As our AppSec team matures, we’re defining our processes and expectations. One of the next things for us to try out is a Service Catalog, where we list what sorts of services we can offer to other teams. Having one is a tool to allow us to plan our work, get better at the work we’ve decided to focus on, and be better partners to engineering. But what should such a catalog look like?
Collecting potential offerings
- reviewed the last 10ish requests that came to our team through our various intake portals, classified the request types, where the work happened, and what the output looked like.
- put together a form for my reports to continue tracking incoming requests while I was out for a week (yay taking time away!)
- hosted a whiteboarding session to collect all the different services team members wanted to offer.
We then took that pile and voted for things in two ways — items that had a deep security impact, and items we thought we were set up for success for. We picked the top 6 and moved them onto the next phase.
Can we handle this?
Wanting to provide a service is one thing. Handling the incoming load is another thing entirely. Luckily, GoFundMe is a pretty transparent company, and I was able to get my hands on the full set of projects Engineering hopes to work on this year, along with what area of focus they’re in (Keep The Lights On, tech debt, new business, etc). For a back-of-the-napkin sketch of commitment load, for each of our offerings we sketched out
- How much work it would take us to get into a “refined” spot
- How much time we thought we’d spend per instance once in that refined spot
- How much coverage we wanted humans to be doing (combination of “most risky 10%” and “automation should handle 30% of this workload for us”)
- Which types of projects we thought the offering applied to
I did some spreadsheet magic to generate how much time per sprint we’d end up spending on each of the offerings. In this discussion, we realized one offering was something we wanted to improve our capacity around, but didn’t want to officially offer as it being needed would indicate we had failed to catch something earlier in the lifecycle. Ends up we can handle it, even if we’re wildly successful!
Fitting into the flow
Then it’s a matter of ideal time to offer our services for each of these projects. So we’re setting up automations to detect when a project moves from one phase of our Product Lifecycle to another, so we can proactively reach out.
I’ll also need to shop the catalog around to our partners to be sure we’re offering things that make sense to them and that they see the value in.
Being explicit
We’re now working on being clearer about what each of these offerings means, how to request each one, etc. So far, I think the following are the important bits of information:
- What it is, and which part of the Product Lifecycle it aligns with
- What an output looks like and where it lives
- What to expect (from a human; from AI)
- How to set yourself up for success
- Specifics to add to our backlog
Metrics
From all this, we can
- occasionally track how much time we’re spending on these items
- measure hit rate of how many projects we covered
- be intentional about what we’re automating
- track coverage of security touchpoints across projects and add that to our overall risk assessment
Instagram Engineering
Shopify Engineering