Nontraditional Red Teams

February 3, 2025

Most developers know about red teams: a specific group of people chosen to be the antagonist to your system, trying to sniff out vulnerabilities in your code or organization. Basically, like Sneakers, or the annoying plotline in The Newsroom season two. (Someone should have really red team’d Sorkin himself on that one.)

There’s a few other concepts of a red team I think that every development team should have some exposure to outside of the traditional cybersecurity angle.

Someone to look for dicks

Once upon a time, GitHub was very excitedly looking forward to shipping our FIRST BILLBOARD! It’s an odd experience, turning into one of those startups who advertise on 101. Some sort of weird fucked-up sign of maturity and/or sufficient VC dollars. Particularly for a company whose product only exists In The Cloud… seeing real-world analogues is very surreal.

So Marketing worked on it, ran it through design, chatted on some plans as to what it should look like. If I recall, the GitHub thread on it was a couple weeks old, and Cameron McEfee put out a final “I’m going to send this to the printers at the end of the day, so speak now or forever hold your peace!” Some few-dozen people had seen it at this point so it probably was fine.

Anyway, I looked at the last iteration around the same time as Rick Bradley did and we each were like… uh-oh that looks like goatse. Are we sure we aren’t goatse-ing all of San Francisco traffic for a few weeks? Seems rude.

Octocat... of a sort

Cameron dropped a “holy shit” and got it updated it prior to it hitting the printers. He also put a kind of “dick check” in the general design shipping process for large launches at GitHub- check for various genitals, meme-ability, and really any sort of ways the new work could be used in unintended ways.

I mean, the last thing you want is to have teammates work on something for months and users end up ignoring all their hard work because the new logo looks like a booty or something.

It sounds totally goofy, but it’s not a bad idea to have someone in an antagonistic mindset to make sure you’re not shipping something awkward, insulting, or inappropriate through your visuals.

Finally, internet shitposters have a valid business use case.

Someone with an ad blocker

Ad blockers can be somewhat contentious: on one hand it’s good to support websites whose access might be free-of-charge; on the other hand, so many of these websites are fucking terrible, with ads and popups and unclosable interstitials.

But some of your users are going to use ad blockers; there’s no way around that. So have some asshole on your team constantly piping up if you break navigation with various ad blockers turned on. Yeah, there’s some political aspects here — who blocks the blockers? — but every time a site inexplicably doesn’t work because someone made it so a file include or piece of HTML wrecks your entire site is one of the most rage-inducing aspects of modern sites out there, particularly if there aren’t any ads on the site in the first place.

Someone with a password manager

Look: I have a lot to say about sessions and signing in to a product, but suffice to say: there will be password managers for the foreseeable future and holy shit how do you all get the simplest sign-in form so wrong all the time?

Like, at its basic form it’s just a username and password. I get — sort of — layering on all this other shit like magic links and 2FA and enterprise sign-in, but so many dev teams don’t even get the basic form right: they do something custom in a hair-brained way so that 1Password or other password managers don’t auto-fill the form. (Yes, some of that is because 1Password itself has turned into some sort of deranged software that breaks if you look at it, but you get the idea.)

So someone on your team should use a password manager. I mean, you all should, of course, but for the love of god at least get one person on the team to pipe up with “why doesn’t my auto-fill work on our site?” And then fix it.

None of these are like, major blockers: people will work around broken forms or websites, and drivers will drive by your phallus on the highway. But they’re pretty easy to prevent. The main problem is that when you’re building a new feature you have so many other things to worry about… which is why having a kind of “red team” can be so helpful, to come at it with fresh, antagonistic eyes.

Anyway, just wanted you to think about this as you build your products! If you think it’s helpful, I’m just about to send these stickers to the printer- let me know if you’re interested in grabbing one.

Use your eyes!