Addition, Adaptation or Abandonment

At the core of introducing security to an environment is change. Change is an interesting and sometimes scary thing, especially if you are meddling is someone else's workflow or domain. 

So how do you handle this change when what you are proposing involves the developer’s workflows?

In short, you have to make very conscious decisions about what you add, what you adapt and what you abandon.

The most important consideration when adding to a lifecycle is the cost and frequency of the activity.  Costs need to be measured in both terms of activity completion and the additional costs levied as a result of delaying or providing less resource to other functions.

Additional activities need to be roughly scored before they are proposed to the team. This score may mean that the number of stories loaded into Sprints may need to be reduced to compensate. Trust me when I say that this will be a challenging conversation to have.

Scoring needs to be carried out in conjunction between security specialists and development leaders. It needs to factor in the ramp up or education period for the new practice as well as whether the change will impact on story development. Blocks introduced to processes need to be found early and addressed.

Examples of activities that are likely to be added to workflows include outsourced security services such as penetration testing and security vulnerability management. These include processes for triage, prioritisation and scheduling remediation of vulnerabilities as they are identified. 

The cost of adding items to workflows is quite clear. If something additional goes in, something has to give in return. Basic 'physics says no' rules apply here.

Is it better therefore to adapt existing rituals, artifacts or workflows to include security focus points?

What if the coffee shop was suffering from a case of sticky fingered clients? Drinks are going missing and Bob is getting into trouble. Something must be done.

Do we now have a secure warm drink filled utopia? I don’t think so.

The customers are feeling inconvenienced and are proving to be quite bad at remembering to keep their receipt at hand. Bob is slowed down by the additional checks and hot drinks are queuing up on the exit counter and rapidly going cold. Furthermore, nobody feels empowered or trusted.

The process was adapted for security but in making a change like this was security chaos theory in action. One tiny butterfly-wing-beat of an action and Godzilla destroys a perfectly good coffee shop.

Simply put, if security start tweaking and adapting processes without fully analysing and understanding the situation then small security gains will come at a massive cost to the organisation.

If you need to adapt an existing process, work with the process owners to figure out how best to do that. Keep your adaptations focused on objectives not activities.  Nobody knows the current process and its constraints as well as the people living it every day. Don’t assume you know better than they do, communicate your needs and support them in helping you meet them.

Sometimes the simplest adaptations can have the greatest return.

For example, tagging or labeling all tickets that come through your work tracking system (i.e. JIRA or equivalent) with the word ‘security’ allows any developer or technical team member to quickly identify and flag security related stories. This simple label is the enabler for custom dashboards and work flows. It can be used to trigger additional code reviews or make anticipating security consultant support requirements easier.  Best of all, anyone can do it. No special skills or tools required.

You've adapted a process. Your confidence is high. The only possible outcome is improvement right?

Making the change is the simple part, then it's up to you and the teams to monitor the process closely to see if it’s working. Continuous improvement (or learning from your mistakes) is a core of agile security as much as it is agile software development.

Simple things like choosing the wrong name for a process, ritual or artifact can cause confusion and inefficiency. Be prepared to react if your dream plan goes horribly wrong and react quickly.  Process change and adaptation takes time and is often done is increments. If you are changing a ritual or process that has been in place for months or even years – you will need to provide education and support to manage the transition.

So there was no good way to add to the workflow or adapt an existing process, is that the end of the story? Is the situation impossible?

Sometimes as security people the tools and processes that we are used to are just not made for your circumstances. They may be cumbersome or costly. Perhaps they need dedicated specialist resources or dedicated maintenance and monitoring.

So why don’t you abandon them altogether?

Security is an evolving profession. 

The tools, techniques and methodologies we have are the product of years of work by organisations and individuals with a wide range of constraints and operating environments. While they are tried and true for a lot of circumstances, that may not always work for your organisation at this time.

Instead of focusing on your inability to integrate a certain activity or practice with your development lifecycle, focus on what those activities were trying to achieve and what risk they were protecting you from.  Once you have your objective in mind, invent something new.