Hello from HiHi!
My name is Ian Rathbone and I’m a Senior Software Engineer at HiHi. Right now I am working on the services that power the features on the wonderful devices you know as the HiHi.
What are you reading? As a developer at HiHi I’ve been granted this excellent training budget as part of the benefits I get here. I’m going to talk about how I make the most of this benefit.
A little background…
A few years ago I attended SDD Deep Dive where Brock Allen and Dominick Baier went into really useful detail about how to get the most out of Identity Server. They provided a great session with a ton of great use cases and examples.
I have successfully deployed two Identity Servers for different use cases, which has continued my interest in security.
I’ve gained an appreciation for how important authentication and authorisation are in my day to day job of building APIs for HiHi.
As I start to develop more and more services that live in the cloud, I now have a whole new level of potential threats to deal with, along with the plethora of security considerations to think about.
I’m sure you are no stranger to all of the myriad of awful data breaches that seem to happen on an alarmingly frequent basis.
The Training Budget
I now have a good problem where I want to spend my development budget wisely at HiHi.
An obvious choice was to get my Pluralsight subscription renewed. I can continue to get into the various topics that I’m curious about and don’t know enough about such as Containers and Kubernetes. Or is it that I just like hearing Nigel Poulton talk…
Anyway, the benefit of this is that I can make better judgement calls in my role at HiHi to make informed decisions about services we build.
I could not find a training course of value to me or beneficial to HiHi and it occurred to me that I have not had the complete experience of a conference.
NDC London 2019
I found NDC – the Norwegian Developers Conference 2019 (in London).
The agenda covers a broad range of subjects that I am very interested in. The lineup of speakers features people that I follow who care about the industry I work in. Seems like a good choice!
There are different tickets available, so I looked into the ‘All Access’ pass that provides a two day workshop. The subjects on offer are fantastic.
After browsing the topics, I settled on Troy Hunt’s “Workshop: Hack Yourself First: How to go on the Cyber-Offence” (great title).
I’ve been an avid reader of Troy’s site, watched some of his talks and I follow a lot of his recommendations and of course added all of my accounts to haveibeenpwned.com.
He’s a guy I trust to tell it how it is – an expert in his field.
Paraphrasing Troy’s own words, the beauty of going to a workshop is that you get experiences that you won’t get out of his Pluralsight courses.
There are discussions, the opportunity for questions and more in-depth information about the subject. There are tools he will show that are outside the remit of a Pluralsight course. There’s a ton of detail about information breaches that you can’t talk about on an online course too.
These are the really interesting pieces of information that help show where your site could be leaking data. I totally believe that it’s very important that we developers know how the shadier side of the web thinks.
The two day workshop with Troy has provided a great insight into how the average hacker thinks and what motivates them.
Not forgetting that NDC have provided some excellent food!
We got our hands dirty and compromised flaws on an example site Troy had designed by using techniques like SQL Injection.
We got to see what tools they use (and build) to help exploit these weaknesses.
The workshop has covered how to counter a hacker’s methods by using some of the best professional tools out there. It’s been about applying them practically using the basics like HTTPS. We delved deeper using readily available rules like CSP and HSTS.
These methods keep the wolves from the door and keep our customers safe.
A Unique Learning Experience
Looking at the methods that Troy demonstrated I appreciate that we have a solid base with security at HiHi. We aren’t doing anything stupid.
I have some thoughts about how we can apply what I have learned. I’m already looking forward to using the analysis tools he showed us.
Fortunately our team take security very seriously and we follow some good practices. Thanks to the experience this week I’ll be bringing some more ideas about this week to add to our processes.
Now it’s onto the three overwhelming days of excellent talks!