Why am I writing this post? Because I have worked in SMEs for a while and the smaller and younger they are, the more I worry about their attitude and ability to respond to security events. In fact, to even identify that they have had a security-based event.
This has been made worse in the last twelve months with the additional responsibilities of GDPR. Now there is a potentially massive financial implication of a data breach, not just from the cost of remediation but also from the DCO.
Sure enough, there are a lot of vendors offering people silver bullets to protect them from the evil hackers sitting out there with their hoodies covering them up in their dark rooms. But there are two major problems with that: one is that there is no silver bullet and relying on one is a big mistake. The second problem is that without security knowledge in the business they are never going to mature and be able to deal with the emerging threats that come from cyber security. The other problem with the peddlers of silver bullets is the fact that what they sell is not cheap. These small companies are concerned (generally) with building up their revenues to turn a profit. These extra security costs are a luxury. So I suppose they could use open source tools, of which there are plenty. But then we go back to knowledge and skills. Open source tools are by their very nature more difficult to set up, let alone to set up correctly.
Another concern is the patching and updates of equipment. In a small company is that really going to be a priority?
Even those companies that promote defence in depth, and tell you that their tools should be used in conjunction with others, are just too expensive. I fully appreciate the need for the expense; building some of these tools is a long and prolonged process which costs money.
If you look at this from the hacker's point of view, these companies provide an ideal learning ground for future breaches. Not only that, but they also provide possible jumping-off points for bigger fish. Why would you attempt a breach against a massive organisation with sophisticated security prevention measures and a security team when you can go for one of their suppliers who have no security knowledge at all?
So why am I writing this post? Well because there seems to be a massive gap in the market to help these companies meet their GDPR requirements but also to protect them from hackers. I am not sure what form a solution to the problem might take but there is surely a possibility of somebody filling that gap.
There are a couple of things that concern me about it and the most pressing is security. It is just so easy to include hundreds of packages the source of which is almost impossible to track.
If those modules are maintained by people you don't know anything about, how do you know they can be trusted? How do you know if someone has not changed the code somewhere in those packages to do something malicious?
But that concern was precipitated by my very first concern: the sheer number of packages you can install without even trying to do so. Next time you play with Node, just check how many packages you have just by including express and a couple of components.
And then finally perhaps the reason that appears to be the most churlish is that just because anyone can now write backend code with JS does not mean that you should. Sometimes Node just does not do the trick. If you want to create a system that processes and transforms lots of data, Node is not the right tool.
Do people really think that throwing every new piece of cool technology at a project will make it a success? I love new technology and used to spend time playing with new frameworks etc. so I could find a use pattern for them. But very few of them made it into projects because there was no value to be added from doing so.
I have seen so many projects where the business case for building them is based on keeping a technology stack up to date. Great if that is going to add value or provide a competitive advantage. But spending time and money to move your website to the latest and greatest JS framework is not a valid reason.
This is not a blog post to show what is best practice in web development but a rant against those people who use the term ‘best practice’ to defend their use of a technology.
I shall explain with a couple of examples. Yesterday at work a developer said the business could not have a web page with 5 equal columns on the page because they use Bootstrap, which uses a 12-column grid. I tried to point out this was an issue and was told using Bootstrap was 'best practice'.
We are building a new website and it HAS to be hosted on AWS because it is ‘best practice’.
We are building a new website in PHP and we have to use a framework because that is ‘best practice’.
I have nothing against Bootstrap, AWS or PHP Frameworks but this highlights that people are building a solution before they have even looked at the requirements. Each project is unique and has unique requirements so to come to the conversation with a fixed mindset of what solutions will work is just plain wrong.
It could be that these solutions are the best thing for the project but you can’t decide that because it is ‘best practice’. You have to decide that because it is best for the project.
So I was asked at work the other day if I could help find a missing server. I know that sounds odd but it was running some software that nobody had ever needed to use but was considered essential. They did not know the IP address or the user name or password used to gain access.
I had come across nmap in the past and never really understood how useful it could be. And then as part of my studies I learned of its amazing range of facilities. So after 5 minutes of research (dabbling), I found an invocation that would show me every single open port on every single device on the network. After filtering that down a little I had some potential devices we could try.
I am not sharing the nmap invocation because that would give away what I was looking for and possibly why.
Obviously that does not get you the access you need but perhaps that is the subject of another blog post.
When I started out in development (many years ago) I wanted to write everything myself. I did not want to use any shortcuts or use other tools that would cut the time. I wanted to write those tools. And then use them myself. This was also supported by a need. I started to develop at the age of 11 when the internet was probably just another military secret. So coding things yourself was almost essential. Books were great but only got you so far.
However, as I have got older (not convinced wiser) I have got more and more lazy and see very little merit in building something when someone else has already done most of the work for you. So on my latest project I am going for a very simple metric: write as little of your own code as possible. Less chance of you adding errors that way.
It also means that you can go quicker to market than if you are trying to hand code everything. The purist in me (buried very deep) tells me that I could probably do a better job that would suit the needs of the business better. But, and this is something that only experience brings, the business I am working for don’t actually care what the technical underpinnings of the solution are. They want their solution and they will want it to be easy to maintain.
This causes a couple of problems. One, writing simple code with few lines of code is incredibly difficult to do, and those young developers that work for you are going to rebel and want to move on to some other more exciting (i.e. writing more code) project. But one day I am hoping they will also see that writing all of this code is only worth it when you really have to.
So I got my grades for my second module of my masters over the weekend and was pleased with the grade but a little frustrated with the lack of feedback. So on some elements I obviously did very well and others I was down at 60% and 65% but with no explanation of what areas I could have covered that would have got me those marks or areas I should have considered.
I am assuming that it is based on a grade for applying a more critical analysis in my answers, but I really do not know.
I wanted to create a simple blog and I could not be bothered to code one myself. So I thought I would look around for a good blog system. And you know the only one that was easy and took no set up time, thanks largely to LCN.COM, was WordPress. So here I am with my very first WordPress site.
I will say the main reason for reluctance in the past was based mostly on security. And now for the purposes of this trivial site it seems an irrelevance really. So here I am and here I will remain for a while and see how many, if any, blog posts I get out using this rather than having to code things by hand. I have got too lazy for that.