Who is team Merlin?
Hey there! This is the very first post from team Merlin! If you have yet heard about us or have heard about us but unsure of what we’re doing, then you should continue reading!
Fret not, we won’t be telling a grandfather story! (why grandfather? See the team chart below and you’ll understand why!)
Team Merlin is a centralised team in Digital Design and Development (aka DCube or D3) and it consists of two sub teams — Security and Quality Engineering (QE).
Yup! We aren’t kidding! In 2017, there were some discussions about the gaps between the security policy and what needs to be done within DCube and then…
As there was resource constraint (there were only three of us back then), we started off by identifying the missing security processes, deciding on the direction, and also planning for the future. The first security service provided by team Merlin was the (internal) Vulnerability Assessment and Penetration Testing (VAPT)!
Today, team Merlin has grown quite a bit and we now have a total of eight members!
What does team Merlin do?
Team Merlin’s role here is to uphold the security posture of the products in DCube. But don’t be mistaken; we aren’t so much of a security police but rather, our goal is to encourage the product teams to be more pro-active in reducing vulnerabilities and to be more IM8-compliant.
But before any security issues can be resolved, we first have to know where and what exactly are those issues happening at, right? So how do team Merlin and the product teams know about it?
Here’s how security and team Merlin’s services fit into DCube agile framework:
There will be manual secure code review conducted every month. The purpose of this manual secure code review is to catch any IM8 violations, potential security loopholes, and also bad coding practices which may lead to security issues. An internal penetration testing will also be conducted on a quarterly basis. All these security issues found will then be discussed with the respective product teams during team Merlin’s monthly security review session.
During the monthly security review sessions, the key people (PM, tech. lead, 1 developer, and the QE) in each product team will be presented with the following:
- Current month’s health status as compared to the previous months
- Automated vulnerability scan results
- Findings flagged out by the secure code reviewer
- Internal penetration testing results (if there’s one done recently)
- Suggestions on how they can go about fixing these problems
- Share any solution or best practice implemented by the other product teams, especially when two or more teams are facing the same problem (well… sharing is caring, right?)
Of course, the product teams may also clarify/ask for any security or IM8-compliant advice(s) relating to the business requirements or how they should architect their code, infrastructure configurations, etc, and we’ll share our thoughts on those.
Okie dokie~ We shall end our first post here. There will be more good and hot stuff coming up! Stay tune and look out for our posts if you’d like to know more in-depth about what team Merlin is up to!