A project intended to move a small robot around a hazardous board teaches some solid security lessons.
Put six adults together for 41 hours with a pile of parts and a vague goal and what do you get? In my case, amplified lessons in secure software development — and a game where you take a robot to do battle.
So last weekend I participated in a make-a-thon. Described as “like a walk-a-thon with less walking and more making,” it was a fund-raiser and a way for me to scratch my ongoing geek itch. Since mechanical engineering isn’t my forte, I was assigned to be half the programming team. And, as is true for so many real-world dev projects, we began on Friday night with only a vague sense of what the hardware would ultimately look like.
So the first thing I did was sit down, write careful specifications, and start hand-crafting the finest in artisanal code, right? Of course not: I headed for the Internet and started grabbing routines described as doing what I wanted to do. And just like that, I was neck-deep in the reality of most agile and DevOps software shops.
Now, I was lucky in several respects: I was doing classic OT stuff in a variant of C — I could look at the code and tell what was going on. But the thing that struck me in retrospect was just how easily I was grabbing routines and throwing them into my application, and just how little regard I was giving the variables and code that didn’t have an immediate impact on my job.
So that’s the first amplified lesson: do a security scan on downloaded code before you slap it into your application. GitHub’s Semmle acquisition should make this easier for a lot of open source projects, but it’s got to be considered a critical step regardless of where the code comes from.
The next amplified lesson comes straight out of the instructions for blue jeans: Shrink to fit. At times during the development process we had great herds of unused variables and function names roaming across the rolling plains of our code. The combination of code from repositories and debugging routines left detritus that we ultimately had to clean up late in the process because things were getting confusing.