This week was shorter than usual, apparently, but I have been exhausted for all of it. Nonetheless, I got some good stuff done. Let’s talk about it.
Work
This week I’ve been very busy across all three of the things I do for work. On the mentoring service: I’ve finally replicated in AWS the service I had been running locally. It has taken months, and frankly it would have been easier to simply deploy the whole thing as a bunch of containers triggered by an API call. But I am as stubborn as anything, and I also want to have something to show to the folks who are bankrolling it. So, at least for now, I’ve got a slightly-too-expensive thing that works. My next step will be to turn some of the expensive things into less expensive things – for example, the code that triggers the complex, compute-intensive process of matching mentors and mentees could just be a Step Function that only needs to live (and therefore cost money) for as long as it runs.
In Fast Stream news, I recorded a video of myself talking through the work we’ve been doing and what it means for Fast Streamers. It was horrible. I can’t stand doing speeches to camera. I need some kind of audience, any kind of audience. Doing it without feedback feels so empty and difficult. Before long, we’ll be running it in parallel with the existing process, and finding out what we need to do next with the service.
Finally, I’ve been making good progress on unpicking our old infrastructure and transforming it into something more readable and user-friendly. I also made some changes that will help out my colleagues in their prioritisation efforts, reviewed a lot of code, and supported the new developers in building out our developer environment so that it’s fantastically secure. We’re down to storing only one set of credentials, and that set has to be confirmed with MFA – so even if the device is nicked, and it’s nicked while it’s unlocked, an attacker would also need the second factor. And they’d need to be a developer with an idea of what they were doing. And they’d need to move quickly, before the victim alerted the rest of the team and we binned those credentials. I am so proud of us.
We call this the Swiss Cheese model of security: even where there are holes, the holes don’t line up into a nice neat line for an attacker to succeed.
MiSc
Aiiie, but this module is dragging. If I have to read one more standard I will surrender. There are 93 controls in ISO 27002 and I believe at this point that I could list most of them: hardly a party trick that folks are begging to see.
One great element of this module is the amount of interaction I’m getting with my fellow students. Last week was an impassioned debate on positive and negative security, and this week the relative merits of NCSC’s three random words approach to passwords versus industry standards. People in this industry have strong opinions, but I think some of them aren’t used to hearing disagreement from colleagues or fellow practitioners. It’s leading to some interesting moments of learning.
I’m a little behind, thanks to the recent bank holiday and spending time in the sunshine and away from my desk. I need to make up the time this week, but I’m confident I will. So in lieu of a random page, have some of last week’s notes.