VP of InfoSec at InVision on secure code development [audio](strongdm.com)
strongdm.com
VP of InfoSec at InVision on secure code development [audio]
https://www.strongdm.com/johnathan-hunt-invision/
19 comments
Can someone help me understand what's interesting about the VP of InfoSec at InVision? What's InVision?
InVision is a tool for making interactive click-throughs, typically, of software mockups. It provides a very natural feeling to prototypes.
I'd expect security is important because of the pre-release and experimental nature of most product mockups.
I'd expect security is important because of the pre-release and experimental nature of most product mockups.
I wonder if languages like Rust would be helpful in areas like this? Especially considering that the strictness of the compiler might allow more "green" developers opportunity to contribute.
No. Rust eliminates C/C++ memory corruption vulnerabilities, but so do all the other mainstream high-level languages.
What Rust enables you to do is ship software that formerly would have demanded C/C++ (kernels, drivers, embedded software, browsers, games) without having to use C/C++. That's a security win, but not a game changer for secure software development in general, the vast majority of which is done in non-C/C++ languages already.
What Rust enables you to do is ship software that formerly would have demanded C/C++ (kernels, drivers, embedded software, browsers, games) without having to use C/C++. That's a security win, but not a game changer for secure software development in general, the vast majority of which is done in non-C/C++ languages already.
Rust addresses C/C++ security issues, but that's where the security benefits end (that's still a lot of benefits though!)
I really wish "units of measure" types took off in the langdev world. "String" is woefully inadequate to describe the actual type of a string; Imagine a world where string data is of type <string:urlencoded> or <string:xsssanitized>, and display functions would only accept strings of the correct type. I know F# has this, but unfortunately it never caught on elsewhere.
I really wish "units of measure" types took off in the langdev world. "String" is woefully inadequate to describe the actual type of a string; Imagine a world where string data is of type <string:urlencoded> or <string:xsssanitized>, and display functions would only accept strings of the correct type. I know F# has this, but unfortunately it never caught on elsewhere.
What are the problems with using inheritance to handle this?
class urlencoded extends String;
class xsssanitized extends String;
then secure functions can be explicit about what type they need. void embedInPage(xssssanitized xssString);Most modern frameworks, in all the mainstream languages, already have this feature, and it's usually the default. You still get XSS because you still have to override the filter to do custom HTML, but it helps a lot.
Right; I'm trying to understand the difference between this and the "units of measure" approach the grandparent was referencing.
(To be clear, your latter point is referring to things like 'dangerouslySetInnerHTML' in react?)
https://reactjs.org/docs/dom-elements.html#dangerouslysetinn...
(To be clear, your latter point is referring to things like 'dangerouslySetInnerHTML' in react?)
https://reactjs.org/docs/dom-elements.html#dangerouslysetinn...
I think obviously no: language definitely contributes to SOME vulnerabilities, but it does not solve all or even most of them. java apps are great example of memory safety, type safety, and still huge vulnerabilities exist in java apps.
> InVision is a 100% remotely distributed company. We don’t have an office, we have almost 1000 employees, we have scaled to 1000 people with everyone working out of their own home
just like most open source projects.
one of the bad parts IMO is that you can't hire green engineers since they need more hands-on guidance.
just like most open source projects.
one of the bad parts IMO is that you can't hire green engineers since they need more hands-on guidance.
I've thought the same, but is this true?
A shout-out to HN folks w/ experience at full-remote companies: are there hiring and onboarding practices you've used that allow less-experienced hires to be successful when working remotely?
A shout-out to HN folks w/ experience at full-remote companies: are there hiring and onboarding practices you've used that allow less-experienced hires to be successful when working remotely?
On our full-remote team the #1 onboarding (and ongoing) practice for engineers is near-full-time pair programming.
For engineers who haven't logged many pairing hours before, it requires a few weeks of stamina-building: it's initially exhausting to hold a model in your head while engaging your vocal cords.
One non-obvious but critical tip for continuous pairing: ensure everyone has an excellent audio environment. Buy the right headset, have a door or acoustic foam installed in the home office, etc.
For engineers who haven't logged many pairing hours before, it requires a few weeks of stamina-building: it's initially exhausting to hold a model in your head while engaging your vocal cords.
One non-obvious but critical tip for continuous pairing: ensure everyone has an excellent audio environment. Buy the right headset, have a door or acoustic foam installed in the home office, etc.
Who needs to hire Junior engineers when you can hire very senior ones at half the price in another part of the country/world?
> A bug bounty program, you’re inviting the entire world to attack your site. And by the way, you you’re not obviously using production, right, you’re spinning up a clone that has no customer data. And it’s not even connected to your network.
> Also, pen tests rarely perform lateral movements across your app, right? .... Whereas a bug bounty, those people can continue to move and infiltrate your network and give you a string of attacks that they were able to finally polling your data,
So I may have misunderstood (or the transcribing is wrong) but the person says you should give bug bounty hunters an isolated non-production instance and yet wants "lateral movement" ? Sounds a bit incoherent.
> Also, pen tests rarely perform lateral movements across your app, right? .... Whereas a bug bounty, those people can continue to move and infiltrate your network and give you a string of attacks that they were able to finally polling your data,
So I may have misunderstood (or the transcribing is wrong) but the person says you should give bug bounty hunters an isolated non-production instance and yet wants "lateral movement" ? Sounds a bit incoherent.
Should probably say [audio] in the title (it's 30 minutes without transcription).
If you scroll down on the page there is a transcription.
Oh thanks, thought it was a footer under the audio player.