Medical Parallels - Security Guidance
Médecins Sans Frontières
Planning makes the mission
When MSF (Doctors Without Borders) considers working in a new location, they take the time to thoroughly vet the mission and define clear goals. They pull in representatives from that location, ask them for a picture of how things are, and listen.
- They learn the lifestyle
- They learn the social dynamics
- They learn the political structures
MSF shows up in crisis situations and pulls out when the crisis has resolved. Their job is very specifically not to fix the normal, as unfortunate as that is.
Likewise, for security guidance, do your research.
- You have to learn their process, as this gives clues as to what types of vulnerabilities are likely to creep in.
- You have to learn how they interact with other teams, as this gives clues as to the scope of their responsibility and their limitations.
- You have to learn their organizational structures, as this gives clues as to their team dynamics and where ownership lies.
This goes triply if you’re foreign to that environment - if this is a new company or new department.
For security guidance, defining the scope of authority and staying within those bounds is absolutely essential. Broadly generic objectives are doomed to failure. This applies especially to the last point, because many issues you experience may be a direct result of Conway's law and need to be worked around rather than fixed.
Safety and Power Dynamics
Are you making backups, Mr. Anderson? Are you testing the backups quarterly?
Trust is a massive part of this, and I'm not talking about customer trust - that's secondary, and a byproduct of having a good working relationship with developers.
Trust is incredibly hard to build, and so, so, so easy to lose. The relationships we have with developers, and the way in which we approach them, are incredibly important.
Developers have to trust you. It’s no different rolling into a community that hasn’t had professional doctors before. A few folks know what you do and respect it, but most folks are apathetic - you might be the first security professional they’ve worked with in their life.
Still other folks have heard that doctors are bringers of bad luck and are here to poison the population. In our world: that these security engineers are here to slow down their delivery pipeline, to set up rules and leave them hanging when they ask for help, to impose compliance demands that eat their remaining non-billable time, and to make it impossible for them to hit their deadlines and OKRs.
It’s vital to make sure that people feel that this interaction does not put their work in jeopardy. The approach taken can be perceived as threatening independently of reality.
- Having an SLA that keeps the team responsive towards developers, and the resourcing to support it, goes a long way towards building trust
- Education and outreach to make developers feel comfortable with this function - someone I used to work with would do fun presentations on current breaches in order to keep engagement up.
- Be cognizant of any possible uneven power dynamics and reassure if necessary. If your team takes anonymous feedback, make sure that the tone of the interaction, in addition to the content, is part of it.
What do we do
We want to make sure you don’t have to see this doctor
The easiest analogy I give is that we’re similar in function to primary care physicians. We specialize in preventative care - making sure that products we ship don’t have a reason or need for more specialized security care.
It's also a priority of ours to research better ways to keep you healthy and to create paved roads: self-service libraries, or automated care through linters and scanning tools.
If we need to refer you to other, more specialized physicians - we can do so - but if we did our jobs right, we’ve massively decreased the amount of incidents that occur.
We’re going out to set up clinics around the community and staff them with qualified security champions for less urgent care.
We’ll be teaching people that it’s best practice to get some fiber and exercise, but understand that due to circumstances not everyone will be able to do so. Even so, we’ll treat everyone with the same care and compassion if they ask for help.
Take care of yourself
This is my last, but most important point that applies to more than just us.
You cannot make others feel safe if you do not feel safe yourself. You cannot build trust if you cannot trust the structures that you reside in or the ability to make good-faith progress. And you cannot build a community if you’re burned out.
Take care of yourself before you take care of others.