Who is team Merlin?

Hey there! This is the very first post from team Merlin! If you have not yet heard about us, or have heard about us but are unsure of what we’re doing, then you should continue reading!

Fret not, we won’t be telling a grandfather story! (Why grandfather? See the team chart below and you’ll understand why!)

Team Merlin is a centralised team in Digital Design and Development (aka DCube or D3) and it consists of two sub teams — Security and Quality Engineering (QE).

There’s a Security team in DCube?! Since when?!

Yup! We aren’t kidding! In 2017, there were some discussions about the gaps between the security policy and what needs to be done within DCube and then…

As there was a resource constraint (there were only three of us back then), we started off by identifying the missing security processes, deciding on the direction, and planning for the future. The first security service provided by team Merlin was the (internal) Vulnerability Assessment and Penetration Testing (VAPT)!

Today, team Merlin has grown quite a bit and we now have a total of eight members!

What does team Merlin do?

Team Merlin’s role here is to uphold the security posture of the products in DCube. But don’t be mistaken; we aren’t so much a security police. Rather, our goal is to encourage the product teams to be more proactive in reducing vulnerabilities and to be more IM8-compliant.

But before any security issues can be resolved, we first have to know where those issues are and what exactly they are, right? So how do team Merlin and the product teams know about them?

Here’s how security and team Merlin’s services fit into the DCube agile framework:

A manual secure code review will be conducted every month. Its purpose is to catch any IM8 violations, potential security loopholes, and bad coding practices which may lead to security issues. Internal penetration testing will also be conducted on a quarterly basis. All the security issues found will then be discussed with the respective product teams during team Merlin’s monthly security review session.

During the monthly security review sessions, the key people (PM, tech. lead, 1 developer, and the QE) in each product team will be presented with the following:

  • Current month’s health status as compared to the previous months
  • Automated vulnerability scan results
  • Findings flagged by the secure code reviewer
  • Internal penetration testing results (if there’s one done recently)
  • Suggestions on how they can go about fixing these problems
  • Any solution or best practice implemented by the other product teams, especially when two or more teams are facing the same problem (well… sharing is caring, right?)

Of course, the product teams may also clarify or ask for any security or IM8-compliance advice relating to the business requirements or how they should architect their code, infrastructure configurations, etc., and we’ll share our thoughts on those.

Okie dokie~ We shall end our first post here. There will be more good and hot stuff coming up! Stay tuned and look out for our posts if you’d like to know more in-depth about what team Merlin is up to!

- Merlin


Be Happy, Be Awesome! We deliver high-quality digital services to citizens and businesses in Singapore 😊


We are a team of Security & Quality Engineers in GDS-DCube.
