Craft bazaar Etsy's security plan is candy to get devs talking
Don't be that grumpy security guy people are afraid to approach
Kiwicon podcast: Etsy's security chieftain Rich Smith has told the hacker faithful to secure their organisations by buttering up devs with beer and candy.
Speaking at the KiwiCon event in Wellington, New Zealand, the guardian of the popular hipster bazaar and co-founder of Icelandic consultancy Syndis offered tips from running the fast-paced Agile development company, where code shipped almost as frequently as the patchwork quilts.
Smith reiterated lessons given earlier this year by colleague Zane Lackey and said corporate security teams in smaller or new businesses should be friendly and designed to move as quickly as development teams.
"Abrasive individuals will single-handedly do more to undermine the security brand and culture at your company than anything else.
"People will actively avoid engaging with your security team because it's staffed with dicks."
"When the dev bar tab runs out, the security team picks it up and everyone loves the team for it. It really can be that simple - but I would advise you all to assign budget to this."
Podcast: Listen or download Security the Etsy way.
Smith's team keeps a giant jar of candy at the desk and finds it lures lots of developers who stay to ask questions of the team.
The chart-obsessed security team went so far as to graph candy consumption against security incidents, and created an IRC bot that staff could ping to find out what sweets were in the jar.
Smith also explained that in his opinion security teams need to become able to quickly repair bugs without halting production for anything other than the very worst flaws, although he acknowledged this won't be acceptable for risk-averse organisations.
Etsy is a larger organisation than punters might expect, with more than 600 staff and about 50 changes being pushed live each day under its continuous development and delivery scheme. ®