
VP of InfoSec at InVision on secure code development [audio] - chef_goldbum
https://www.strongdm.com/johnathan-hunt-invision/
======
tptacek
Can someone help me understand what's interesting about the VP of InfoSec at
InVision? What's InVision?

~~~
SkyPuncher
InVision is a tool for making interactive click-throughs, typically, of
software mockups. It provides a very natural feeling to prototypes.

I'd expect security is important because of the pre-release and experimental
nature of most product mockups.

------
bionicbits
I wonder if languages like Rust would be helpful in areas like this?
Especially considering that the strictness of the compiler might allow more
"green" developers opportunity to contribute.

~~~
bsamuels
Rust addresses C/C++ security issues, but that's where the security benefits
end (that's still a lot of benefits though!)

I really wish "units of measure" types took off in the langdev world. "String"
is woefully inadequate to describe the actual type of a string; imagine a
world where string data is of type <string:urlencoded> or
<string:xsssanitized>, and display functions would only accept strings of the
correct type. I know F# has this, but unfortunately it never caught on
elsewhere.

~~~
archgoon
What are the problems with using inheritance to handle this?

    
      class urlencoded extends String;
    
      class xsssanitized extends String;
    

then secure functions can be explicit about what type they need.

    
      void embedInPage(xsssanitized xssString);

~~~
tptacek
Most modern frameworks, in all the mainstream languages, already have this
feature, and it's usually the default. You still get XSS because you still
have to override the filter to do custom HTML, but it helps a lot.

~~~
archgoon
Right; I'm trying to understand the difference between this and the "units of
measure" approach the grandparent was referencing.

(To be clear, your latter point is referring to things like
'dangerouslySetInnerHTML' in react?)

[https://reactjs.org/docs/dom-elements.html#dangerouslysetinn...](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml)

~~~
pcwalton
There isn't a difference, really. Inheritance is one way of implementing
"units of measure".

~~~
pvg
There are practical differences, though, such that it's often not implemented
by subclassing string.
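The alternative to subclassing that this sub-thread circles around, as an added example not taken from any commenter: a "unit of measure" for strings done with Rust's newtype pattern. `HtmlSafe`, `escape`, `trusted` and `embed_in_page` are names assumed for the illustration; the only way to obtain an `HtmlSafe` is through the escaping constructor or an explicit `trusted` override, so the display function cannot be handed raw input by accident.

```rust
// Added example (not from the thread): a typed string via a newtype instead
// of inheritance. The inner String is private, so values can only be built
// through the constructors below.
pub struct HtmlSafe(String);

impl HtmlSafe {
    /// Escape the characters HTML treats specially. This is the normal path
    /// from untrusted text to something that may be embedded in a page.
    pub fn escape(raw: &str) -> HtmlSafe {
        let mut out = String::with_capacity(raw.len());
        for c in raw.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#x27;"),
                _ => out.push(c),
            }
        }
        HtmlSafe(out)
    }

    /// Markup the developer explicitly vouches for: the deliberate,
    /// greppable override, analogous to dangerouslySetInnerHTML.
    pub fn trusted(markup: &str) -> HtmlSafe {
        HtmlSafe(markup.to_string())
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Accepts only HtmlSafe; passing a &str or String here is a compile error.
pub fn embed_in_page(title: HtmlSafe, body: HtmlSafe) -> String {
    format!("<h1>{}</h1><p>{}</p>", title.as_str(), body.as_str())
}

fn main() {
    // Constructed sample input standing in for a user-supplied comment.
    let user_input = "<b>hi</b> & \"you\"";
    let page = embed_in_page(HtmlSafe::escape("Comments"), HtmlSafe::escape(user_input));
    println!("{}", page);
    // embed_in_page(HtmlSafe::escape("Comments"), user_input.to_string()); // would not compile
}
```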

------
devmunchies
> _InVision is a 100% remotely distributed company. We don’t have an office,
> we have almost 1000 employees, we have scaled to 1000 people with everyone
> working out of their own home_

just like most open source projects.

one of the bad parts IMO is that you can't hire green engineers since they
need more hands-on guidance.

~~~
saidajigumi
I've thought the same, but is this true?

A shout-out to HN folks w/ experience at full-remote companies: are there
hiring and onboarding practices you've used that allow less-experienced hires
to be successful when working remotely?

~~~
jmccarthy
On our full-remote team the #1 onboarding (and ongoing) practice for engineers
is near-full-time pair programming.

For engineers who haven't logged many pairing hours before, it requires a few
weeks of stamina-building: it's initially exhausting to hold a model in your
head while engaging your vocal cords.

One non-obvious but critical tip for continuous pairing: ensure everyone has
an excellent audio environment. Buy the right headset, have a door or acoustic
foam installed in the home office, etc.

------
Bhilai
> A bug bounty program, you’re inviting the entire world to attack your site.
> And by the way, you’re not obviously using production, right, you’re
> spinning up a clone that has no customer data. And it’s not even connected
> to your network.

> Also, pen tests rarely perform lateral movements across your app, right?
> .... Whereas a bug bounty, those people can continue to move and infiltrate
> your network and give you a string of attacks that they were able to finally
> polling your data,

So I may have misunderstood (or the transcribing is wrong) but the person says
you should give bug bounty hunters an isolated non-production instance and yet
wants "lateral movement"? Sounds a bit incoherent.

------
aboutruby
Should probably say [audio] in the title (it's 30 minutes without
transcription).

~~~
chef_goldbum
If you scroll down on the page there is a transcription.

~~~
aboutruby
Oh thanks, thought it was a footer under the audio player.

