Technical Leadership Summary #2

Another recap of a week’s worth of links, news, and discussion around technical leadership and technology; as usual, follow me on LinkedIn if you want to receive a notification when I share a new link.

Where I’ve been this week (last Friday, actually)

Last Friday I attended DevSecOps days in London for a good day of discussions all about “shifting left” security. The conference was organized by Mark Miller, the host of the DevSecOps podcast (recommended).

I had a good debate there on an idea I haven’t been able to put into practice yet: introducing threat modeling into the agile process. Watch Irene Michlin’s talk on Incremental Threat Modeling for the details, but the basic concept is to treat threat modeling as a non-functional requirement during sprint planning, write the use cases (abuse cases), and design tests with a tool like OWASP ZAP or Burp Suite to run at the end of the sprint. I’ve taken many notes and collected suggestions from various people on the subject; I hope to be able to write more about it soon.

None of the talks are available online yet; however, here are some of the topics/tools that were discussed:

  • Chris Swan of DXC Technology showed how to use interactive labs to educate developers about security (the Yellow Belt DevOps Dojo)
  • Simon Maple of Snyk showed how to use didactic applications like Goof to demonstrate how to hack into web applications; he also briefly talked about how code examples on Stack Overflow are always insecure (watch his colleague give the same talk)

Topics I talked about this week

Elsevier left one of its Kibana servers exposed to the Internet without authentication, and clear-text passwords were recorded in it. It reminds me of Zcall, where again ELK was left exposed. Facebook, by the way, did something similar, albeit on its internal network. As I wrote at the beginning of the week, it’s easy to ridicule these companies, but logging sensitive information in internal tools is just a small coding mistake away.
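How that "small coding mistake" looks in practice, and one logging-side guard against it, as an added example (not code from the post or from any of the companies mentioned; the sensitive field names and the sample request body are constructed):

```python
import logging
import re
# Constructed for this example: field names that must never reach a log shipper.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization"}
REDACTED = "[REDACTED]"
_KV_RE = re.compile(r"(?i)\b(password|passwd|secret|token)=([^\s&,;\"']+)")

def redact(obj):
    """Recursively replace the values of sensitive keys in dicts and lists."""
    if isinstance(obj, dict):
        return {k: (REDACTED if isinstance(k, str) and k.lower() in SENSITIVE_KEYS
                    else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

class RedactingFilter(logging.Filter):
    """Scrubs every record before any handler (file, stdout, ELK shipper) sees it."""
    def filter(self, record):
        args = record.args
        if isinstance(args, dict):            # logger.info("%(k)s", {...}) form
            args = redact(args)
        elif args:
            args = tuple(redact(a) if isinstance(a, (dict, list)) else a for a in args)
        record.args = args
        # Render once, scrub key=value patterns in free text, and consume the args so the formatter cannot re-expand originals.
        record.msg = _KV_RE.sub(r"\1=" + REDACTED, record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []          # stands in for the handler that ships to Kibana
    def emit(self, record):
        self.lines.append(self.format(record))

def login_log_lines(request_body, redacting=True):
    """Simulate a login handler's logging; returns the lines that would be shipped."""
    logger = logging.Logger("auth.safe" if redacting else "auth.raw")  # fresh, unregistered logger
    logger.setLevel(logging.INFO)
    sink = ListHandler()
    sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(sink)
    if redacting:
        logger.addFilter(RedactingFilter())
    # The "small coding mistake": dumping the whole request body on a login attempt, plus a legacy call that interpolates the credential into free text.
    logger.info("login attempt user=%s body=%s", request_body.get("user"), request_body)
    logger.info("legacy auth call password=%s", request_body.get("password"))
    return sink.lines
```

With `redacting=False` the clear-text password is in the shipped lines exactly as it was in the Elsevier case; with the filter installed it never reaches any handler.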

I’ve been browsing different labs on Katacoda and love them. The Kubernetes ones are good; at DevSecOps days I saw some security-oriented ones.

Streaming Data out of the Monolith: Building a Highly Reliable CDC Stack: I’m getting more and more into CDC (Change Data Capture) propagation as a way to build event streaming applications. It’s a simple and pragmatic way to create events out of normal database updates, and there are several tools that help with it.

6 Lessons I learned while implementing technical RFCs as a management tool: I’m trying to push RFCs as a tool to let proposals emerge from developers; they promote visible and open communication and are ideal in distributed teams.

API Gateways are going through an identity crisis was one of the most interesting articles of the week; it discusses the evolution of API Gateways in a container and serverless world.

And also: