“Value stream mapping” – that’s a Lean methodology for logistics and supply-chain processes, right? What does that have to do with software security?
Good question! In the ’80s, value stream mapping applied to logistics and supply chain processes in the Japanese manufacturing industry. The success of the methodology for manufacturing led to wider adoption, including adoption in Lean software development, where the processes to create and deliver software are mapped as value streams of both material (artifacts) and information flow.
This concept came up recently when I was participating in a webinar on application security ROI. My co-presenter, SANS analyst Jim Bird, recommended using value stream analysis to determine, and lessen, security’s impact on engineering processes. In his accompanying report, he writes: “We need to look at our security decisions not only in terms of risk and direct costs, but also in terms of how they impact engineering value chains and how to minimize these impacts.” For example, when security testing is conducted in the development process is an important consideration in terms of lessening impact – addressing security issues in completed code is much more cumbersome than addressing them when still coding.
Bird uses another example of software composition analysis vs. threat modeling. Teams can fairly easily add automated software composition analysis into the build without changing how the team works. Total costs are modest: an upfront license for the tool and integration into the build. From that point, feedback is immediate and straightforward on each build: The tools show where vulnerabilities were found and how serious they are, with few false positives.
I like the idea of taking this approach one step further and thinking in terms of value streams when considering your overall approach to AppSec. We can apply value streams to understand how your AppSec tools and processes will impact your development workflows, and where and how you can optimize your AppSec investments. As VP of Engineering at CA Veracode, I need to optimize my AppSec investment within my own engineering team. Constantly under pressure to deliver faster, cheaper and better, I need to make AppSec as seamless as possible, while reducing the most risk possible. To do this, I start with the company’s security policy, which defines our company’s tolerance for risk. At CA Veracode, we have a very low risk tolerance; security is the core of our business, and we handle sensitive data on behalf of our customers.
Our security policy establishes:
From there, I think about the investment in application security in terms of each software value stream. I want to make sure that my investments match the particular complexities, data storage needs and other differentiating factors of each value stream. For instance, some of our software value streams use different software methodologies (Agile, Scrum, DevOps), different tooling (Eclipse, JIRA, Jenkins, etc.), different technologies and modalities (microservices, embedded components, etc.) and handle different types of data (different levels of sensitivity).
Case in point: our static analysis product is one of our software development value streams. The data that flows through that stream is extremely sensitive, requiring a deep AppSec investment in data encryption and protection. In contrast, our eLearning product, another value stream, manages less-sensitive data presented through a web interface. The eLearning value stream requires a less data-oriented security investment, primarily involving checking for vulnerabilities in the web interface. A third software stream, our product Greenlight (for security unit testing), uses a brand new continuous deployment pipeline. Aligning security with this value stream requires deep automated integration of security with the delivery pipeline.
In the end, it comes down to supporting the business and mapping security investments to business priorities. Thinking about application security in terms of value streams is one way to create this alignment and to apply the right security technology and approach to maximize ROI.
It’s important to note that this is not a one-and-done project. I don’t ever consider our investment in application security “complete.” There are always product, technology and process changes that will in turn require our AppSec investment to be tweaked and optimized.
Again, quoting the SANS report: “The magic is in determining the right balance between proactive control, reactive agility, tolerance for the risks facing your organization and selecting the right tools and practices to make your applications secure without slowing development.”
Get more details on using value-stream mapping to optimize your application security investment in the SANS ROI of AppSec webinar and report bundle.