Nixu and Santa Claus have a long history of working together to secure a happy Christmas. This year, we have been helping Santa to create and improve secure software development practices, which was one of the items on the roadmap we created after the toy factory assessment last year.
Background: delivering once a year
Earlier, Santa and the elves had no particular reason to be very agile: delivery once a year has been quite enough. However, the increasing gift wishes for computer games and internet-connected toys have forced Santa’s toy factory to consider their software development security.
We really need to rethink our development practices. After all, a toy full of bugs or vulnerabilities would make the children very sad. Children’s wishes are also coming relatively late during the year which requires rapid changes from us.
– Shinny Upatree, the lead developer
Development practices review
We reviewed the current software development practices together with the elves, starting from product management. The developer elves thought that their project staffing is quite well in order during spring and summer. However, they complained that typically in November and December they lack resources because updating the naughty or nice lists gets higher priority.
When the discussion went to secure coding and having a defensive mindset, all the elves agreed that they had room for improvement: so far, the main threat they had considered was Grinch ruining Christmas.
Visibility of security work also raised some concerns amongst the elves, as the backlog handling was still based on pen and paper. Actually, the whole backlog handling and mapping of development items to the original stakeholder requirements (“Johnny wants an electric toy train for Christmas”) sounded a bit hard to follow, but maybe that’s the magic of Christmas.
There was some disagreement amongst the developer and QA elves about the repeatability of the delivery process, but they all agreed on improving the security hardening of games and toys. As kids are unlikely to start reading lengthy manuals after unwrapping gifts, setting secure defaults sounded like a good idea to everyone. Pepper Minstix, one of the senior test specialists, reckoned that parents would also be pleased about toys that are secure by default, as that would give them more opportunities to relax and rest.
Santa goes DevSecOps
Based on the review workshops, the elves already had plenty of ideas on how to improve taking security into account in their toy-making processes. Especially Wunorse Openslae, an elf renowned for his inventions, was very excited about the concept of DevSecOps, already sketched an enhanced process diagram to showcase how to run static code analysis, software composition analysis, and other automated security verification activities for each build.
The elves also decided that they will nominate a Security Champion from each team and start gradually introducing new security practices, such as threat modeling and code security reviews. They also agreed on creating security acceptance criteria and taking a closer look at the security of the release distribution as the next thing.
The Nixuans involved in the secure development processes review would like to thank Santa and the elves for their commitment and time for remote workshops during the busiest time of the year. We also wish everyone a merry, cybersecure Christmas!
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.