Monday, Sep 14, 2009

The Joel Test: 12 Steps To Better IT Management

(With apologies to Joel Spolsky, from whom this post was ripped off)

Have you ever heard of COBIT? It’s a fairly esoteric system for measuring how good a network security team is. No, wait! Don’t follow that link! It will take you about $3,500,000 just to understand that stuff. So I’ve stolen my own, highly irresponsible, sloppy test to rate the quality of a network security team. The great part about it is that it takes about 3 minutes. With all the time you save, you can go to law school.

(I’m using network security as a synecdoche for all of enterprise IT, but I think I’d win an argument about whether the same issues apply to the team that manages the WebSphere deployments and all the WAR files and whatnot.)

The Joel Test

  1. Do you use source control?
  2. Can you make a build in one step?
  3. Do you make daily builds?
  4. Do you have a bug database?
  5. Do you fix bugs before writing new code?
  6. Do you have an up-to-date schedule?
  7. Do you have a spec?
  8. Do programmers have quiet working conditions?
  9. Do you use the best tools money can buy?
  10. Do you have testers?
  11. Do new candidates write code during their interview?
  12. Do you do hallway usability testing?

1. Do you use source control?

Programmers have had source control since the 1980s. With source control, every change you make to a file is tracked. Any line of code can be traced diff-by-diff back to the origin of the file. Are your firewall rules under version control? If you don’t have source control, you’re going to stress out trying to get engineers to work together. They’ll have no easy way to know what their coworkers did. Mistakes can’t be rolled back easily. And source control backs up all your rules, in a single place, so you can reconstitute that PIX/ASA that just threw a rod from a cold spare in minutes.

2. Can you make a build in one step?

By this I mean, how many steps does it take to get an access rule change deployed from the latest source snapshot? On good teams, there’s a simple process you can follow to get a firewall completely deployed from scratch, which checks out the company standard configuration, adds the right doodads to the configuration, tracks the device in inventory, etc.

A process that takes more than one step is prone to errors. And when you’re under pressure because Pepsi needs you to punch a hole for a database management app that Coke has forbidden you from allowing near their data, you want to have a very fast cycle of making sure your rules work. If it takes 20 steps to deploy a rule, you’re going to go crazy and you’re going to bring the network down.

3. Do you make daily builds?

When devs use source control, sometimes people check things in that break the build. The usual pattern is, things work fine on the developer’s machine, but she forgot to add a header file, so nobody else can build. “Breaking the build” can cost developers whole days of productivity, so good teams have rules to detect and punish people who do it.

Network security engineers have a “build”, but when they break it, they don’t just kill the rest of the team’s productivity. They kill the network. So good network security teams want to make sure people can work on projects that touch access rules without getting unreviewed changes into the configurations that will get pushed out during the next change window.

4. Do you have a bug database?

I don’t care what you say. If you’re managing access rules, even if you only have a few devices, without an organized database listing all the change requests that produced the rules, you’re going to have crappy firewall rulesets. Lots of engineers think they can hold the rules in their heads. Uh huh. What hosts on your network are allowed to talk FTP to the outside world, and why? Thought so. You absolutely have to track change requests formally.

Change tracking can be complicated or simple. A minimal tracking system needs to record the following facts for every request:

  • Who requested the change

  • Why they requested it

  • Was the request approved

  • Who was the request assigned to

  • What devices had to change to accommodate the request

You can absolutely DIY this; lots of teams build their own tracking systems in-house, and they work great.

5. Do you fix bugs before writing new code?

When Joel Spolsky worked on the Excel team at Microsoft, he picked up a story about Word for Windows, which slipped constantly because the schedule allowed no time to fix bugs. The quality of the codebase decayed, to the point where developers were writing “if 2+2 != 4 return 4” or whatever. They referred to this as the “infinite defects methodology”; they converted to a “zero defects methodology”, which meant they got to fix bugs, and eventually shipped. And when Joel Spolsky was in the Alps fighting grizzly bears, he used his magical fire breath and saved the maidens fair.

But I digress.

Once every year or so, big companies commission small companies like ours to do the “annual external pen-test”, in which testers try to break in through the perimeter firewall. Even though I don’t do a lot of network pen-testing, I’ve done a couple. And on all of them, some stale old Win2k host gets left exposed or some branch network has 445/tcp open, because there are 20,000+ lines of firewall rules and rules only get added, never removed.

Just like with code, it is much more expensive to fix a bug late than early. But at least with software, you find out about bugs because your program crashes or a user sees the wrong header font size in the help file. With firewall rules, not so much. You mostly find out that you’re boned when you flunk some random audit.

Most of the same reasons developers need to fix bugs before writing new code apply to enterprise IT, too:

  • It’s easier to fix a bug when it’s right there in your face than to remember it or track it down later

  • It’s easier to predict to your customers when their changes are going to get completed when you know you aren’t going to lose 2 days fishing old SMB exceptions out of your rules after an MSRC announcement

  • It’s less stressful and less costly to fix things up front than to blow a change window or push an emergency change because of an advisory or a client audit.

6. Do you have an up-to-date schedule?

Which brings us to schedules. Because the dirty secret is, the rest of the IT team at your company probably hates you, because your job mostly involves saying “not yet” to their requests to change things on your devices. But that doesn’t cut it. Too many business processes are impacted by your workflow; clients can’t get brought online until the PMP-certified project manager checks off your box in the process, and so you’re a cost center, and the VP/Operations starts to hear about how one of next year’s priorities is to “streamline firewall management and reduce TCO”.

It’s possible to keep a schedule: figure out how fast you can complete a change, and track the number of outstanding change requests you have. It’s fine for a complicated firewall architecture change to take significant time to research and execute, as long as you communicate up-front to project teams how long it will take, and then come in on schedule.

7. Do you have a spec?

Documenting all your configuration is like writing a software spec: everybody agrees it’s a good thing, but nobody does it.

It’s weird that this is the case, because nobody in the company has a stronger opinion about how technology should be deployed and managed than the network security engineering team, but probably all you have is apocryphal Visio diagrams on a network share somewhere, and you’re much more likely to just throw another configuration line onto a device than to write a document that explains what you’re doing.

Documentation doesn’t have to be painful. You can just set up MediaWiki and start by writing a short paragraph for every device you manage. Or you can write programs that take inventory and analyze your configs. However you do it, you should be able to have a rule that says “no changes without updating the documentation”.
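As an added example (not code from this post or from Playbook), here is the kind of small config-analysis program items 4, 5 and 7 are pointing at: it parses a constructed IOS-style extended ACL, ties each permit rule to the change request named in the remark line before it, and flags rules with no approved request behind them as well as rules that open SMB (445/tcp) or FTP to any source. The ACL, the change-request records and the “remark CR-nnn” convention are all assumptions.

```python
"""Audit an IOS-style extended ACL against a change-request log.

Added example, not the post's or Playbook's code. Assumes each rule is
preceded by a 'remark CR-nnn ...' line naming the request that produced it."""
import re
from dataclasses import dataclass

# Constructed sample ACL (RFC 5737 documentation addresses).
SAMPLE_ACL = """\
ip access-list extended OUTSIDE-IN
 remark CR-101 public web front end
 permit tcp any host 203.0.113.10 eq 443
 remark CR-102 partner file exchange over ssh
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.20 eq 22
 permit tcp any host 203.0.113.30 eq 445
 remark CR-099 legacy ftp drop box
 permit tcp any host 203.0.113.40 eq 21
 deny ip any any
"""

# Constructed change-request records carrying the five facts from item 4.
CHANGE_REQUESTS = {
    "CR-099": dict(who="ops", why="vendor uploads", approved=False, owner="bob", devices=["fw-edge-1"]),
    "CR-101": dict(who="web team", why="public site", approved=True, owner="alice", devices=["fw-edge-1"]),
    "CR-102": dict(who="partner mgmt", why="file exchange", approved=True, owner="alice", devices=["fw-edge-1"]),
}

# Services the post singles out as things that get left open: 445/tcp and FTP.
RISKY_PORTS = {445: "SMB", 21: "FTP"}
# Only numeric 'eq' ports are parsed; IOS service names (eq ftp) are not handled.
RULE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+(any|host \S+|\S+ \S+)\s+(any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(\d+))?\s*$")
REMARK_RE = re.compile(r"^\s*remark\s+(CR-\d+)")


@dataclass
class Finding:
    line: int    # 1-based line number in the ACL text
    rule: str    # the offending rule, stripped
    reason: str


def audit_acl(acl_text, change_requests):
    """Return Findings for permit rules lacking an approved request or exposing a risky port to any."""
    findings = []
    pending_cr = None  # CR named by the latest remark; consumed by the next rule only
    for lineno, line in enumerate(acl_text.splitlines(), 1):
        remark = REMARK_RE.match(line)
        if remark:
            pending_cr = remark.group(1)
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        action, proto, src, _dst, port = rule.groups()
        cr, pending_cr = pending_cr, None
        if action != "permit":
            continue
        if cr is None:
            findings.append(Finding(lineno, line.strip(), "no change request recorded"))
        elif not change_requests.get(cr, {}).get("approved"):
            findings.append(Finding(lineno, line.strip(), f"{cr} not approved"))
        if port and int(port) in RISKY_PORTS and src == "any":
            findings.append(Finding(lineno, line.strip(), f"{RISKY_PORTS[int(port)]} ({port}/{proto}) open from any"))
    return findings
```

Run over the sample, `audit_acl(SAMPLE_ACL, CHANGE_REQUESTS)` reports the undocumented SMB rule on line 6 and the unapproved FTP rule on line 8, which is exactly the “rules only get added, never removed” residue the annual pen-test keeps finding.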

8. Do programmers have quiet working conditions?

And also, pet unicorns?

9. Do you use the best tools money can buy?

“Top notch development teams don’t torture their programmers […] and programmers are easily bribed by giving them the coolest, latest stuff”.

Things it’s crazy network security engineers don’t get to have include:

  • A network switch on their desk

  • Two monitors

  • A laptop with a big screen

  • Unlimited disk space

  • A place to get a new VMware image up with a couple of clicks

  • A license for Burp Suite

I could go on and on here, but the only reason I’m writing this is that Joel Spolsky has this as a Joel Test item. Motherhood, meet apple pie, and also see “pet unicorns”.

10. Do you have testers?

“Skimping on testers is such an outrageous false economy that I’m simply blown away that more people don’t recognize it”, which is probably why most network security teams have testers. There had to be something network engineering teams do better, process-wise, than developers.

11. Do new candidates write code during their interview?

It’s hard to write code in an interview. Interviewing teams are so infamous for skipping this step that there’s a whole interview question methodology, the “FizzBuzz test”, that says “at least show me you can print the numbers 1-100 with every 3rd number as ‘fizz’ and every 5th as ‘buzz’”, which is a 1-liner in Ruby, but that’s how desperately teams need to know that candidates even know where the parens and the braces go.

And so here’s another thing network security teams do better. Because, do security engineering teams have this problem? Probably very few candidates actually know how TCP flow control works, or whether they actually need path MTU discovery enabled, but I tend to doubt that a lot of teams are staffed with people who couldn’t punch an exception into an IOS ACL set for FTP or DNS if they needed to.

12. Do you do hallway usability testing?

And here I concede that there is one item on the Joel Test that does not directly apply to network security teams.

My Point, And I Do Have One

There’s a seed funding firm called Y Combinator that is all the rage with the kids these days; they’ll give you ~$20,000 for your 2-person startup in exchange for 5-6% of the company even if you have almost no working code and you’re just out of school. Some surprisingly good companies have come out of YC. One of them is Dropbox, a hugely popular and powerful file synchronization system. A few days ago, Dropbox’s application to YC was posted. One of the grafs in the application talked about Subversion, and ended with “hackers [(developers)] have access to these tools, but normal people don’t”.

And it’s true of network engineering teams too. In a lot of shops, Subversion is space alien technology (and yes, it’s true of some dev shops, too). And where problems are recognized, as with issue tracking, they’re “solved” by massive enterprise management systems with their own headcount dedicated just to keeping Remedy working properly, and everyone hates it.

And of course this is a self-serving post, because “solving the Joel Test for firewall admins” could be the thesis statement for our product. But then, I’ve recently changed up roles at Matasano, and am managing Playbook instead of consulting, and I want to start talking more about what we’re doing. And here’s a way to start the conversation.

Good to be talking to you all again, by the way.

Reader Comments (70)

Really good resource, simple, but definitely what big consulting companies charge a few $10ks or $100ks to setup. Nice post.

September 14, 2009 | Unregistered Commenter Phil

COBIT is a consideration for many organizations because it's the primary IT controls framework utilized by SOX auditors (external or internal). However, I have to admit that a principles based framework is cheaper and easier to implement, or perhaps a hybrid framework such as COSO.

While controls-heavy frameworks like COBIT make little to no sense for an organization who doesn't need it (or that has scoped certain parts of their network out of regulatory requirements through proper segmentation, including IT/Ops monitoring), there are interesting frameworks such as Visible Ops Security that are easier to digest and include much more relevant information than "The Joel Test".

Some of your suggestions, such as the Burp Suite one, are gratuitous/unjustified. When verifying web applications to achievable risk standards, it's best to utilize OWASP ASVS L2B, L3, or L4. Of course, an OWASP ASVS L2A can be performed with something like Burp Suite for a majority of situations (note: not all situations) -- but I think there is less value from an L2A approach in comparison to an L2B approach. Also, L2A verifications will likely take more time than an L2B verification, unless somehow the source code is unusually larger and more complicated than the runtime app (note: I'm not sure I've run into this situation, but I'm willing to give in to the possibility).

I'd also like to make a few comments on "A place to get a new VMware image up with a couple of clicks". First of all, I think that most organizations would benefit by using a neutral format for images, such as OVF. Secondly, "getting" images up is less useful than cloning images or loading them from templates. Lastly, I'd like to suggest that Microsoft's free Hyper-V Server 2008 R2 with the free Citrix Essentials for Hyper-V is a much better option for organizations because it's powerful (i.e. has cloning/templating) and is free (albeit not open-source). VMware has no similar offering, nor does Linux Xen or Linux KVM (although it is possible that these may be capable in the future). So, in effect, I'd rather hear of VHD format images (Microsoft proprietary) instead of vmdk (VMware proprietary), although I do see that I'm contradicting myself by saying that. Maybe a system that dumps VHDs in-use into OVF format every month on backup/snapshot?

Since I'm in an argumentative mood, I'd also argue that there is no benefit to punishing people who break things -- but instead to reward those who maintain or improve on stellar performance. I've seen this done well with Six Sigma or similar goal mapping using Business Scorecards, Key Performance Indicators, and SMART objectives. In "build terminology", I'd rather see something like PMD or StyleCop prevent check-in of code, instead of something like FindBugs or FxCop "breaking builds".

September 15, 2009 | Unregistered Commenter Andre Gironda

Great job relating software to networks. As someone who does both, it's important to realize that a project is a project regardless of the skillset being used and good management practices are always important. I've been a big fan of the Joel Test as a basic starting point for getting a team functioning for a long time, but, I have to wonder what would Brian Boitano do?

September 16, 2009 | Unregistered Commenter GKing
