#web-security
2021-09-10
slipset 07:09:04

Not entirely web-security, but we’re working on getting ISO-27001 certified. It means having to put a change management process in place. It has been super frustrating, but also very enlightening.

slipset 07:09:35

One of the problems I’ve been struggling with is what I call optionality in the process. So, in a process you might choose not to do something. But my fear is that we need to document that it was a conscious decision to skip a step, in case we get an audit.

slipset 07:09:07

So a nice solution came to me from CircleCI. In Circle, you can add [ci skip tests], which means that there is optionality for running the tests, but the default is that you run them. But if you want to skip the tests, you document in the commit message that you chose to skip them.

slipset 08:09:13

And from there, you could say that a PR is optional, but either your commit message has to contain a #23424, which points to the PR, or it has to contain the text [I'm a fool who chose not to seek advice from my coworkers #yolo]

😹 2
slipset 08:09:30

And this can then be enforced by the build pipeline.

otfrom 14:09:42

I didn't even know this existed

otfrom 14:09:12

(def this "#web-security" )

otfrom 14:09:56

I'm not doing any webdev atm, but if I do put a web interface on the things I'm working on it really better be secure and I'm not sure that security/authn/authz has always felt that great to me in clojure.

slipset 18:09:15

There is a talk from some years ago which likened the (web) security situation in Clojure to that of PHP: https://www.youtube.com/watch?v=CBL59w7fXw4