    • Do you have an individual that gets assigned a security role and takes on the perspective of analyzing architecture early on? Gets involved in story planning/requirements building? Do you have someone that is dedicated to security that does this?

      Great questions!

      I think it's really important for security to be everyone's job. And I don't just mean every engineer; I mean every single person at a company from the CEO to the housekeeping staff.

      Some people are experts, and they can have a large sphere of influence. Other people aren't experts, and their sphere of influence will be smaller. But everyone should think about the security and privacy implications of the work they do, whether that work is managing infrastructure, writing code, reading emails, answering phone calls, or cleaning the office.

      In terms of engineering specifically, I think one of the most valuable things each engineer can do is think about how to break stuff.

      Security is fundamentally about information: who can see it, who can change it, and the processes through which those things happen. So when I'm planning a change or writing code or configuring infrastructure or something, I try to imagine the information that will be flowing through the features I'm planning, the code I'm writing, or the services I'm configuring. I imagine the roadblocks it'll encounter and the unexpected detours it might take. In less abstract terms: I try to think of ways to break the stuff I'm building, and then I do my best to prevent that from happening.

      Prevention may mean doing something simple like ensuring that user input gets sanitized properly, or it may mean seeking out an expert who can help me understand something more complicated that I don't fully understand yet.

    • I don't have a comprehensive answer ready (and I'm not an infosec person per se, much more a devops person who has come from the Ops and networking side initially). But all things considered, and acknowledging that creating an easily digestible InfoSec 101 customized to the realities of a particular project is an awesome onboarding tool that will help a lot, I always try and teach people that it is a matter of some very basic engineering. If you design something, be it a function or a system, you need to think - how will this break. And thinking about what sensitive stuff is in there and how a malicious actor can game your system to extract or misuse it is just an angle in that analysis.