Intentional weakness, getting a job in tech, and OSS funding - 123dev #50

I’m back to custom issue titles. I’ll add a small intro here too. Welcome all the new subscribers. ❤️

Older cars were built strong with lots of metal and reinforced welds. The thought that building every part strong so it wouldn’t break turned out to be a bad idea.

In an accident, something has to give. All that energy has to go somewhere. With a rigid frame—and mostly hollow interior—the area that usually collapsed was the passenger space. Combine that with a lack of other safety features, accidents used to be much more dangerous for the people than the cars.

Newer cars have intentional weaknesses in the front and rear known as crumple zones. This makes sure the rigid passenger compartment is the last thing to collapse.

Writing software and building systems need similar intentional weaknesses to make sure the most important components and critical functionality is protected. Sometimes, you can predict how systems will fail. Other times you have to discover failures in action.

The car industry does this by building test cars, crash test dummies, and lots of instrumentation (e.g. sensors, high speed cameras). The software industry does this with trial an error, test environments, and debuggers.

The internet was in a flurry to update log4j settings to prevent exploitation last week. If you were quick, you updated your settings and then had to patch the library the next day.

Your ability to deploy changes quickly has impact for your business’ ability to adapt and your security posture. All that time you’ve put off updating your Jenkins instance or migrating to a new system should have been a higher priority.

This security vulnerability devolved into a discussion online about open source funding. How can we prevent these type of issues in the future and what is the responsibility of “big business”? I don’t have answers, but I don’t think the solution is as simple as throwing money at maintainers, and current solutions with scanning and notifications aren’t working.

I talked to a lot of people last week about getting a job in tech. I took a lot of the advice I was giving in DMs and put it in this thread. If you’re a new subscriber thank you. Feel free to reply to this email if you have feedback or would like to see specific topics.

I wrote this blog at the beginning of this newsletter, but I’m going to include it again so all of the new subscribers can read it too. Still relevant information that is more generic than the twitter thread.

I found this page extremely useful for HTML and CSS snippets. Not only do they give you the code but they clearly show what it should look like with an image and example.