I have been publicly speaking about how development teams and those who employ them should use user stories with security constraints and abuser stories as a security documentation tool. At this time there is no entry on Wikipedia about it, so I am going to take a stab at writing it up for you here.
What is an Abuser Story in Software Development?
In software development and product management, an abuser story is a user story from the point of view of a malicious adversary. Abuser stories are used with agile software development methodologies as the basis for defining the activities that should be actively blocked or mitigated by the software and proven by automated regression testing.
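The following is an added example, not code from the original post. It takes one constructed abuser story ("As an attacker, I want the login form to tell me which e-mail addresses are registered, so that I can pick targets for password guessing"), shows the login handler the story is aimed at beside a hardened one, and ends with the regression check that proves the story is blocked. The user store, salt and e-mail addresses are sample data made up for the example.

```ruby
# Added example, not from the original post. The abuser story it exercises
# is constructed for illustration:
#   "As an attacker, I want the login form to tell me which e-mail addresses
#    are registered, so that I can pick targets for password guessing."
# The matching security constraint on the login user story: an unknown user
# and a wrong password must produce the same response and the same work.
require "openssl"

# Hypothetical user store (constructed sample data): email => password hash.
SALT = "demo-salt-not-for-production".freeze
def hash_password(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 10_000, 32, "sha256")
end

USERS = { "alice@example.com" => hash_password("correct horse") }.freeze
# Hashed against when the account is unknown, so that both paths cost one
# PBKDF2 computation instead of the unknown-user path returning early.
DUMMY_HASH = hash_password("dummy-account").freeze

# Compare without leaking, via early exit, where the first differing byte is.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Before: what the abuser story is aiming at. Two different messages reveal
# whether the address exists, and the unknown-user path skips the hash.
def login_leaky(email, password)
  stored = USERS[email]
  return "unknown user" unless stored
  stored == hash_password(password) ? "ok" : "wrong password"
end

# After: one generic message; hashing and comparison run on every path.
def login_hardened(email, password)
  known  = USERS.key?(email)
  stored = USERS.fetch(email, DUMMY_HASH)
  match  = constant_time_eq(stored, hash_password(password))
  known && match ? "ok" : "invalid e-mail or password"
end

# Confirmation for the abuser story: probing a registered and an unregistered
# address with a bad password must return indistinguishable replies.
def reveals_account_existence?(login)
  login.call("alice@example.com", "not-the-password") !=
    login.call("nobody@example.com", "not-the-password")
end

if __FILE__ == $0
  puts "leaky:    #{reveals_account_existence?(method(:login_leaky))}"    # true
  puts "hardened: #{reveals_account_existence?(method(:login_hardened))}" # false
end
```

The last function is the "confirmation" half of the story: drop it into the test suite and the abuser story stays blocked after every refactor, which is the regression-testing point of writing the story down in the first place. Response bodies are only one channel; a real check would also compare status codes and, for timing, run both paths enough times to compare distributions.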
I’m back from Boulder, Colorado, having presented on application security to the Ruby developers at the Rocky Mountain Ruby Conference! It was a fantastic group and security is one of those topics that are just not talked about enough within the developer community.
I started off with a definition of application security:
Application Security is the subset of Information Security focused on protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.
Then I proceeded to talk about the importance of writing User Stories with security constraints and Abuser Stories, which are user stories from the point of view of a malicious adversary. It’s all about clearly communicating among developers and the non-technical stakeholders about the threats so that these considerations can inform development decisions.
The Q&A was robust, with more questions than there was time to get to. I was able to give out two blue YubiKey FIDO U2F keys thanks to Yubico.
The gist is that when you first start your C Corporation with the intention of raising investment, the first board meetings are not really meetings at all. Just the co-founders signing some paperwork. But once investment is brought on, the lead investor is going to have a board seat and things become formal.
It is sound advice to keep in mind if you see yourself raising capital for your startup company.
Oh, and one more thing, if you have ever watched an episode of Shark Tank, you know that Investors Write Checks for Outcomes, Not Activities (another post by Gordon on his blog). Be sure to keep that in mind as an entrepreneur considering approaching outside investment.
Are you a practicing Ruby on Rails developer? It doesn’t matter if you are called a junior developer, senior developer, or the janitor. It is surprisingly easy for race conditions to slip into your code and out into production. Some of these can lead to annoying duplicate e-mails in your database or they could lead to serious security issues that impact your company’s bottom line.
As you read on, I’m going to teach you a bit about race conditions, also called hazards in some engineering circles, and give you a practical example of how one can slip into a Rails application if you choose to enforce uniqueness only within an application’s models with validates :field_name, uniqueness: true rather than through database constraints.
Before we begin, I do want to remind you about one thing. Preventing race conditions is not just something that can be added to Ruby on Rails, because automatically detecting race conditions is an NP-hard problem in computer science. That’s why it’s so important that you understand something about spotting situations where they may occur, so that you stand a better chance of leaving them out of your next deploy.
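The following is an added example, not code from the original post, that shows the race in miniature without needing Rails or a database. A model-level uniqueness validation is a SELECT followed by an INSERT; the Table and SignupRequest classes below are stand-ins (not ActiveRecord) that split those two steps so the interleaving two concurrent requests can hit is written out explicitly rather than left to thread scheduling.

```ruby
# Added example, not from the original post. `validates :email,
# uniqueness: true` runs SELECT ... WHERE email = ? and only then INSERTs.
# Two requests can both pass the SELECT before either INSERT commits.

# Minimal stand-in for a database table. Nothing here is ActiveRecord.
class Table
  class UniqueViolation < StandardError; end

  def initialize(unique_index: false)
    @rows = []
    @unique_index = unique_index
  end

  # What the model validation does under the hood: SELECT 1 ... WHERE email = ?
  def exists?(email)
    @rows.any? { |r| r[:email] == email }
  end

  # INSERT. With a unique index the database itself rejects the duplicate,
  # atomically with respect to the other INSERT.
  def insert(email)
    raise UniqueViolation, "duplicate key value: #{email}" if @unique_index && exists?(email)
    @rows << { email: email }
    true
  end

  def count(email)
    @rows.count { |r| r[:email] == email }
  end
end

# One request's lifecycle, split into the two steps the validation performs.
class SignupRequest
  def initialize(table, email)
    @table = table
    @email = email
  end

  # Step 1: model-level uniqueness check (the SELECT).
  def validate
    @valid = !@table.exists?(@email)
  end

  # Step 2: the INSERT, attempted only if step 1 passed.
  def save
    return :rejected_by_model unless @valid
    @table.insert(@email)
    :saved
  rescue Table::UniqueViolation
    :rejected_by_database   # Rails raises ActiveRecord::RecordNotUnique here
  end
end

# Interleave two concurrent signups for the same address the way two app
# server workers can: both validate before either inserts.
def race(table, email)
  a = SignupRequest.new(table, email)
  b = SignupRequest.new(table, email)
  a.validate
  b.validate            # still sees no row: A has not inserted yet
  [a.save, b.save]
end

def model_only_result
  table = Table.new(unique_index: false)
  outcomes = race(table, "alice@example.com")
  { outcomes: outcomes, rows: table.count("alice@example.com") }
end

def db_constraint_result
  table = Table.new(unique_index: true)
  outcomes = race(table, "alice@example.com")
  { outcomes: outcomes, rows: table.count("alice@example.com") }
end

if __FILE__ == $0
  p model_only_result     # {:outcomes=>[:saved, :saved], :rows=>2}
  p db_constraint_result  # {:outcomes=>[:saved, :rejected_by_database], :rows=>1}
end
```

In a real Rails application the fix is the same shape: keep the validation for the friendly error message, but also add the constraint in a migration with add_index :users, :email, unique: true and rescue ActiveRecord::RecordNotUnique on save, because only the database can make the check and the insert atomic.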
Today, Wednesday, April 8, 2015, is the tenth anniversary of this blog. At the time of the first post I was a student at Georgia Tech, about to present my research on SQL Injection at the UROC symposium the next week. That research project led to my first published paper, on Application Layer Intrusion Detection for SQL Injection, which was accepted as a single-author paper by the ACM while I was still an undergraduate student and was instrumental in my decision to pursue Information Security at the graduate level.
The blog itself has had its starts and stops with some challenges settling into a sustainable post schedule. I started this as a CS student, not an author, so some writing disciplines can only be developed over time.
It has had some posts that have been crazy popular, with thousands of readers a month for years, and some that I do not think anyone has ever looked at other than myself. But post after post, readership has increased to the point that we now consistently have more than 9,000 visitors and I hope to cross the 10,000 mark within the year.
I have previously written about Using Rails and SQL Views for a Report. SQL views present a query as a read-only virtual table that ActiveRecord models can use seamlessly. A practical consideration when employing them in a Ruby on Rails project is where to maintain them.
One approach is to use migrations, since that’s where database stuff normally goes. But a big downside is that this approach is not DRY because changing the SQL view requires a new migration that drops the old view and replaces it with the updated version. Simply changing a field in the SQL view requires copying and pasting the entire definition over again. That’s just annoying!
The second, and in my opinion better approach, is to treat SQL views more like models.
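As an added example (not code from the original post), one way to treat views like models is to keep each view's definition in its own file and reload them all in one step, so that changing a view means editing one file rather than writing a drop-and-recreate migration. The db/views directory layout, the ReportSummary model and the sample SQL are assumptions made for illustration; the executor lambda stands in for ActiveRecord::Base.connection so the example runs without Rails.

```ruby
# Added example, not from the original post. Each view lives in
# db/views/<name>.sql (assumed layout); load_all rebuilds every view from
# those files, which a rake task can run after db:migrate.
require "tmpdir"

module SqlViews
  # The view name is interpolated into DDL, where bind parameters do not
  # apply, so it is validated against a strict pattern rather than quoted.
  NAME = /\A[a-z_][a-z0-9_]*\z/

  # DDL that replaces the view with the definition from the file.
  # DROP + CREATE is used because CREATE OR REPLACE VIEW is not portable.
  def self.ddl_for(name, body)
    raise ArgumentError, "bad view name: #{name.inspect}" unless name.match?(NAME)
    ["DROP VIEW IF EXISTS #{name};", "CREATE VIEW #{name} AS #{body.strip};"]
  end

  # Reads every <dir>/<name>.sql and hands each statement to `execute`
  # (in Rails: ActiveRecord::Base.connection.method(:execute)).
  def self.load_all(dir, execute)
    Dir.glob(File.join(dir, "*.sql")).sort.flat_map do |path|
      name = File.basename(path, ".sql")
      statements = ddl_for(name, File.read(path))
      statements.each { |sql| execute.call(sql) }
      statements
    end
  end
end

# In a Rails app the view then backs an ordinary, read-only model
# (hypothetical model, shown for context only):
#
#   class ReportSummary < ApplicationRecord
#     self.table_name = "report_summaries"
#     def readonly?
#       true   # writes raise ActiveRecord::ReadOnlyRecord
#     end
#   end

# Demonstration against a scratch directory with one constructed view file.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report_summaries.sql"), <<~SQL)
      SELECT account_id, COUNT(*) AS report_count
      FROM reports GROUP BY account_id
    SQL
    executed = []
    SqlViews.load_all(dir, ->(sql) { executed << sql })
    executed
  end
end

if __FILE__ == $0
  puts demo
end
```

Because the files are plain SQL, a diff of db/views shows exactly what changed in a view, which is the DRY property a migration per change does not give you.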
We’d like to post helpful content more often, but we frequently lack the time to compose well-written posts of our own. We are, however, constantly reading the best material we can find on the web on a variety of topics of interest to us, our business, and our clients. So today I’d like to begin sharing some hand-picked “best-of” selections from what we’ve been learning from lately, and hopefully we can post more regularly by including high-quality content recommendations like this on a regular schedule.
Here are some excellent and highly recommended sources of information and education for startups, entrepreneurs, or anybody who works with them.
A user story is a concise written description of an item of functionality that is valuable to a user or a purchaser of a web application, preferably written from the point of view of that person’s individual desires. User stories typically consist of three components:
a written description of the story used for planning
conversations about the story that serve to flesh out the details of the story
tests that convey and document the desired outcome and can be used to determine when a story is complete
The best user stories are sufficiently small to be accurately estimable by developers and arranged in a prioritized list where a member of the development team can always confidently pick the next most important task to work on at all times during his or her work week.
But please remember that when applied properly, user stories are not just a form of requirements documentation, but are instead a placeholder for a conversation among team members. Consider that:
Ron Jeffries has named these three aspects with the wonderful alliteration of Card, Conversation, and Confirmation (Jeffries 2001)….Rachel Davies (2001) has said that cards “represent customer requirements rather than document them.” This is the perfect way to think about user stories: While the card may contain the text of the story, the details are worked out in the Conversation and recorded in the Confirmation.