Asking When: Ethics in the Product Development Process Part 3
Tuesday June 23, 2020
So, we’re back! If you caught my last piece, I spoke about ethical perspectives to bring into your solution architecture (including but not limited to technical research). Of course, all of this is easier said than done. Particularly when moving into back-end implementation, and thinking about security and data, ethical challenges abound. But, as we all know, delivery folks are busy. So very busy, sprinting in order to stay ahead, lest the competition release something first (that might be… shockingly similar). And, because of this never-ending sprint, clients can sometimes gloss over solving a problem that has an inherently unethical impact (ahem, Volkswagen, anyone?).
When doing back-end work, it can be easy not to bump the lamp (i.e., raise a red flag!) and just gloss over any security, authentication, authorization and storage no-nos you might see. In fact, according to the 2018 Stack Overflow Developer Survey, writing unethical code is a grey area for a lot of developers.
Just because someone has decided that you’re going to build something, doesn’t mean you have to build something. At Connected, architects and those implementing are often one and the same. If you are working somewhere where that isn’t the case – and you’re just given directives of what to implement – then that doesn’t mean you can’t ask questions. At the end of the day, that’s really what being ethical is all about: trying to get enough context, and the right context, so that you can make an informed decision. This is undoubtedly challenging. This is also less about being a whistleblower (although, this is what a whistleblower policy can look like) and more about choosing to ask questions instead of only focusing on writing code to create a testable and predictable solution. Much like when designing your solution architecture, you need to think about the security and data of what you are building when you’re moving into feature-level designs so that your product has your users’ wellbeing top of mind.
- As a practitioner, you should be staying up to date on common attack classes like SQL injection, CSRF, etc. and understand how to defend against them (parameterized queries, per-session anti-forgery tokens, and so on). This course is part of an ethical hacking series and geared towards understanding SQL injection. And, here’s a rundown on generating CSRF tokens to prevent attacks.
- Of course, if you are building web-based platforms then there are tools that you can reach for in helping you check to see if your security practices are up to snuff. People are always trying to break in, even if your product doesn’t seem hella interesting (data is gold, people). The OWASP Foundation has a roundup of tools for different platforms.
- And, if you’re so inspired as to become the next great White Hat, there are courses you can take like this one from Station X
- While we are talking about hacking, let’s appreciate the fact that exposing holes should be celebrated, not an irritating mid-sprint recalibration you have to do
- And, keep basic data hygiene practices in mind. Don’t store plain text passwords. Or payment card data you don’t absolutely need. And don’t log any sensitive user information as plain text either. Just don’t.
- Another basic don’t: committing certificates, keys, passwords, tokens, etc. to the code repo. Once a secret has been pushed it lives on in the history, so it has to be rotated, not just deleted.
- Be thoughtful about how you will be anonymizing your data (for reproducing production issues later on, or what have you). Masking or dropping fields is safer than hashing them, since a hashed email or user ID is still a stable identifier.
- Of course, there are some important do’s: scrub sensitive information before logging! Hash passwords with a slow, salted algorithm (bcrypt, scrypt or Argon2) before storing them! Use environment variables (or a secrets manager) to keep your secret keys out of the repo! Etc., etc. At the end of the day, keeping your product secure for your audience = an ethical practice you can, and should do.
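Two of the attack classes named in the list above, as an added worked example in Python (this is not code from the original post or from Connected): a login lookup that splices user input into the SQL text next to its parameterized fix, and a synchronizer-token CSRF check. The users table, the account name and the session IDs are constructed for the demo, and the token store is an in-memory dict standing in for whatever session storage your framework uses.

```python
"""Added example: SQL injection before/after, and synchronizer-token CSRF.
Standard library only; the table contents and session IDs are constructed."""
import hmac
import secrets
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account in a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'not-a-real-hash')")
    conn.commit()
    return conn


def count_users_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Deliberately vulnerable: the request value is spliced into the SQL text,
    so a username of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()[0]


def count_users_safe(conn: sqlite3.Connection, username: str) -> int:
    """Hardened: the driver binds the value as data; it can never become SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0]


class CsrfTokens:
    """Synchronizer-token pattern: mint one unguessable token per session,
    keep it server-side, and require every state-changing request to echo
    it back (hidden form field or request header). A cross-site request
    cannot read the token, so it cannot supply it."""

    def __init__(self) -> None:
        # Constructed stand-in for real session storage.
        self._by_session: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._by_session.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time compare: a plain == can leak the token through timing.
        return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", count_users_vulnerable(db, payload))  # 1: no such user, yet it matches
    print("safe:      ", count_users_safe(db, payload))        # 0: the payload is just a string
    tokens = CsrfTokens()
    t = tokens.issue("sess-1")
    print("csrf ok:", tokens.verify("sess-1", t), "forged:", tokens.verify("sess-1", "x" + t))
```

The vulnerable function is only there to show the failure; the point of the pair is that the parameterized version returns 0 for the same payload because the driver never interprets the value as SQL. For the CSRF side, the same `verify` call belongs in front of every POST, PUT and DELETE handler, and the token should be reissued when the session is created or re-authenticated.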
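The data hygiene do’s and don’ts above, as an added Python example (not code from the original post or from Connected): store a salted scrypt hash instead of the password, redact card numbers, emails and credential values before a line reaches the log, and load secret keys from the environment, failing closed when they are missing. The sample log line and the secret value are constructed for the demo; the redaction regexes are a starting point, not a complete catalogue of sensitive fields.

```python
"""Added example: password hashing, log redaction, secrets from the environment.
The sample log line and secret value below are constructed for the demo."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Mapping, Optional

# --- Passwords: store salt + slow hash, never the plaintext ---------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt is memory-hard, so offline guessing is expensive. The record
    carries its own parameters so they can be raised later without a migration."""
    salt = salt or secrets.token_bytes(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- Logs: scrub before the write, not after the leak --------------------------

_REDACTIONS = [
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[CARD]"),          # 13-16 digit card numbers
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"(?i)\b(password|passwd|token|api[_-]?key)=([^&\s]+)"),
     r"\1=[REDACTED]"),
]


def scrub(line: str) -> str:
    """Apply every redaction rule to one log line before it is written."""
    for pattern, replacement in _REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


# --- Secrets: environment or vault, never the repo -----------------------------

def load_secret(name: str, environ: Mapping[str, str] = os.environ) -> str:
    """Fail closed: a missing secret should stop startup, not silently default."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
    # Constructed log line containing the three things you never want in a log.
    print(scrub("login user=alice@example.com password=hunter2 card=4111 1111 1111 1111"))
    # Constructed environment; in production this comes from the real os.environ.
    print(load_secret("DEMO_API_KEY", {"DEMO_API_KEY": "constructed-value"}))
```

Wire `scrub` in as a logging filter or formatter so it runs on every record rather than at the call sites you remembered, and treat a `load_secret` failure at startup as the intended outcome: a service that boots with an empty signing key is worse than one that refuses to boot.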
This article, like the previous one, isn’t supposed to be easy. Ethics are hard. And, ethics is a continuum, not a binary. The grey-ness indicated by the Stack Overflow survey isn’t altogether surprising. Some spaces in the product development process have such an exhausting amount of ethical resources and things to remember, it seems impossible to do so. But hopefully this list provides you with some new, useful information so you can start building more ethically in the future.
Stay tuned for the next part in this mini series: Creating the overall user experience (UX) of your product!