Research

Adopt the “Beyonce Rule” for Scalable Impact

By Torq
September 28, 2021
6 Minute Read
Adopt the “Beyonce Rule” for Scalable Impact

Recently, I started to read the invaluable book Software Engineering at Google. It’s a great book by Google, describing their engineering practices across many different domains.

One of the first chapters discusses the matter of making a “scalable impact,” which I find very interesting, and something that I believe has been overlooked by many organizations.

What is Scalable Impact?

Creating “scalable impact” is making a change that will improve your organization’s engineering practices without investing unnecessary effort for each new team member.

First, let’s review some examples that don’t demonstrate “scalable impact”.

What Hinders Scalable Impact?

1. Code Reviews

Code reviews have many advantages. Code reviews allow teams to share knowledge, catch design flaws, enforce common patterns and practices. Seems like a good idea, right? Well, the problem is —these don’t scale. The larger the team, the larger the effort, and this scales linearly with each new developer.

2. Manual QA

Similar to code reviews, manual QA for each release doesn’t scale. As a team grows, release velocity increases. As release velocity increases, more releases require manual QA —creating a bottleneck and single point of failure.

3. Manual deployment approvals

In many organizations, only a small, dedicated team can perform the actual deployment to production. Just as with manual QA, increased release velocity brought on by team growth turns this into a function that blocks scale.

4. Excessive documentation

Documentation is useful —it allows teams to share knowledge in-house and publicly without having to be there to personally explain things. But, as you create more and more documentation, there are two downsides: 1. You have to keep it up to date 2. Devs need to read it. And we DEVs, (or we as human beings…) can be lazy. We don’t like to do things that require a ton of effort; we love to take the easy way, if possible. We don’t read the docs and we definitely don’t update the docs if we change something. So in many cases, the end result is a waste of time, or an old and out-of-date document that no one even reads. In the end, the conventions you created may not be used anywhere.

How to Make Scalable Impact

Okay, so how exactly do you make scalable impact then? At Torq, we’ve adopted a number of practices that help us realize scalable impact and set our team up for successful growth. I’ll highlight each of these examples below, and talk through the details of them in a future post.

1. Centralized Linting

Let’s say that one day you decide all your developers have to avoid using errors.Wrapf and instead use fmt.Errof. At that point, most organizations tend to create a new convention page and write that down there. Later, a nice Slack message will be sent to the #rnd channel. Something like this:

“Hi there, we decided to stop using errors.Wrapf, please use only fmt.Errorf from now on. See the conventions here: …”

How many of you are familiar with this practice? If you’re familiar with it, you probably also realize this won’t work. 

Why, you ask? Because human beings don’t work well with rules, unless they’re reinforced. That wiki page describing the newest convention? It’s already depreciated the moment you wrote it.

So how do you solve that issue, then? My advice: Come up with a centralized linting solution. By centralized, I mean one that immediately affects all new builds, without any changes to your projects.

Returning to the example above, with centralized linting, you change your global linting rules. That means you immediately avoid any new usages of the old convention. No questions asked, and nothing to remember. It’s as simple as that — the PR won’t be mergeable unless the new convention is used. No documentation to maintain, no convention to teach new recruits. Your documentation is now the linting rules code. 

There you have it: Scalable Impact.

At Torq we use ReviewDog to achieve this, which I’ll describe in detail in a later post.

2. Unified/Reusable CI pipeline

Another story you may all be able to relate to: One day your CTO reaches out and asks for the full list of dependency licenses used across ALL your codebase.

So then you start googling and you find an awesome tool doing exactly that. But now you’re stuck. You have to run that tool and collect the results for ALL your projects, and we’re talking about minimum 50+ (or more for larger organizations).

Here’s the (happy!) twist: With unified CI Pipelines, this task becomes easy.

By unified, I mean maintaining a common baseline for all your CI pipelines. One that you can change from a single location, by doing only a single change.

To solve the above issue you will add that logic for license extraction to your common base and execute that as part of your CIs. Then, just let your CI do the rest.

Another (real) example: Let’s say you want to change your unit-testing runner.

You decided that gotestsum is the real deal, and your teammates chime in: “That old go test is useless. We MUST move to the new shiny tool.”

More opportunity for scalable impact: Just change the test part of your unified CI, and all your projects will use gotestsum instead of go test. 

To achieve this, we use Makefile inheritance and CircleCI orbs. Again, I’ll dig into this in a future post.

3. Automated E2E Tests

Nothing new here —each and every deployment should pass the same test suite. Again, every deployment.

Green -> deployed

Red -> rolled back

No “sanity suite”,  no “Ah, this one is flaky, you can go ahead and deploy”. No user intervention. Of course, this means your complete E2E suite should be fast and reliable (I use under 5 minutes as a rule of thumb).

Adopt the “Beyonce Rule”

“If you liked it then you shoulda put a ring on it!” said the mighty Beyonce in her famous song, Single Ladies (Put a Ring on It).

Later, malicious DEVs took that line and rephrased it to “if you like it, put a [test, lint, e2e, ticket] on it!”

Put plainly, new investments or changes require you to put the right framework in place to make them scalable. Getting started with this requires having the right tools; but after that, it’s easy to adopt the practice.

Found a new issue that can be caught by a listing rule? Easy! Add the lint rule to your centralized linting solution.

Want to add a new tool that tracks the test coverage? Simple! Change the unified CI configs.

The upfront investment here helps the entire team grow, and delivers returns (in reduced toil, and increased velocity) over time.  Applying the Beyonce Rule turns your team from Danity Kane to Destiny’s Child. It becomes super easy to add/change the existing conventions and processes. The Beyonce Rule is cost-effective and can be easily adopted.

Share

Related Articles

Use Cases

5 Security Automation Examples for Non-Developers

By Torq
August 16, 2021
5 Minute Read
5 Security Automation Examples for Non-Developers

If you’re a developer who lives and breathes code all day, you probably don’t mind having to write complex configuration files to set up an automation tool or configure a management policy.

But the fact is that many of the stakeholders who stand to benefit from security automation are not developers. They’re IT engineers, test engineers, help desk staff, or other types of employees who may have some coding skills, but not enough to generate the hundreds of lines of code necessary to set up the typical automation tool.

Fortunately for non-developers, there are ways to leverage security automation without drowning in manually written code. Here’s a look at five examples of how non-developers can take advantage of security automation while writing little, if any, code.

1. Low-Code Configuration for Detection Rules

Detection rules are the policies that tell security automation tools what to identify as a potential breach. They could configure a tool to detect multiple failed login requests from an unknown host, for instance, or repeated attempts to access non-existent URLs (which could reflect efforts by attackers to discover unprotected URLs that contain sensitive content).

Traditionally, writing rules to detect events like these required writing a lot of custom code, which only developers were good at doing. A faster and easier approach today is to use a low-code technique that allows anyone – not just developers – to specify which types of events security tools should monitor for and then generate the necessary configuration code automatically.

When you take this approach, any engineer can say, “I want to detect repeated login failures” or “I want to detect high rates of 404 responses from a single host,” and then generate the requisite code automatically.

2. Automated Incident Response Playbooks

Along similar lines, you don’t need to be a developer to specify which steps automation tools should take when they detect a security incident.

Instead, non-developers can indicate their intent, which may be something like “I want to block a host’s IP range if the host is previously unknown to the network and more than three failed login attempts originate from the host in under a minute.” Then, automation tools will generate the code necessary to configure security tools to enforce that rule instantly whenever the specified condition is triggered.

3. Automatically Trigger Endpoint Scanning

Whenever a possible security incident arises, automatic scanning of impacted endpoints is a basic best practice for determining the extent of any breach and isolating compromised hosts from the network.

However, performing endpoint scanning across a large number of hosts can be difficult. It has traditionally required either a large amount of manual effort (if you perform each scan by hand) or the authoring of code that will tell your scanning tools to run the scans automatically based on the host and access data you give them. Either way, the process was slow and required collaboration between multiple stakeholders.

However, by using an approach where endpoint scans are configured and executed automatically teams can perform this important step much faster. For instance, if helpdesk staff who are supporting end-users notice the possible presence of malware on a user’s device, they can automatically request scans of all endpoints associated with that user (or with the user’s group or business unit) rather than having to ask developers to configure the scans for them.

4. Automatically Generate Security Testing Code During CI/CD

The testing stage of the CI/CD pipeline has traditionally focused on testing for application performance and reliability rather than security.

That’s not because test engineers deem security unimportant. It’s because most of them aren’t security engineers, and they don’t want to spend lots of time writing code to automate pre-deployment security testing on top of performance testing.

This is another context in which automatically generated code can help integrate security into a process in which it has traditionally played little role due to the complexity of generating the necessary security code. When test engineers can indicate the types of security risks they want to test for within application release candidates (like injection vulnerabilities) and then automatically generate the code they need to run those tests, it becomes much easier to make security testing part and parcel of the broader CI/CD testing process.

5. Update Security Automation Rules for a New Environment

Your business may already have security configuration code in place. That’s great – until you decide to make a change like moving to a new cloud or migrating from VMs to containers, at which point your rules need to be rewritten.

You could update the rules by having security analysts and developers work together tediously to figure out what needs to change and how to change it. Or, you could use low-code security automation tools to generate the new code automatically. There may be some tweaks left for your team to perform manually, but the bulk of the heavy lifting required to secure your new setup can be performed automatically.

Extending Security Automation to Non-Developers

Security automation is a powerful methodology. But given that non-coders are often the stakeholders most in need of security automation, platforms that require stanza upon stanza of manual configuration code to do their job make it difficult – to say the least – for most businesses to leverage security automation to the fullest effect.

That’s why the future of security automation lies in solutions that generate the necessary code and configurations automatically, allowing all stakeholders to implement the security checks and responses they need in order to protect their assets without having to learn to code or lean on developers to write code for them.

Share

Related Articles

Use Cases

5 Automated Anti-Phishing Protection Techniques

By Torq
August 8, 2021
4 Minute Read
5 Automated Anti-Phishing Protection Techniques

In an age when attackers create over a million phishing sites each month, and phishing serves as a beachhead for 95 percent of all attacks against enterprise networks, how can businesses respond?

Part of the answer lies in educating users to recognize and report phishing, of course. But user education only goes so far – particularly because the same statistics cited above show that, on average, only 3 percent of users will report phishing emails. Strong anti-phishing education may increase that number, but you’re still fighting an uphill battle if you rely on your users as your primary means of defense against phishing.

Instead, teams should lean as much as possible on automated anti-phishing techniques. By using automation to detect and respond to phishing attempts, businesses can stop the majority of phishing messages before they ever reach end-users.

Keep reading for an overview of five practical strategies for automatically detecting and managing phishing attacks.

Filter Messages Based on Multiple Attributes

Most security and IT teams know that they should automatically filter incoming email for signs of malicious content.

However, the mistake that many teams (and security tools) make in this regard is focusing just on one attribute of messages – typically, the content of the message itself – when performing scans.

Although scanning for signs of phishing like misspelled words or suspicious domain names is one way to detect phishing messages, it’s hardly the only one. A better approach is to evaluate each message based on multiple attributes – its content, the domain from which it originated, whether or not it contains an attachment, which kind of attachment, and so on – to build a more informed assessment of whether it may be phishing.

This multifaceted analysis is especially important for automatically catching phishing attempts, given that attackers have gotten much better at crafting good phishing content. The days are long gone when simply scanning email for strings like “Nigerian prince” guaranteed that you’d catch the phishers.

Detonate Attachments in Sandboxes

If your security tools detect possible malicious content but you need an extra level of confirmation, you can take the automated response a step further by “detonating” attachments — or downloading and opening any links that the phishing content included —  inside a sandboxed environment.

By installing the malicious content in a safe, isolated location and evaluating what happens, you can detect anomalies or attack signatures that will confirm that the content is indeed malicious.

Of course, the original content should remain quarantined and inaccessible to your end-users while your tools perform the sandboxed detonation. You can either safely release the content to users or block it definitively, pending the results of the sandbox analysis.

Block Sender Names and Domains Automatically

If you detect a phishing attempt, you can minimize its impact by using automation tools to block the sender’s name and domain as quickly as possible. Doing so minimizes the number of emails or other messages that the phishers are able to send to your users. It also disrupts their ability to engage with any users whom they successfully trick into responding to them.

And, by blocking not just malicious sender names but entire domains, you make it much harder for the phishers to continue their attack using multiple accounts.

Automatically Scan Affected Endpoints

Another step that you should take immediately and automatically upon detecting a phishing email is to scan any endpoints – such as the affected user’s PC or phone – that are associated with it.

Immediate scanning will maximize your chances of detecting and isolating any malware that the phishers may have been able to deploy.

Reset Affected User Credentials

Along with scanning impacted endpoints, you should also use automation tools to reset the login credentials for users who may have been impacted by a phishing attack. By logging them out of any open sessions and forcing a password change, you also mitigate the ability of attackers to exploit accounts that they compromised through phishing.

Automation as the Future of Anti-Phishing

The phishers are only going to get better at what they do. To keep up, businesses need to become more efficient in their responses. That means adopting automated anti-phishing tools that allow teams not just to detect phishing attacks as quickly and as accurately as possible, but also to minimize the potential impact of a successful phishing breach on the IT estate.

Share

Related Articles

See Torq in Action

Get a demo to see how Torq helps you harness AI in the SOC to detect, prioritize, and respond to threats faster.

Is your security team ready to automate more, faster?