In today's edition of the Safety At Speed Podcast, I spoke to the co-founders of Corgibytes - Andrea Goulet and Scott Ford. The goal of Corgibytes is to help different groups and organizations modernize their existing software applications. In many cases, organizations have existing programs that they have been using for a long time and that provide a ton of value, but that are not always easy to work on. Corgibytes cleans everything up and makes it more modern and secure. They call themselves the “Code Whisperers”.


As a company that works with sensitive data – such as customer information and intellectual property – Corgibytes has had to overcome some obstacles when working with their clients.


The Biggest Issue They Face Is Trust


One of the first obstacles that Corgibytes faces is getting clients to trust them. In many cases, clients are unwilling to let an outside company take a peek at their applications. Since so much of their business relies upon these applications, it is a little scary to allow someone else to access them. Not only are there intellectual property concerns, but stored customer data is also an issue. If customer data were ever leaked or exposed, it would create a large issue for the client.


To combat this, Corgibytes has started using different security and legal methods to help ease some of their clients' worries. One such method is to allow the client to set up their own virtual environment. This way, Corgibytes completes all of the work within an environment that their client controls.


Security Costs Can Get In The Way


Because Corgibytes is often dealing with sensitive information, their clients require all sorts of different security measures. In one instance, a client wanted an armed guard to be in the room where the work was being performed. However, since Corgibytes employees all work from different locations, this made it unfeasible. It would have simply cost too much to hire an armed guard to be stationed within every coder's home. Andrea and Scott say that they are usually able to work out a compromise with their clients, but in some cases the required security measures simply make that impossible.


As Andrea says, “In order to move fast, and in order to get the value that we're promoting, we have to have a limited burden. It's finding that place that is right in the middle.”


Corgibytes Places An Emphasis On Self-Care


Andrea believes that “the biggest security risk are people who are burning out.” Scott told a story about his time working in aerospace, when a safety officer would shut down missions if he sensed the crew was getting tired. Anytime someone suggested “powering through” this was a warning sign that they needed to end for the day. This experience taught Scott that human factors matter, and that ignoring them has consequences.


To address the issue of tired employees, Andrea and Scott have implemented a few policies to ensure everyone stays fresh. For starters, they allow their employees to pick the number of hours they want to work each week, and adjust their pay based on their selection. In addition, there is no set time that employees need to work; they just need to finish their hours by the end of the week. They also offer virtual yoga classes to help their employees relax throughout the day.


They Plan For Mistakes


Even though they take measures to prevent their employees from making mistakes, they know mistakes are going to happen anyway. Andrea and Scott have implemented a two-pronged approach for dealing with them. The first prong is to have systems in place that minimize the impact. They plan for easy rollbacks and have systems in place that constantly monitor for issues, so that when something does happen, they can fix it quickly.


Secondly, when a mistake does happen, they don't focus on placing blame. They believe that placing blame only leads to fear of mistakes, which in turn creates even more mistakes. Rather, they try to find the reason that the mistake happened, and how they can prevent it from happening again.


They Want Security To Be More Continuous


Finally, Andrea expressed a desire for security measures to become more continuous in the future. Rather than having a set level of security for each project, it should vary based on the stage of the project. Based on the workflow, security could be dialed up or down to fit the circumstances. As of right now, one of their biggest challenges is knowing how much security is actually needed, and finding a way to balance costs against these needs. A continuous approach to security would allow them to better address their needs and be more cost-effective.


Tools That Corgibytes Likes

CircleCI
Honeybadger
HackerOne
Sonatype

Find Andrea and Scott Online

Corgibytes.com
legacycode.rocks
slack.legacycode.rocks

Scott on Twitter - https://twitter.com/mscottford


Andrea on Twitter - https://twitter.com/andreagoulet
