Calming the turbulence in the winds of cybersecurity-related threats
13 June 2024
Another fortnight, another turbulence of data breaches and digital security disappointments… should this frequent display be the accepted norm?
The scares
An ever more frequent feature of the news is data breaches and digital security disappointments, whether it is public hospital procedures being cancelled, private ticket information leaking, or Reddit rumours raising concerns about what is being hidden. We should be driven: to be better; to ask the questions of why and how; to hold each other accountable; to be secure by design and impenetrable by proof. Nathan Gardels challenges the old “move fast and break things” motto that echoed around Silicon Valley:
“getting governance right by moving deliberatively and fixing things is the first order of business if we are to escape the fate that befell a disrupted world in the last century”
To help us understand and implement better security solutions, tools and guides are becoming commonplace, such as Auth0 talking about how to secure your browser storage. But beware of your tools! Sometimes the most innocent plugins can have surprisingly devastating effects, as this ongoing research into millions of VS Code extensions shows us.
The ethics
It is not enough for us to just produce protected systems; we must also give people better ownership and control of their own data. Especially given the potential (bad) power of AI, how do we anticipate that and protect accordingly?
Thinking of the UK, the 2022-2025 digital future roadmap highlights how digital transformation is to take place, embracing digital twins, consolidating user accounts and so on, but guidance on Data Ownership in Government notes that the “government does not have a consistent framework around data ownership”, so how do we work to address these concerns?
Maybe we could reinvent the internet. Decentralisation has been suggested by a few, such as the ICP Hub, who see Dfinity developing a new protocol (ICP) to utilise nodes across an independent network, allowing better security and scalability. Combine this newer concept with an older one like Alpha Browser and such a decentralised network could still be used to identify an owner’s unique data and protect (or fairly attribute) the data that is out there.
Even Farrell and Berjon suggest, in a metaphor drawing on nature and the industrial revolutions, that we could consider re-wilding the internet: prioritising user autonomy over corporate interests and giving back control over privacy and data/digital interactions.
The critiques
Don’t forget the basics. KISS: keep it simple, stupid. But be wary. Remembering the VS Code extensions pain alongside what Jim Nielsen notes in his “Just” one-line article, short-term simple can cause long-term pain, so keep it smart as well as simple.
And maybe simplicity changes! Matt Bessey paints a picture of adopting GraphQL as “an incredible piece of technology”, and then is willing to acknowledge the problems and instead advocate change. Our workloads feel like they grow exponentially with change, but sometimes we spend more time and energy firefighting problems than we would have if we had changed. And patches mean leaks, which means…
Plus, patchiness doesn’t look good! Do we make an effort to polish our code (and designs), rather than doing it as an afterthought? Matthew Strom details how polishing should be intentional and necessary, but a delicate balance so as not to kill innovation or creativity.
Or maybe process can help. Our own Adam Dickey has been looking at how product discovery could be enhanced by leveraging Kanban: continuous delivery, better visualisation and optimised efficiency could help you produce a product that is more complete, correct and secure by its design.
See you later?
Serverless Days 2024 recordings are now available. Here’s Matthew Wilson’s talk, definitely worth a watch.
JetBrains Academy on 18th June: Andrew is presenting on Finding an Authentic Voice in Young Professional.
A bit further ahead, AWS Community Day BelfAWST in September is also calling for speakers.
As always, we have a veritable smorgasbord of security training for engineering teams!
Until next time
Article By
Andrew Paul
Software Engineering Trainer