SSD Reflection
As technology advances, there is a security trade-off that comes along with it: new vulnerabilities (Schneier, 2014). One article states that the rate of cybercrime grows consistently with the growth of technology (Utica University, n.d.). We can also see that OWASP updates its top ten list of vulnerabilities every year. Often it is not only a matter of re-ordering the top ten; new entries for previously unknown threats are also introduced.
Through the Secure Software Development course, I learned a lot of new things about software development and security that I had never even heard of before. It introduced me to things I did not know could be vulnerability hotspots, for example the programming language and the operating system, two basic, publicly known things that are still being maintained by their developers.
I want to point out to myself (for my future self) several important points that I learnt:
- UML is not only about software requirements, documentation and communication. It is also a tool for us to spot vulnerabilities.
- Unit testing should not only test whether a feature works properly for the end user, but should also test possible security vulnerability scenarios.
Those two things became clear to me during the final project, where we started building the program and doing the actual coding. We found bugs and vulnerabilities by going through the UML diagrams and testing the code carefully. Sequence diagrams helped us understand our code better; reading the code on its own felt overwhelming. Thus we were able to spot vulnerabilities. It is also worth mentioning that this alone was not enough.
In a blog post, Konstantin Petrukhnov, a senior consultant from Futurice, argued that we need to test and validate the program logic from three different perspectives: source code, documentation, and tests (Petrukhnov, 2015). He gave an example of a case he experienced where all the unit tests passed, even though the actual result was not what was expected. I think it is a good example of why we have to test from three different perspectives, so that the validity of one side can be reinforced by the others. We also experienced something similar, where we thought from the UML that nothing was wrong, but it failed during the unit tests.
Other than that, I also learned how to contribute and be active in a diverse team. My colleagues come from different time zones, different backgrounds, and different cultures. Probably the most important thing to remember in this kind of environment is to have understanding and openness.
Understanding means that I need to understand the people I work with, as human beings. My culture is different from that of my colleagues from China or South Africa. We probably have different technical skills. I need to be careful regarding communication; one small mistake might hurt their feelings. What we did was to "audit" the manpower that the team has. This lets everyone know the others' strengths and weaknesses early, giving more time to accept the situation. The PPT framework puts People first. But to me it is not about boarding the perfect people, but about being human first.
Openness means giving information as clearly and as honestly as possible. We never see each other in person at all. We do not really know what is happening with the others. Each of us relies only on the information given by its source. Being proactive maintains trust. If I cannot attend the meeting, tell them. If I run into difficulties, ask for help, and so on.
Now we are reaching the end of the Secure Software Development module. So what is my plan next?
This is the first module that has given me a different kind of experience. I gained both new technical skills and soft skills. I am thinking of enhancing those skills even further by being involved in projects with a diverse team. I do not know yet whether the upcoming module will let me experience something similar to this. But my backup plan is to work as a volunteer in a global organization like the United Nations Volunteer or Social Coder.
References
Petrukhnov, K., 2015. Self-Explanatory Code Is Good Code, Isn’t It?. [Online] Available at: https://futurice.com/blog/self-explanatory-code [Accessed 30 May 2022].
Schneier, B., 2014. How Changing Technology Affects Security. [Online] Available at: https://www.wired.com/insights/2014/02/changing-technology-affects-security/ [Accessed 30 May 2022].
Utica University, n.d. Ten Ways Evolving Technology Affects Cybersecurity. [Online] Available at: https://programs.online.utica.edu/resources/article/ten-ways-evolving-technology-affects-cybersecurity [Accessed 30 May 2022].