Saturday, April 29, 2017

Agile Security

I recently helped SANS review curriculum for an exciting new course coming out soon on a topic near and dear to my heart. While reviewing this course I started thinking about how security processes might evolve. I've often thought about the term Agile Security but not sure people would buy into this idea. It could be a great time for security teams to revisit how they operate. It could be the evolution of the cloud is driving the need to reconsider security perspectives. If what you are doing works just fine then don't change a thing. However, if you find the need to move faster and respond to threats more quickly, consider the following.

Agile: A word that makes some software engineers cringe because use of the word has transformed - like many other abused and overused words in the technical space by consultants and people jumping on bandwagons to sell products and services. But agile as a word is not the problem. It's the people who are talking about agile but doing quite the opposite. Agile just means you have a process that gets out of the way so you can work fast and adjust your plans quickly as your needs change. This is most important in a security environment with 0-days and rapidly evolving threats to organizations. 

Consider the transformation that occurred in the software industry. When I got my master’s degree in software engineering I took classes with and from people who worked at Boeing. We discussed how to write lengthy, detailed requirements documents with very precise numbered hierarchies. The document would cover every single implementation detail. In theory, this very thorough coverage of the requirements would save money.

Of course, when building something like an airplane details are crucially important. Lives are at stake. The same would apply for medical devices and software. But we were writing similar documents for internal business applications and web sites at the time. Companies would charge sometimes millions of dollars to spend three months or longer writing "Requirements Specifications".

In the end...when the programmers got the specifications, they didn't really work as planned and threw most of the spec out the window by the end of the project. Or worse, the developers followed the specifications precisely even though they didn't meet the need or solve the problem. Often the team would stumble upon information not known at the time of writing the requirements and would find that certain aspects of the requirements were not technically feasible or cost-effective.

About that very same time the idea of Extreme Programming was evolving. I read a book and thought, well this is much more practical. I started a business and wrote my own form of task tracking system much like what Version One is today. My former co-workers who are groaning at the thought of Version One should consider whether they would rather use Microsoft Project...not me, but to each his or her own. Version One has a list of tasks and you can mark the status of each task, track dependencies, time and more. In my case I had contractors working on billable assignments so I added in a time tracker. They could hit a button to start and stop work on a task so I could create very detailed invoices for customers. I could also arrange the tasks in priority order and break them down into small enough pieces so I could see precise progress. In the event priorities changed I could move a task at the bottom of the list up to the top at any given moment and adjust the deliverables and schedule.

How does this relate to security? In large organizations, many security teams are writing lengthy documents that I equate to the old software requirements specifications. And just like those specifications, I can tell you from the trenches of the development teams in these large're lucky if people even know they exist. Sorry. It's true. Even if they do the most well-intentioned employee will have a hard time remembering and following all your rules.

What to do? I would suggest that security people learn from the software development processes how to move faster. Instead of writing documents, create agile backlogs. Create the "Epics" or large work items that need to be completed to maintain security in your organization. Prioritize and fund the Epics. Create stories for the Epics. This may be before or after funding, but either way the stories will evolve over the life of any project. Prioritize the stories. Assign the stories to teams. The teams work the stories in 2, 3 or 4 week sprints. Make sure you work the must-have stories at the beginning so you don't have a half-baked project at the end when the money runs out and you deliver nothing.

Before you hire some expensive consultant to make this all more complicated than it needs to be (which I have experienced), see if you can work with these definitions as a starting point. If you are talking about how to implement the process instead of doing work, the process is failing. Keep it simple and focus on whatever helps get work done most quickly and accurately - and exclude extraneous things that get in the way of getting work done.

1. Team: A team of people with certain expertise or assigned to a project or product.

2. Backlog: Typically associated with a team. A backlog contains the work items assigned to a team. The work items should be in priority order from most to least important. Most large companies have multiple backlogs and teams.

3. Backlog Owner: The person who creates the stories in the backlog. When a story is completed the backlog owner gets a demo of the deliverable and "accepts" the work or sends it back for additional fixes before it is accepted. The team closes the stories after the backlog owner accepts the deliverables. The backlog owner is generally a product manager in the case of a product or a technical owner in the case of architectural or security requirements.

4. Epic: Typically, an epic is a project or subset of work that requires approval and budget. Business executives fund "Epics" just as you would for any other project or initiative.

5. Stories: Deliverables associated with an Epic. The story should define WHAT in business terms not HOW in technical terms. Each story should be short and describe how the deliverable will be tested and demonstrated to the backlog owner to prove that the work was completed as required.

6. Sprint: A 2, 3 or 4-week period. A team commits to complete however many stories it can each sprint from the top of the backlog. If a story takes longer than one sprint to complete, break it into multiple smaller stories.

7. Sprint Planning: At the beginning of each sprint the team holds a planning meeting and commits to as many stories from the top of the backlog as will be possible to complete. In my case I had my each team member prepare their individual commitments in advance so these meetings were typically short.

8. Demo or Sprint Review: At the end of the sprint the team demonstrates the deliverables of each story to the backlog owner and stories are closed. 

I'm not going to get into planning poker, capacity planning, retrospectives, cards and Fibonacci numbers right now. If you just start with the above that will get you going. Keep it simple and focus on getting work done versus lengthy process discussions and meeting overload. Once you master the above you can get fancy. I do believe in certain methods for poker planning and capacity planning that help keep projects on track but the main points for now:

  • Put the requirements into a backlog instead of a document.
  • Define requirements in business terms (what, not how).
  • Break down the work into small pieces.
  • Demonstrate work as it is completed and prove it works.
  • Prioritize and adjust as needed.

My definition of Agile Security. In a nut shell.

But wait. We're not done. If you put all sorts of things in a backlog that define your requirements and deliverables, how will you enforce your policies?

Write software. You may have an overarching document that defines security policies. Preferably it is on an internal web site - or better yet in a database - and adjusted quickly as policy requirements change. Then, turn as many of those requirements as possible into software that at least monitors for infractions in an automated way, but preferably enforces adherence to policies up front. I have some ideas about this in a white paper on event driven security automation.

What, you don't want to write software? Hire a software programmer. This is the convergence of software and security. I predict that security people who embrace this wonderful relationship with those pesky software developers who are causing all your security headaches will be most successful in the future. And those pesky software developers probably need to learn a thing or two about security!


Before I tell you that Agile or Scrum or whatever your favorite word is for what is basically a Work Breakdown Structure is the silver bullet that will solve all your problems and all your security initiatives will be completed on time and under budget, I will tell you that Agile has a flaw when not properly managed. You need to have a beginning and an end of a project and make sure things are prioritized correctly to actually achieve a deliverable. Time and money are not endless. Some agile teams assume they are and operate as such. 

Make sure you have a way to determine whether your epic and stories can be completed within your time and budget and manage to that time and budget. This means your backlog truly needs be prioritized so the must-haves are the top and the things at the end of the list can be cut if not completed when time and money runs out on the project. There is also an art to managing people's time and keeping distractions away from the team - one of which can turn out to be your "scrum master" if they are more focused on process than deliverables. Additionally, it's a good idea to understand points, burn downs, capacity planning and how to use those in your estimation process to keep the project on track. 

But generally, I think agile, scrum and extreme programming concepts are better than alternatives for many projects.