May 29, 2020
If you’ve ever seen any footage of the American West, you’ve probably seen one or more pictures or videos of prairie dogs popping out of their holes. This is often followed by something scientifically described as “jump-yipping”.
The science behind this says that it’s basically a group-based security control – of the assurance category of the SABSA MTCS if you’re really getting technical – that assesses the readiness and alert levels of the rest of the colony. If the “wave” of responses is quite extensive, then generally, the rest of the colony is paying attention, and the confidence levels of the individual little buggers can be high that they’re safe to go about their business.
The key point is that they’re always assessing and validating what they’re doing in the context of the environment they’re in. And it’s a pretty good thing to keep in mind as you go about your security architecture work—perhaps without the jumping and the yipping, however.
It’s especially necessary to avoid one of the biggest traps you’re likely to fall into when you’re given one of those rough-n-ready solution architecture sketches accompanying your typical business software project. It’s essential to resist your urge to tear into it like a hungry hyena and start STRIDING around the place drawing attack trees and identifying the “security objectives” because you’re putting the cart about 100 miles ahead of the horse.
Instead, you’re going to need to use what you have to start asking some intelligent questions, but the ones that are most important aren’t the 4 standard Shostack questions. Those come later, and the answers – and the activities – need to be appropriately prioritized by the answers to the questions you ask BEFORE the standard threat modeling questions.
However, since Threat Modeling has generally become integrated into the security vocabulary, and since there’s such a big emphasis on it place in the CI/CD delivery models of DevOps…
…it’s likely that we’re sucked into that black hole too, thinking we’re doing architecture, when we’re most certainly not.
Pop up, little prairie dog! Pop up and make sure you’re doing the right things!
What I’m talking about could be thought of as a process, and, in some cases, it has been documented as such—including by me for some of our consulting engagements in the past.
But processes have problems, and especially if you’re struggling to get architecture established in your security program, the last thing you need is to bring along a Louis Vuitton steamer trunk of a process when you’re trying to establish a beachhead in an organization that’s most likely has an archive of said vintage luggage that would fill the warehouse at the end of the original Raiders of the Lost Ark.
Sure, eventually…you’re going to need something for everyone who comes in afterwards and keeps things going. These are the “infantry” soldiers of Cringley’s Accidental Empires fame you might’ve heard me talk about before.
But right now, no. It’s the surest way to get cut off at the knees before you even have a chance to prove value. You need something lighter. You need something faster.
You need a system, guided by principles that always apply, and which you can rely on once you’ve repeated a few simple practices enough to make them habits. Of course, in this case, I’m talking about The Agile Security System™, because that’s exactly what it is.
And in the upcoming June issue of the print, delivered-to-your-door-anywhere-in-the-world Security Sanity™ newsletter, I’m going to show you how to apply those principles, practices and Baseline Perspectives™ to help you develop enough architecture to enable the right security decisions to be made when you’re starting from a picture that might be everything from two boxes and a line between them…
…to an image that looks like someone barfed the rainbow slurpee and network infrastructure shaped Valentines candy they were gorging on when they were hammering out the solution design until 4am.
However, if you’re not already subscribed, the window to get this hands-on, over-the-shoulder view of applying the system in action to develop SABSA security architectures you can then build on as a foundation of revitalizing your security program’s perceived value to the business…
…will be closing in just over 2 and a half days, at 11:59pm US/Eastern on Sunday.
After that, even if you subscribe at 12:00am Monday morning, you’ll just have to wait a whole 30 more days until I ship you the July issue—which will be about something entirely different.
To make sure you’ll get your copy, just go to this link ASAP:
And, if for some reason you’re an existing subscriber who’s payment hasn’t been processed before the deadline, your subscription will be cancelled at the end of the month, and you won’t be allowed to subscribe again in the future. So, if you’re in this boat, don’t come to me on Monday and ask for an exception. It won’t happen. Don’t say you didn’t know.
Otherwise, enjoy your Friday evening, and, most importantly…
Andrew S. Townley
Archistry Chief Executive