Security Quadrants

Mapping security initiatives to organisational values

I had the question of how QA teams can deliver business value and have more budget than security. While exploring, I wanted to understand how Agile testing is done. I came across the blog by Brian Marick. He describes agile testing in four quadrants on his blog page. Inspired by his quadrants, I created what it would take for security.

I have chosen the left and right halves as “Supporting Secure Development” and “Organisational Trust & Safety”. Supporting Secure Development means helping the development team secure the product that customers are paying the organisation for. Organisational Trust & Safety relies more on compliance, safeguarding the organisation from legal and regulatory exposure, and on the organisation-wide security effort we put in.

Q1: Technology facing and Supporting Secure Development

This quadrant focuses on giving instant feedback and testing that development teams can act upon. CI/CD tools must give developers actionable output to act on rather than leaving them to swim in false positives. It also means providing secure infrastructure for developers to deploy to, so they do not have to worry about the security implications of each deployment.

Q2: Business facing and Supporting Secure Development

This quadrant focuses on immediate business value. Abuse/evil stories have a higher ROI because issues captured this way mostly get fixed up front rather than being pondered over when found later in development. Evil stories tell the developer beforehand which issues must not be present, and secure a commitment that they won’t be present while the code is being developed. Security engineering has straightforward business value, such as developing secure shared libraries, a shared SBOM, and developing and managing security functionality as plugins. Virtual patching has the benefit of stopping an incident from occurring, safeguarding the business from ongoing attacks, and covering security issues that are still in the backlog.

Q3: Business facing and Organisational Trust & Safety

This quadrant focuses on compliance and audit requirements. I have included security awareness and training in this quadrant because I believe that some functional and non-functional teams are going to deal with customer data. It is important to train them on how to deal with customers and how to safeguard against attacks, so that customer data is protected, which is a business value.

Q4: Technology facing and Organisational Trust & Safety

This quadrant focuses on organisation-wide security efforts for safeguarding our technology and products from the perspective of Organisational Trust & Safety. Enterprise IT security includes VPN, onboarding and offboarding of employees and contractors, and access management. Vulnerability management covers both found and yet-to-be-found vulnerabilities so that we keep improving our product security. Detection and monitoring enable us to be proactive about Organisational Trust & Safety.

If you look at the diagram, some initiatives have both business value and technical value. I have weighted them and placed each in a quadrant using a greedy method.

This is my first post in 2024. Happy New Year!
