Agile: Most security guys are useless

The return of king Larry to his rightful throne at Google with his "engineers rule" edict and Jason Fried of 37 Signals talking about the culture of a flat company got me thinking whether, in an Agile development world, most security guys are useless. The short rationale is that in Agile, and really in any lean, successful company, you want "everyone to touch the product". Security guys need to code; those that don't (the majority) are not required. But is this the whole story...

The 12 principles [2] behind Agile development are (emphasis mine):

  • Customer satisfaction by rapid delivery of useful software
  • Welcome changing requirements, even late in development
  • Working software is delivered frequently (weeks rather than months)
  • Working software is the principal measure of progress
  • Sustainable development, able to maintain a constant pace
  • Close, daily co-operation between business people and developers
  • Face-to-face conversation is the best form of communication (co-location)
  • Projects are built around motivated individuals, who should be trusted
  • Continuous attention to technical excellence and good design
  • Simplicity
  • Self-organizing teams
  • Regular adaptation to changing circumstances

If you are a startup in particular I don't think you can develop any other way than Agile. Your best bet for survival is to get something out there and iterate like hell. Even in large companies these days rapid delivery, reduced costs and adapting to requirements that get elaborated as you go are increasingly the norm. Paul Graham says "a programmer working as programmers are meant to, is always making new things". I would argue this should be true for everyone working on Agile projects, including security people. The only people that add value are coding, designing the UI, testing etc; "touching the product". Unfortunately most security people are not doing this; they create documentation, provide advice and consulting, "manage risks" or manage other security people, and thus at best add zero value. Arguably you would be far better off having only security engineers that coded the security components and, where they performed code reviews and security testing, actually fixed the problems.

How about the opposite perspective though? Starting from the top: CISOs sit on executive committees, ten or more layers removed from the project where such hierarchies exist. CSO Online states they are the "executive responsible for the organization's entire security posture", these days expanding their empire to risk, governance, information security, IT security, physical security, data loss and even fraud. Surely that is an important position for ensuring your project delivers the business benefits really quickly. So what if startups don't have them; every Fortune 500 company does, right? They must add a lot of value. I mean it is the big stuff that makes the difference: securing the budget for that new DLP system, funding enough resources to review all the projects and changes, keeping the security operations running. Even I have argued before that enterprise security controls make the biggest difference in the security posture of an organization.

Then there is everyone that does "Governance, Risk and Compliance" (GRC). Bingo! Sorry, thought I was at Infosec. After all, the majority of companies only do security for compliance, and regulations are growing increasingly, insanely complex; even Agile projects need to know whether sending data out of Europe, where the evil CIA may watch, breaches the Data Protection Act, right? It's not like email flows freely around the world; nobody would store the company's most valuable information in email, right? In addition there are the physical security guys obsessing over slab-to-slab construction and separate rooms for developers; got to keep those desks clear and laptops leashed! Also not to be forgotten is information security, which reviews all the supplier contracts, including all those pesky cloud vendors, and performs all the supplier due diligence visits. Developers in Hawaii in summer and a data center in the Alps in winter; it's a dirty job but someone has to do it.

Then all the middle managers in security, risk and compliance; absolutely mandatory to keep the troops motivated and in line. No decently large company could do what 37 Signals has achieved, right? Of course we still need all the bottom-of-the-pyramid security underlings running firewalls, providing access and monitoring the SIEM. We would never want to outsource or automate these services.

Finally, where the bullet hits close to home: security architecture and design for projects. Even on Agile projects we perform a CIA analysis and advise on the inherent risk of a project even before it starts, which of course is always listened to. We write security requirements, driven from threat models, that reduce re-inventing the wheel and integrate with enterprise security infrastructure. We review and collaborate on the design, develop attack trees and mis-use cases for sprints and plan security testing. When Fortify360 finds 300 cross-site scripting vulnerabilities, we advise how they can be fixed. Look, even Microsoft says we are necessary even for Agile processes, and that is working so well. But does the business care about any of this, or would they rather have someone that is helping to get the code completed securely and delivered?

All the security guys I know that can code enjoy breaking things too much and either run or work for pen test companies; very few seem interested in working for end-user companies building defenses. Even the few that do, do so as part of security consulting vendors; very few real security hackers work for companies building new systems.

Thankfully it seems unlikely that any large company will soon replace all its security, risk and compliance staff with security engineers that code, but just to hedge my bets a little bit I'm going to work on some node.js and jQuery to maintain (shameless plug). Any links to outstanding resources for either that I can't find easily on Google would be greatly appreciated #lazyweb. Damn, in the hour it took me to write this I could have got hello world and a Twitter feed working on my node server.


[1] Agile software development poster.
[2] Beck, Kent; et al. (2001). "Principles behind the Agile Manifesto". Agile Alliance. Retrieved 2011-04-06.
