The Security Parable of Steve the Roomba
Sometimes, you need to outsource the dirty work to accomplish your goals. This is as true in application security as it is in my household where we rely on a duo of robot vacuums for handling some of our dirty work. Our two little electronic vacuum cleaners, named Bob the Roomba and Steve the Roomba, share something in common with Alexander the Great - their middle name. The two robot vacuums also share something in common with how security should be enforced in your organization. Do you feel like you’re faced with the never-ending chore around getting security vulnerabilities addressed in your organization? You’re not alone in this very human problem.
As parents, getting little boys to pick up their toys is a never-ending chore that starts with nagging, escalates to yelling or grounding, and usually ends in defeat as parents have to clean up the mess. Everything changed, though, when we started running our dynamic duo of robotic vacuums every day. After the first or second run where we demonstrated Steve's insatiable appetite for Lego blocks, toys, and dirty clothes, the boys got the hint. Keeping the floor clean wasn't something they had to do to keep us happy: any mess they left meant that they would lose what they cared about to an uncaring and unyielding automatic overlord.
Steve the Roomba and Bob the Roomba have been taking turns as family member of the week and monthly MVP for a while now. As soon as we started up the automated cleaning cycle, we'd loudly announce "STEVE TIME!" and the boys would frantically clear their floor of all toys, dirty laundry, and trash in the amount of time it'd take us to complete a single round of nagging before. Don't get us wrong, there was also a lot of initial clean-up work to get their room into a state they could keep clean - mostly tossing old baby toys, installing organizational shelves, and removing the sheer volume of junk that life tends to accumulate. However, once we helped them get to a good place and had some help from Steve the Roomba and Bob the Roomba, they became active players in keeping the stuff they cared about out of their robotic overlords' way. And their rooms have been cleaner now than they have been in years.
So what does this little parable of robots and refuse have to teach security professionals? It's not our job to be the bad guys; we can outsource that to automatic, uncaring, faceless processes. Our job is to help engineering, ops, and other shops keep the stuff they care about squared away. When I design governance suites, I am very deliberate about not having the security team be the enforcement point for software security. Instead, I position the security team as a tutor who helps a student study for an exam, a parent helping their kids get the bedroom to a manageable state, and a partner who helps the dev team attain their objectives.
When on-boarding applications into a security program, it's best to treat bringing them into the risk management program like any other managerial orientation. Start by communicating the expectations - namely that there are policy and governance standards and requirements that are signed by the CISO, CIO, or CEO. After that, enable them to meet the expectations with tooling, training, and processes they can adopt. Hold them accountable to meeting those standards and help them make corrections when they fall short. At that point, it’s time to bring in automated policy enforcement.
Steve is our home-bound version of the automated policy hammer that keeps everyone putting effort into maintaining good behavior. Much like an automated or policy-driven release gate that acts independently of the security team, Steve the Roomba is the Bringer of Consequences. Such gates and automation are allowed to be the "bad guy" while parents and security teams focus on enabling developers to beat the requirements. This allows security teams to be the trusted partners and advisers who help teams get their software out the door.
Just like we can configure our automated vacuum cleaner to skip rooms or avoid certain areas for a day or two, it's important to build pressure release valves into release gates and enforcement points: exceptions, waivers, and bundling of results into tickets. Such policy vehicles allow teams to address technical debt in a sane manner, meet technical and architectural requirements, and deal with the surge of new findings that comes with deploying any new tool, while still not being able to ignore or band-aid away risk.
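To make the gate-plus-pressure-valve idea concrete, here is an added example (not code from the post) of a minimal release gate: findings at or above a blocking severity stop the release unless a time-boxed waiver tied to a tracking ticket covers them, and everything that blocks is bundled into one ticket body. Severity names, finding ids, ticket ids and dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed severity ladder; "high" is the blocking threshold in this example.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
@dataclass(frozen=True)
class Waiver:
    finding_id: str
    ticket: str    # tracking ticket that keeps the accepted risk visible
    expires: date  # waivers are time-boxed, never permanent
@dataclass
class GateResult:
    passed: bool = True
    blocking: list = field(default_factory=list)  # no waiver at all
    expired: list = field(default_factory=list)   # waiver lapsed, blocks again
    waived: list = field(default_factory=list)    # covered by a live waiver

def evaluate_gate(findings, waivers, today, block_at="high"):
    """Fail the release if any finding at or above block_at lacks a live waiver."""
    waiver_by_id = {w.finding_id: w for w in waivers}
    threshold = SEVERITY_RANK[block_at]
    result = GateResult()
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the gate: tracked as debt, not blocking
        w = waiver_by_id.get(f.id)
        if w is None:
            result.blocking.append(f.id)
        elif w.expires < today:
            result.expired.append(f.id)
        else:
            result.waived.append(f.id)
    result.passed = not (result.blocking or result.expired)
    return result

def bundle_ticket(result):
    """Collapse everything that stopped the release into one ticket body."""
    lines = [f"- {fid}: no waiver" for fid in result.blocking]
    lines += [f"- {fid}: waiver expired" for fid in result.expired]
    return "Release blocked by security gate:\n" + "\n".join(lines)

SAMPLE_TODAY = date(2024, 3, 1)  # constructed sample scan and waivers follow
SAMPLE_FINDINGS = [Finding("F-1", "critical"), Finding("F-2", "high"),
                   Finding("F-3", "high"), Finding("F-4", "low")]
SAMPLE_WAIVERS = [Waiver("F-1", "SEC-101", date(2024, 6, 30)),   # still live
                  Waiver("F-2", "SEC-102", date(2024, 1, 31))]   # lapsed
```

Running `evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, SAMPLE_TODAY)` blocks on F-3 (never waived) and F-2 (waiver lapsed) while F-1 passes on its live waiver, so an expired exception quietly turns back into a consequence rather than disappearing.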
There are always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.