Why encouraging developer side projects can make your product better, and, in our case, more secure.
An important part of developer culture at Trello is what I call "tree painting." This turn of phrase comes from a 1958 documentary about Disney's background artists, Four Artists Paint One Tree. (If you want to track it down, it's usually on YouTube.)
You see, back in 1958 Disney had four background artists (Marc Davis, Eyvind Earle, Joshua Meador, and Walt Peregoy) working on Sleeping Beauty. As you might be able to imagine, when you get four amazing artists drawing together on one movie, issues in consistency may arise.
Here, for example, is one artist touching up another's work. He adds in leaves around the doorway to preserve the movie's aesthetic.
This is not unlike how we write code. One engineer comes to another with a draft of code. Via code review, the second engineer takes a look and suggests modifications. More often than not, the two engineers both walk away having learned from each other. This is the mark of a good engineering team.
So that's one half of the documentary, and arguably the least interesting half. That's because, right after the interviews conclude, the four artists travel to a tree. They sit down. They paint the tree.
It sounds boring until you watch these four artists, who have up until now been drawing under one uniform art direction, draw four completely different trees. The four resulting paintings differ in rhythm, form, and perspective.
And this, to me, is how a great engineering team runs. When we work together we find consensus and work in service of one grand overarching idea that happens to be called Trello. But individually we have quirks and points of view and style. We need the consistency, but we also need to temper it with breaks where we go out into the world and paint trees.
Because while it's nice to think that developers get all the growth and learning they need from working just on Trello, we also know it isn't entirely true. So instead we have processes in place to help developers grow outside the scope of just working on their assigned initiative. We give developers a $3,500-per-year stipend to go to conferences and report back; we have weekly tech talks where we show-and-tell our side projects and daydreams; and we constantly look for opportunities to experiment with new technologies.
To give you a real-life tree painting example, one of our server developers, Daniel LeCheminant, moonlights as a white-hat hacker. Daniel has a keen knack for identifying security vulnerabilities. In fact, we first heard about him from the 33 security vulnerabilities he found in Stack Overflow. He even managed to log in as Jeff Atwood at one point. (He reported the bug immediately after discovering it.) It was a no-brainer to hire him to work at Fog Creek, and then Trello.
Daniel has been taking a look at the software Trello uses, such as the communication channel Slack, with the express purpose of finding and reporting security concerns in their code. His endeavors benefit everyone: Trello uses Slack internally, so it is in our best interest that our main cross-company communication tool be more secure.
What does this imply about Trello's own security? For one thing, having Daniel on our team means that when we're developing a new feature, he's there to think through the security implications. Think of it as one person painting the leaves of the tree while Daniel touches up the security around the garden.
We also like to think that this means your data is as safe as it can be. But of course, confidence is no defense against vulnerabilities, and that is why Daniel has helped set up our very own bug bounty program on HackerOne. If you happen upon a vulnerability, report it to us and you'll have our gratitude. We would also like to thank the 21 people who have alerted us to various issues (all minor and fixed!).
Encouraging developers to paint their own trees is an effective way to improve a company's culture and, subsequently, the product itself. In our case, leveraging Daniel's tree painting led to an initiative that helps Trello be more secure. Bringing together talented people with differing strengths means that all of their input is needed in order to create a more complete arboretum.
For those interested in further reading on the technical details of hitting upon and polishing a vulnerability, check out Daniel's blog.