Leading Product Edition 9

leadproduct.substack.com

Product Security Part 1 | Considering the Software Product System Model | Some Gems | Contemplation = 8.5 minutes

Nick Deshpande
Feb 14, 2022

Greetings! The good news: The days will only get longer (in the northern hemisphere). The Vernal Equinox is about five weeks away.

The great news: A product newsletter packed with so much content. Let’s get at it.

🔐 Product Security (Part 1)

Let’s talk about abuse cases

I’m gearing up for a conference talk in April about product security (see the Events listing below). I’m still toying with the exact scope of the session, so here are my crib notes.

A pretty brief introduction…

As product managers, we communicate using various means and models, and among them are use cases: the definition of a specific interaction between a user and a product, usually via an interface or an underlying protocol (e.g. services calling an API).

A good use case lets us understand, and then build, how a user’s anticipated input results in an output. The confluence of such interactions shapes the user experience. As a development planning artefact, a use case might get atomized into a few user stories within an Epic.

Use cases have many sources; they tend to reflect requirements derived from research (e.g. interviews, surveys, etc.), design best practices, usage analytics deployed within existing products, direct user feedback, and other sources. They are also hard to pin down and will change once in production. A user will not always be able to articulate what (or how) they want to be able to use your product. Similarly, users might find uses for your product that weren’t anticipated.

It’s important to harness imagination and diverse perspectives to recognize the signals that indicate a change might be warranted to accommodate unmet user demand. (It also helps to think in terms of workflows rather than features - another topic for another time).

Similarly, the same mindset is required when coming up with abuse cases — how can a malicious user (or unwitting legitimate user) cause harm to your product, the data it processes and stores, other users, and connected systems?

That’s what I intend to explore in an ongoing series. Have any questions about this topic?


What’s a good framework for thinking about product security?

Classic information security teaches us about the CIA triad and how to achieve it. Information security is the preservation of confidentiality, integrity, and availability. To achieve and retain CIA, products must be made and kept secure by protecting them, and the information they handle, from unauthorized access, use, disclosure, disruption, modification, or destruction. That’s a good starting point; there’s a lot more to it these days.

Source… NIST of course :)
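To make the abuse-case mindset and the CIA framing concrete, here is an added example (not code from the newsletter or from NIST): one use case, the abuse cases derived from it, and each abuse case encoded as a check that runs against a hypothetical, in-memory password-reset service. The service, its parameters (token lifetime, request cap) and the sample account are all assumptions constructed for the example; the point is that an abuse case becomes a test the pipeline can run, not a paragraph in a design document.

```python
"""Use case: a registered user resets their password by requesting an
emailed token and submitting that token with a new password.

Abuse cases derived from it, tagged with the CIA property at stake:
  A1  enumerate accounts via the reset endpoint's replies   (Confidentiality)
  A2  guess, replay or use an expired reset token           (Integrity)
  A3  flood reset requests to exhaust mail or lock users out (Availability)

Everything below is a constructed, in-memory stand-in, not a real service.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumption: 15-minute token lifetime
MAX_REQUESTS_PER_WINDOW = 3      # assumption: per-account cap per window
WINDOW_SECONDS = 60 * 60

SAMPLE_USERS = {"alice@example.com": "old-pw"}   # constructed sample account


def _hash(token):
    # Store only a digest so a leaked table does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = dict(users)      # email -> password
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # email -> (token_hash, expires_at)
        self.requests = {}            # email -> [request timestamps]
        self.emails_sent = []         # what the "mailer" would have delivered

    def request_reset(self, email):
        """A1: identical reply whether or not the account exists.
        A3: cap requests per account per window, still with the same reply."""
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW_SECONDS]
        self.requests[email] = recent + [now]
        if email in self.users and len(recent) < MAX_REQUESTS_PER_WINDOW:
            token = secrets.token_urlsafe(32)          # 256 random bits: not guessable
            self.pending[email] = (_hash(token), now + TOKEN_TTL_SECONDS)
            self.emails_sent.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email, token, new_password):
        """A2: constant-time compare, expiry check, and single use."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[email]
            return False
        if not hmac.compare_digest(token_hash, _hash(token)):
            return False
        del self.pending[email]       # success consumes the token
        self.users[email] = new_password
        return True


# Each abuse case becomes a check that returns True when the service resists it.

def abuse_case_enumeration(svc):
    """A1 holds if a known and an unknown address get byte-identical replies."""
    return svc.request_reset("alice@example.com") == svc.request_reset("nobody@example.com")


def abuse_case_token_replay(svc):
    """A2 holds if a valid token works once and is rejected on replay."""
    svc.request_reset("alice@example.com")
    _, token = svc.emails_sent[-1]
    first = svc.complete_reset("alice@example.com", token, "new-pw")
    second = svc.complete_reset("alice@example.com", token, "other-pw")
    return first and not second


def abuse_case_expired_token():
    """A2 also holds if a token is rejected once its lifetime has passed."""
    clock = [1_000_000.0]
    svc = PasswordResetService(SAMPLE_USERS, clock=lambda: clock[0])
    svc.request_reset("alice@example.com")
    _, token = svc.emails_sent[-1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    return not svc.complete_reset("alice@example.com", token, "new-pw")


def abuse_case_flood(svc):
    """A3 holds if repeated requests stop producing mail past the cap
    while every reply stays the same."""
    replies = {svc.request_reset("alice@example.com") for _ in range(10)}
    return len(svc.emails_sent) == MAX_REQUESTS_PER_WINDOW and len(replies) == 1


def run_all():
    """Map each abuse case to whether the service resists it."""
    return {
        "A1 enumeration": abuse_case_enumeration(PasswordResetService(SAMPLE_USERS)),
        "A2 replay": abuse_case_token_replay(PasswordResetService(SAMPLE_USERS)),
        "A2 expiry": abuse_case_expired_token(),
        "A3 flood": abuse_case_flood(PasswordResetService(SAMPLE_USERS)),
    }


if __name__ == "__main__":
    for case, resisted in run_all().items():
        print(f"{case}: {'resisted' if resisted else 'EXPOSED'}")
```

Two caveats a practitioner would add: the uniform reply closes the obvious enumeration channel but not the timing one (a known account does more work, so real services send the mail asynchronously), and the per-account cap is itself a lever an attacker can pull to deny a legitimate user their reset, which is why the cap is on mail sent rather than on the reply. Both are abuse cases in their own right, which is the point of the exercise: each one you write down is a check you can keep running.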

We’ll return to this topic. For now, I’ll leave the reader with a partial checklist of what to consider when tackling the domain of product security. Each of these activities merits deep exploration.

This is available as a Notion page that you can duplicate, edit, and use.


📝 The Software Product System Model

Found in Scholarship. I’ve revamped this segment to structure it a bit better. The idea is to make it practical and also let you, the reader, decide if you might read the entire article.


Stumble across an article or concept and want LP to break it down? Email me.


Title: Software Product System Model: A Customer‑Value Oriented, Adaptable, DevOps‑Based Product Model

Authors: Haluk Altunel and Bilge Say

Link

Thesis: Product Leaders can attain a more holistic view of their software products by adopting the Software Product System Model (SPSM), write Altunel and Say. SPSM enables teams to optimize interactions between systems thinking and software engineering disciplines over three distinct phases: pre-development, development and post-development. This way, product leaders can better orchestrate releases with the DevOps pipeline and leverage quality gates as fed by the product backlog.

So what? An interesting framing, perhaps a process that’s reflected in practice (with some variance) at DevOps mature companies. The proposed model is useful, as it makes certain activities deliberate and explicit. I really like the idea of introducing quality gates (not blocks!) with an explicit tie to objects in the backlog that were elicited from user feedback. I.e. the pipeline is telling you that what’s being released has been asked for.


🪙 2 Great Twitter Threads & 1 Great Issue

Found Online

Shreyas Doshi started an awesome thread about product and time management, and @swyx took notes.

Shreyas Doshi (@shreyas), Feb 12, 2022:
Advanced time management principles: (for senior product managers & leaders)

This raised a gem from a previous thread as well, which I’ve bookmarked.

swyx (@swyx):
There are 3 levels to product work: 1 - Execution (Getting Things Done - Outputs) 2 - Impact (Being Effective - Outcomes) 3 - Optics (Getting Recognized - Perception) Everybody has different stack ranked/default levels.

Quoting Shreyas Doshi (@shreyas), Feb 13, 2022:
There are 3 levels to product work (1) The Execution level (2) The Impact level (3) The Optics level When an individual & their team are fixated on different levels, often there is conflict. E.g. PM is fixated on (2), Team on (1) PM on (3), Team on (2) PM on (2), Team on (3)

Follow along and bookmark your favourites.

Meanwhile, Aadil Maan writes about systems thinking in the latest issue of Building Rome(s), another Substack newsletter.

Building Rome(s): Beyond Agile (6/52): System of Systems, by Aadil Maan
As Technical Program Managers, we develop and manage many processes and frameworks. Each comes with its own set of complexities and scale. Their effectiveness is not always a guarantee but we believe that everything we do will be the right solution…

I jumped in the comments with my take on complex systems.

I've come to think of complex systems as ones in which there is no discernible relationship or predictability between inputs and outputs.

Check it out!


🗓️ Events

A section for event listings… probably online

  • April 21. Security Compass’ product security conference, Equilibrium 2022 will take place virtually. It’s free to register here.

  • June 16-17. The International Conference on Product Development and Design Evaluation Activities is coming to Toronto this summer. The call for papers and flyer are available at the website. Submission deadline is very soon - Feb 16th.


🦊 Contemplation

How can your product be more secure? What can you do to prepare to respond to an incident today, and not in the moment?


❤️‍🔥 Take care

Thanks for reading. Please comment, share and provide feedback.
