A couple of weeks ago I had the fortune to speak at CodeCraftCon in Glasgow, UK. How very fortunate as the venue was only 15 mins away from where I live! But this was not the only reason why the event was such a success. The conference was great, the location fantastic, the food extremely tasty and the overall outcome exceeded people's expectations. I greatly applaud and support events like this which can benefit the local developer community. CodeCraftCon was the first event I attended that the format was wildly different to what most of us are used to when attending technical conferences.
The whole day was designed around guided conversations and a couple of workshops. The guided conversations were the new element in this conference. This format made things a lot more interesting and got everyone involved. The speakers are there to merely "guide" the session using a predefined set of questions. Each question is allocated a 5 minute slice, which is enough time to get most of the attendees in the group involved. Each group consists of about 20 attendees all sitting in a circle.
Obviously this type of session has it's limitation and can't be used for every subject. For example, a technical talk that heavily relies on demos doesn't fit the guided conversation format. Things like TDD, architecture design etc that touch on the theoretical aspect of software development are much better suited.
Can we really call this a talk? The delegates did most of the talking and it was very interesting to guide such an intelligent group of people through my subject: **"Security in Software Development". The main goals of my session were:
- get everyone up to speed with the state of security in software development
- identify roles and responsibilities in the overall development process - highlight some of the most common security threats
- discuss mitigation techniques
Application security is a vast subject that cannot be covered in 45 minutes. However, getting a 30,000 feet view of the state of security, common threats and basic mitigation solutions is feasible. The questions I chose to present to the group are attached below for reference:
- What is security in software development?
- Why is it important to create secure applications?
2.1 Who's impacted by bad security?
- In which scenarios should security be taken into consideration (type of service, application etc)?
- In your technology stack, are you aware of the tools you can use to improve the security of your applications?
- Is software alone enough to guarantee that your applications are secure?
5.1 What about hardware (server, mobile devices etc)
- Who is responsible for application security (Developers, DevOps, Client)?
- Account management is one of the biggest problems. What are some of the known mechanisms for securing user identities (encryption, hashing, password management workflow etc)?
- What are the implication of having your online identity compromised (e.g losing your facebook/twitter account to hackers)?
- Should developers rely on custom identity management implementations or should we encourage the adoption of 3rd party providers such as (oAuth, Azure AD, social media logins etc)?
9.1 Can you think of any risks with either approach?
- Should we throw away username and password authentication in favour of biometrics?
10.1 Can you think of any risks?
- What if your biometric information got compromised?
- Do you believe that all the security features and measures we discussed so far are adequate enough to mitigate against social engineering attacks?
- Various questions raised during the conversation.
The questions above were only a guide and the group was very keen in sharing its knowledge and ideas around security. In many cases the delegates come up with their own interesting questions. The 45 minutes went by really quickly with everyone passionate to discuss about security and recent hacks such as the one against Ashley Madison, Sony and Target. The discussion touched also on the subsequent impact of these incidents and how they've affected businesses and individuals alike around the world. Although we only scratched the surface, it was great to hear all the different perspectives around the subject. For many companies, security has often been considered a second-class citizen while the primary focus was on launching a product or a service. It's our responsibility as developers to change this and it was encouraging to see that the group shared the same feeling.
I really enjoyed CodeCraftCon and I look forward to coming back in 2016. While I originally had my doubts about the use of guided conversations, I'm now a strong supporter of the new format and I would encourage wider adoption where applicable. Both speakers and delegates can benefit by actively participating in conversations around carefully curated and thought-provoking subjects.
Finally, I would encourage you to have a go at the questions above and see if you can answer them with confidence. How security-aware are you? Do you write code with security at the center of your development process?