At Clever we move a lot of data, both from school districts into Clever and from Clever into all the external places that school districts want that data shared. Broadly, we call this behavior “syncing”, and various sync flavors show up across Clever. Let’s talk about two ways to perform data syncs by using an […] The post Everything but…
Clever
https://engineering.clever.com/ · 38 posts · history since 2014 · active
7 Aug 2024
29 Nov 2023
A tool for Identity Federation: Security Assertion Markup Language, or SAML, is an open standard for exchanging authentication and authorization data between two parties. It’s a common strategy for single sign-on (SSO), allowing users to sign in once and authenticate with multiple third party applications. Similar to OAuth2.0, SAML promotes data security by preventing direct […] The post SAML Protocol…
18 Jul 2023
Adding AuthN to OAuth2.0: OpenID Connect (OIDC) is an authentication protocol that sits on top of the OAuth2.0 protocol. It provides a standardized way for clients to authenticate users and obtain information about their identity. In simple terms, OpenID Connect allows users to log in to different applications using a single set of credentials. It […] The post OpenID Connect…
23 May 2023
A primer on delegated access: OAuth, short for “open authorization”, is a widely used protocol that allows users to grant third-party websites or applications access to their personal information on other websites. It provides a mechanism for secure access delegation across the internet. History Class: Prior to the creation of OAuth, sharing of information with […] The post What is…
22 Mar 2023
Demystifying authentication and authorization: When you hear the term Auth, what comes to mind? You probably think of signing into a system with your username and password, and you’re half right. But auth is bigger than that. The bucket term also includes everything you can do in a system once you submit those credentials. Auth […] The post AuthN vs…
11 Oct 2022
Designing and engineering a messaging system that is used by 6.8 million students and half a million teachers in K-12 schools is no easy feat. While the typical threats against online systems from unauthorized and unauthenticated access to sensitive information remain, the school environment compounds privacy challenges as additional entities such as guardians, co-teachers, and […] The post Privacy and…
23 Sept 2022
What’s it like to be an engineer at Clever? What does success look like for individuals and teams? From engineers with non-traditional backgrounds to engineers with Computer Science degrees, four engineers share their perspectives about their experiences, typical days, and growth while working at Clever. The post Interviewing at Clever: Answers to the 10 most common questions appeared first on…
25 Apr 2022
During my final search for an internship, I had an idea of where I wanted to work: a place with a friendly culture and strong engineering practices – something in between a startup and a big company. To my luck, I interned at Clever – an organization that surpassed those expectations in the span of […] The post Working at…
10 Aug 2021
Why multi-region sessions? Each year leading up to Back to School (our busiest season), Clever’s engineering team invests in our highest traffic systems to make sure we can handle user growth and new traffic patterns. During 2020–2021, SAML auth at Clever grew from <10% of our login related traffic to about 40% of our traffic! For this […] The post…
12 Jul 2021
Emily Hou talks about her transition from an individual contributor to an engineering manager at Clever. The post Lessons learned: My first year transitioning from an engineer to a manager appeared first on Clever Engineering Blog.
9 Jun 2021
Context: At Clever, we rely on nearly two thousand infrastructure secrets like DB access keys, API tokens, and session secret keys to provide our services to students and teachers. Properly securing these secrets so we don’t expose them in our various environments requires thorough engineering efforts. In fact, securing secrets is generally a hard problem […] The post How Clever…
27 Apr 2021
Listen to an interview in which our CTO and architect discuss how we chose a new computer language. The post Choosing Golang for Clever appeared first on Clever Engineering Blog.
16 Oct 2019
When building systems for new products, there’s a delicate balance between writing code that works and writing code that lasts. A common anti-pattern is preemptively optimizing systems for the future while still trying to find product market fit. For new product teams, this can be a costly mistake as it leads to a slower iterative […] The post Evolving Systems…
12 Sept 2019
Five women on Clever’s engineering team discuss what inclusivity looks like at Clever, how to grow and maintain female leadership at a tech company, and the challenges they are excited to tackle within their roles. The engineering team is passionate about improving education and solving hard problems. One problem the Clever team is constantly solving […] The post How Clever…
24 Jul 2019
At Clever, we lock down code access to customer data using AWS IAM roles with session policies. In Clever’s microservice AWS architecture, each service has a unique IAM role with access to the AWS resources it needs: S3 buckets, DynamoDB tables, and so on. Our services are multi-tenant and customer data is separated via logical […] The post Using IAM…
12 Oct 2018
Everyone in the US is now back in school, and we’ve been feeling the rush of excitement here at Clever over the last few weeks. On a typical day at Clever this school year, we regularly hit more than 1,000 logins per second! As we’ve chronicled over the last few months (July, May), the […] The post Clever SSO…
8 Aug 2018
Over the last few months, we’ve been readying Clever SSO for our biggest year ever. We want students across the country logging in quickly and reliably to all of their learning applications. A couple of months ago, we described our initial stress testing approach. In this post, we want to tell you more about this […] The post Clever SSO…
24 Jul 2018
Clever Goals is a new product that tracks students’ educational software usage. It creates progress data, a new type of data for Clever. This sensitive data needs to be protected from unauthorized access, and users should feel in control over how it’s used. How does the Clever security team make sure that new products like […] The post Securing New…
16 May 2018
Two months ago, we experienced the worst outage in the history of Clever SSO. We wrote up a postmortem soon afterwards. We mentioned at the time that this postmortem was the beginning of our process to reevaluate everything we do to make sure we can be worthy of the trust you place in us. We […] The post Clever Reliability…
19 Apr 2018
For data engineers and analysts, it’s pretty common to get questions about missing or incorrect data. “Hey Data Engineer, there’s an issue with the data – I expect numbers at least 20% higher than what our reporting tools show. Can you take a look?” If you’ve ever been responsible for a Business Intelligence pipeline, you’ve […] The post Save sanity…
28 Mar 2018
This story begins someplace familiar to many startups: our monolithic API had become unwieldy, and we wanted to transition towards a microservice architecture. And, like other young, scrappy startups, we couldn’t afford to freeze development while we re-architected the entire system. So, instead, each time we wrote a feature we carved off the related chunk […] The post Wag: A…
16 Mar 2018
On Tuesday, Wednesday, and Thursday, March 6th-8th, 2018, Clever logins failed for all customers: 1h on Tuesday, 1h15 on Wednesday, and almost 5h on Thursday. This was Clever’s single worst outage ever in length, repeatedness, and impact. This postmortem is the first of many public steps we’ll be taking to ensure Clever is a service […] The post Postmortem on…
28 Feb 2018
Over the past month, Clever worked with CERT to address a vulnerability in our open-source SAML2 library. Clever maintains an open source library implementing the SAML protocol in Node.js known as saml2-js. We use this library internally in our SAML service provider functionality for schools using Clever SSO and the Clever Portal. It is used […] The post saml2-js and…
6 Feb 2018
At Clever, one of our tenets is “Always a Student”, and in that spirit of learning we wanted to share the changes we made to fix memory allocation issues in AWS Elastic Container Service related to swappiness. Swappiness is a Linux Kernel setting that specifies how likely it is for a page in memory to be […] The post Swappiness…
11 Dec 2017
tl;dr: Try out microplane! It’s a CLI tool to make changes across many repos. The Problem: At Clever, we’ve embraced microservices. They promote modularity, which leads to simpler code bases and lets our engineers move quickly and independently. They are easier to deploy, which helps us build towards incremental, frequent deploys and continuous delivery. In […] The post Mo Repos,…
6 Sept 2017
At Clever, we chose early on to deliberately define the key principles we wanted our culture to reflect. These tenets are a part of day-to-day vocabulary, and we think they make us a stronger team. About a year ago, we asked ourselves: how do these tenets apply to our engineering team? Are there aspects of […] The post Defining Clever’s…
27 Jul 2017
Clever Instant Login makes it easy for students to log in to their learning applications, saving valuable instructional time. By using the widely-deployed OAuth 2 protocol, our team tries to save valuable development time and make it easy for our app customers to create integrations. OAuth 2 has been a fairly smooth road, but we […] The post Clever Instant…
15 Mar 2017
Since June 2012, Clever has only had one version of our API: v1.1. We’re now ready to introduce v1.2! In this post, we’ll talk about what the new version means for our customers. Why API versioning? Very few, if any, non-Clever developers saw API v1.0. Early beta versions had this designation, but as we finalized […] The post Moving from…
10 Jan 2017
The password is both a ubiquitous and brittle security mechanism. With the emergence of new security trends like post-quantum cryptography and IoT-botnet attacks, it’s easy to overlook attacks that exploit guessable, reused, or coerced passwords. But the wherewithal among users to use strong passwords and keep them safe is rare. Despite decades of practice, managing […] The post Securing Saved-password…
12 May 2016
Clever Badges makes it easy for K-2 students to log into applications. As with any new feature, we wanted to understand and address any potential security risks before we launched Clever Badges to our users. If we built Clever Badges without thinking deeply about security, it would have been easy to introduce a vulnerability and […] The post Clever Badges…
17 Apr 2015
A few months ago Clever had the opportunity to give a talk to the GoSF Meetup group (the “largest Go meetup group in the world”!). Mohit and Alex discussed their experience creating Sphinx (our rate limiting service) and the usefulness of Go’s interfaces in doing so. Here are the slides: There are a few reasons […] The post Using Go’s…
8 Apr 2015
Sometimes it’s obvious what code has to change, but it’s painfully hard to prove you’ve fixed it. When’s the last time a conceptually simple fix took you hours longer than planned, because you could not get the project running locally to verify your change worked? I just want to change a little CSS on […] The post Aviator: locally…
18 Mar 2015
Student Data privacy and security are our foremost responsibilities here at Clever. We invest heavily to ensure that we are improving privacy for schools, students, and teachers, and we make sure that everyone at Clever is constantly working towards this goal. About five months ago, we were made aware of aspects of our privacy policy […] The post Open Sourcing…
10 Dec 2014
Back To School is the busiest time for any education company. Students, teachers, schools, software companies, and the rest of the education world are all gearing up for a new school year. Unfortunately, during the most critical time of the year, Clever’s infrastructure was throwing a fit. At the time, Clever was adding over a […] The post When your…
29 Sept 2014
CVE-2014-6271 and CVE-2014-7169, also known as “Shellshock”, are high-impact vulnerabilities affecting the Bourne Again Shell (BASH). The vulnerability allows an attacker to trick Bash into running arbitrary commands, which could result in unauthorized disclosure of information, unauthorized modification and disruption of service. Because this is such a big threat, and because at Clever we take security […] The post…
29 Jul 2014
As JavaScript has matured as a language, the module has become the primary unit of code organization. However, as with many facets of JS, modules grew organically from the developer ecosystem (as opposed to being designed as part of the language from the beginning), so they have their flaws – one being that you can […] The post Testing Private…
18 Jun 2014
At Clever we help 1 in 6 schools in the country sync data on an hourly basis from their student information systems (SISes) to the ed tech apps that their teachers and students use. These 20,000 schools sync about 50 GB of data in aggregate – that’s over a terabyte of data per day. While […] The post The Best…
6 Jun 2014
At Clever we’re building a way for students and teachers to start using learning applications with a click of a button. This is incredibly difficult to do in a school environment, because existing infrastructure is typically incompatible with a world where students use software on the internet. The backbone of the infrastructure at most schools […] The post Engineering at…