The home team covers code scanning for security vulnerabilities in open-source registries, whether high-profile skills training programs from Google and Amazon really address systemic inequity in tech (spoiler: probably not), and how a James Bond character sparked Matt’s interest in security.
Learn more about GitHub’s machine learning-based code scanning, which finds security issues before they make it to production.
Google invests $100 million in a skills training program for low-income Americans. Is there a catch?
Take2 is a New Zealand program that teaches incarcerated people to code: building marketable skills, opening up employment opportunities, and dramatically reducing recidivism. At the time of writing, Take2 has a 100% success rate in preventing recidivism.
We have two Lifeboat badges this week: Varad Mondkar, for answering How does the app:layout_goneMarginLeft and its variants affect the view arrangements in constraintlayout?, and Eugene Sh., for answering What is this “a.out” file and what makes it disappear?.
Ben Popper Let's jump over to our topic for the day. Ceora, you shared this, and I think, Cassidy, you mentioned you put it in the newsletter. "From Tumblr Girl to Engineer: How a Platform Inspired a Generation of Women to Code." So Cassidy, high-level quick synopsis of the article, and then Ceora, lead us in. What made you think of dropping this link in there and wanting to talk about it?
Cassidy Williams In this article, the high-level thing is that platforms like Tumblr, like Myspace, like Neopets even, all of these platforms from way back in the day in the early 2000s.
BP [laughter] I'm only laughing because we've mentioned these three so many times, because they're clearly fan favorites.
CW Yeah. So prominent. But honestly, they made coding very accessible because it was all about making your blog look cooler, making your guilds look cooler, making your page look cooler, and they had tutorials very easily accessible so you could take it and then update the HTML and CSS and kind of take it and run with it. And I know so many people, including myself, who got a lot of knowledge and experience just from being able to play around with these platforms and then suddenly said, "Wait, this could be a career," and take it and run with it.
[intro music plays]
BP Hello everybody. Welcome to the Stack Overflow Podcast. I am Ben Popper, Director of Content here at Stack Overflow, joined as I often am by my wonderful co-hosts Matt, Cassidy, and Ceora. What's going on you guys?
Ceora Ford Hi!
Matt Kiernander Hello!
BP So let's start off as we often do with a little bit of news. We've talked many times on this podcast about open source and the way modern day programmers rely on things like NPM to just kind of grab projects or files or folders out of a library, pop it into their project where it's useful. It makes things go faster, they don't have to reinvent the wheel, but also a bit dangerous when you're using something that you didn't build and actually it turns out it has a security vulnerability. So GitHub code scanning now finds more security vulnerabilities here. The onus is kind of falling on the GitHubs and the NPMs of the world to do more security for folks. Just want to get people's thoughts. Obviously, this is a good thing? I mean, scanning your code is probably something they do anyway. Do we trust them to step up and take care of the ecosystem where it's failing?
CF I remember a little while ago GitHub came out with a feature that basically would almost code for you if that makes sense.
BP Copilot. Yeah.
CF Yeah. Copilot exactly. The way that Copilot works is that obviously some machine learning is involved, and they basically scan a bunch of code that's hosted on GitHub. And I remember after the initial excitement died down a lot of people had a problem with the fact that GitHub was basically using people's code to build this thing. And I could see maybe people having the same complaint about GitHub or whoever else.
BP Where did you learn this? Is it biased?
CF Right. Exactly, exactly. Even though I do think it could be extremely helpful, especially like I've admitted several times on the podcast before, the last thing I think about when I'm building something is security. I'm trying to get something up and running quickly and I want it to be done. I don't really think about like, "Oh, this is perfect and totally secure." So before I make something live, something that will like ping me, like, "Hey, this has a huge security vulnerability!" would be super useful for me.
BP CRUD app now, security scan later.
CF Right. So I could see how it could be super helpful, but I also understand how people could have some issues with it I guess I could say.
CW Same. I don't really want to have to care that much. I will do base-level my version of security and building up those gates around certain things, but I'm not a security professional.
BP Is Cassidy compliant? Yeah, exactly.
CF Yeah, exactly. And so if a company can do stuff like that for me, I don't mind. And I do think that because these companies are hosting it, it is kind of on them to do it. Because as much as developers, yes, we should care about this sort of thing, there's bad actors out there who want to push bad code and that kind of stuff. And so the hosts that are dealing with all of these libraries and vulnerabilities and stuff, they should screen for that in some way or another so that way people aren't accidentally giving away data they don't want to give away or something like that.
BP Yeah, that makes sense.
MK One of the things that I haven't mentioned on the podcast before is that when I was trying to figure out what section of development I wanted to get into, I was considering going down the security route, because I think I watched a James Bond movie and I saw Q and I was like, "That dude is cool! I want to do that." And so I went and did this whole research and figuring out how to get into penetration testing and all that kind of thing. The security people, it blows my mind how much you need to know to get into that field. It is so dense. There's so much depth that you have to know but also breadth of knowledge about everything. It's incredible. So when it comes to tools like this, that help you bridge that security gap, I don't think a front end developer or a backend developer, they should probably be aware of the issues, but to know about the industry, that's where the dedicated professionals come in, and tools like this I think would be really useful.
CW It's kind of like what we talked about on the episode where we interviewed Juliana, who is the CTO of Stitch.
BP Right, security as a service, I remember.
CW Yeah. Security as a service. It's the kind of thing where there are professionals who have all of this experience. Let's use them and not reinvent the wheel with our own patchy version of security.
BP Yeah, I mean to Matt's point, we were doing an interview recently with the folks from Skillsoft and they were saying that the average number of certifications for the security folks is like above five, whereas for everybody else it was like one or two. They take that stuff way more seriously. They want to be on top of, and be validated as, having the most up-to-date knowledge. Because that kind of stuff for them is changing so rapidly and is just critical. Like maybe I lag a little bit behind on my cloud, whatever certifications, but it's not going to mean the difference between a job or not. But for the security crowd, certifications, and as Matt said, kind of like depth of knowledge is key.
CF And I think it's not just like the depth of knowledge, but all that knowledge is super, super important. And when you're building open-source projects, a lot of times especially for security stuff, you don't have the time to dedicate to making sure you're following all the best practices because it's so in-depth. And it could be detrimental to you if you don't know some of the red flags or whatever. So, I'm going to be kind of enthusiastic about this. I think this is a great feature. I definitely think it's a great move on GitHub's part to implement a feature like this to help people.
BP During beta testing the code scanning feature scanned 12,000 repositories 1.4 million times. Found 20,000 security issues: remote code execution, SQL injection, cross-site scripting flaws, some of the big, the usual stuff. The one thing is it may just stress you out. "It's important to note though, while we continue to improve and test our machine learning models, this new experimental analysis can have a higher false positive rate." Oh, well. So it goes. Alright, moving on to our second news hit of the day, Google creates $100 million fund for skills training program. $100 million sounds like a lot, but it's almost kind of table stakes for big tech these days. But yeah, throwing this out here. What do we like or not like about this? In general, I think seeing money going to education feels good. Seeing money going to education that is sort of siloed to one platform feels less good. But, curious to get people's takes.
CF I'll be the resident grumpy person on this. I think a lot of big tech companies have started initiatives like this. We just talked to the folks at AWS and they have something very similar where they get people who have come from non-technical backgrounds and get them ramped up on AWS so that they can have IT jobs that are fairly well paying. My thing is that I always think about from the outside looking in, these things seem like a good idea. Like, yeah, they're going to help people who come from low income communities not be low income anymore, which is great. To me though, sometimes it feels like the bandaid over the gunshot wound, you know? Google and other big companies have notoriously not been so great with diversity and treating non white male employees well. So to me, I'm always thinking about like, okay, this is great, but long-term what are you doing to help the people that are already at Google? That's kind of how I look at it. And then also like you're saying, I tend to be very skeptical about these educational initiatives that are not for profit, but like not 100% free, just because there's always a catch. Not always, but a lot of times there's like some sort of catch.
CW There's often a catch.
CF Yeah, that can be very negative for the candidates. I've seen so many people who come from bootcamps who are like, "I'm paying so much money for a program that wasn't very useful to me." So I just think about those things a lot. Not to be super negative, but they do go through my mind when I see stuff like this.
MK I had a look at what the requirements were because they're working with three different nonprofit groups in this particular case. So Year Up, which focuses on upward mobility programs for the disadvantaged. Merit America, which is an organization that offers tech training programs for adults without a bachelor's degree. And Social Finance, which designs student friendly financing and repayment plans. And the way that it's structured is, a lot of the organizations will only get paid or they'll get their sponsorship from Google, once those students have landed jobs. And the students pay $100 a month for a maximum of five years. So that would be 12 times. What, about five grand I think for an education there? It's better than a lot of the very predatory bootcamps that are around because some of those can be super bad. I'm not sure how that's structured in terms of how it differentiates from other bootcamps, but to me that seems fairly reasonable. Oh, and also you'll only start to repay your training if you find a job that earns at least $40,000 a year as well. So if you don't find a job, you don't pay for the program by the looks of it.
BP Matt, you had mentioned that when I dropped this link it reminded you of a program you did really feel was valuable. You want to shout that one out?
MK Yeah, for sure. I had a chat too, when I was looking for roles actually, this was one of the ones that I applied for because I thought it looked really cool. So what they do is, an organization called Take2. They're operating in the US and the UK. And one of the issues they had with the criminal justice system is when people are incarcerated and they go through their programs, they're not rehabilitated and brought back into society. They're not set up for success, in a way. And so, what they've realized is that tech is a very high paying career, relatively speaking. And you don't need a degree in order to be successful in the field either. If you can do the job, you can do the job, which is great. So what they're doing is teaching people who are incarcerated how to program. And then it's a one-year like web development, not really a bootcamp, because it's a whole year, but they've had incredible success rates. So they've got a 100% reduction in reoffending through similar programs in the US and UK. So out of everyone who's done this program, nobody's reoffended yet, which is incredible. For me, it makes sense doing something like this. They're putting people in the best position to succeed after they've finished. It kind of shows that it works. Like, if you help the people who are in need then they don't need to resort to the behaviors that they had prior to being incarcerated.
CF There's another similar organization like that that I found through Twitter. And they also provide mentorship to people who have been formerly incarcerated.
CW Is it Emergent Works?
CW That's the one that I know. So yeah, with Emergent Works they provide mentorship and they train people, but what they also do is they have consulting. And so the company itself, Emergent Works, can take on client projects and then the formerly incarcerated individuals can get that job experience while being in the program which is really cool.
CF Very cool.
MK That's rad.
BP Alright, well we'll include some links to Take2 in the show notes, because that certainly seems like an admirable organization. Let's jump over to our topic for the day. Ceora, you shared this, and I think Cassidy, you mentioned you put it in the newsletter. "From Tumblr Girl to Engineer: How a Platform Inspired a Generation of Women to Code." So Cassidy, high-level quick synopsis of the article, and then maybe, Ceora, lead us in. What made you think of dropping this link in there and wanting to talk about it?
CW In this article, the high-level thing is that platforms like Tumblr, like Myspace, like Neopets even, all of these platforms from way back in the day in the early 2000s.
BP [laughter] I'm only laughing because we've mentioned these three so many times because they're clearly fan favorites.
CW Yeah. So prominent. But honestly, they made coding very accessible because it was all about making your blog look cooler, making your guilds look cooler, making your page look cooler. And they had tutorials very easily accessible so you could take it and then update the HTML and CSS and kind of take it and run with it. And I know so many people, including myself, who got a lot of knowledge and experience just from being able to play around with these platforms and then suddenly said, "Wait, this could be a career," and take it and run with it. And so that's kind of the high-level description of what the article touches on.
BP What this made me think of was your discussion that I missed out on the other week about Gen Z and how they don't understand file systems. So it's like sort of every generation learns with what it enjoys at that age. So a lot of people who come on the podcast who are a little older than us say, "Oh, I loved gaming. So I started a gaming forum or I wanted to build games because I had run out of games." And then for a certain generation it's "Oh, I loved blogging or social media tools." And they're like, "That's what got me into it." And then I was thinking about Gen Z and how they don’t understand file systems. It's like, if you've only ever used a smartphone or a tablet, then you've never had to look at a file or think about a folder ever. And then maybe you get to college and you're like, "I want to try CS 101, see what this is about." And it's all like files and folders and directories and you're like, "I don't know what any of this means. I've been using a computer since I was five, but I've never had to think about any of this." It's just interesting to think about what the gateway is.
CW And yet they're able to do like Apple Shortcuts super well, because that's kind of like "code" and customize your phone.
BP Yeah, they have their own hacks. They have their own system. Totally.
CF I found this article really interesting because I'm fascinated with the idea of how tech changes as the generations progress, if that makes sense. So we've talked about before, how so many people got into tech through, "I started doing stuff with Neopets or Myspace," and I always wondered what was after Myspace? And obviously it was Tumblr, because in the article it features experiences from women who are around mid-twenties age. So still millennials, but the younger millennials. And I just thought it was so cool. And I've always wondered what is the thing for Gen Z that is going to be the gateway to coding for so many people. I still haven't really found it yet. One thing I have discovered though, which isn't necessarily coding, but it's like tech adjacent I guess I could say, is that there are a lot of Gen Z who are really, really good at Photoshop and video editing. I don't know if you've stumbled across people who do fan art for like anime or whatever, or people who do edits on TikTok and YouTube. They are so high quality. I always think to myself, "You all could make up the media department of any company existing right now."
BP Totally. I've thought about that many times. I'm so glad you said that because it's kind of like certain things will guide you down a path, and if you mess around with the HTML, CSS, to be a programmer, certain things used to be considered nerdy or almost as technical as like being in the AV club and knowing how to edit film. But now, just growing up and wanting to be on social media or Tumblr, you become an expert video, or music, or photo editor, and you're using all of these software skills to do it. So, yeah, like you're saying Ceora, it's almost like you put in that 10,000 hours to get to mastery while you're a teenager without thinking about it.
CF Right, exactly. Because it was fun.
BP And then all of the sudden you turn 18 and it's just intuitive to you. Exactly.
CF I always want to comment under TikToks like, "You know you could get a job with this skill!" I want to say that to them because they really do have the skills. They're using Photoshop, they're using all these different apps and things like that. And another thing that I found interesting was that I used to use Tumblr a ton when I was like 13, 14, 15. And it's interesting that you mentioned, Ben, about the whole file system thing. When I was mid-teens, I didn't have a computer, so I never got to fiddle around with the HTML side of things on Tumblr. To customize your blog I guess you had to have a computer because I just got to use the default settings on Tumblr because I didn't have a laptop to do the editing with. So it's so true when you only interact with the internet through apps and through phones and tablets, it totally changes the way you think about coding and tech.
CW Access just really matters. Where you were talking about the video editing and photo editing and stuff, at my middle school the computers had Photoshop. I would stay after school just to be able to play with Photoshop and to this day I still kind of have decent Photoshop skills purely because I thought it was the coolest thing that my school had Photoshop and I played with it all the time. And you see again on TikTok and stuff, I saw this one kid that was playing around with editing music and stuff. And because this little kid who was maybe six had access to all of this professional video or audio editing software, they were able to make some really cool songs and beats and stuff purely because they had access to it. And that's where I think that plays a lot into it. And I also wanted to give an honorable mention to Minecraft, too.
CF Oh yes! Yeah.
CW I think a lot of kids and young adults and kids who are in college today are coding in Java because they first played with it in Minecraft.
MK Just on Ceora's excellent point as well around the generational shift of people. We had the gamers with the gaming forums, and we had the Tumblr crowd come through and how that's starting to influence the technology and products that we're using today. And I'm so excited to see what that crowd, like the video editing creative field, when they're working professionals, how they start to influence the current technological landscape. I saw on TikTok early on today, they were using something called Generational AI or something, I don't know. I messaged them, I was like, "How the hell are you doing this? Because this is so cool." And what they were doing was they were using images and artificial intelligence and machine learning to sync up a transition of images to music on TikTok. It was absolutely mindblowing. So I'm super excited to see how that starts to influence things later on. In terms of technology and how we got started, I think the first computer I ever used was one of those Macs that kind of look like the back of an alien head. They were all multicolored and yeah, that was my first foray into technology. And then one of the teachers there had set up Doom in this little basement lair, and there was a select few students who managed to weasel their way down and play video games after school. Oh, and then we had this game, this touch typing game, with Timon and Pumbaa from The Lion King.
CW I think I remember that game!
MK It was like an interactive game. And it was basically stopping you from doing the two index fingers typing to actually touch typing. And it was the most fun I think I've ever had with a computer.
CW Yeah! Adventures in Typing with Timon and Pumbaa.
MK That's the one!
CW I found it!
MK It's so much fun!
BP I think it was the iMac. It had that really bulbous back, and the really nice pastel colors. Yeah. Those things were awesome.
MK It looked like the back of the Alien vs. Predator head. It kind of just went out.
CW They looked so fancy though.
CF This is going to be a clear indicator of generational difference, but we had two of those computers in my classroom when I was in kindergarten. And that was the last time I saw one of those.
CW I think that was sixth grade for me, which I think tracks with our ages.
BP Ceora, when you were saying that you didn't have a computer for Tumblr, I was just thinking I didn't have a smartphone or a tablet until I was out of college. Those things didn't exist for me. Alright, I won't talk about how old I am anymore, let's get back to this article. Was there something specific to Tumblr or to this person's career as an engineer that we wanted to touch on? I think we're bringing to light the way in which different platforms that are appealing to you as a youth can kind of lead you on this great path toward software engineering, but what happened with this particular person, and was there something about Tumblr itself that was relevant to the article?
CF Yeah I wanted to comment on this, too, because the article comprised the experiences of several women in tech, who like I said, are in their mid-twenties now who are software engineers or front end engineers. And one of the things that I found really interesting was that the thing that got the article off to its start was the fact that there was a TikTok where the original poster, she mentioned how there was a generation of girls who learned how to code through Tumblr. And apparently there were comments under the TikTok that were saying like, "HTML, CSS isn't real coding." And one of the questions that the journalist who wrote the article had asked the people they interviewed was, "How do you feel about that? As a software engineer now, how do you feel about people saying that HTML CSS isn't real coding?" And several of them were like, "It definitely is." And they felt like it was an attempt from other people to demean the skills that they had gathered as young girls. Because for some people, in their mind, if you hear that young girls are coding, that makes it seem like it's too easy, and therefore not as difficult. Does that make sense? So I just thought that was really interesting, because I've heard this debate several times on Twitter, where it's like, "Is HTML or CSS really coding?" And it was interesting to hear these women who are now professionals well established in their careers say, "Yeah, it was, and that was how I got started in my career as a software engineer today."
CW Anybody who tries to gatekeep what coding really is grinds my gears so much. Let people enjoy things, let people make things. It's so annoying to me when people do that. I do think you're right, Ceora. I do think it's specifically when it's people who are historically excluded and underrepresented in the field and you even see that. There's a really good article about what developer advocacy and developer experience means by Sarah Drasner, and I can try to find the article to put in the show notes. But she made a really good point about it, where there has been kind of a shift where there's a lot more respect for the profession, but still some people are just like, "Oh, are you technical enough?" And those kinds of questions started to pop up as it became more accessible to people who weren't just white men. And I think that's just a trend in the tech industry, unfortunately, where it's people gatekeeping legitimate skills.
CF I was going to say in the article, they were talking about some of the really advanced things they did with Tumblr through HTML and CSS. And one of the people they interviewed, she and her sister got started with a business selling WordPress templates, all starting from customizing their Tumblr page and then interacting with APIs and coding in PHP. And then eventually got to the point where they had a business, a full-fledged business, as teenagers. And that to me says a lot about how much you can do with just what to us seems like basic coding skills.
CW I think there's one other level to this, too, and you see it a lot, and that's the low-code tools or the no-code tools for creating a lot of things. And I admit there's a very deep part of me where I'm just like, "You're not writing code." But at the same time it's putting together logical blocks to make something. And I've seen so many businesses that have come up, kind of like what you said, Ceora, just in the past year even, of people who didn't know how to write a line of code but they're really good with spreadsheets and in combination with Excel and then a few other tools on top of it, they're able to make a full-on website with a signup flow and with sales. So you could argue the semantics of what coding is and stuff, but it's all just building things for the betterment of you, of the world, of whatever you're trying to solve, and let people enjoy things.
BP Yeah. Build how you want with software and let the product and its success speak for itself.
BP Alright, well let's each, if we can, give a recommendation. I'll tell a funny little story. It's my children's winter break, mid-winter break, so they're off. So I live in the Hudson Valley now and I went to Catskill yesterday, which is a little town, and I found out that somebody there won the Powerball lottery and I guess their dream was to open up a gaming shop. So they opened up an amazing gaming shop where people come. There's a night for Yu-Gi-Oh, a night for Magic cards, a night for this, a night for that. And they have the huge tabletop dioramas and so I bought my kids Star Wars Legion, which is like Warhammer, but it's for little kids, not like you have to spend a million dollars and paint them all yourself.
CW You have to win the lottery to play.
BP Yeah. You have to win the lottery to play Warhammer, or be Henry Cavill. So shout out to Kirwan's Game Shop in Catskill and Star Wars Legion if you're interested in a starter approach to tabletop miniature gaming. And if y'all have something you want to recommend: music, movie, programming, independent project, a tweet you liked, whatever it is.
CF Yeah! I'll recommend something. Since we've been talking about video editing and Photoshop and stuff, I recently got Procreate on my iPad. I have no idea how to use it.
CW So good.
MK Oh, I love Procreate!
CF I don't know how to use it yet, but I'm excited because I hope that I'll be able to do something kind of semi-fancy with it. We'll see what comes up within the next couple months if I decide to finally sit down and watch like a 30 minute tutorial on how to use Procreate, but that's going to be my recommendation for today.
CW Procreate's so good. And I'm also going to recommend an iPad app, speaking of video editing and image editing. LumaFusion, it's a video editor for the iPad. They might have an iPhone app, I'm not sure. But it is really solid. I was struggling to edit this one video on my PC and I was just like, "Eh, you know what, I have an iPad. Maybe I'll try out that app that those kids were talking about on TikTok." And I was able to edit an entire video with multiple scenes and all kinds of stuff, so fast and faster than I thought it would be. And it rendered quickly and stuff. I was completely sold immediately. It was really, really easy to use. So that is my latest discovery and find.
MK Yeah, I've played around with video editing on the iPads, especially the new M1 iPads. And it's kind of depressing being like, "I spent $4,000 on a gaming PC and this tablet edits better video than that does."
CW I know, right?
MK It's insane. I'm going to shout out the general AI artist that I mentioned earlier on the podcast. I don't have his TikTok details at the moment, but I will put those in the show notes and you can go and check out that work because I thought it was really, really cool.
BP Alright, everybody. I'm going to shout out the winner of a lifeboat badge, somebody who came on Stack Overflow and helped us rescue some knowledge from the dustbin of history. Awarded yesterday to Varad Mondkar, "What does app:layout do for views in a constrained layout?" We'll find out. Also, I'll just shout out another one. Awarded February 18th to Eugene Sh., "What is this a.out file and what makes it disappear?" Alright, we have the answers for you and find them in the show notes. I am Ben Popper. I am the Director of Content here at Stack Overflow. You can always find me on Twitter @BenPopper, email us email@example.com with questions and suggestions. And if you like the show, leave us a rating and a review. It really helps.
CW I am Cassidy Williams, Head of Developer Experience and Education at Remote. You can find me @Cassidoo on most things.
CF I'm Ceora Ford. I'm a Developer Advocate at ApolloGraphQL. You can find me on Twitter. My username there is @Ceeoreo_.
MK And I'm Matt Kiernander. I'm a Technical Advocate here at Stack Overflow. You can find me online on Twitter or YouTube at @MattKander.
BP Awesome. Alright, everybody. Thank you for listening. Bye.
[outro music plays]