Etsy security rule #1: Don't be a jerk to devs

Businesses should deploy bug bounty programs, phish their staff and launch intelligent attacks against their networks, Zane Lackey says. The now chief security officer of SignalSciences ran through the experience of building and adapting Etsy's security team. Lackey (@zanelackey) and his colleagues, who left the hipster …

  1. Tweetiepooh

    Bribe developers with tee-shorts

    Don't know how I'd respond to a pair of these (American or British interpretation), maybe need a gift card to pay for some gymnastics lessons.

    1. Michael Nidd

      Re: Bribe developers with tee-shorts

      From the first time someone drives a golf ball off the tee that's built into the shorts, their motivational power will be crystal clear.

    2. Ian McNee
      Gimp

      Re: Bribe developers with tee-shorts

      Tee-shorts for penetration testers...and what line of business were they in again?? :-O

    3. I ain't Spartacus Gold badge
      Coat

      Re: Bribe developers with tee-shorts

      The problem with handing out t-shorts is that the internal competition causes splits...

    4. Jedit Silver badge
      Coat

      Re: Bribe developers with tee-shorts

      Why are you all so worried about T-shorts? When worn properly there's no arm in them.

      1. imanidiot Silver badge
        Coat

        Re: Bribe developers with tee-shorts

        Damn you all, my coworkers are looking at me funny... AGAIN!

  2. Anonymous Coward
    Anonymous Coward

    Calm down, explain your terms

    Is it just me or is much of this overexcited article unintelligible even to people in the business?

    1. Anonymous Coward
      Anonymous Coward

      Re: Calm down, explain your terms

      Yep it's not just you, it's very poorly written and largely unintelligible.

      1. Pete 2 Silver badge

        Re: Calm down, explain your terms

        > and largely unintelligible

        Well, since the author's name is Pauli, you'd expect some exclusion.

    2. fruitoftheloon

      Re: Calm down, explain your terms

      Bb,

      it made a fair amount of sense to me.

      J

      1. Cliff

        Re: Calm down, explain your terms

        Imagine it's a Steve Bong piece, that frame of mind and reference makes it an easier read. It's not pitched at the technical edge more at board level, so it's more enterprisey.

    3. Anonymous Coward
      Anonymous Coward

      Re: Calm down, explain your terms

      I thought I was the only one. This "article" is full of promotional gibberish and techno-marketing talk. The writer even techbombed the article with several feel-good outside web site references, because after all the subject of the story is referencing them so they must be the only way, correct?

      Reads like the very worst of Ars, when their writers are coming down off their weekend party highs. Why write coherently lucid and in-depth articles when loosely throwing around info-by-soundbites still gets you a paystub at the end of the week?

  3. Pete 2 Silver badge

    Easily pleased?

    > bribes to developers who report flaws including gift cards and tee-shorts which he said worked "shockingly well"

    One place I worked, some years ago, had an incentive scheme where each manager had a couple of discretionary "gifts" to dole out every few months. This amounted to a "free" but receipted entry on your expenses for a meal out with a +1 (up to a limit of approx. £50: just above pizzas and a bottle of wine in value). While it was nice to get the recognition it made absolutely no difference to how an individual performed.

    >a hall of fame was more important than monetary rewards

    A friend is a secondary school teacher. The school has a motivational "star" system with "winners'" names going on a board in the entrance lobby. However, it really only works for the 13's and under. After that, awarding a child a star is seen as an egregious insult and is more likely to have the opposite effect to the one intended.

    I would suggest that if SignalSciences thinks they are actually altering the behaviour of their employees with such trivia, they are either employing immature developers who are so bereft of love and attention that they could replace their gift certificates with a lollipop and still get the same result, or that their staff scorn their rewards, are intelligent enough to have calculated that they amount to ¢¢¢'s per hour and are actually rewarding themselves in other ways from the company's coffers.

    1. Charlie Clark Silver badge

      Re: Easily pleased?

      While it was nice to get the recognition it made absolutely no difference to how an individual performed.

      Just being polite enough to recognise the contribution is a start. Sure, these things are often trite and immediately devalued by corporate culture but encouraging employees in their jobs is part of the service that managers need to provide.

      1. Anonymous Coward
        Anonymous Coward

        Re: Easily pleased?

        Most bugs, whether coding mistakes or bad design, can be prevented or caught by formal code walk-through/review, in which reading the code and comments by peers, with the author and a chairman, is an accepted and welcomed part of the development process that is never, ever skipped. This review applies to the first feasibility study and the last manual page just as to the code and design. The merged design-development-test system hardly allows time for this and it shows.

        The critical thing is: the author of the item under review is not to be castigated or diminished for any failures, improvements etc. found, or he will just become defensive and uncooperative.

        Gains: the whole team takes responsibility; all gain familiarity with the code, i.e. knowledge is spread, reducing the criticality of individuals; most defects are caught and remedied at the design stage or the coding stage, before getting near even beta test, let alone the end customer. In the end this is quicker and cheaper than getting the code out of the door and then watching your reputation, time, manpower and budget evaporate in a cycle of analyse-fix-release-analyse... and morale and ability increase.

        Clearly, recognition by each element that the other is an important contributor is vital: production managers, requirements engineers, document writers, testers, designers, marketers, coders: each must feel recognised as equal contributors to the project. The star system is for the film and sport industries, not for the serious world of work.

        Security will be much improved merely by proper reviews, mutual cooperation and understanding. For security measures to work in the long term, treating your workers as potential wrongdoers and making them feel disaffected is more important than clever systems controlling them. Of course, physical and software controls over access, audit etc. are necessary. But with rewarded, motivated staff who are on your side, these can be made less onerous in terms of adding heavy overheads to daily work. I believe most security failures are internal.

        1. Anonymous Coward
          Anonymous Coward

          Re: Easily pleased?

          Ha our new project manager just abolished code reviews and pair programming despite strenuous objections because he didn't think they could demonstrate business value. I can see code quality sinking to even lower depths now.

          1. James 51

            Re: Easily pleased?

            Perhaps if you can show that your new project manager doesn't demonstrate business value they can be abolished.

        2. Charlie Clark Silver badge

          Re: Easily pleased?

          The critical thing is: the author of the item under review is not to be castigated or diminished for any failures, improvements etc. found, or he will just become defensive and uncooperative.

          I think that's the key thing. I've not yet come across a one-size-fits-all methodology that actually works but I much prefer automatic static code analysis and tests (including test coverage) over code walkthrough.

          Security bugs are often not picked up in code review but pen testing can be included in a CI setup.

  4. James Dore
    Coat

    Do competent sub-editors exist any more?

    "The fundamental shift is that vulnerabilities occur in all methodologies, but in *continuously <-ly> deployment* there..."

    ""How many people *live*<d> through the days of out of band patches?"

    "When that vulnerability comes *in <it?> is* world-ending,"

    "Continuous deployment *mean*<t> continuous security and allowed "

    "A *vulnerabilities* <vulnerability, singular> and its impact... "

    "While this appeared to put the burden of sorting real bugs from the many more false ones <on to what/where/whom?>, it ensured ..."

    Back to skool.

    1. JonP

      Re: Do competent sub-editors exist any more?

      They're probably trying to get in on the act - let a few 'bugs' through & eventually they'll be offered tee-shorts for finding typos in articles.

  5. Anonymous Coward
    WTF?

    what?

    "The attacks run by Etsy ran over three or four iterations, rather than a single instance due to the fact that attackers will own boxes almost immediately. The increased iterations also provided better intelligence to defenders."

    I don't even know what to say to this. Is he saying that his programmers can't fix more than one bug at a time? Or is he saying that they also fix bugs in their attackers' code?

    Better intelligence to defenders??? I think he's using the wrong defenders.

    Somebody help me out, here.

    1. A Non e-mouse Silver badge

      Re: what?

      I took it to mean that instead of assuming an attacker will take control of one (and only one box) assume they have control of multiple boxes.

  6. dogged

    wtf

    "You're just pushing production and you do that 20 or 30 times a day. When that vulnerability comes in is world-ending, it's just another day."

    What the actual fuck does this mean?

    1. A Non e-mouse Silver badge

      Re: wtf

      If you're continuously updating & releasing code, you don't have to do anything special to quickly release another revision of code to fix a security bug.

      1. Anonymous Coward
        Anonymous Coward

        Re: wtf

        After you find it, determine how to fix it (hopefully without causing another problem), generate the fix, and push that fix back out.

        There can be a considerable window of opportunity between creating the problem and successfully pushing the fix to the systems.

        How much damage will attackers be able to do in that window?

  7. A Non e-mouse Silver badge

    Developers are human

    There are some comments here about the trivial amounts of the rewards for finding/fixing security flaws. I took the whole tone of the article differently: Treat your developers as humans. Give them credit where credit is due. Don't punish them for mistakes (Although ribbing them over a beer is OK)

    All in all, basic stuff that any manager, at any level, in any line of work, should be doing.

    Unfortunately, few managers appear to know how to manage.

  8. Anonymous Coward
    Anonymous Coward

    Um.... why are so many companies reinventing the errors of 50 years ago?

    Letting developers make changes in production without any controls or separation of duties?

    WTF, is this the 1960s?

    1. admiraljkb

      Re: Um.... why are so many companies reinventing the errors of 50 years ago?

      Theoretically, if it's a proper DevOps shop, then when the code is checked in on a dev branch, automated tests are fired off in the dev environment; if it successfully passes, the code promotes to a qa/test environment; if successful there, then it promotes to a pre-prod/staging environment; and if successful there, then it promotes to prod. LOTS of testing occurs before it makes it to production, and devs have NO access to any environment other than their dev ones. There might even be a UAT (user acceptance testing) environment in there as well after qa/test, depending on how things are set up.

      That is if it's a real DevOps shop. If it's a "DevOps" shop instead because the term sounded cool, and a "let's use it on a resume" kind of shop..., then yeah, devs are making changes in production and PHBs are pretty clueless that they have major issues.
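Added example, not from the article or from any commenter: the gated promotion that admiraljkb describes above (dev -> qa -> staging -> prod, each step behind automated checks, developers with no access past dev), with Charlie Clark's earlier point folded in, namely static analysis and a security test run as gates inside the pipeline rather than as a separate code walk-through. The stage names, the `ci-pipeline` service identity, the gate functions and the `SCAN_RESULTS` tool output are all constructed for illustration; a real pipeline would pull the results from its test runner, SAST and DAST jobs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Ordered environments; a build may only advance one step at a time.
STAGES = ["dev", "qa", "staging", "prod"]

# The only identity allowed to move a build past its dev environment
# (assumed name; separation of duties means no developer account qualifies).
PIPELINE_ACTOR = "ci-pipeline"

# Constructed tool output keyed by commit (not real scan data); a real
# pipeline would read these from the unit-test, SAST, DAST and smoke jobs.
SCAN_RESULTS: Dict[str, dict] = {
    "a1b2c3d": {"tests_failed": 0, "sast_high": 0, "dast_findings": [], "smoke_ok": True},
    "e4f5a6b": {"tests_failed": 0, "sast_high": 1, "dast_findings": [], "smoke_ok": True},
    "c7d8e9f": {"tests_failed": 0, "sast_high": 0,
                "dast_findings": ["reflected XSS in /search"], "smoke_ok": True},
}


@dataclass
class Build:
    commit: str
    environment: str = "dev"
    log: List[str] = field(default_factory=list)


class PromotionDenied(Exception):
    """Raised when a gate fails or the actor is not allowed to promote."""


Gate = Callable[[Build], Tuple[bool, str]]


def unit_tests(build: Build) -> Tuple[bool, str]:
    failed = SCAN_RESULTS[build.commit]["tests_failed"]
    return failed == 0, f"{failed} unit test(s) failed"


def static_analysis(build: Build) -> Tuple[bool, str]:
    high = SCAN_RESULTS[build.commit]["sast_high"]
    return high == 0, f"{high} high-severity static-analysis finding(s)"


def security_tests(build: Build) -> Tuple[bool, str]:
    findings = SCAN_RESULTS[build.commit]["dast_findings"]
    return not findings, "; ".join(findings) or "no dynamic findings"


def smoke_tests(build: Build) -> Tuple[bool, str]:
    ok = SCAN_RESULTS[build.commit]["smoke_ok"]
    return ok, "staging smoke tests " + ("passed" if ok else "failed")


# Gates that must all pass before a build may enter each environment.
GATES: Dict[str, List[Gate]] = {
    "qa": [unit_tests, static_analysis],
    "staging": [security_tests],
    "prod": [smoke_tests],
}


def promote(build: Build, target: str, actor: str) -> Build:
    """Advance the build one environment if the actor and every gate allow it."""
    if actor != PIPELINE_ACTOR:
        raise PromotionDenied(f"{actor!r} may not promote; only {PIPELINE_ACTOR!r} can")
    current = STAGES.index(build.environment)
    if STAGES.index(target) != current + 1:
        raise PromotionDenied(f"cannot skip from {build.environment} to {target}")
    for gate in GATES[target]:
        ok, detail = gate(build)
        build.log.append(f"{target}:{gate.__name__}: {detail}")
        if not ok:
            raise PromotionDenied(f"{gate.__name__} blocked promotion to {target}: {detail}")
    build.environment = target
    return build


def run_pipeline(commit: str, actor: str = PIPELINE_ACTOR) -> Build:
    """Promote through every stage in order, stopping at the first failed gate."""
    build = Build(commit)
    for target in STAGES[1:]:
        try:
            promote(build, target, actor)
        except PromotionDenied as exc:
            build.log.append(f"stopped: {exc}")
            break
    return build


if __name__ == "__main__":
    for commit in SCAN_RESULTS:
        b = run_pipeline(commit)
        print(commit, "->", b.environment)
        for line in b.log:
            print("   ", line)
    # A developer identity is refused before any gate runs.
    print("dev-alice ->", run_pipeline("a1b2c3d", actor="dev-alice").environment)
```

The clean commit reaches prod; the one with a high-severity static finding never leaves dev, the one with a dynamic finding stops at qa, and a developer identity is refused at the first promotion regardless of the scan results, which is the "NO access to any environment other than their dev ones" part of the comment expressed as a check rather than a convention.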

  9. Pascal Monett Silver badge

    "If you're continuously updating & releasing code"

    Then your application is not ready for production.

    Take it offline, finish the bloody thing, THEN put it into production and survey the security of the app.

  10. Alistair
    Windows

    Emotional buzzfeed descent

    This article is such a wonderful piece of enablement and edificial enlightenment passing. Businesses getting all over the world need much of the reading like this to bottom line enhancement and morale of C suite joss stick enhancement.
