Void

Month: August, 2018

Checklist

Checklists have been in vogue for quite some time now. Probably Atul Gawande’s book The Checklist Manifesto kickstarted this. I have been late to the party, but once I arrived, I never left. A checklist is an amazing tool to organize personal as well as professional life.

Hospitals have figured out that by following simple checklists they can reduce the surgical mortality rate by a big percentage. The airline industry, the epitome of the highest possible standard in safety and training, relies on checklists to be fail-safe.

Who does not forget daily chores? Who has not kicked themselves for being late on bill payments? A to-do list solves this problem. There are tons of to-do apps out there; just pick one to start with. Apart from solving daily trivial problems, a checklist is a great way to keep track of long-term goals too, be it saving more, losing weight or adopting a healthier lifestyle.

Professional life requires one to regularly follow up. A checklist is a great way to list the follow-ups needed. On the flip side, no one likes doing follow-ups. If you want to be one of those rare people who respond without needing a follow-up, use a time-bound to-do app to keep track.

A checklist brings efficiency to project management. Having a checklist of all the tasks to be accomplished before taking a project live leaves little room for ambiguity, misses and last-minute scurrying.

A short-term or throwaway project may not justify the time spent in automating disparate tasks related to the project. In this scenario, a checklist is a great substitute.

[Image: XKCD comic "Automation"]

All organizations have an onboarding process. Make a checklist out of it and hand it over to employees on the day of joining. All software projects need some common alerts and metrics. Checklist them. Once you do this, you do not have to bother about this for every new project. View the checklist as a temporary substitute while you scout for software to automate these.

In short, a checklist can be used as a Swiss Army knife to organize and automate life. A checklist institutes repeatability, eliminates ambiguity and improves efficiency.

PS: Link to the above comic from XKCD.

Software Security

Some disparate thoughts on security in no particular order.

Many security bugs can be avoided by making a clear distinction between authentication and authorization. When one logs into Facebook, one uses a username and password. Facebook lets you log in only once it is sure that you are the owner of the account by verifying your password. This is authentication. Once you log in, you cannot view all your friends’ photos. You can only view those photos which your friends have authorized you to view. This is authorization. There is a class of security bugs that arise because developers have not made this distinction.
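The same distinction in code, as an added example that is not from the original post: a toy photo service where the buggy handler treats "logged in" as "allowed", and the fixed handler adds an explicit authorization check. The photo store, the sharing data and the user names (alice, bob, carol) are constructed.

```python
"""Authentication versus authorization on a toy photo service."""
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when an authenticated user lacks permission for a resource."""


@dataclass
class Photo:
    photo_id: int
    owner: str
    # Users the owner has explicitly allowed to see this photo.
    shared_with: set = field(default_factory=set)


# Constructed sample data: bob shared photo 2 with alice only.
PHOTOS = {
    1: Photo(1, "alice"),
    2: Photo(2, "bob", {"alice"}),
    3: Photo(3, "bob"),
}


def authenticate(session: dict) -> str:
    """Authentication: who is the caller?  Assumes the login step already
    verified the password and stored the user name in the session."""
    user = session.get("user")
    if not user:
        raise PermissionError("not logged in")
    return user


def view_photo_insecure(session: dict, photo_id: int) -> Photo:
    """Buggy: being logged in is treated as permission to see any photo."""
    authenticate(session)
    return PHOTOS[photo_id]


def view_photo(session: dict, photo_id: int) -> Photo:
    """Fixed: authentication first, then an explicit authorization check
    against what the owner actually allowed."""
    viewer = authenticate(session)
    photo = PHOTOS[photo_id]
    if viewer != photo.owner and viewer not in photo.shared_with:
        raise AuthzError(f"{viewer} may not view photo {photo_id}")
    return photo
```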

A lot of security is knowing what not to do. Security by obscurity and hand-rolling security algorithms and protocols are the two things that immediately come to my mind. For example, while storing passwords, instead of coming up with an elaborate custom secure storage scheme, employ the industry-standard bcrypt.

There is a school of thought that more access control means better security. One of the manifestations of this is restricting SSH access to production boxes. Unless you have invested tons in tooling, this slows down teams drastically. In today’s world, where speed is paramount, this does not work. Under pressure to do things fast, teams find ingenious ways to circumvent these controls. Strict access control only works in organizations that are fine with taking things slowly, but this usually stifles productivity and leaves a bevy of frustrated developers. The only way around this problem is to have only the most necessary access control and take care of the rest through tooling. An example is how Netflix uses tools to enable developers to SSH into production boxes without compromising security.

Security implemented in a naive manner goes against the human tendency to accomplish tasks in the least restrictive manner. If you do not invest in tooling, security always gets in the way of accomplishing things.

A less intrusive way of doing security is to configure systems with sane defaults. An example – when you provision a server, ensure that it is fortified by default. If you are using external tools, configure them with sane defaults too. For example, if you are using Slack, configure it so that only people with your organization’s email address can sign up. Carry out a periodic audit of systems. This could be anything from periodically scanning SSH access logs to auditing repositories to ensure secrets and passwords have not leaked.
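What a periodic scan of SSH access logs can look like, as an added example that is not from the original post: it parses OpenSSH-style syslog lines and flags password logins (where keys are the sane default), logins by accounts outside an allow-list, and bursts of failures. The log lines, host names, users and addresses are constructed; the allow-list and threshold are assumptions.

```python
"""Periodic audit of sshd log lines for things a human should look at."""
import re
from collections import Counter

# Constructed sample: two key-based logins, one password login as root,
# and a burst of failures against a non-existent account.
SAMPLE_LOG = """\
Aug  3 09:14:02 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.12 port 50122 ssh2
Aug  3 09:15:40 web1 sshd[2150]: Accepted password for root from 198.51.100.7 port 40211 ssh2
Aug  3 09:16:01 web1 sshd[2160]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Aug  3 09:16:02 web1 sshd[2161]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
Aug  3 09:16:03 web1 sshd[2162]: Failed password for invalid user admin from 198.51.100.7 port 40214 ssh2
Aug  3 09:20:11 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.15 port 50190 ssh2
"""

# Matches the outcome, auth method, user and source address of each attempt.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log: str):
    """Yield one dict per recognised login attempt; ignore other lines."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def audit(log: str, allowed_users=frozenset({"deploy", "alice"}), fail_threshold=3):
    """Return human-readable findings (assumed allow-list and threshold)."""
    findings = []
    failures = Counter()
    for ev in parse(log):
        if ev["result"] == "Accepted":
            if ev["method"] == "password":
                findings.append(f"password login for {ev['user']} from {ev['ip']} (keys expected)")
            if ev["user"] not in allowed_users:
                findings.append(f"login by unexpected account {ev['user']} from {ev['ip']}")
        else:
            failures[ev["ip"]] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed logins from {ip}")
    return findings
```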

No writeup on security can be complete without touching upon compliance. There are tons – PCI, HIPAA, SOX etc. All these come with their own baggage. One simple way around this is to first understand which parts of your application have to be under the scope of compliance. For example, if you have an e-commerce application taking credit card information, you have to be PCI compliant. But this does not mean your entire application has to be under the scope of a PCI audit. You can smartly bifurcate the application into parts that deal with payment and parts that do not. Once this is done, only the parts that deal with payment have to be under PCI scope.

A final note: security is a never-ending concern; there is no such thing as enough security. Where you draw the line is up to you.

Here is a hilarious comic by XKCD on teaching a lesson to people who do not follow security practices.

[Image: XKCD comic "Exploits of a Mom"]

Blogs Versus Books

A long time back, at a social gathering, someone asked me what I do in my pastime. I said I read a lot. That person asked – What was the last book you read? I stumbled a bit and took a name. I realized that it had been quite a while since I read a book. Unbeknownst to me, I had gotten into the habit of reading blogs and articles online, with social media and message boards acting as the source. There is always more than you can chew, with articles touching a wide variety of subjects. Also, it feels a bit like going down a rabbit hole: one blog/tweet leads to another, which leads to another, and so on until you lose track of time.

I have been a voracious reader of books since my childhood. I got hooked on online articles and blogs only during the later part of my life. This got me thinking about the difference between reading blogs versus books.

Even though most books revolve around a central idea, the author takes pains to reinforce it with varying thoughts and anecdotes. The author builds a structured case around the idea and presents a lot of scenarios leading to the core idea. Reading blogs and articles in most cases feels like reading a summary of a concept or just one facet of it.

When you read a book you are enjoying the journey, whereas reading a blog feels more like focusing on the destination. Both have their own place, but one should strike a balance between the two.

Naming Things

There are only two hard things in Computer Science: cache invalidation and naming things.

— Phil Karlton

Even though the above might have been in jest, naming variables while writing code is a head-scratching experience. Should I make it short? Should I make it descriptive? If descriptive, how descriptive? These thoughts keep running in one’s head.

A simple strategy is to keep the descriptiveness of a variable’s name in line with the reach of that variable. If the variable is short-lived, i.e. confined to a small block, stick to a short name, as the cognitive load of the variable is negligible. If the variable’s reach is much larger, for instance if it spans a large number of lines, make it as descriptive as possible.

It goes without saying that names should adhere to the conventions that your team has adopted.

Self-infliction

I recently watched the movie Hichki. The plot of the movie revolves around a group of kids from a less privileged stratum of society who get a chance to attend an elite school. Over the course of time, these kids feel that the school and the more privileged students there do not give them the respect they deserve. They rebel against this by not studying, causing a nuisance and failing their grades.

Kids can be excused when they exhibit this self-inflicting behavior, but sadly a lot of adults manifest it too. One common adult refrain is – The organization is not treating me well, so I am not putting my best into the job. Keeping aside morality and the call of duty, who loses due to this behavior? It is you. When you do not put your best into anything, you do not improve. If you do not improve, you do not progress.

It is in your best interest to put 100% into your job irrespective of how your organization treats you. If you feel you are not treated well, talk to your higher-up and see if you can change this. If not, move on. Slacking is not an answer. You are harming yourself by exhibiting this sort of behavior.