I love being able to sleep at night. I like it that I can be pretty sure nobody is going to break in and attack me, that my children sleep safe and my possessions are likely to remain mine. In fact, I value my security very highly indeed, and I’m prepared to pay a lot to get it. I’m sure it’s the same for you.
In fact, security and privacy are valuable to almost everyone. So why have we traditionally presented software security as a negative thing, as a tax on the cost of software development?
Let me tell you a story.
One Monday, developer Jane Suru had a chat with her tester colleague Amar and they realised that the Cross Site Scripting issue Amar had identified the day before could lead to big trouble, with crooks getting personal details from their customers. She went to her team lead and told him ‘We’ve got a big worry here that could cause a lot of reputation damage to the organisation’ (red alert). He added it to his list of concerns (yellow alert) and reported that week to his boss. She looked at the overall picture, with all the usual major worries, and her monthly report to the board stated that everything was no worse than usual (green). Nothing was done about the security issue. Six months later a list of half a million stolen ‘identities’ was spotted on the dark web by security researchers, who identified them as coming from Jane and Amar’s site; the organisation will be fined a huge sum under GDPR regulations.
Or consider the alternative version:
On a very similar Monday, developer Jane Suru had a chat with her tester colleague Amar and they realised that the Cross Site Scripting issue Amar had identified could lead to big trouble, with crooks getting personal details from their customers. She sat down with Amar and identified how to fix the issue and how long it might take, then went to her product owner Rita and told her “You know we’re now promoting our website as the most secure one for our clients, and we’re getting new customers as a result? Amar’s identified a new story protecting the site against crooks stealing customer details; it’ll take a couple of days’ effort and is in the backlog now.” Rita prioritised the story into a sprint a few weeks later, and reported to senior management that the GDPR conformance program was going forward well.
See the difference?
It is usually the technical team that identifies security and privacy issues. Like the door locks and burglar alarms that defend our houses, the mechanics of keeping people safe is a very technical task. Only the technical people are in a position to see and fix the problems. But they can only do it if they are given the resources, time and sometimes money, to do so. How do they get them?
In the first story version, Jane and Amar used the normal approach of presenting the security issue as a problem for management. They ran up against two unhelpful effects. First, line management don’t normally allocate time—that’s the role of product or project management—so for work to be done they need to escalate the issue to get higher level support. Second, management are rewarded for ‘looking good’, which gives them an incentive to play down negative issues to their seniors.
In the second version, Jane and Amar presented the security issue as an opportunity. They identified a positive commercial outcome from solving it: credible security, leading to more customers; and they presented the task of solving it as a user story for the product manager. A product manager is used to allocating resources based on risk, impact and reward; that’s her job. And if the solution is presented in a positive way, it’s easy for her to prioritise it against other positive developments.
Indeed many security issues will not need to be solved. Really! Often product management may determine that resolving a security or privacy issue will give less value to the organisation than new functionality, or functionality fixes, or performance improvements. That too is good; remembering our household security, we don’t all need to waste money on steel backed front doors. The important thing is that the decision can be made in a businesslike way, as GDPR and such standards require.
Developers tend to hate ‘selling’, but Jane and Amar aren’t ‘selling’ the solution to their product manager. They’re doing a professional job in representing a technical issue in a way that product management can reason about. And that means:
- Identifying positive benefits to the organisation of the security issue being solved, and
- Estimating the costs of the solution and representing it as a user story
Psychologists tell us if you want to help someone to do something it’s much more effective to offer inducements than to make threats. Let’s get into the habit of representing security fixes as positive user stories!
-- Charles
Note: We at Security Lancaster offer very practical applied training in this and related processes.