Many developers are now involved in volunteer work. 🔧🌍 Teams create websites and applications to share useful information with refugees, to organize humanitarian and logistics efforts, and even to track military hardware.
Are you among those who make this globe run better or save lives in 🇺🇦 Ukraine with your 💪 engineering efforts and software? Let us share some observations on how to make this impact even more effective from a security perspective.
▶️ 1. 🎯Focus on your MVP. Adding sophisticated features to your emergency software before it goes public is tempting, but releasing early might help more people. Leave additional features for later, and expect them to change a lot as available capabilities and people's requests evolve.
▶️ 2. Do software security ASAP and invite security engineers early. It saves time and lives. If security flaws surface only in the last stage of development, fixing them might require re-engineering or compromises you wouldn’t like to make.
▶️ 3. Use risk modeling. Ask yourself “what could go wrong?” often. Be context-aware: risks you already know can have much worse consequences in urgent/vulnerable situations. For example, during warfare, data leakage or service unavailability could cost not only GDPR fines but people’s lives.
▶️ 4. Mind data security. Be careful with data. Don’t collect/store sensitive data. If you have to, encrypt it in transit, at rest, and in backups, and take care of the encryption keys.
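One way to put #4 into practice for a single sensitive field, as an added example that is not part of the original post: each value is sealed with AES-256-GCM under a fresh nonce, the record ID is bound as associated data so a blob copied between rows (in the live DB or a restored backup) will not open, and the key lives outside the data store. The key, record IDs and phone number are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field with AES-256-GCM under a fresh random nonce and binds
// recordID as associated data, so a blob moved to another record will not open.
func Seal(key []byte, recordID, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// Open reverses Seal; a wrong key, a tampered blob or a wrong recordID all fail.
func Open(key []byte, recordID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(recordID))
	return string(pt), err
}

func main() {
	key := []byte("32-byte demo key, not for prod!!") // constructed; load the real key from a secret store, never from the DB
	blob, _ := Seal(key, "refugee-42", "+380 00 000 0000") // constructed sample field
	_, err := Open(key, "refugee-43", blob)                // same key, wrong record
	fmt.Println("cross-record open rejected:", err != nil)
}
```

Store only the blob; the key stays in your secret manager or environment, so a leaked dump or backup on its own is unreadable.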
▶️ 5. Follow the OWASP Cheat Sheets, OWASP MASVS/MSTG and OWASP ASVS/WSTG. Look for free, available data security services, firewalls and encryption libraries (for example, check these must-haves). If that’s too hard right now, go back to #2.
▶️ 6. Look after physical security:
❇️ Include physical damage or sudden unavailability of servers, connection lines, data centres, etc. in your reliability plan.
❇️ If your infra is in the cloud, review other devs’/super admins’ access rights and eliminate the risk of unauthorised parties getting access to your systems, or of you losing access to them altogether.
❇️ Prefer low-maintenance, automated infra over high-maintenance setups (and see #1).
❇️ Ensure all team members use long passwords and have multi-factor authentication (MFA) enabled.
▶️ 7. Choose commodity technologies and interoperable solutions rather than rare ones that are hard to replace. You’ll move faster, find qualified specialists to work with more easily, and have fewer problems when something unexpected happens.
▶️ 8. Match your expertise with the projects. For example, if you’re experienced in AI/ML or hardware design, look for initiatives in those fields, where you can contribute more to their success than in, say, frontend development, where you’d have to learn first.
▶️ 9. Collaborate and communicate. It is likely that other people are working on the same module/task as you, and together you can finish it faster. Also, if you build a feature that can be used in, say, 10 projects, your impact is 10x and you save lots of time and effort for those 10 teams.
▶️ 10. Match priorities with timing. If you are volunteering during an emergency and want to make an immediate impact, make sure the goal/results of the project you’re contributing to can be achieved within a tight time frame, not “several months/years later”. Switch if an initiative has no chance of winning/getting to production. During an emergency, losing time can be a disaster. 🔐