Fitting Dev Security into a busy day
As my blog can attest, I have been somewhat distracted over the last 12 months or so by the day job. The blog isn’t the only casualty. What with work, a little self study (but nowhere near enough) and family life, I have no time and little desire to keep plugging away on things that didn’t directly lead to my recent spell of employment.
The day job
The day job is probably not what I was planning to do, but it has some interesting challenges and I work with some decent folk, so I can’t complain. I do, as with most people with my skill set, basically stare at a computer for 8 hours a day, 5 days a week. So pretty much the last thing I want to do when I get home is look at a computer, though oddly, looking at the TV doesn’t seem anywhere near as demanding 😛
Family life
When I’m not at work, I’m fighting with the kids, I mean negotiating, to get them to do the things I want them to do… or trying to keep a tidy house, or preparing dinner, all the boring things that grown-ups need to do.
The weekend
Of course I get two whole days for me, except I don’t, because whilst the wife usually takes over the cooking part of being a grown-up for the weekend, these days are when we do even worse grown-up things, like go shopping…
Additionally, we have these 2 days to help the kids keep up with school work, help them build some school project, or just take them to the play park, etc.
The projects
All of those things I’ve worked on over the last few years, some finished, many not, still live, mostly, in my GitHub repos. Several of them have been caught out by recent vulnerabilities in React or other node packages. So today, I woke up to see an unusually high number of emails for a Friday morning, for me at least.
Some I had seen before and filed under “I’ll do that later” (but never actually got round to it), but many were new.
Now, as far as I know, I haven’t had anything that has been compromised, and most of my live (used) projects, thankfully, haven’t been caught up in these events due to not having those problematic components. But that doesn’t stop GitHub, Netlify and Vercel from emailing me about them.
Of course I am thankful for the friendly nudge from my service providers, I don’t mean to complain about that, I also wouldn’t dream of complaining about the problem being in a React component for example. My complaint, if there is one at all, is to myself for not staying on top of these things.
Update or archive?
There are some projects that I built (or at least started to build) as proof-of-concept or learning exercises. The tech I used for a given project may have been a one-time thing for me. So one of the first challenges I had was trying to remember how to update each of them; in many cases npm was the winner, but that wasn’t true for all of my projects.
Additionally, I have a couple of old Gatsby blogs. I specifically moved away from them because every time I did an update, it would break some dependency and I would be caught in dependency hell, where fixing one thing broke another…
Furthermore, there are some things I really find interesting, but actually getting employment off the back of that interest is incredibly hard (looking at you, Web3), so keeping those projects up to date feels like a waste of my limited time.
The projects that I or others currently rely on were actually mostly unaffected (except that an Ubuntu LTS build image has changed). For projects that I basically finished but don’t use, I spent several hours trying to manage the dependencies. For projects that I just don’t have the time or energy to throw at them for now, I archived them.
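The update-or-archive decision above can be made mechanically from the output of `npm audit --json`. The script below is an added example, not code from the post or from any of the projects it mentions. It assumes the report format that npm 7 and later emit (`auditReportVersion` 2, where `fixAvailable` is `true` for a non-breaking fix, an object with `isSemVerMajor` when the fix needs a major version bump, and `false` when there is no fix). The embedded report is constructed sample data, not real audit output.

```python
"""Triage an `npm audit --json` report into update-vs-archive buckets.

Added example, not from the original post. Assumes the npm 7+ report
format (auditReportVersion 2). Each vulnerable package is classified as:
  update           - `npm audit fix` resolves it without breaking changes
  update-breaking  - a fix exists but needs a semver-major bump
                     (the "dependency hell" case from the post)
  no-fix           - nothing to upgrade to; remove the package or
                     archive the repo
"""
import json

# Constructed sample report (not real audit output): one transitive
# critical with a clean fix, one direct high that only fixes with a
# major bump, and one direct moderate with no fix at all.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "minimist": {
            "name": "minimist", "severity": "critical", "isDirect": False,
            "via": ["minimist"], "effects": ["mkdirp"], "range": "<1.2.6",
            "fixAvailable": True,
        },
        "react-scripts": {
            "name": "react-scripts", "severity": "high", "isDirect": True,
            "via": ["nth-check"], "effects": [], "range": "<=5.0.1",
            "fixAvailable": {"name": "react-scripts", "version": "5.0.1",
                             "isSemVerMajor": True},
        },
        "old-widget": {  # hypothetical package name used for illustration
            "name": "old-widget", "severity": "moderate", "isDirect": True,
            "via": ["old-widget"], "effects": [], "range": "*",
            "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"critical": 1, "high": 1, "moderate": 1}},
})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def sev_rank(severity):
    """Rank a severity string; unknown strings sort as 'info'."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def classify(vuln):
    """Map npm's fixAvailable field to one of the three actions."""
    fix = vuln.get("fixAvailable", False)
    if fix is True:
        return "update"
    if isinstance(fix, dict):
        return "update-breaking" if fix.get("isSemVerMajor") else "update"
    return "no-fix"


def triage(report_json, min_severity="moderate"):
    """Return one row per vulnerable package at or above min_severity,
    worst severity first, each with its recommended action."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected an npm 7+ audit report (auditReportVersion 2)")
    threshold = sev_rank(min_severity)
    rows = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if sev_rank(severity) < threshold:
            continue
        rows.append({
            "name": name,
            "severity": severity,
            "direct": bool(vuln.get("isDirect")),
            "action": classify(vuln),
        })
    rows.sort(key=lambda r: (-sev_rank(r["severity"]), r["name"]))
    return rows


def recommend(rows):
    """Repo-level verdict: the most expensive action any finding needs."""
    if not rows:
        return "clean"
    actions = {r["action"] for r in rows}
    if "no-fix" in actions:
        return "archive-or-remove"
    if "update-breaking" in actions:
        return "update-breaking"
    return "update"


if __name__ == "__main__":
    # Real use: `npm audit --json > audit.json` and pass the file contents.
    findings = triage(SAMPLE_AUDIT)
    for row in findings:
        kind = "direct" if row["direct"] else "transitive"
        print(f"{row['severity']:9} {kind:10} {row['name']:15} -> {row['action']}")
    print("repo verdict:", recommend(findings))
```

Run it against a real report with `npm audit --json > audit.json` and feed the file contents to `triage`. A verdict of `update` means `npm audit fix` is enough; `update-breaking` means budget time for `--force` and the fallout; `archive-or-remove` means there is nothing to upgrade to, which is exactly the case where archiving the repo is the honest option.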
Learning moment
I have a robust attitude to risk and security at work, but some of my personal projects fell by the wayside. I have a couple of mobile apps that I update, just because I use them and I generally can’t push out my own updates without addressing the issues flagged during the build. For projects that I no longer have a need to maintain, I am archiving them. If they had a web presence, I likely took it down, though a couple are still up.
If you have finished with something, it’s worth keeping the repo on GitHub, in my opinion, as you never know when you might want to revisit it. It also supports your learning journey: it shows that you have been plugging away at problems, large or small, for a period of time, and that this isn’t something you just picked up last week and now think you deserve a job in. But if you are not currently working on it, archive it; that marks the repo as read-only and reduces the alerts from your service providers. That said, I did notice that even though I archived a repo with lots of vulnerable code in it, it did not prevent someone from taking a fork, so that dodgy code might well live on, I hope in nothing that makes it to production.