Application Security Testing: An Integral Part of DevOps
In this scenario, there are three players: Big Boss, Junior Boss, and Worker Bee. The three actors will play out very simple dialogues, both external (what they say) and internal (what they think). Each dialogue represents a scenario among the three players working toward an objective, and the dialogues are adjusted for each scenario. Maybe you'll recognize yourself as a player in a similar situation. If you are really adventurous, consider figuring out ways to change each scenario to get an optimal outcome. The optimal result is a job well done, with everyone feeling pretty good about it. Consider writing your responses as comments on the article, email me, or email the publisher. Thanks for playing.
XYZ Skunkworks has a software product, but it takes forever to update and ship. The Big Boss has been tasked with making the software easier to update and more profitable.
Big Boss: Junior Boss, XYZ Omniplex costs too much to update and ship the next version. We need to do better. Make it better. [Thinking: This is a vague, large target and probably won't work. I will give them tight deadlines to see whether they are going to produce anything valuable. Probably not, so I need to know before I commit too much money.]
Junior Boss: Worker Bee, figure out all of the stuff the Omniplex team is doing wrong and tell them how to do better. I need a schedule and a plan. [Thinking: If we get a plan and schedule and I hold Worker Bee to it, Big Boss will be impressed.]
Worker Bee: Okay, but gee, like a doctor treating a patient, shouldn't we diagnose specific symptoms and treat those? [Thinking: If I can tell them how to do it better, why not just have me do it?]
Big Boss: Where are my solutions, Junior Boss? [Thinking: These lunk-heads are taking forever.]
Junior Boss: Worker Bee, you are missing your deadlines. Tighten up your recommendations and give me something. Big Boss is crushing my head. [Thinking: I better show Big Boss something or they will cancel the project.]
Worker Bee: It's taking a little longer than estimated. [Narrator: Estimate equals guess.] Give me a little more time and I will get you something useful. [Thinking: Does anybody care how detailed or useful the suggestions are or do we just care about the schedule?]
Narrator: When push comes to shove in this scenario, the Worker Bee will rush to meet deadlines, the initial recommendations will be weak, and the project is cancelled. Junior Boss is left shaking her head. The reason is that she didn't know that by allowing herself to be rushed she was part of Big Boss's self-fulfilling prophecy.
Pushback and Idea Resolution
Big Boss: Junior Boss, XYZ Omniplex costs too much to update and ship the next version. We need to do better. Make it better, and hurry up! [Thinking: This is probably a pointless idea, so I need to know so I can kill it and get a victory by "saving" money.]
Junior Boss: These estimates are exactly that, best estimates. If what we get isn't useful, I am giving my people more time for a better result because results count, right?! [Thinking: If this turd cancels it, that is already what was intended and I'd rather get out sooner than attach my name to rubbish. Life is too short.]
Worker Bee: Wow, someone really cares about the quality of my product, not just BS quantity and schedules. [Thinking: Maybe what I am doing is worthwhile.]
Big Boss: If you can't deliver, I will find someone who can. [Thinking: I will show him who the Big Boss is.]
Junior Boss: I am not saying I can't deliver. I am saying I want to deliver a quality product within a reasonable time. Perhaps I could show you some basic ideas, drafts sort of early, and you can help decide which might be the most reasonable to pursue. Instead of fixing everything, we could fix the top two or three big issues first and reassess. [Thinking: I don't think Big Boss will know any of the technical stuff. If she asks questions that are insightful, there is hope, but I am not going to be bullied.]
Big Boss: I want everything fixed. [Thinking: Maybe being a bully isn't going to work here; Junior Boss' suggestion is reasonable.]
Junior Boss: Eventually, we may be able to improve those things that need improving. I'd like to start with a couple big ticket items. Focus our energies on those initially. This will help in two ways: We will be better able to deliver to a schedule, and you will have measurably higher returns on our efforts. Then, you can reassess whether there is more low hanging fruit and whether we can continue or proceed. [Thinking: Can't be more reasonable than that.]
Junior Boss: Okay, Worker Bee, find me some big possible wins and we'll work on the best two or three for now.
Worker Bee: Now, at least, we are working on treating actual symptoms instead of everything.
Narrator: Now, a few things can happen in the second scenario. Big Boss fires Junior Boss; that's okay, because no one wants to work for a bully. Or Big Boss offers a compromise and the two continue to work as collaborators. Or Big Boss sees the logic of Junior Boss' thinking and acquiesces, taking credit for the refinement (which is how Big Boss got to be Big Boss; let's not be too unrealistic).
A patient walks into the doctor's office. The doctor prescribes every possible medicine and remedy available without asking a single question.
In medicine, it's called malpractice.
Bert Lance is credited with saying, "If it ain't broke, don't fix it." In the 1970s, while working as a body double for Richard Roundtree on the set of Shaft, Jackson Wayfare phrased it this way: "If you don't know what's broke, how are you going to fix it?" Wayfare, of course, was talking about the steamer on the lot hot dog stand.
About the Author
Paul Kimmel is the VB Today columnist for www.codeguru.com and has written several books on object-oriented programming and .NET. Check out his book LINQ Unleashed for C#, now available on Amazon.com and at fine bookstores everywhere. You may contact him with technology questions at firstname.lastname@example.org.
Copyright © 2008 by Paul T. Kimmel. All Rights Reserved.