The Time Value of (Security) Information

Having taken an interest in the recent surge in popularity of DevOps, I found myself watching a DevOps Enterprise Summit presentation by quality engineering guru Elisabeth Hendrickson.

In the talk [video, slides], Elisabeth highlighted the importance of maintaining and reducing the length of feedback loops. In a project management context, a feedback loop is a method for monitoring and maintaining the improvement (and progress) of a project. One of the most popular is Plan-Do-Check-Act (PDCA), also known as a Deming Cycle.

During the planning stage, a project "spec" or specification is created. As Elisabeth pointed out, without completing regular feedback loops, a project’s “spec” is more likely to represent speculation than specification. The earlier and more frequently you check that what you are speculating is true, the better. Delaying this process results in ever increasing risk and project fragility.

The idea of tightening feedback loops is well established, particularly in Agile development, but the simplicity and clarity with which Elisabeth explained the importance of these feedback loops really stood out, principally her highlighting of the time value of information:

"A little information today is worth more than that same information tomorrow"

This is true for all aspects of a project including, of course, security. To highlight just a few examples:

  • During the design stage, a little bit of security knowledge through threat modelling could save developers months of work which they would otherwise have spent building, for example, a flawed authentication system.
  • Having developers go through even some basic security training has frequently been shown to be one of the most effective ways to reduce the number of security bugs in their code.
  • Conducting light or exploratory security testing and code reviews earlier in a project’s lifecycle will reduce the likelihood of having high and critical risk issues when nearing a production state.

If you don't find this convincing enough, I highly recommend watching the presentation and just keeping security in mind. How many projects have you managed, coded, tested or watched in horror from a distance, which would have benefited from even just a little bit of timely security information?

Recent Blog Posts

Meltdown & Spectre 7 weeks on

Posted on Feb 28, 2018 - Written by Barry @ Corsaire - Category: Vulnerabilities

SSL/TLS Cheat Sheet

Posted on Feb 13th, 2018 - Written by Rowena @ Corsaire - Category: SSL/TLS, Guidance

Why do I need to worry about my Cisco ASA? Firewalls are bulletproof right?

Posted on Jan 30th, 2018 - Written by Barry @ Corsaire - Category: Industry News

68 million Dropbox accounts leaked; is your data at risk?

Posted on Sep 2nd, 2016 - Written by Corsaire - Category: Company News

CREST Accredited Penetration Testing

Posted on Jan 19th, 2016 - Written by Corsaire - Category: Company News

The Time (Value) of Information Security

Posted on Sep 7th, 2015 - Written by Corsaire - Category: Company News