Security by intention - how to improve your security culture through small steps

We're still buzzing after the excitement of last week's Capture the Flag event with Vertical Structure, so we've shoehorned a wider security lens to this week's links.

Security by Caring

Your wellbeing has a significant effect on the quality of your work. Tiredness, fatigue and stress lead to messy code, errors and security vulnerabilities. Lack of care for others can result in a lack of care for the work. And that attitude is contagious: “If they don’t care, why should I?”

As Vadim Kravcenko reiterates in a brave and honest article:

...our greatest asset isn't the code we write. It’s us, alive, and living the life.

Coping with change, uncertainty and ever-changing priorities can make the integration of work and life difficult. Building an environment that is attentive, proactive and honest in its culture of care is key – words we also use when discussing security.

Maintaining that environment isn’t easy. John Willis uses Deming's principles to highlight how a DevOps culture with an appreciation for vulnerability can

Foster work environments that mitigate burnout risks and enhance productivity and well-being

But my favourite bit of this was where it says we should “Drive Out Fear”. As Simon from Vertical Structure said last week, to have a culture of security, we should not be afraid to reveal our mistakes or to point out things that are wrong.

Security by Sharing

Wes Kao’s article on managing up has security lessons for us: anticipation, flagging potential issues and sharing whole thought processes are key skills we need for a secure attitude. The success of the business you work for is the whole team's responsibility, and Wes has simple steps we can take to grow a productive, and secure, organisation.

One of the best ways to continually expand trust is to demonstrate consistent, reliable follow through and communication

Your code is read by people more often than it is compiled. So write code for human consumption and correction. Nicole Tietz fights the “It's not me, it's you” blame culture that we’ve already talked about changing. Achieving understandability, Nicole concludes, needs a gradual, or incremental, approach.

The incremental approach is echoed by Nik Silver, who encourages us to take:

Smaller steps… and every step needs to deliver something we could use.

With smaller steps, we test more frequently, take confidence in each step and get faster (and shorter) feedback loops that give surety in a safe, working product.

Security by Intention

How are you incrementally better than what is around you? John Cutler tells us to stop chasing unicorns and instead to make small, positive changes, becoming better than those around us: don’t obsess over the biggest and loudest voices out there. Nothing stops us looking at what we and our competition do, so use these to become better, more focussed and stronger (therefore more secure!).

Something mightn’t fit or work for us right now, or we failed to understand or appreciate it at the time. That doesn’t mean we avoid it forever – exploration and deliberation with intent could change our insight, especially as projects evolve. An openness to reflection and change (such as Paul Butler’s confession in his Hater’s Guide to Kubernetes) will allow discussions and potential change for the better, keeping sense and safety at the forefront.

Three Quick Links

  1. Make a simple concept that has become complicated by its implementation easy for users again with UX for UUIDs

  2. Find JavaScript's fetch API cumbersome to read or understand? Wrap around with Wretch

  3. Do you put padding between you and CSS and wonder why it isn’t a margin? Here’s a fundamental guide to the box model and sizing.

See you later?

It already happened, but it’s worth listening about Webwyrm in last week’s Cyber Tuesday podcast from Vertical Structure where Chris, our Head of Engineering, made a guest appearance.

The next BelfAWSt User Group will have the amazing Heitor Lessa from AWS. Spaces for 14th May are going fast, so click attend soon!

A bit further ahead, we’re sponsoring the epic ServerlessDays Belfast again this year for 23rd May 2024, and it’s shaping up to be another amazing one - check it out and book now to avoid missing out.

Finally, some attendees of the Capture the Flag day were asking about our Security by Design course, so it seems appropriate to share a link to it.

Article By
Andrew Paul

Software Engineering Trainer