We were already doing that and it still complains:

I think view options may be different from compile options? We tried setting the base dir in view options like this:

and it still complained it didn't have basedir.

Only when you set the basedir on the options object you feed to jade.compile(str, options) does it work.

Edit: on a lark I tried setting compile options - .set('compile options', { basedir: process.cwd() + '/components' }) no workie

Hoping one of you has experience with java profiling.

I want to run an app, and then see a detailed breakdown of time spent by each method, with the ability to drill down. Basically info I could get by hand by putting "System.nanoTime()" calls at the beginning and end of each method and then a lot of manual arithmetic, but done automatically.

I've spent some time searching, but it's a subject that is oddly hard to find practical examples and information on. "visualvm" seems to be the go to recommendation, but I can't figure out how to apply it to my use case: it seems intended for monitoring running applications, as opposed to running an quick application and then viewing results.

Any advice greatly appreciated!

No Java expert but couldn't you call the methods you want to measure in an infinite loop that will break upon an external event then divide the total time by the number of iterations in calling the method you are measuring. Just off the top of my head

adios, the point is there are tools that automatically do all this for you. i don't want to hack something together using instrumentation.

Hmm I'm not sure. I've been using relative paths with jade for a long time tho when it came to extending.

Example:
extends ../layout

I never had a problem. I just set the view engine to jade and pointed it to my folder containing my template files.

Since you mentioned Express I assume we're talking server side here right? I actually never used jade on the client.

Edit:
The error you're getting seems to be related to using absolute paths only. Relative paths have been in forever and work. I'm not sure then, I never used absolute paths and I'm not using that version of jade that supports it yet. Have you tried Google, opening a ticket on github or asking tj on IRC?

Yes tons of googling. According to github it works, but yeah I can try a ticket. All the examples they show for jade.compile assumes you're generating the HTML to some variable then doing something with it. None of them seem to use your assume you're using the standard express res.render().

Didn't know about irc. I figured I'd try here since there are a bunch of node whizes

Absolute paths make life a lot easier when you have a shared folder but may want to refactor some component into sub-components as it grows (move them down a folder). Also in shared partials that might get called from different contexts but need to reference or extend from another shared template. It's nice to have the option of relative or absolute.

So if you're paying $50-100k for a pen testing firm, and you get them for a month or whatever, and have their best guys looking at your product... you're still paying a ton, not necessarily getting any results, and not getting ongoing testing.

If you have say 1000+ professional hackers attempting to hack your dummy server at all times, only costing you money IF they find something (so your secure site may get continuous testing for $0)... you're getting protected way way more effectively than a pen testing firm, and for way less.

Someone brought up the questions of liability and stuff... we're paying a lot of money to lawyers, and only bringing on a certain group of people. If you want an anonymous site, scrub off your logos/sensitive info and just layout your framework on an anonymous test server, no problem. Only want testers from the US? That'll be fine.

To distill what your saying into a sentence: It's much, much more affordable.

Most startups can't afford to spend money on a firm that does professional security checks.

It's an interesting idea and have been thinking about it for a day or two.

The crowd are probably going to be largely untrusted/anonymous if I understand it correctly. This means that if one of them stumbles across a gap in the security which is lucrative, it would be hard to count on them to properly report it. The incentive for exploiting it could be greater than the incentive for reporting it, and they would not be ethically bound to an employer. You could argue that they could do it anyway without being a tester, but I think there might be a lot more temptation for someone who just happens to stumble across it at the time who probably wouldn't be motivated to find problems in site security otherwise.

Also are these crowds going to be attacking live servers? Or mirrors? If a mirror, will it have a copy of the live data? If it's live data, wont potentially innocent parties possibly have their private data exposed to unknown people? If it's not live data, will the test lose its effectiveness? Will your customers be allowed to put their live site up for testing? If so, do you think this could cause PR/legal problems in the future?

I think a good way to combat this would be to give companies the option to share with only vetted security analysts. So I could make my post but limit those who can see it to US-based people with a driver's license or passport on file with Nchabazam's company. This would leave an audit trail that would probably scare most people off from taking advantage of a security hole. As the company gets some traction, you could have ebay-style ratings system for security reviewers, and you could further limit your post to only those who have successfully reviewed X other sites and gotten good reviews, etc. Nchabazam's company could charge premium fees for requesting this kind of restriction.

Being able to hire 'highly rated crowds' of people is a good idea I think.

Uploading drivers licenses etc could work, but that's a huge amount of friction. Do the numbers work well enough to overcome this? How much will be charged to the websites, and how much can each agent in the crowd expect to earn?

Thinking about it, I don't think it would be possible to reward every participating agent in the crowd for every job they attempt (and fail at). It could be gamed too easily (multiple accounts, not actually doing any work).

Those are good points. I think monetary rewards would be on a performance only basis. Companies could pre-list what they'd pay for discovery of different types of vulnerabilities. If you can demonstrate that you can steal a random site user's credit card, we will pay you $2000, etc.

And this could be supplemented with a reputation and thank you based system as well. As SO has demonstrated, lots of people are willing to spend time tackling technical problems for nothing more than nerd street cred.

Getting all this stuff right is not easy and takes time, but the concept is viable imo.

So google currently has the same bounty program we're going to have, with leaderboards and whatnot. We're basically taking that idea. Gameifying it up with points for being active/finding vulnerabilities is going to be a big component. People love internet karma, and stackoverflow is a great example.

And at a minimum of $500/vulnerability, we think people are going to be very excited to try to find stuff.

We'll cultivate a group of verified/prosecutable researchers if people are afraid of legal concerns. It might come at a premium, but it would allay some concerns.

Gaming this system is going to be hard to deal with. A disgruntled web dev might purposefully leave exploits in code so by proxy they can earn the bounty (if it's done intelligently enough as well they wouldn't be blamed either). This sort of exploit will be a limiter on the size of the bounty, if it's too large this becomes a threat especially if the company repeatedly utilises this service. This would mean that any company who gives the service repeat business could actually exposing themselves to more risk than they are trying to mitigate.

I think it's all going to be very difficult to balance, but plausible. I think there's a segment of the market who would benefit from this service but I don't think it's going to be suitable for everyone. If it gets released it's going to be very interesting to see how it runs. I think getting the numbers to work is going to be pretty difficult. My main concern is still with live data being exposed, could potentially be a PR nightmare for the company using the service.

Actual money >>>>>>>>> "gameification" imo.

Our company recently rolled out this stupid F12 initiative that supposed to teach us to learn from our failures or something. I guess they thought they could get us all into it using gameification. Like a bunch of seasoned computer professionals are going to be motivated by a free cheeseburger.

I knew it was going to be a dog when they spent a good 2 to 3 hours pumping it up without telling us what it actually was. I was insulted by the whole thing. We are ****ing professionals, just tell us what you want us to do and we'll do it.

One part of the game you could earn points at was bugging other people to play the game. That was great. Part of me wonders if this wasn't just a test to find out the people who don't actually have anything to do.

Also I thought it was pretty ironic that this whole 'don't be afraid to fail' thing was being pushed by the same bean counters don't have a clue what we actually do, but instead tie our bonus to shallow metrics like number of bugs per man-hour, and whether our project goes into the red or not. (Well supposedly that goes into our bonus, but it never actually does. It's still stressful when they talk about it that way though.)

I think gameification is going to be a quick passing fad in most areas - where companies are hoping to use it as a magic bullet to get users into stuff without actually giving them real incentives. People know when they're being played.

This is certainly different than my first impression. This isn't the first company that tried this. There are a few well-known QA companies that do UI + security testing like this. I think the vetting process, ie, who's allowed in and who is not, is going to be very difficult to execute. I'm guessing there is a security professional in the company who can ensure standards.

The part that I am grappling with is trying to figure out who the customer is supposed to be. I know mom-and-pop isn't concerned. One would think the other target is Big Co, but I disagree with this. Those people that run the security sections probably aren't guys and gals who took a cryptology course in college then got the job. They likely already worked at some security firm, gained the experience, then perhaps got some cert. The crux is that these security professionals gained their experience from someone and that someone is more likely to gain the contract. This should be common sense, favors are favors and there is nothing precisely wrong with this.

For extra reference, this:

How to Get Your CISSP Certification
--> Candidates must have a minimum of five (5) years of direct full-time professional security work experience (etc)

&
--> An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member, and who is able to attest to your professional experience.

***

Obviously, I don't know how many connections the company has. As someone pointed out, many startups may not have the 6-fig resources to pay for a full-out pen-tests, but then the question becomes, after vetting, how much can these hackers really earn being freelancers and how will you maintain high quality after accounting for attrition? Surely, once someone is able to spike a few wins, he or she will realize they can earn more doing this for a company.

As I said above, other companies do this sort of work. I had applied to a QA company for UI once, and the frustration was that after I had submitted a bug report, I would not get credit because someone else had already discovered the bug. After this happened about 4 times, I decided I wouldn't want my pay to be dependent on uniqueness so I didn't bother finishing the application.

I don't want to give the impression that I think this is a bad idea because I really don't know. I think it is an interesting perspective. I do agree with suzzer that gameification probably won't be a viable plan unless there is some incentive tied to it, but I don't know, really.

This would probably have to be done. Google and FB actually does have some of the best programmers in the world, which by definition means most other companies don't. In the case of FB and Google, the challenge is really a challenge, as in, "come and get, but good luck," whereas this is more like "we used [x] and lets see how bad it is." You would have to do some background check or something because you really don't want to give god-knows-who free targets. Using a sandbox isn't worth anything because the codebase is the codebase: if they can break the sandbox, then they can break the site just as well.

I mean we're going to payout money to the top people each month, etc... It's not just for pride, it's for real money. We want to encourage people who didn't find vulnerabilities to still help out with what they tried, why they tried it etc... and if you could make say an extra $1000 because of it, you'll probably want to try.

Also, people love google's leaderboard and take a lot of pride in it. Our basis is real money first, but there is a little bit of gameification to make it fun.

dave, the target customers would be small to medium sized startups trying not burn though their money. or any small to medium sized business without a huge tech budget.

I mean you're going to have to setup a test server for this, scrub some data, and point people to it. If having data exposed is a huge issue, you're taking that chance either way. If we can't control the concept of trusted researchers (i.e. you can choose to only use US based, prosecutable researchers), then we'll have trouble with this part. But we have a lot of legal going into this.

We're a start up, so who knows how this will work out. I'll keep people posted when we get some real feedback.

Good luck with it, looking forward to seeing it when it's done!

Def. keep us posted. Should be interesting to see the pivots and all. In regards to the points thing, the way that this other company I am talking about did it was that after finding x bugs of y quality, the testers would receive higher ranks, which came along with access to more interesting assignments and higher pay. Not sure how the idea panned out.

Speaking of which, how is Scirra running these days and what of the competition that's been popping up lately?

+1

Scirra is going very well thanks Tried to make our first hire and did some interviews, but just waiting for the right person, takes time. Currently both feeling a little overwhelmed with work so we do need more people now.

We've now done 550,000 downloads of Construct 2 over 2 years of our existence which is a good milestone as well! Last month was our best month ever, was totally unexpected and wonderful lol. Our minority investor is very happy. Got a potentially big deal in the works as well which will give us a huge amount of distribution, just working hard at the moment to prepare for this if it happens.

Current "make a game for Win 8" competition is being run in conjunction with Microsoft, they are good to us and very supportive. They do lots of seminars and teaching Construct 2 around the world which is great and provide us with some great prizes ($6k worth in our latest comp).

In the process of upgrading to a much bigger server at the moment, we currently do ~400k visits and 2m page views a month and our server is struggling. I can't stand moving servers, probably mainly my own fault but it's always quite a painful experience.

Well there's also the real incentive that earning kudos by hacking into systems can lead to real paydays down the road. So there is real incentive there over and above the prize money.

I just wanted to rant about gamefication for the sake of gamefication.