Not waving but drowning
There is a point in every transition into security conscious development where you look at your bug tracking system and despair.
It doesn’t matter if you have fancy SaaS project management tools or a stack of crumpled aging post it notes to convey the message. The end result is the same. You have way more vulnerabilities than you expected and they just keep coming.
Whether you are talking about technical debt, performance scaling issues or security vulnerability backlog, the reactions, the stresses and the neurological processes all come to the same end point.
There is a primal urge at this point to run. Flee. Take your desk menagerie of trolls and assorted family oddments, pack your little bag and leave.
In fact, there is some deep psychology and neuroscience at play here.
So if you want the ‘buck up, you’ll get through it speech..’ move along, there’s nothing for you here.
Let’s talk science.
Specifically, let’s talk about bears.
OK so we’re not actually going to discuss bears (though that would be cool). Imagine if you will that you are stood alone in a forest and faced with a bear. Not the cuddly picnic basket stealing variety obviously. This is the 8ft tall, eat your entrails for breakfast sort of bear and today you happen to look a lot like lunch.
At this point, your body is physically and chemically primed for action. Non-essential systems such as digestion are being slowed down and bodily systems used for physical activities such as fighting or running are getting super charged with a potent cocktail of adrenaline and other chemicals.
In a fraction of a second, your body (with your help) will decide whether you are going to go head to head with your furry aggressor or flee in the hope of living another day.
This is primal stuff
While for the majority of us, fighting actual bears isn’t in our day to day schedule, this primal fight/flight mechanism comes back to us when we face a wide range of stresses… including dealing with our security and technical debt.
There is a predictable curve when introducing security into an organization.
To begin with, the feeling (perception) of security will exist to some extent within your organization. You have a certain degree of confidence. You may have never experienced a security breach before. You may have caught minor issues before and resolved them. You know there is work to be done but you aren’t aware of how much.
Then the security programme starts.
Systems and processes begin and security vulnerabilities begin to appear. Initially these are slow to come and easy to manage. You feel empowered and in control. Education and training begin and external testing is somewhere on the calendar.
Your developers are engaged and learning security practices. Your systems are running smoother and the number of vulnerabilities is climbing quickly. The initial glow however is fading and the prioritisation of issues for remediation is becoming complex. There is a balance to find between remediation and business. Important conversations are happening and compromises are being made. The number of fixed issues is slowing.
And this is where you find yourself.
As the pace slows and the process negotiations commence, it can be difficult to feel like you are moving at all. You may watch the dashboards and issue trackers and feel helpless or angry to begin with… eventually the fear will come.
Confidence begins to dip.
Can we fix these issues?
Can we get the process right?
Can we find the balance between business and security?
Can I do this?
And fear… leads us back to bears…. fight or flight.
In my experience, flight is the most tempting and is certainly the easiest option. Find a new job, find a new challenge. Walk away.
However, if you are in this position, if your bear is in front of you and you are scared.. I urge you to fight. It’s a hard road and a long one. You will be wounded and exhausted before the end I have no doubt. Despite your sunny appearances at meetings — inside you will be convinced you are drowning. Endure.
Can I tell you a secret?
Everyone in a defensive application security role feels like this at some stage. For many they feel like this on a regular basis. As an industry we need to accept that defense is hard and start talking about it. You are not alone in your struggle.
Introducing security is not the easy path but it’s the right one. It’s a path that needs strong people and leaders. It needs people communicating honestly and helping each other. It needs us to notice when those around us are not waving but drowning.
It needs people like you.
Originally published at www.defensible.me on June 21, 2014.