Writings about software: development and security | beny23.github.io
Once again, I’m sat at Schiphol Airport typing up my thoughts about a few days of refreshing Dutch DevOps Goodness! Ok, I admit one or five alcoholic beverages might have been involved too. This was my first DevOpsDays and it did not disappoint. My day started at 3am to catch a flight at 6am, but because I was still awake at 1:30 and had decided sleep is for wimps, I arrived a little bit wired.
When I stumbled across a post that an encryption library offers a potential backdoor to SSH connectivity on Good Friday, my first thought was: why is it always on a Friday that these things drop? And then my second one: oh bugger, here goes my weekend. Now, I won’t go into the technical details, there are many, many, many, many better resources out there, but I can’t help thinking that this would/should force the software industry to think.
I was really positively and pleasantly surprised when I found out what HMRC Digital’s mission statement was. Normally, I am not a fan of mission statements. They usually read like this: Our mission is focused on six core aspirations the company continually strives to achieve… Or some such drivel. Verbal gymnastics to make a company sound like everything to everyone - without being offensive to anyone - which then gets used to “align” people on mandated fun days.
As I stare at my laptop after an intense few days at 44CON, I reflect on the experience. I went through a lot of different emotions. Excitement, trepidation, relief, bewilderment, pride, disappointment and hope had accompanied my visit to London to 44CON. We had an OSINT Capture The Flag competition happen right next to a round-table discussion on how the government should secure the country. Looking from outside in, a rallying cry of “Hack the Planet” (if you want to feel old, it turned ...
“Outdated tech stack and metaphorical gaffer tape holding together the code” - sound familiar? How about “We can’t recruit, because nobody wants to touch this legacy stuff”? Yet banks and governments would stop working if mainframes were switched off. Instead of outsourcing to the lowest bidder, maintenance is a job for experienced engineers. Not “the short straw”, brown field development can be more exciting than a feature factory. After all, the shiny code written today is the...
From a security point of view, application logs are two-sided. On the one hand, it is really important to have good observability, to find out what is happening and what has happened. On the other hand, we don’t want to leak sensitive information. In this post I am going to look at the kinds of things you might find in your logs. The juicy bits are Personal Identifying Information (PII) or security credentials.
In this post, I am going to look at an increasingly important part of securing applications: your supply chain. This includes every library, tool or service that you are using to build, run and monitor your service. When the log4shell vulnerability hit, it wasn’t just a matter of looking at the dependencies that your source code pulls in, but also at the infrastructure you’re using and the build pipeline. Have you had a look at the vulnerability reports of your dependencies lately?
This post peels back the covers on what it is like to work with a large digital platform. The platform in question is MDTP - Multichannel Digital Tax Platform, which supports a UK-based tax collection agency which is using a hyperscale cloud provider with a sideline in books. I’ve previously described what it is like to work in MDTP (Making Software. Quickly) during the Covid-19 responses that allowed the UK government to provide financial support for millions turning around projects in rec...
This post describes how I developed the Discount Dining Finder, a lookup map tool for the Eat Out to Help Out scheme, in my spare time. I currently work with Equal Experts and HMRC. The aim of this writing is to provide an insight into how problems of scaling services can be solved by having no servers and not using “serverless services” either. Aperitif A really nice side effect in working in a high functioning environment is that sometimes you’re involved in bouncing ideas off each other.