front of Google Cloud Storage

On April 15, 2021, a security researcher reached out to Pendo’s security team regarding a potential vulnerability in cdn.pendo.io. The proof of concept used the HTTP header X-HTTP-Method-Override to poison the cache, causing the cache to return a blank page to future clients for the lifetime of the cache entry.

A security researcher, who has asked to remain anonymous, described the issue as they observed it (personal communication, April 15, 2021):

“When sending a request to any asset located on https://cdn.pendo.io/ that includes an HTTP header X-HTTP-Method-Override with the value HEAD, the request gets passed to the back-end (unless the cache prevents it) and then triggers a response based on the value of that header which gets stored in the cache. By pointing a request to any endpoint located on https://cdn.pendo.io/ and providing that header an attacker can store an invalid response in the cache that has no body, which in the browser will be seen as a completely blank page.” 

How Pendo Maintains a Culture of Quality with Cypress

I recently had the opportunity to take part in a case study for Cypress on behalf of Pendo to talk about our quality culture and how using Cypress helped us with our testing and releases. Cypress had seen the progression we had made over the past year and were keen for us to discuss our experience in the form of a webcast.

I sat down with Cypress’ Distinguished Engineer, Gleb Bahmutov, to talk about how Pendo utilised Cypress to rebuild the automated test suite for our Guides product. We discussed common issues that can arise when building automation frameworks, such as flaky tests, identifying elements inconsistently, and using explicit waits in tests. We then discussed how we avoided these by following best practices set by Cypress, such as using data attributes, adding test retries, and waiting on aliases. We then went into detail on how this helped us to create a stable foundation for automated Sanity and Regression test suites. We also talked about how we added integrations to support further reporting and maintenance processes.

Watch the recording to learn about Pendo Guides, Cypress best practices, and usage of key features from Cypress such as Test Retries. Feel free to reach out to me on Twitter if you have any questions, or you can find additional questions and answers linked in the Cypress blog.

A Tour of Steganography – Embedding Payloads in PNG Files

Hiding data in inconspicuous places is not just something the spies of old did to get messages across borders; it is also something that attackers do to exfiltrate data out of vulnerable systems. Attackers may even slip malicious commands past antivirus software. The act of hiding data or malicious commands in regular files is called steganography – a fascinating discipline that many talented security professionals devote themselves to mastering.

I am going to discuss how to embed payloads into PNG files without corrupting the original file, and how to hide that payload to prevent antivirus from being able to detect it.