Having taken an interest in the recent surge in popularity of DevOps, I found myself watching a DevOps Enterprise Summit presentation by quality engineering guru Elisabeth Hendrickson.
In the talk [video, slides], Elisabeth highlighted the importance of maintaining and reducing the length of feedback loops. In a project management context, a feedback loop is a method for monitoring and maintaining the improvement (and progress) of a project. One of the most popular is Plan-Do-Check-Act (PDCA), also known as a Deming Cycle.
During the planning stage, a project "spec" or specification is created. As Elisabeth pointed out, without completing regular feedback loops, a project's "spec" is more likely to represent speculation than specification. The earlier and more frequently you check that what you are speculating is actually true, the better. Delaying this process results in ever-increasing risk and project fragility.
The idea of tightening feedback loops is well established, particularly in Agile development, but the simplicity and clarity with which Elisabeth explained the importance of these feedback loops really stood out, principally her highlighting of the time value of information:
"A little information today is worth more than that same information tomorrow"
This is true for all aspects of a project including, of course, security. To highlight just a few examples:
- During the design stage, a little bit of security knowledge through threat modelling could save developers months of work which they would otherwise have spent building, for example, a flawed authentication system.
- Having developers go through even some basic security training has frequently been shown to be one of the most effective ways to reduce the number of security bugs in their code.
- Conducting light or exploratory security testing and code reviews earlier in a project’s lifecycle will reduce the likelihood of having high and critical risk issues when nearing a production state.
If you don't find this convincing enough, I highly recommend watching the presentation with security in mind. How many projects have you managed, coded, tested, or watched in horror from a distance that would have benefited from even just a little bit of timely security information?