Dude, Where’s My Documentation?
This is a public service announcement:
The not-so-simple act of securing applications produces a lot of documentation, including playbooks and policies, that isn’t typically needed on a daily basis. But when a zero-day event occurs, such as the recent Crowdstrike incident, application security teams better be able to find everything they need—and fast. Sadly, in both big and small companies, missing and outdated documentation is rampant.
Hopefully, your documentation isn’t solely residing in someone’s head. (This may not happen often, but we’ve all heard stories.) If it is, you’ve got a much bigger problem to address, and that’s beyond the scope of this blog.
A much more common issue is that the location of the documentation is in someone’s head, and that someone may no longer work in that department or even that company. That’s really not much better. Both employee promotions and departures can leave teams without access to necessary documentation, and hours can be wasted searching for it.
Missing and outdated documentation can considerably slow down an application security team’s incident response time, which of course increases risk. It can also waste time in less direct ways. If your developers can’t find application security documentation like best practices and architecture suggestions, they may simply ignore those requirements. And if they then go on to build something insecure that needs a lot of remediation work, that can be many, many hours wasted.
Location, location, location
The next time you do a tabletop exercise, take out a stopwatch and see how long it takes for someone to find the right playbook. Was it more than five minutes? Way more? It should be less than one.
It’s important that application security documentation can be found when it’s needed, and that means it needs to be somewhere where people know to look for it. That place is not twenty folders deep on a drive named “beware of the leopard”. It should be, however, a secure storage solution.
Yeah? Who wants to know?
Sometimes the documentation exists and is in a pretty reasonable location, but there’s no process to let the right people know about it. SOCs, NOCs, developers, leadership—lots of teams need ready access to security documentation. The onboarding process for new employees and contractors should include education on the purpose and importance of documentation, clear instructions on how to use it, and where to find it. And of course, only authorized personnel should have access to your documents to prevent sensitive data from getting into the wrong hands.
Keep it current
Sometimes teams can find the documents, but the information in them is outdated and of limited use. The playbook says “Call Wendy.” Who is Wendy? Oh, she left that role five years ago.
Living documents are kept up to date through staff, policy, and industry changes. There are plenty of options—Confluence and Google Docs are two—for creating and hosting these documents; just make sure you use something with version control.
Different companies will need different policies on how often they update various documentation. It’s not a bad idea to give them all a once-over every quarter and after triggering events, like a senior employee moving to a new role or company. You also need to specifically assign that responsibility to somebody.
That said, there’s still room for securely stored hard copies. If your whole network goes down, a printed copy of the appropriate playbook will be a lifesaver.
If you know, you know
Good documentation makes the security world go round. Where you store it, how you store it, and who you tell about it are all vital to keeping your company secure and able to react quickly to developing threats.