Agile Security DevSecOps

Security knowledge entropy

Entropy has been described as the measure of disorder of a system. The Second Law of Thermodynamics, as defined by Rudolf Clausius, states that the ‘Entropy of the universe tends to a maximum’, which means that the universe is heading towards maximum entropy, or maximum disorder. Entropy can be seen in everyday life: ice melts, metal rusts and food decays. In these cases it is irreversible; you cannot un-melt ice, un-rust metal or un-decay food. However, it is possible to slow entropy down. For example, you can refreeze water, treat bare metal and preserve food in a fridge or freezer. So how does this fit in with security education? In education there is a natural tendency to forget, not only as individuals but collectively as well. As individuals we can probably remember what we ate yesterday, but will find it difficult to remember what we ate a week ago, harder still to recall our meals from a month ago, and practically impossible a year ago. Collective memory is stronger than individual memory: people can recall different moments of an original event, or combine the various retained elements of a skill shared amongst the individuals. However, over time even the memory of a group will start to erode.

Software is complex, made up of many different components such as classes, functions, properties, events, data stores etc. There are many languages and frameworks each with their own unique qualities that are difficult to retain unless you are experienced with using that language or framework. Even with this experience, the technology can change, or you may never use some obscure features of the technology. It is not possible for a software engineer to retain the knowledge of the details of every technology they encounter. As time goes by, the gap between what engineers know (either individually or collectively) and what the technologies offer widens. This is what I call knowledge entropy.

The best way to counter entropy is either to slow it down or to change the state of the affected object. Returning to the rusty metal: you can slow down the appearance of rust by treating the metal, for example by oiling or painting it before rust appears. This prolongs the life of the metal. On the other hand, you can keep rubbing it down in an attempt to return it to a previous state, removing the rust every time it appears. However, constantly removing layers of rust will eventually weaken the metal. So when it comes to knowledge and skills, the best option is to slow their decay through continuous learning. Less desirable is to offer an occasional course when gaps in knowledge and skill appear. Slowing down the relentless path towards disorder through a continuous education strategy is a better option than occasionally attempting to reverse it with ad-hoc courses when knowledge gaps appear.

Often a gap in our security knowledge is filled by attending a security course whose syllabus covers a number of security topics. In the short-term, this may meet the requirement. But over time, our knowledge will fade until we reach the point when we need to go on a refresher course. We brush up on the skill in the same way we rub down a rusty piece of metal and, unfortunately, we are weaker for it. It is also an expensive option because if the funding stops, education stops and the ‘rust’ sets in. A better methodology is to instil a culture of continuous learning allowing engineers to spend time keeping up-to-date with their security knowledge as part of their daily activity. There are many ways to accomplish this.

The most important way to tackle knowledge entropy is to create a learning culture within the organisation, by making learning security easy for engineers. As a start, I suggest implementing the following:

  • print out the fact sheets of the OWASP Top Ten common weaknesses and place them on walls of the communal areas
  • provide a library of online resources, such as subscriptions to video training, whitepapers, e-books and e-magazines
  • encourage weekly lunchtime learning sessions where security engineers can share their knowledge about common vulnerabilities with the software engineers

It is essential to use security automation tests to identify the most common weaknesses within your organisation’s software, so that education can focus on teaching engineers to fix and avoid those specific issues. It is also beneficial to hold regular capture-the-flag (CTF) tournaments to give your engineers an opportunity to practise their cybersecurity offensive and defensive skills. Creating a competitive environment in which engineers are rewarded for security success, such as finding and fixing the most defects or eliminating entire categories of vulnerabilities from their applications, will incentivise healthy security hygiene.
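As an added illustration of the first point above (example code, not from the article or from Dynaminet): the script below takes a constructed set of automated scanner findings, counts them by CWE category across the organisation and per team, and turns the top categories into an ordered list of lunchtime-session topics. The findings and the CWE-to-topic mapping are assumptions made for the example.

```python
"""Aggregate automated security-test findings by weakness category so that
education effort is spent on the issues the organisation actually has.
Added example: the findings and the CWE-to-topic table are constructed."""
from collections import Counter, defaultdict

# Constructed sample of scanner output: one record per finding, with the
# fields a typical SAST tool reports reduced to what this example needs.
FINDINGS = [
    {"team": "payments", "cwe": "CWE-89",  "rule": "sql-injection"},
    {"team": "payments", "cwe": "CWE-89",  "rule": "sql-injection"},
    {"team": "payments", "cwe": "CWE-79",  "rule": "reflected-xss"},
    {"team": "portal",   "cwe": "CWE-79",  "rule": "stored-xss"},
    {"team": "portal",   "cwe": "CWE-79",  "rule": "reflected-xss"},
    {"team": "portal",   "cwe": "CWE-798", "rule": "hardcoded-credential"},
    {"team": "billing",  "cwe": "CWE-89",  "rule": "sql-injection"},
    {"team": "billing",  "cwe": "CWE-22",  "rule": "path-traversal"},
]

# Assumed mapping from CWE id to the learning-session topic that addresses it.
TOPIC_FOR_CWE = {
    "CWE-89": "Injection: parameterised queries",
    "CWE-79": "Cross-site scripting: output encoding",
    "CWE-798": "Secrets management",
    "CWE-22": "Path traversal: input canonicalisation",
}

def top_weaknesses(findings, limit=3):
    """Most frequent CWE categories across all teams as (cwe, count) tuples,
    most common first (ties keep first-seen order)."""
    return Counter(f["cwe"] for f in findings).most_common(limit)

def team_gaps(findings):
    """Map each team to the set of CWE categories found in its code; this is
    the per-team knowledge gap that a team-level reward scheme can target."""
    gaps = defaultdict(set)
    for f in findings:
        gaps[f["team"]].add(f["cwe"])
    return dict(gaps)

def training_plan(findings, limit=3):
    """Ordered session topics for the top categories; an unmapped CWE id is
    returned as-is so that it is still visible and can be added to the table."""
    return [TOPIC_FOR_CWE.get(cwe, cwe) for cwe, _ in top_weaknesses(findings, limit)]

if __name__ == "__main__":
    for cwe, count in top_weaknesses(FINDINGS):
        print(f"{cwe}: {count} findings -> {TOPIC_FOR_CWE.get(cwe, cwe)}")
    for team, cwes in sorted(team_gaps(FINDINGS).items()):
        print(f"{team}: {', '.join(sorted(cwes))}")
```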

Education must be considered at a group level and not at an individual level. By rewarding teams for their security ability rather than individuals, you avoid weak performers becoming apathetic to the cause. Furthermore, when teams are rewarded, the natural tendency is for stronger individuals to help their weaker colleagues and so improve the overall knowledge of the team. Teams competing with other teams on security will promote a healthy increase in ability across the engineering organisation. Rewards should be relatively inexpensive; in my experience simple items such as stickers, mugs and t-shirts decorated with the team’s achievements are sufficient.

A culture that slows security knowledge entropy is a perfect fit for the five ideals of DevOps: engineering teams become self-sufficient in acquiring and maintaining security skills, promoting locality and simplicity; continuous learning encourages focus, flow and joy in developing secure software; it also promotes continuous improvement in the daily activities of the engineers, who can focus on creating better value for their customers while minimising security risks; engineers are more likely to call out bad habits or vulnerable code due to increased psychological safety; and finally, customers will benefit from greater security.

At Dynaminet, we provide solutions to integrate a security education strategy that slows down the effect of entropy, maintains an engaged workforce and improves the quality of your products. If you are interested in understanding more about how continuous learning will improve your overall security posture, please feel free to reach out to me directly.