I remember when I was first drafted into the security council of my then employers. I was just a developer keen to improve my understanding of application security, and there I was with the senior architects and developers, along with the devision’s head of delivery. And yet I did something that inadvertantly propelled me into the role of being one of the leaders of the council, significantly raising my profile within the devision and leading to more opportunities. Read on to find out more….
So, first of all, this isn’t really about development or infosec per-se; it’s more about how a developer (or other professional) working within a large organisation can use their initiative to turn something conversation focused to solution focused, and how this can benefit them;; it’s about recognising a gap, filling it and building on that momentum.
So, back to the security council; a lot of very smart people, with a lot of very smart opinions. And we talked; boy did we talk. The problems of secure development are even more legion, multifaceted and intractable than that of development, and often are a matter of trading one risk against another. We knew that we wanted each team to create an initial threat model, but apart from that we were unsure of the shape and form models and the wider security project. For example, should security tickets be open to everyone (thus engendering a glass house culture where issues could not reside unsolved), or open to a select few (minimising the immediate threat surface). A few meetings went by, many interesting views were aired on a variety of topics, but nothing was actually getting done.
So I decided to do something.
I decided to actually create a threat model for my team.
It wasn’t great; there wasn’t any STRIDE analysis, and there were glaring omissions in some sections. However, it was a decent first attempt, identified the assets, roles, some threats and potential antagonist business models, plus it led to some tickets being raised.
When I presented the threat model to the council at our next meeting, it completely change the trajectory of the conversation. Or rather, it actually gave the conversation a trajectory, as beforehand it was an amorphous web of talk, opinions and ideas. The delivery manager liked what I had done, it was to be used as the template for all the other teams threat models, and it gave the rest of the following conversations a framework with which to work with; what had been a back on forth on abstract concepts was now a discussion about how to create concrete, tangible artefacts.
By showing a bit of initiative and actually producing something real, I felt I had dropped a seed crystal into the soup of all the opinions and expertise that was floating around the security council, and by showing that initiative and creating that momentum I gained a lot of recognition from the delivery manager and my peers. I was later asked to review our current scrum process and documentation, to present at OWASP and to work with our security consultant to produce in depth threat models for new high security systems.
So remember that when there’s a lot of talk and to-ing and fro-ing about things, if you create something concrete that’s not too bad, you will galvanise the conversation and have a say in how it is shaped. It may be wrong in parts, people may disagree, it’s final form may be completely different from your initial offering, but by creating it you will show leadership and that in itself will cause other parties to up their game and commit to creating solutions to the problems they’re talking about.
One final word of warning; beware of creating something for the sake of it, or prematurely. What you present to the others will need to be helpful and at least a decent attempt. I was lucky with the threat model; I was able to embark on it without having to consult with anyone else or wait for any big decisions to be made by the council. If what you present is premature, or unhelpful to the conversation at hand, you may still gain some respect for initiative but your effort will be seen as an annoyance, not a boon!