Leading Product Edition 9
Product Security Part 1 | Considering the Software Product System Model | Some Gems | Contemplation = 8.5 minutes
Greetings! The good news: The days will only get longer (in the northern hemisphere). The Vernal Equinox is about five weeks away.
The great news: A product newsletter packed with so much content. Let’s get at it.
🔐 Product Security (Part 1)
Let’s talk about abuse cases
I’m gearing up for conference talk in April about product security (See Events listing below). Still toying with the exact scope of a session talk. So here are my crib notes.
A pretty brief introduction…
As product managers, we communicate using various means and models, and among them are use cases - the definition of a specific interaction between a user and a product, usually via an interface or underlying protocols (e.g. services using API calls).
A good use case lets us understand and build how a user’s anticipated input will result in an output. The confluence of such interactions shape the user experience. As a development planning function, a use case might get atomized into a few user stories within an Epic.
Use cases have many sources; they tend to reflect requirements derived from research (e.g. interviews, surveys, etc.), design best practices, usage analytics deployed within existing products, direct user feedback, and other sources. They are also hard to pin down and will change once in production. A user will not always be able to articulate what (or how) they want to be able to use your product. Similarly, users might find uses for your product that weren’t anticipated.
It’s important to harness imagination and diverse perspectives to recognize the signals that indicate a change might be warranted to accommodate unmet user demand. (It also helps to think in terms of workflows rather than features - another topic for another time).
Similarly, the same mindset is required when coming up with abuse cases — how can a malicious user (or unwitting legitimate user) cause harm to your product, the data it processes and stores, other users, and connected systems?
That’s what I intend to explore in an ongoing series. Have any questions about this topic?
What’s a good system to think about product security?
Classic information security teaches us about the CIA triad and how to achieve it. Information security is the preservation of a Confidentiality, Integrity, and Availability. To achieve and retain CIA, products must be made and kept secure by protecting them from unauthorized access, use, disclosure, disruption, modification, or destruction. That’s a good starting point; there’s a lot more to it these days.
Source… NIST of course :)
We’ll return to this topic. For now, I’ll leave the reader with a partial checklist of what to consider when tackling the domain of product security. Each of these activities merit deep exploration.
📝 The Software Product System Model
Found in Scholarship. I’ve revamped this segment to structure it a bit better. The idea is to make it practical and also let you, the reader, decide if you might read the entire article.
Stumble across an article or concept and want LP to break it down? 👇🏽
Title: Software Product System Model: A Customer‑Value Oriented, Adaptable, DevOps‑Based Product Model
Authors: Haluk Altunel and Bilge Say
Thesis: Product Leaders can attain a more holistic view of their software products by adopting the Software Product System Model (SPSM), write Altunel and Say. SPSM enables teams to optimize interactions between systems thinking and software engineering disciplines over three distinct phases: pre-development, development and post-development. This way, product leaders can better orchestrate releases with the DevOps pipeline and leverage quality gates as fed by the product backlog.
So what? An interesting framing, perhaps a process that’s reflected in practice (with some variance) at DevOps mature companies. The proposed model is useful, as it makes certain activities deliberate and explicit. I really like the idea of introducing quality gates (not blocks!) with an explicit tie to objects in the backlog that were elicited from user feedback. I.e. the pipeline is telling you that what’s being released has been asked for.
🪙 2 Great Twitter Threads & 1 Great Issue
Found Online
Shreyes Doshi started an awesome thread about product and time management, and @swyx took notes.
This raised a gem from a previous thread as well, which I’ve bookmarked.
Follow along and bookmark your favourites.
Meanwhile, Aadil Maan writes about systems thinking in the latest issue of Building Rome(s), another Substack newsletter.
I jumped in the comments with my take on complex systems.
I've come to think of complex systems as when in which there is no discernable relationship or predictability between inputs and outputs.
Check it out!
🗓️ Events
A section for event listings… probably online
April 21. Security Compass’ product security conference, Equilibrium 2022 will take place virtually. It’s free to register here.
June 16-17. The International Conference on Product Development and Design Evaluation Activities is coming to Toronto this summer. The call for papers and flyer are available at the website. Submission deadline is very soon - Feb 16th.
🦊 Contemplation
How can your product be more secure? What can you do to prepare to respond to an an incident today, and not in the moment?
❤️🔥 Take care
Thanks for reading. Please comment, share and provide feedback.