
TIMO ZIMMERMANN

balancing software engineering & infosec

Thoughts on WWDC2020

posted on Thursday 2nd of July 2020

Another year, another WWDC. I could be wrong but this felt like the most consumer focused WWDC I have ever watched. And it is one of the few which actually will have an impact for years to come – think PowerPC to Intel or the introduction of the iPhone. I did not immediately want to post thoughts on all the announcements as I wanted to play with Big Sur first. While it took a bit more work than I would have liked, I got a virtual machine set up and had a chance to spend some time with it.

Big Sur

There is a lot going on, but the biggest change is likely the UI. It is closer to iOS and iPadOS than anything we have seen before. Somehow Apple managed to still make it feel like a Mac, not a scaled up iPadOS version. Whether you like the design is up to you, tastes are different – personally I am looking forward to upgrading my main system later this year.

The animations are subtle, but I can see people already complaining that actions now take 0.5 seconds longer than before. After all those years – and hearing the same complaints about Windows – I still have not figured out what people do with the 2 minutes a day they gain by not waiting for animations to finish. But I am sure it is life changing.

To me the biggest change is Notes. It finally does not offend the eye anymore! I cannot express how much I hated this slightly yellow, textured design. I am glad it is gone. Reminders also received some nice updates. While it will not compete with Todoist, it might be enough for some people to not buy the next upgrade of Things.

iOS

Apple really tried getting rid of things taking over the whole screen, like incoming phone calls or Siri. But this is mostly a visual change: While Siri is active you still cannot interact with the elements on screen you are seeing. And this seems intentional – in an interview Greg Federighi mentioned they tried a version where you could interact with the system and it did not feel right.

The feature that struck me as odd is picture in picture. I get it on the iPad 12.9”. While I am not a big fan, it is okay to use from time to time. But phones have limited screen real estate. I cannot imagine actually looking at a video in PiP mode on any phone in existence right now.

(So here is a bit of speculation that might be too forward thinking – what if… Apple works on a foldable phone? Maybe two separate screens with a hinge design. Suddenly there is a lot more screen. And taking over half of the screen available for a phone call or Siri while still presenting information and working on the other screen makes the design decision more coherent.)

App Clips could be a game changer. There is a lot of potential – to succeed or fail – and Apple likely has a better chance getting people to adopt it than Android had when they shipped their version. What I really dislike is that it is not an open standard. For businesses, supporting something like App Clips would be a lot easier to justify if they did not need a customer study first to see whether the majority of their customers actually have an Apple device.

(I will not go deep on the whole widget and icon organisation topic – I have used this on my Android dev device enough to know that I literally do not care.)

iPadOS

Search is likely the big one – especially with the Magic Keyboard it feels more natural to have a macOS-like Spotlight experience than what we have right now. It also looks like a visual upgrade to me and it makes multitasking feel a bit more natural.

The really big one for me here is – again – Notes. While the handwriting recognition is nice (if it works), the fact that it finally has shape recognition means I can do most of my sketching for architecture diagrams in Notes, together with the initial draft of the document, primarily because Notes on macOS does not look horrible anymore.

Apple Silicon

I am waiting for an ad screaming “don’t call it CPU”. I do not think I have heard the word silicon so often in a 20 minute video as in this keynote. It is a change people predicted for a very long time and now we will finally see systems ship with Apple's own silicon.

I can easily see this being amazing for notebooks. We will see how the first iteration performs, but considering what most people do with their laptops it will be good enough. Likely not for many engineers, media professionals,… but for regular users writing emails, documents and using the web. Considering my iPad Pro has a 36.71-watt-hour battery which lasts for 10 hours, imagine how long a laptop would run if the battery only stays the same as in today's models. We are talking truly all day battery life.

Considering they still plan to announce Intel based systems as well and that they surely are a few years away from being able to replace a Mac Pro for example, I do not see them deprecating current systems soon(tm). This does put a lot more pressure on the compatibility layer. No one likes “you cannot run this software on your system because reasons you do not understand” – again, we are talking about regular users, not software engineers that know the difference silicon can make.

While I do not see them merging macOS and iPadOS / iOS, I am curious if portability of apps means I will finally get Xcode on my iPad. What I would really like (and I have been asking for that for years) is to be able to plug a monitor into my iPhone or iPad, connecting a keyboard and mouse and switching the UI to macOS. There is a very good reason why Apple will not do this though: They would cannibalise their low end laptop market. There is also a very good reason why Apple will do this: They can streamline their product lineup and upsell tablet upgrades. Time will tell which way that will go.

The rest

Nothing in watchOS 7 actually excites me. Literally nothing. I also do not see a lot they might want to change at this point, I think we will first see a new revision or new type of wearable which might justify significant OS changes. In the meantime some actually useful standalone apps would be nice.

tvOS – I am sure someone somewhere will use AirPod sharing once. YouTube in 4k is very much appreciated.

Automatically switching between devices will either be an amazing experience or super frustrating when your video call drops audio because you receive a notification on your phone. As I am not running any of the betas on real devices this one is hard to test.

Virtual keynote

Honestly, I like the style. A lot more information than you usually see in a keynote and a faster pace. It felt like the right mix of acknowledging the situation and still being light hearted. And whoever worked on the Apple Silicon intro – kudos, usually I would expect something like this to end in a cringe fest, which it didn’t.

I am sure Apple will move back to a physical event as soon as possible. But I hope they keep the current way they engage with developers and share content. It feels a lot nicer than the years before and the iPad app is actually pretty good.


Adding two factor authentication to Django admin

posted on Thursday 25th of June 2020

As my dissatisfaction with WordPress grew, I did the only Reasonable Thing(tm) and decided to roll my own CMS again. Which means I do not only have the joy of building a tool exactly fitting my needs, but I also have to build some of the functionality I would expect every production-ready system to provide. Account security in Django’s contrib.auth and contrib.admin packages did not change a lot over the last decade, but in 2020 I expect some basic functionality from every system, like two factor authentication.

As 2FA is missing in Django's admin package, what is the Reasonable Decision(tm)? To add it myself, of course. You might see a trend of “reasonable yak shaving” here.

(A small side note if you are working on a SaaS or web app right now: Account security is not a “premium feature” or a feature your users should have to pay for. It is basic functionality you should always provide to anyone, no matter if they are free or paid users, no matter which plan. And now back to our scheduled program!)

This article assumes you have some familiarity with Python and Django; at least enough to create a new application, inherit from a class and override a method.

Speed run

When I decided to build a CMS I also decided to speed run the whole process, which means writing as few lines of code as possible and not caring about reusability or customisability. I actually like this approach for tools I am writing primarily for myself – it is fun, give it a try! While I will publish the code to GitHub, I assume most of the value someone else will get out of it is learning how to implement certain features like webmentions. What does this mean for the 2FA code we will discuss?

I took – sometimes unnecessary – shortcuts like directly importing django.contrib.auth.models.User instead of using get_user_model(). The demo is not meant to be a reusable app and I want to actively discourage people from copy & pasting the directory as it is. I have not seen many applications over the past ten years actually using the stock user model, and if you happen to have a custom user model you can just skip the model part and simply add the field required to store the secret on the actual user instance.

To log in you have the field to enter your token right next to the username and password. Usually entering the token is a separate step. That allows you to pre-validate username and password and to support additional factors like push notifications to your app or security keys like YubiKeys in a very clean and easy to implement way. I have heard arguments for and against having the input on the same form as username and password for the sake of UX – to this day I cannot tell you which one is better from a UI/UX perspective.

There are also additional improvements I would consider requirements for a customer facing system. You will likely want to show a user a QR code to scan to provision their authenticator app instead of printing the secret to standard output when running a management command.

(Do not worry if some of those points do not make any sense right now, we will get there by the end of this article.)

Two factor authentication

While there are many ways to realise 2FA I have chosen to go with Time-based one time passwords. You might know TOTP from actually using them via Google Authenticator or another app – you scan a QR code to set up the app and every time you want to login you have to type in a random six digit code. The most common issues with TOTP are listed in the Wikipedia article:

In my opinion the better option would be a hardware key. Google had great success eliminating phishing with hardware keys, and it would address the other two weaknesses as well to a certain degree. You would most likely want to support security keys via WebAuthn. This does not mean security keys are without flaw, you just have other problems to solve.

Let us take a look at the steps we need to take to support two factor authentication:

Luckily there is a library to generate one time passwords which also does lots of the other work we need and Django is, as always, easy to extend. Let us jump into it.

Implementation

You can find the code for this example on GitHub. If not otherwise stated all files we are editing are in the lazyotp package. Before we start writing code please make sure you have PyOTP installed. pip install pyotp will do the trick. Please also make sure you read the PyOTP readme before continuing. It will outline some of the things it can do and explain its API.

We first start by defining the model to store our user specific secrets.

lazyotp/models.py

# coding: utf-8
from django.contrib.auth.models import User
from django.db import models


class Token(models.Model):
    user = models.OneToOneField(User, models.DO_NOTHING)
    secret = models.CharField(max_length=100)

You might want to extend your existing user model with the secret field. I do not see any reason to make this a separate model if you are not planning to support multiple tokens and if you are not using the default user model. The only reason I can think of is supporting multiple 2FA systems, as this can easily clutter your user model a bit.

Next we need a way to generate a secret for a user.

lazyotp/management/commands/generate_totp_secret.py

# coding: utf-8
from django.core.management.base import BaseCommand
from django.contrib.auth.models import User

import pyotp

from lazyotp.models import Token


class Command(BaseCommand):
    help = "Generate a secret for user for TOTP authentication"

    def add_arguments(self, parser):
        parser.add_argument("user_id", type=int)

    def handle(self, *args, **options):
        user = User.objects.get(id=options["user_id"])
        secret = pyotp.random_base32()
        Token.objects.create(user=user, secret=secret)
        self.stdout.write(self.style.SUCCESS(f"Secret generated {secret}"))

Using this management command we print the secret we generated for a given user ID to STDOUT. This means you will have to manually copy & paste the secret into the authenticator app. Surely not the most comfortable solution, but it gets the job done.

Now that we have a secret for a user and can generate a TOTP, we need a way for them to enter one when logging in. I decided to extend Django's authentication form with a token field.

lazyotp/forms.py

# coding: utf-8
from django.contrib.auth.forms import AuthenticationForm
from django import forms
from django.core.exceptions import ValidationError

import pyotp


class TOTPAuthenticationForm(AuthenticationForm):
    # Six digit code from the authenticator app, submitted together with username and password
    token = forms.CharField(max_length=6)

    def confirm_login_allowed(self, user):
        # AuthenticationForm has already validated username and password at this point
        super().confirm_login_allowed(user)

        # The reverse OneToOne accessor raises a subclass of AttributeError if no Token exists
        if not hasattr(user, "token"):
            raise ValidationError("User not setup for token based authentication")

        secret = user.token.secret
        token = self.cleaned_data.get("token")

        totp = pyotp.TOTP(secret)

        # verify() only accepts the code for the current 30 second step unless valid_window is set
        if not totp.verify(token):
            raise ValidationError("Invalid token")

The only addition besides adding the new field is checking that the token is valid when the auth system allows a login. As mentioned earlier, this is also one of the few shortcuts I took and in a production grade system you might want to make this a separate step after the basic username and password authentication.

Now to the slightly tricky part – making Django use our new form. To make this happen we have to override the form on the standard AdminSite and also let it know which template to use to render our form.

lazyotp/admin.py

# coding: utf-8
from django.contrib import admin

from lazyotp.forms import TOTPAuthenticationForm


class TOTPAdminSite(admin.AdminSite):
    login_form = TOTPAuthenticationForm
    login_template = "login_totp.html"

The template will be picked up by Django's template loader if APP_DIRS is set to True. As a starting point we copy & paste the default template and add our own form field. (To reduce visual noise I will only include the form below.)

lazyotp/templates/login_totp.html

<form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
  <div class="form-row">
    {{ form.username.errors }}
    {{ form.username.label_tag }} {{ form.username }}
  </div>
  <div class="form-row">
    {{ form.password.errors }}
    {{ form.password.label_tag }} {{ form.password }}
    <input type="hidden" name="next" value="{{ next }}">
  </div>
  <div class="form-row">
    {{ form.token.errors }}
    {{ form.token.label_tag }} {{ form.token }}
  </div>
  {% url 'admin_password_reset' as password_reset_url %}
  {% if password_reset_url %}
  <div class="password-reset-link">
    <a href="{{ password_reset_url }}">{% trans 'Forgotten your password or username?' %}</a>
  </div>
  {% endif %}
  <div class="submit-row">
    <input type="submit" value="{% trans 'Log in' %}">
  </div>
</form>

The only change to the default template I had to make was replacing the translate tag with trans.

Now that we have a way to enter a token when logging in we create an AdminConfig and tell Django to use our site instead of the standard one.

lazyotp/apps.py

# coding: utf-8
from django.contrib.admin.apps import AdminConfig


class TOTPAdminConfig(AdminConfig):
    default_site = "lazyotp.admin.TOTPAdminSite"

project/settings.py

INSTALLED_APPS = [
    "django.contrib.auth",
    "lazyotp.apps.TOTPAdminConfig",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "lazyotp",
]

Here we are replacing django.contrib.admin with our AdminConfig class and we include our lazyotp package.

That is it. You can now create a super user, run the generate_totp_secret management command, pass in your super user's user ID, provision the authenticator application of your choice and log in to the admin site.

Next steps

Implementing two factor authentication for user accounts, especially when you have a custom user model, should now be a manageable task. If you are stuck at some point please feel free to reach out to me, I am sure we can figure it out.

Either way, what we built so far does need some more love before you can put it in front of your users. First of all you might want to implement a more standard provisioning approach. In your user profile (or the security section of it) you usually would display a QR code which an authenticator app can scan. You also want to ask the user to enter a TOTP before enabling the feature for their account. This way you can be sure they actually completed the setup process properly.
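The TOTP check used by the form above, plus the QR code provisioning and "confirm a code before enabling" step just described, as an added example that is not part of the original post or of PyOTP: it reimplements RFC 4226/6238 with the standard library only so it can be read and tested offline, and the `Example` issuer, the account name, the timestamps and the RFC test secret are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed demo values: the RFC 4226/6238 test secret ("12345678901234567890"
# as base32, the format pyotp.random_base32() produces) and a made-up account.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_ACCOUNT = "alice@example.com"
DEMO_ISSUER = "Example"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what the app shows)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32, token, at, step=30, digits=6, valid_window=1, last_counter=None):
    """Check a submitted token against the current time step and its neighbours
    (clock drift), like pyotp's verify(valid_window=1). Returns the matching
    counter or None. Any counter <= last_counter is rejected, so a code that was
    captured and submitted again inside its window is refused; pyotp's verify()
    does not remember used codes, the caller has to persist the counter."""
    if not (token.isascii() and token.isdigit() and len(token) == digits):
        return None
    current = at // step
    for counter in range(max(0, current - valid_window), current + valid_window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), token):
            return counter
    return None


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that gets encoded into the QR code an authenticator app scans."""
    label = quote(issuer) + ":" + quote(account)
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


class Enrolment:
    """A secret exists for the user, but 2FA stays inactive until the user proves
    their app produces a valid code; this replaces the 'active as soon as the
    management command ran' shortcut."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.confirmed = False
        self.last_counter = None  # persist this next to the secret in a real app

    def confirm(self, token, at):
        counter = verify_totp(self.secret, token, at)
        if counter is None:
            return False
        self.confirmed = True
        self.last_counter = counter
        return True

    def login(self, token, at):
        if not self.confirmed:
            return False
        counter = verify_totp(self.secret, token, at, last_counter=self.last_counter)
        if counter is None:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    enrolment = Enrolment(DEMO_SECRET)
    print(provisioning_uri(DEMO_SECRET, DEMO_ACCOUNT, DEMO_ISSUER))
    code = totp(DEMO_SECRET, 59)
    print("confirmed:", enrolment.confirm(code, 59))
    print("replay accepted:", enrolment.login(code, 70))
```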

But there is also more you can do to secure your admin interface. You most likely want to rate limit login attempts for a user account. While TOTP makes brute forcing an account so much harder you should not underestimate the bandwidth that can be thrown at an autoscaling system. I have not seen this being successfully exploited in the wild – which does not mean it did not happen – but you can never be too prepared for what might come.

In the spirit of including a meme in a technical article – “Two factor authenticate all the apps!”


UniFi Dream Machine Pro – not the experience you would expect

posted on Saturday 20th of June 2020

I like UniFi products: They make my life easy. They simply work. They provide all the features I need. They do not ask me to pay an annual license fee. Sometimes they are a bit pricy, but the overall comfort and quality make it easy for me to justify spending the money. As the Security Gateway Pro 4 was a bit limited in regards to performance and as we are planning to add one or two security cameras to our home the Dream Machine Pro showed up exactly at the right time. Let me tell you, this one was a rollercoaster of simultaneously being pleased by the device and nearly setting my rack on fire to get rid of all the UniFi gear.

To give you a general idea what our network looks like:

Here is what I expected to happen: setup the UDMP, load the site configuration, swap the USG and CloudKey for the UDMP, adopt devices, have a coffee.

Here is what happened: configuration cannot be loaded, all adoptions fail, an 8 port switch might or might not be broken. Two days of work and the urge to sell all my gear and just put a shitty WiFi router somewhere ensued, telling myself minimalism in network design is – for some unknown reason – trendy and a good idea.

But let us start from the beginning. Importing an existing site does not work right now. (It might at some point, but not when I set up my UDMP.) The controller is now embedded, which I really like. If you have to administrate multiple sites you still want to stick with an external one, as the integrated controller only supports one. Having to reconfigure everything is a bit inconvenient too. We are talking about a Site2Site VPN, one VPN for mobile access to our servers, some DHCP and DNS settings and a few firewall rules and routes. Nothing too problematic for one site, but it added an hour or so to a five minute task.

Once configured I wanted to adopt my existing devices. Literally all of them failed to adopt and needed a reset to allow adoption. Some ended up in a disconnected state, some in a failure. It was not really consistent from what I have seen.

The access points were a special oddity. They adopted, but immediately changed to "disconnected" without showing the provisioning step. And obviously they did not work. Searching the forums for a bit there were some solutions which required SSHing into the APs and triggering a command at the right time to force provisioning. Luckily the solution was a lot easier – turning off uplink monitoring. Once I flipped the toggle both access points immediately provisioned and worked.

While the two big switches worked fine, one of my 8 port switches seems to be broken now. It simply does not accept PoE in anymore. No idea why. I tried resetting, re-provisioning and a few other troubleshooting steps I could find. It works fine with an external power supply and the port itself – which is part of a LAG – works as usual.

At least the partially broken switch sounds like something you would like to get Ubiquiti's support opinion on, right? Good luck with that. They were fast to respond to some of my tweets, someone even reached out – and then dropped the ball. It has been nearly two weeks and I did not hear anything from them, not even an acknowledgement that they received my complaint. Their support website does not seem to work in Safari – I cannot submit a ticket or start a live chat. I guess I have to install another browser hoping all the errors in the JS console magically go away.

The Dream Machine Pro is still a young product and it shows. Ignoring the site import for a moment some features you would expect to be present – as they are on all the other devices – like link aggregation are still missing. But other features like IDS / IPS work a lot better and without the performance impact you know from the USG. It really is a mixed bag. Most of the features you are used to are there, but I honestly hope updates will add a few more – like Wireguard.

If you do not absolutely need the throughput of the UDMP I would recommend waiting until a few more updates have shipped. If you really need a router and cannot wait, I would consider a Security Gateway and CloudKey with IDS / IPS turned off. For slightly advanced home and small office networking I am still recommending UniFi products – I’m assuming my weekend of network troubles is an outlier and usually they work pretty well. (Considering the support experience they better should.) This was actually the first time I had any serious trouble with their products; and while there are a few alternatives in the same feature / performance / price segment, I still believe UniFi provides the most polished experience.


Thoughts on HEY

posted on Wednesday 17th of June 2020

The folks behind Basecamp were working on an email service for the last two years which launched on Monday. Hey.com is slowly starting to send out beta invites, got some drama with Apple and people already praise it after a few days (maybe hours) of use.

First of all – congratulations to anyone who was involved in shipping! Judging from some Twitter threads I have seen, you built something amazing, ignoring the trends of the last few years, and instead actually opted to build a carefully thought out product with a focus on efficiency and user experience. I really appreciate it!

The high level summary of the Apple drama is Apple not approving any updates to the application as long as users cannot subscribe to the service via the app. This seems to be in line with their AppStore policy, but other apps which are considered a “viewer” can get away with this model. As always this is a rule not consistently enforced. And people rightfully point out that Gmail and others get away with the exact same thing.

This is one of the few times where I agree with the Internet mob screaming anti-trust and that Apple should course correct as fast as possible. Usually I like most of the things Apple does. I would love to like the AppStore too. But this means that I expect Apple to do better than this. What I do not agree with is the rhetoric the critics use which makes it sound like Apple is a mafia dictator eating children on live television. But that is the Internet for you.

I do not buy into the business vs customer argument. Especially because this would mean HEY will never be what I actually want it to be. One of my big hopes is having people move away from Gmail. To accomplish this the alternative needs to be on point from a usability and user experience perspective, provide unique features and work flawlessly for every day communication. HEY seems to check all those boxes. It is a well thought out product built by people actually using it.

While this might sound like a perfect pitch, there is the price. $99 might not sound like a lot to people living and working in a first world country for something as essential as email, but it means spending money on something you can get for "free" somewhere else. And if you're less economically favoured this is some serious money. If you are using email professionally it will be a business expense, in which case $99 is (hopefully) not even worth discussing.

But for regular consumers using email privately this is a big step. I believe HEY offers enough value to justify the price, but I am certain there are more than enough people who disagree. Being the product is cheaper for consumers, and the cheaper option has proven to be reliable.

The tech-savvy reader might now question why you need an app for your email service. And I am with you on this one. The absence of IMAP and SMTP is one of the reasons why I am personally not interested in HEY. (Well, and my hosting provider is awesome, so there is that.) In their FAQ they give you the reason for their decision:

Can I check my HEY email with my existing email app? In order to use HEY, you’ll need to use one of our custom Web, Mac, Windows, iOS, and Android apps (you can grab them right here). HEY treats email in all sorts of special ways, so off-the-shelf 3rd party email apps won’t work with HEY.

This is where I am willing to put my product hat on. The main issue with email is this: Many people consider it to be broken. They want features which would be hard to build with IMAP, POP and SMTP. They want a curated and customised experience. They do not want spam. They want many things. And building a traditional email client will not solve any of those problems. I can get behind this decision, especially if it drives adoption.

I will follow HEY's journey for three very different reasons:

  1. They seem to have a chance to get people off of Gmail. The fewer people using it, the better.
  2. The whole Apple AppStore thing will likely blow up and might change the playing field – especially considering the EU is getting involved.
  3. It will be interesting to see if they can monetise a service which many consider a business expense with regular consumers.

I wish HEY and their team all the best with their business and dealing with Apple. It is one of the services I hope will disrupt the email landscape and from what I have seen and heard so far it seems to be capable of doing so. And the company and people behind it have shown that they are able to run a company and work in their customers best interest while making sure the lights stay on. The way you should run a company.


Security 101: Path of least resistance

posted on Thursday 28th of May 2020

No matter if you are starting your career in information security, want to build your newly started company on a solid foundation or for whatever reason decided that it is time to step up your security and compliance game: You are in for a long journey with dozens of fights and surprises you will never anticipate. In the spirit of covering as many angles as possible related to security, let us talk a bit about you and your colleagues.

Let us start with a straight forward example. You decided to start a company working in a highly regulated field, like healthcare. If you are based in the US this most likely means you have to be HIPAA compliant. Most founders are aware of this requirement and have a rough understanding of the implications, but it is likely not deep and not technical enough to ensure that a growing and complex web or mobile app satisfies all requirements. This is why people specialized in security and compliance – like yourself – are brought in.

Most companies will have someone running marketing. No matter how good your product is, you have to sell it. And all over the world one thing holds true to marketing: they need data. The more data the better. This is their job. And let me tell you, it is not very compatible with highly regulated fields. So their first request to engineering is putting Google Analytics on the website so they have an idea what visitors look at and when they lose interest.

As shocking as this might sound, this is actually a problem. Google is actually very specific that you should not simply use GA for a HIPAA compliant product – believe me, no one will ever read this FAQ when tasked to add GA. There is a good chance that you will hear some form of justification along the lines of "but look at healthCareCompanyX! They also use GA" when you raise this issue. The sad truth is that there are tons of compliance violations in every single field by companies of any size. As long as no one catches it during an audit or sues, it simply will not change. This does not mean it is okay to join the ranks of companies violating regulations and therefore customer trust.

There are a few different actions I have seen security teams take in response to a compliance violation like the one described.

You can simply remove GA from the app or website. Now your marketing team does not have the data anymore they actually need to be efficient at their job. You did not just take out a whole team's productivity, but most likely also have your leadership team question why they pay a few people a lot of money to sit around. This might sound a little bit dramatic, but it is one of the outcomes I witnessed.

It does not even matter if there is any truth to it, you are in a bad position at this point. Compliance will win lots of arguments and drive decisions. But the team will remember that you turned off one of the tools they need. And moving forward they will try to make sure you do not know about the tools they use. You are the villain that tries to prevent them from doing their job!

Sooner or later you will find mysterious services and tools you never knew your company is using – and chances are pretty good they will not be compliant with your regulations. People will try to take the path of least resistance – which is not talking to you and simply start using tools. When it is uncovered there are usually no ramifications for them, in the end they “did what they had to do to get their job done”.

Another option is to replace GA. You do some research and notice that you can self-host Matomo in a HIPAA compliant way. And it shows some fancy graphs that look like GA's, so it has to be a good replacement, right? Set up a server, drop the pixel and you are done. Except you forgot to port data from GA over. Existing data is core to an analytics solution, you cannot simply discard months of data. Except the marketing team does not know how to use the new tool. Except that core features work differently. Except… you see where this is going.

Professionals usually know one or two tools. They invest a lot to get really good at using those tools to get their job done. Sometimes there is only one tool the whole industry seems to use. You cannot "simply start using another one". You might have to get a consultant on board for custom development and training. You need to plan transition periods. And all of this assumes the team understands why you want to force them to abandon the tool that served them so well for all of their career.

The least fruitful "solutions" – let us be charitable and call them that – I have ever seen were creating a ticket for the marketing team telling them "GA is not HIPAA compliant – please find another tool" or asking large enterprises who are not set up for it to sign a BAA. Good luck, you need it.

On a personal note: I have chosen this example because it is easy to follow, this is not a general statement about marketing teams. The same scenario will happen in every team across your company – no matter if it is marketing, finance or engineering. I have also seen amazing teams being sensitive to compliance requirements and doing all the work upfront to make sure tooling will be compliant.

I have never witnessed a good security team that worked in isolation behind closed doors. You can do all the research you want and decide to move forward with what the industry considers best practices and top of the line security measures, but if your team and company is not on board you basically burn money and set yourself up for failure.

The two most important things you have to work on as early as possible are making sure everyone in your company is aligned on the importance of security and compliance and being their partner figuring out solutions that work from a security and compliance point of view – as well as setting your colleagues up for success.

Understanding the importance of compliance and the basic nuances of how decisions are made and tools are evaluated will help teams a lot when making the initial request. In a perfect world you provide something like a small check list to them and as they engage a new vendor to simply check off boxes so they can have a higher confidence that the work they put in talking to them will be worth their time.

Or, if some of the boxes are not checked they know they will have to pull in you and your team immediately before spending more time on the partnership. Self service is one of the most important aspects, as it allows teams to move as fast as they want, not as fast as you are able to do your research. Security teams usually do not scale as required all the time. And the moment it becomes bothersome, slow or tedious to work with you, people will again follow the principle of least effort which is cutting you out of the loop, delaying as long as possible to bring you in.

At some point any team that wants a new, shiny tool should talk to you and your team for a final sign off. The sooner in the process the better. And best case you are involved in the vendor selection early on and act as a thought partner. This will not always be feasible. But having teams follow some form of sign off process and making sure they know you work with them and try to make things work is far better than reacting to deals that are already signed. Once money is committed you often will be told to make it work. Even if it is not possible, you will be asked to get creative. This is even less fun than it sounds.

Security and compliance is a process involving the whole company. Work with people and set them up for success. Be mindful of their time and requirements. Help them to get to a solution that works for them, not only for you. This will make your job so much easier and more pleasant.

If you want to follow this article series you can either subscribe to the main RSS feed or to the tag specific one if you only care about startup security posts.