Monday, February 3, 2014

Data Privacy and Security in ThoughtWorks Radar, Sort of

Once or twice a year the thought leaders at ThoughtWorks, including their Chief Scientist and book writer Martin Fowler, get together and put together a Radar report listing software development techniques and technologies (tools, platforms, languages and frameworks) that they think are interesting, and that they think other developers should be interested in too. Unlike analyses from Gartner, the Radar only includes things that ThoughtWorks teams have actually tried and seen work, or tried and seen not work, or are trying and think might work.

The Radar is always a good read, a way to keep up with the latest fashions, and is an especially good resource on practices and tools for mobile, Web and Cloud development projects, and Open Source tools and platforms for automated testing and build and deployment.

ThoughtWorks was a pioneer in continuous build and Continuous Integration, and in devops: ideas and tools for Continuous Deployment and Continuous Delivery have been included in the Radar going back to 2009, and ThoughtWorks has an entire practice built around Continuous Delivery.

And now, maybe because they were shamed into this by Matt Konda at Jemurai Security, ThoughtWorks have included data privacy and application security in the latest Radar, although in an unfortunately obscure and limited way.

Data Privacy – Assess Datensparsamkeit

There are four rings in the ThoughtWorks Radar:

  • Adopt (ThoughtWorks feels strongly that everyone should be doing this)
  • Trial (worth pursuing, but maybe start off carefully)
  • Assess (try it out, it might work, at least learn something about it)
  • Hold (proceed with caution – i.e., you should probably not do/use this, or if you are doing/using this you should probably stop doing/using this)

Concerns for Data Privacy were added to the Jan 2014 Radar. The idea is sound:

“only store as much personal information as is absolutely required for the business or applicable laws… If you never store the information, you do not need to worry about someone stealing it.”

But the way it was presented was unfortunate. Data privacy was added as a Radar blip in the early stage “Assess” try-it-out ring, and with a cute but obscure label (“Datensparsamkeit”) taken from German privacy legislation.

This is a recognized good practice, demanded by many regulations. Why is this in “Assess”, and why is it hidden under a German name?
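The principle is easy to state and easy to skip in practice, so here is what it looks like enforced at the storage boundary. This is an added example, not code from the post or from ThoughtWorks; it assumes a hypothetical sign-up form that collects more than the service needs, and a constructed policy that keeps two fields as collected, derives one coarse flag from a date of birth, and drops everything else before anything is written. The returned list of dropped fields makes the decision auditable.

```python
"""Datensparsamkeit (data minimization) enforced before persistence.

Added example with a constructed policy; field names are assumptions.
"""
from datetime import date

# Fields the hypothetical service genuinely needs, stored as collected.
STORE_AS_IS = {"email", "display_name"}


def _is_adult(dob_iso, today):
    """Derive the only fact the service needs from a date of birth."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18


# Raw field -> (derived field name, derivation). The raw value is never stored.
DERIVE = {"date_of_birth": ("is_adult", _is_adult)}


def minimize(record, today=None):
    """Return (stored, dropped).

    stored  - the record the service is allowed to persist
    dropped - names of input fields discarded outright or kept only in
              derived form, for an audit trail
    """
    today = today or date.today()
    stored = {k: v for k, v in record.items() if k in STORE_AS_IS}
    for raw_field, (derived_name, derive) in DERIVE.items():
        if raw_field in record:
            stored[derived_name] = derive(record[raw_field], today)
    dropped = sorted(k for k in record if k not in STORE_AS_IS)
    return stored, dropped


def raw_value_leaked(record, stored, dropped):
    """Check that no discarded field's raw value survived into the stored record."""
    return any(record[k] == v for k in dropped for v in stored.values())


# Constructed sign-up submission: more than the service needs.
SIGNUP_FORM = {
    "email": "alice@example.com",
    "display_name": "alice",
    "date_of_birth": "1990-06-15",
    "phone": "+1-555-0100",
    "street_address": "1 Example Street",
    "national_id": "000-00-0000",
}

if __name__ == "__main__":
    kept, gone = minimize(SIGNUP_FORM, today=date(2014, 2, 3))
    print("stored:", kept)
    print("dropped:", gone)
    print("leak:", raw_value_leaked(SIGNUP_FORM, kept, gone))
```

The point of returning `dropped` rather than silently discarding is that minimization is a policy decision: the audit trail shows reviewers which collected fields never reached storage, and a test such as `raw_value_leaked` catches the case where someone later adds a field to the form without adding it to the policy.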

Application Security – Hold Ignoring OWASP Top 10

ThoughtWorks has now recognized that security is important:

“Barely a week goes by without the IT industry being embarrassed by yet another high profile loss of data, leak of passwords, or breach of a supposedly secure system.”

The way that this report works, people should stop doing what is in the “Hold” ring, and focus most of their attention on what is in the “Adopt” ring, because these are proven, key technologies and practices that are worth following. Instead of asking developers to Adopt secure design and development practices, they've added security as a “first-class concern during software construction” by putting “Ignoring OWASP Top 10” in the Hold ring.

Like “Assess Datensparsamkeit”, “Hold Ignoring OWASP Top 10” won’t make a lot of sense to most developers, unless they take extra time to read and understand more on their own.

Oh Well, at least this is something for now

Although this could have been done in a much more understandable and straightforward way, at least this Radar shows that ThoughtWorks is actively thinking about security and privacy in their projects, and that they think that other developers should too. The ThoughtWorks Radar will reach a different (and probably bigger) audience than most software security-focused publications, including developers who have never heard of the OWASP Top 10 or Datensparsamkeit, so this is a good thing.

All of this is likely to be temporary, however, because of the attention-deficit way that the Radar works. ThoughtWorks only lists things that they currently find interesting in each report. A few practices and technologies stay on the Radar for a while as they move from Assess to Trial to Adopt (if they prove to be key) or Hold (if they don’t work out), and because they are fundamental to the way that ThoughtWorks teams work (like evolutionary architecture and continuous build and automated testing). But most ideas and tools drop off the Radar often and quickly, as ThoughtWorkers move on to the next shiny new thing.

So, for the moment at least, security and privacy will get some extra attention from ThoughtWorks and the developers that they influence.

Past Radars

If you are interested in following the changing ideas, cool tools and recent fashions in software development highlighted in the Radar, here are links going back to 2009:

  • Jan 2014 (the Radar discussed in this post)
  • May 2013
  • October 2012
  • March 2012
  • July 2011
  • January 2011
  • August 2010
  • April 2010
  • January 2010
  • November 2009
