Thoughts on Security

It is almost impossible to secure a web app. You cannot tell whether a request comes from a browser or from a script simulating one. Anything that can be called from the browser should be treated as a public API (the one exception being that you need not promise backwards compatibility).

This means any endpoint reachable from the client must be treated as if the user is calling it directly, so every endpoint needs to consider authentication (who the user is) and authorisation (what that user is allowed to do). Trust no-one!

It also means that every endpoint needs to be tested at the API level, not just via the UI.
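The following is an added example, not code from the original page: a small backend where every endpoint performs its own authentication and authorisation on the server side, so it behaves identically whether the caller is the real UI or a script imitating it, and a set of checks that exercise the endpoints directly at the API level. The session table, document store, route table and all function names are constructed for this example.

```javascript
// Added example, not from the original page: a backend that authenticates and
// authorises every endpoint on the server side, so it behaves the same whether
// the caller is the real UI or a script imitating it. SESSIONS, DOCUMENTS,
// POLICIES, ROUTES and the function names are constructed for this example.

// Constructed sample state: bearer token -> user, and documents with owners.
const SESSIONS = {
  "tok-alice": { id: "alice", role: "user" },
  "tok-bob":   { id: "bob",   role: "user" },
  "tok-admin": { id: "root",  role: "admin" },
};
const DOCUMENTS = {
  "doc-1": { owner: "alice", body: "alice's notes" },
  "doc-2": { owner: "bob",   body: "bob's notes" },
};

// Authentication: who is calling? Null for a missing or unknown token.
function authenticate(req) {
  const header = req.headers["authorization"] || "";
  const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : "";
  return SESSIONS[token] || null;
}

// Authorisation: what may this user do to this resource? Every route must
// name one of these, so "the UI hides the button" never stands in for a check.
const POLICIES = {
  readDocument: (user, doc) => user.role === "admin" || doc.owner === user.id,
  listUsers:    (user)      => user.role === "admin",
};

// Route table: method, path pattern, optional resource loader, policy, handler.
const ROUTES = [
  {
    method: "GET", pattern: /^\/api\/docs\/([\w-]+)$/,
    resource: (m) => DOCUMENTS[m[1]] || null,
    policy: "readDocument",
    handler: (user, doc) => ({ status: 200, body: doc.body }),
  },
  {
    method: "GET", pattern: /^\/api\/users$/,
    resource: null,
    policy: "listUsers",
    handler: () => ({ status: 200, body: Object.values(SESSIONS).map((u) => u.id) }),
  },
];

// The single entry point every request goes through. Order matters:
// authenticate first, then find the route, load the resource, then authorise.
function handle(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "authentication required" };

  for (const route of ROUTES) {
    if (route.method !== req.method) continue;
    const match = req.path.match(route.pattern);
    if (!match) continue;

    const resource = route.resource ? route.resource(match) : undefined;
    if (route.resource && resource === null) return { status: 404, body: "not found" };
    if (!POLICIES[route.policy](user, resource)) return { status: 403, body: "forbidden" };
    return route.handler(user, resource);
  }
  return { status: 404, body: "not found" };
}

// A caller that is plainly not a browser: no cookies, no UI, just the request
// a script would send. Used to exercise endpoints directly at the API level.
function callAsScript(method, path, token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return handle({ method, path, headers });
}

// Direct API-level checks, independent of any UI flow.
function runApiChecks() {
  return {
    ownerReads:      callAsScript("GET", "/api/docs/doc-1", "tok-alice").status, // 200
    strangerReads:   callAsScript("GET", "/api/docs/doc-2", "tok-alice").status, // 403
    adminReads:      callAsScript("GET", "/api/docs/doc-2", "tok-admin").status, // 200
    anonymousReads:  callAsScript("GET", "/api/docs/doc-1", null).status,        // 401
    userListsUsers:  callAsScript("GET", "/api/users", "tok-bob").status,        // 403
    adminListsUsers: callAsScript("GET", "/api/users", "tok-admin").body,        // ["alice","bob","root"]
    missingDoc:      callAsScript("GET", "/api/docs/doc-9", "tok-admin").status, // 404
  };
}
```

The point of the route table is that a route cannot be registered without naming a policy, so the "nobody will call this because the UI never shows the button" reasoning has nowhere to live; and `runApiChecks` is the shape of test the section asks for, one that talks to each endpoint as a script would rather than driving the UI.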

All those carefully constructed, minified JS bundles form excellent documentation of your exposed APIs: every endpoint sits among the minified code as a neat little string.
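Since the bundle is already the inventory an outsider would read, a defender can read it the same way and check it against the backend. The following added example (not code from the original page) scans a constructed stand-in for a minified bundle for API path strings, normalises dynamic segments, and reports endpoints the backend's route table does not know about or has no API-level test for. `BUNDLE`, `ROUTE_TABLE` and the function names are constructed for this example.

```javascript
// Added example, not from the original page: treat the shipped JS bundle as
// the API inventory an outsider would read, and check that every endpoint it
// reveals is known to the backend and has an API-level test.
// BUNDLE, ROUTE_TABLE and the function names are constructed for this example.

// Constructed stand-in for a minified bundle. Endpoint strings survive
// minification because they are literals the code has to send on the wire.
const BUNDLE =
  'function a(e){return fetch("/api/docs/"+e)}' +
  'function b(){return fetch("/api/users",{method:"GET"})}' +
  'function c(e){return fetch(`/api/docs/${e}/share`,{method:"POST"})}' +
  'var d="/api/admin/export";';

// The backend's own view: each route and whether it has a direct API-level test.
const ROUTE_TABLE = [
  { path: "/api/docs/:param",       tested: true },
  { path: "/api/docs/:param/share", tested: false },
  { path: "/api/users",             tested: true },
];

// Pull every string literal that looks like an API path out of the bundle and
// normalise dynamic segments to ":param" so they line up with the route table.
function extractEndpoints(source) {
  const found = new Set();
  // quote, path starting with /api/, same quote, optional trailing "+" concat
  const re = /(["'`])(\/api\/[^"'`]*)\1(\s*\+)?/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let path = m[2].replace(/\$\{[^}]*\}/g, ":param"); // `/api/docs/${id}`
    if (m[3] && path.endsWith("/")) path += ":param";  // "/api/docs/" + id
    found.add(path);
  }
  return [...found].sort();
}

// Compare what the bundle exposes with what the backend knows and has tested.
function auditBundle(source, routeTable) {
  const known = new Map(routeTable.map((r) => [r.path, r]));
  const exposed = extractEndpoints(source);
  return {
    exposed,
    // shipped to every client, but the backend has no record of it
    unknown: exposed.filter((p) => !known.has(p)),
    // known to the backend, but only ever exercised through the UI
    untested: exposed.filter((p) => known.has(p) && !known.get(p).tested),
  };
}
```

The scan is deliberately as cheap as the one anybody could run over the same file; the value is in the comparison, which turns "the bundle documents our API" from a worry into a coverage report you can fail a build on.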

Bus Factor

The Bus Factor for a project is the number of people who, if hit by a bus (or who otherwise left abruptly), would bring the project to a halt.

In an ideal situation there are sufficient runbooks and documentation for a project to continue should all the team members leave. This is frequently not the case.

Pairing can help reduce the Bus Factor, because two people then have context on most things. It can still go wrong at the minimum effective team size (METS) of three: METS allows for one person to be on holiday and one to be sick while someone is still left to make some form of progress. The downside is that one person will not be pairing (or the team can only mob on a single item).

You can’t eliminate the Bus Factor, but you do need to reduce it. If anyone has too much information in their head, they need to start actively writing down more than they normally would, carefully documenting how to do anything that only they know how to do.

This can seem counterproductive if having special knowledge makes you feel special. However, being irreplaceable also means being unpromotable, as the essential knowledge you hoard becomes a burden.

How big is your project's Bus Factor?