
Irresponsible Disclosure: Short Handbook of an Ethical Developer

This is the deck I presented at Women Techmakers Istanbul IWD18 conference.

Ethics... It could be the most important and underrated topic in the software industry. It is directly related to professionalism, craftsmanship and professional discipline. From time to time we have to jump into the discussions, yet we never discuss it in depth.

I found myself in a huge blast of discussions when I tweeted about a **HUGE** security issue in the most popular operating system. That led me to think deeply about ethics and the behaviour of ethical developers.

In this session I talk about the following:
* I refer to real-life stories of many good practices for professional ethics that are critical in the software development world.
* I cover technical and non-technical aspects of being an ethical developer.
* I dive deep into the arguments around the ethical controversy and the debate over the disclosure of a major bug in macOS via Twitter.

Lemi Orhan Ergin

March 31, 2018

Transcript

  1. THE DATA ERA: where we are the products, where our data is sold, where algorithms decide what to buy.
  2. THE DATA ERA: where we are the products, where our data is sold, where algorithms decide what to buy, who to vote for, what to feel.
  3. SOFTWARE DEVELOPMENT IS A PROFESSION: sets of discipline and minimum standards of behaviour turn development into a real profession.
  4. SOFTWARE CRAFTER: Loves his job; passionate; disciplined; motivated; apprentice; practices a lot; has no ego; embraces feedback; delivers value, not crap; focuses on quality; shares knowledge; participates in meetups; joins communities; ethical developer; improves productivity; works in teams; learns like crazy; feels responsible; retrospects regularly; proficient with the tools; reads a lot; knows how to say no; not the one in the corner; checks quality metrics; programs in pairs; lets the code test itself.
  5. SOFTWARE CRAFTER (the previous slide repeated, with "Ethical developer" highlighted).
  6. SECURITY: We apply secure coding practices. We test the security of software. We do not keep passwords in clear text. We remove passwords from external files. We protect log files and all internals. We report security vulnerabilities.
  7. PRIVACY: We do not disclose private communication. We show respect for the privacy of private life. We do not force employees to do overtime. We do not ask for the passwords of social media accounts to investigate candidates during the recruitment process. We do not sell or share confidential data.
  8. HONESTY: We do not claim expertise where we have none. We do not inflate our abilities. We do not state undone tasks as done. We do not intentionally misestimate tasks. We do not falsely deny the presence of bugs. We do not cheat on performance and quality KPIs.
  9. CUSTOMER: We do not under- or overvalue the outputs. We do not promise what we cannot deliver. We do not hide the current status of the project. We do not deceive customers about defects.
  10. TEAMWORK: We do not hide information from teammates. We do not criticize just to feed our ego. We help our teammates when they need help. We ask for help when we need help. We are not the guys in the corner.
  11. QUALITY: We do adequate testing and review. We write well-crafted code. We write sufficient documentation. We take full responsibility for the code. We regularly check code for quality and refactor. We validate fixes before setting them as fixed. We do not accept developing at lower quality.
  12. PERSONAL: We do not cultivate a brogramming environment. We do not steal unauthorized code. We do not use cracked or unlicensed tools. We do not reuse copyrighted code unless a proper license is obtained. We do not suppress others' opinions. We do not wait for others to invest in our career; we invest in ourselves. We do not do mobbing, act sexist or intimidate.
  13. SOCIAL MEDIA: We do not get involved in trolling, social engineering, perception manipulation or black propaganda. We do not post things that are private to the company we work for or to our colleagues. We do not argue with customers even when we are right. We do not communicate with others like an asshole. We show respect on social media.
  14. CULTURAL: We give feedback fast. We also give positive feedback. We do not raise our voice to colleagues or to customers. We do not blame others. We respect people and our profession. We trust by default. We leave our ego behind the door.
  15. What about irresponsible disclosure? It does not matter whether a bug bounty program exists or not. We should report security vulnerabilities to the company privately. Use private channels and keep it confidential. Be ethical and find ways to report it to the company.
  16. What about irresponsible disclosure? Hey, wait a minute... We already did what we recommended here. It does not matter whether a bug bounty program exists or not. We should report security vulnerabilities to the company privately. Use private channels and keep it confidential. Be ethical and find ways to report it to the company.
  17. The 0-day vulnerability had already been published publicly by someone 2 weeks before. It means the vulnerability could already be available on the deep web. It means hackers could have already started to access machines as root.
  18. OUR INFRA TEAM CONTACTED APPLE SEVERAL TIMES ABOUT THE VULNERABILITY, LIKE THE ONE ON NOV 23, 2017 10:58, 5 DAYS BEFORE THE DISCLOSURE: "Without writing any password, I could connect to the system as root after I entered 3 times. I am saying this to let you understand how serious the topic is. If any company gets hurt due to this vulnerability, Apple is responsible. I don't think you can resolve this issue, therefore I want to talk with someone from security."
  19. FIRE ALARM: When you see the fire spreading uncontrollably, you have to press the fire alarm. Sometimes keeping the issue private causes more problems than making it public.
  20. REFERENCES: https://www.flickr.com/photos/editor/8560592076 (Attribution 2.0 Generic, CC BY 2.0); https://gratisography.com (CC0-like custom license); https://www.flaticon.com (icons made by Freepik from FlatIcon, Basic License); https://www.flickr.com/photos/24498687@N03/2337550017 (Attribution-NonCommercial 2.0 Generic, CC BY-NC 2.0).