🥶 DMAIC as a value system for optimization
Here we can talk not only about information security but also about how to coexist with developers while understanding their internal "kitchen". With that in mind, we can turn their methods to our advantage and grow what we build as our own brainchild. Transfer this to your own work: say you need to step in and fix the problems, look at the "list of sins" report and see how each item was fixed.
Let's talk about a system for orchestrating in-house information security within development processes. I often borrow vocabulary from adjacent disciplines. We all have our professional bias; after I received the DASA DevOps Product Manager certification, I started paying more attention to this.
During development and vulnerability testing I often hear:
- "We need to optimize the pipeline, it runs like it has the brakes on"
- "Reduce the failures, otherwise there will be questions again"
- "These vulnerabilities aren't exploitable, prove it to us"
- "Let's log it as technical debt and sort it out later"
- "Why should we do this? We're doing the updates ourselves"
- "Pamagite" (a deliberately misspelled "help!") (😂)
This happens because there is no structure and no standardization. Let's look at standardization not from the regulator's point of view (and not be put off by the word itself) but note that it is useful when everyone follows a similar approach.
When there is no structure, such tasks turn into endless refactoring for the sake of refactoring, that is, "work for the sake of work". Against this background, we need to optimize business processes, improve quality and efficiency, and minimize costs.
Hence DMAIC.
An approach from production (operations) management that lets you solve problems and improve business processes consistently, using quantitative and qualitative metrics. It is a proven Lean Six Sigma model and maps well onto DevSecOps.
Model:
D - Define - first we formulate the problem and the goal, and the goal must be measurable. For example: "reduce SAST false positives by 30% without loss of coverage".
M - Measure - we collect the data: finding frequency, triage time, share of the code base covered, number of findings generated, etc.
A - Analyze - we find the root causes: is the point of failure the tool, its configuration, the triage process, or the human factor?
I - Improve - we implement the changes: update rules, automate, add callback actions, optimize analyzer jobs, write policies, modernize the pipeline, etc.
C - Control - we lock in the result: dashboards, alerts, regular reviews, etc. An improvement doesn't count as successful unless it can be repeated and maintained, so continuous testing matters. For the SAST goal above, control means checking both halves of the goal: the false-positive count dropped by the target, and no previously confirmed finding disappeared along with the noise.
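To make Measure, Analyze and Control concrete for the SAST goal above, here is an added Python example; it is not code from the original post or from any scanner. The rule ids, file paths, verdicts and triage minutes are constructed sample data, and the two "Improve" variants (tuning rules vs. disabling a rule outright) are assumed scenarios chosen to show why the control gate must check coverage as well as the false-positive count.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str          # hypothetical rule identifier
    path: str             # hypothetical file path in the scanned repo
    verdict: str          # "tp" = confirmed, "fp" = false positive (set during triage)
    triage_minutes: int   # analyst time spent reaching the verdict


# Constructed baseline scan (Measure input), not real scanner output.
BASELINE = [
    Finding("SQLI-001", "app/db.py", "tp", 20),
    Finding("SQLI-001", "app/users.py", "tp", 25),
    Finding("XSS-002", "web/views.py", "tp", 15),
    Finding("XSS-002", "web/templates.py", "fp", 10),
    Finding("SECRET-003", "app/config.py", "tp", 30),
    Finding("SECRET-003", "tests/conftest.py", "fp", 5),
    Finding("SECRET-003", "tests/fixtures.py", "fp", 5),
    Finding("RANDOM-004", "app/tokens.py", "tp", 20),
    Finding("RANDOM-004", "tests/helpers.py", "fp", 5),
    Finding("PATH-005", "app/files.py", "fp", 10),
]

# Improve, variant A (assumed): SECRET-003 / RANDOM-004 no longer scan tests/, PATH-005 rule refined away.
TUNED = [
    f for f in BASELINE
    if not (f.rule_id in ("SECRET-003", "RANDOM-004") and f.path.startswith("tests/"))
    and f.rule_id != "PATH-005"
]

# Improve, variant B (assumed): SECRET-003 disabled outright, the "cheap" way to cut noise.
DISABLED = [f for f in BASELINE if f.rule_id != "SECRET-003"]


def measure(findings):
    """M: headline metrics for one scan."""
    total = len(findings)
    fp = sum(1 for f in findings if f.verdict == "fp")
    return {
        "total": total,
        "tp": total - fp,
        "fp": fp,
        "fp_rate": fp / total if total else 0.0,
        "triage_minutes": sum(f.triage_minutes for f in findings),
    }


def analyze(findings):
    """A: per-rule false-positive rate, noisiest rule first (first root-cause candidate)."""
    by_rule = defaultdict(lambda: [0, 0])  # rule_id -> [fp, total]
    for f in findings:
        by_rule[f.rule_id][1] += 1
        if f.verdict == "fp":
            by_rule[f.rule_id][0] += 1
    return sorted(
        ((rule, fp / total) for rule, (fp, total) in by_rule.items()),
        key=lambda item: (-item[1], item[0]),
    )


def control(baseline, after, target_fp_reduction=0.30):
    """C: the change passes only if FPs dropped by the target AND every confirmed finding survived."""
    before, now = measure(baseline), measure(after)
    fp_reduction = 1 - now["fp"] / before["fp"] if before["fp"] else 0.0
    kept = {(f.rule_id, f.path) for f in after if f.verdict == "tp"}
    lost = [(f.rule_id, f.path) for f in baseline
            if f.verdict == "tp" and (f.rule_id, f.path) not in kept]
    return {
        "fp_reduction": fp_reduction,
        "lost_true_positives": lost,
        "passed": fp_reduction >= target_fp_reduction and not lost,
    }


if __name__ == "__main__":
    print("Measure:", measure(BASELINE))
    print("Analyze:", analyze(BASELINE))
    print("Control (rules tuned):", control(BASELINE, TUNED))
    print("Control (rule disabled):", control(BASELINE, DISABLED))
```

With this data the tuned variant cuts false positives by 80% and keeps all five confirmed findings, so the gate passes; disabling SECRET-003 also clears the 30% target (40% reduction) but loses the confirmed finding in app/config.py, so the gate fails. That second case is exactly the "without loss of coverage" half of the Define statement that a dashboard showing only the FP count would hide.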
Bottom line: this is a problem-solving approach, that is, a value for orchestrating the chaos on the information security side. It is for the moment when we have reached a certain point and need to improve the product's security, understanding that tools alone won't solve it.
DMAIC gives clear answers and shows exactly what has changed, so every team member knows exactly what is going on. All decisions and completed steps get summarized, which makes the move to the next stage smooth. This way you clearly track the consequences and solve the pressing problems.
DMAIC turns improvements from "it seems better" into measurable practice. It works for anything from pipeline setup to mature AppSec processes.
#pmi #devsecops #riskanalysis #roadmap
