Skip to main content

Posts

Vanta is a pretty good tool

  On a project I've been working on, I've been preparing for SOC 2 Type II certification. My responsibilities have mostly been on the engineering/IT side, ensuring that our SaaS is deployed and developed according to SOC 2 processes. This isn't something a developer would willingly or enthusiastically take on, right? I can’t believe I’m saying this out loud, but actually ... it hasn’t been that bad. The biggest reason for this has definitely been Vanta . Vanta has distilled the rather hard-to-decipher process descriptions into actionable items. As far as I know, SOC 2 isn’t a one-size-fits-all (SaaS provider) certification; it differs according to the stack - which makes sense. Plugging in all our services, from cloud providers to issue trackers, spits out a tailored task list. The task list can even include literal Terraform code examples, which you can copy-paste with minor changes. You could kind of get a similar list from AWS Audit Manager or AWS Security
Recent posts

Debugging slow connection open to PgCat

On a project I'm working on we are using PgCat as the PostgreSQL frontend. We chose it mainly based on gut feeling as pgbouncer seems a bit dated, although it would have arguably been the safe choice. I was looking into the connection times using our tracing tool (Sentry) and noticed that establishing connections takes about 50ms.  That is a bit slow, right? It was easy enough to confirm that it is indeed very slow. Establishing a direct connection to the mostly idle Postgres is in the sub-5ms range. I quickly found a  ticket  about connection slowness,  hinting that the problem could be related to TCP_NODELAY. Essentially, it disables Nagle's algorithm , which batches small packets together. I guess that establishing connections from the client to PgCat is such a light process that the extra buffering is actively harmful. And sure enough, after upgrading PgCat, we see sub 5ms connection times.  So why use PgCat at all? For us, it is for scaling purposes but not for load distri

Canyon Precede:ON 7

I bought or technically leased a Canyon Precede:ON 7 (2022) electric bike last fall. This post is about my experiences with it after riding for about 2000 km this winter. The season was a bit colder than usual, and we had more snow than in years, so I properly put the bike through its paces. I've been cycling for almost 20 years. I've never owned a car nor used public transport regularly. I pedal all distances below 30km in all seasons. Besides commuting, I've mountain biked and raced BMX, and I still actively ride my road bike during the spring and summer months. I've owned a handful of bikes and kept them until their frames failed. Buying new bikes or gear has not been a major part of my hobby, and frankly, I'm quite sceptical about the benefits of updating bikes or gear frequently. I've never owned an E-bike before, but I've rented one a couple of times. The bike arrived in a hilariously large box. I suppose there's no need to worry about damage durin

SAML 2 with django-allauth

Django-allauth got SAMLv2 support last August. It has been and continues to be an exceptionally complete package for all authentication-related things. SAML in 2024? Sure, it is OAuth or something more modern you would usually want, but as we all know, we only sometimes have that choice. In this post, I will explore how to integrate customer users into a SaaS product using SAML. The official documentation covers the installation part. It also has an example of configuring it in the settings file. Alternatively, the settings can be stored in the DB. Often, SAML is used to integrate all users (and roles) from specific organizations. So, if a customer, say, Acme, wants to start using our SaaS product, all their user information often uses the same integration. In this case, Acme wants to use SAML. Let's slap the configuration to the DB. Here is a screenshot of an example config, viewed through the Django admin. Their identity provider could be anything, and I have filled in the setti

2023

It was a year of wrapping up a major project I've been working on for several years. Nothing is, of course, ever truly finished in software, so "fully released" is maybe a better choice of words. In 2023, I was also part of starting a new, presumably soon-to-be megaproject. This led to me switching jobs. See this tweet My new employer is an early-stage startup. I have never been on one, so I wanted to know what that is like. We are a close-knit team, quite different from the 100+ member projects I began my career with. Before fully committing to the new one, I juggled two jobs for six months. I was a (primarily) mobile developer by day and transformed into a web developer by night (actually, I did most of the coding on weekends). My first assignment was related to setting up the frontend, which I ended up doing with NextJS + Tailwind + shadcn/ui combo.  My working days have changed dramatically. Earlier in the year, I worked on a reasonably stable and mature organization

Motivated Developers Do Valuable Things (Mostly)

I have a provocative claim that people do what they want in a given software organization and then play the game of scrum or some similar established process. A more nuanced way of putting that is that we (developers) are incredibly easy to sidetrack from the commonly agreed "most important TODO items." Sure, we follow the abstract, larger vision of a given product, but the more granular the level, the more variance there is in people following the predetermined issue list. When it is written or said out, all that does not seem that provocative. It is actually written in agile process documentation, but not in those words. Agile process talks about "requirement volatility" which can be seen as a similar thing I am talking about. Given most employees do what they want, how do organizations keep on top of that? Now, for what might seem like a continuation of stating the obvious: meetings and issue trackers are vital tools for monitoring team activities. Motivated indi

Second job

I've taken a hiatus from blogging for the past few months, partially due to laziness but mainly due to the start of my second job. Why take on more work? As a well-compensated developer, I could live comfortably on a single income, could I? Money was not the prime mover but rather the personal development path. Although I can tinker with cool technologies with professional colleagues in my day job, I can't shake the feeling that I may have become too comfortable. There's nothing inherently wrong with being in a comfortable position, but that's not where I'm meant to be right now. I am well aware of the dangers of taking on more work with deadlines, meetings, and time pressures—the typical catalysts of burnout. Therefore, I must let go of some responsibilities. Writing brings me joy, but the preparation involved in preparing technical blog posts (admittedly, there have been few recently) can overheat my mental engine. I'm not advocating for or against voluntaril