Vulnerability, what's the bug deal?

"Vulnerability is the birthplace of innovation, creativity and change"― Brene Brown

Vulnerability is a word used constantly in the Quality Assurance (QA) space of IT to refer to a flaw in a system. In the software development lifecycle, vulnerabilities are the subset of bugs that an attacker can exploit to cause harm, and they are tracked in the same way as any other defect. As a security tester, I often wondered why people become so defensive and angry when I do my job of identifying vulnerabilities in the delivery lifecycle, a job that exists to help ship a resilient system to the public. The answer dawned on me on coaching programmes a couple of years ago, where vulnerability was emerging as a central theme of leading in an authentic and empathetic way.

If you are familiar with TED Talks, you have surely come across one of the most popular of them, Brene Brown's talk on the power of vulnerability. The topic appears in many EQ (emotional intelligence) programmes as a key element of human productivity and growth. Go further back in time and look at the term in its traditional sense: it comes from the Latin word vulnus, meaning wound, and refers to our capacity to be wounded, to being open to attack or damage.

Since IT, at its simplest, is a simulation of real life, I started correlating our own human vulnerability with the IT vulnerabilities we report on. Is it really a surprise that people who are afraid of being vulnerable consciously or unconsciously resist the system vulnerabilities we report? Once you realise that a report triggers a basic survival instinct to defend and protect oneself, it all makes sense. If bugs are reported and tracked in a way that affects a person's credibility and livelihood, we will always face this resistance. Furthermore, every detected bug drives a need for change, which exacerbates the resistance further.

With all of the above in mind, I started adapting my own approach to Quality Assurance delivery. Here are some of the tips that yielded better collaboration and better outcomes:

  1. Practise better stakeholder management with the sponsors and the peers affected by your results. Introduce yourself in person and position yourself as an ally. Find out their preferred communication style and stick to it as far as you can, because that is what will make them open to a productive engagement.
  2. Hold regular sync-ups with the team to build trust and collaboration among the different people involved. Take the time to listen to their context. Empower them as much as possible with tools and practices they can use proactively. For example, I often recommend that the companies I consult for build a security testing practice in which developers are given the tools to verify the security of their own codebase, so that many findings are caught and fixed before a tester ever has to report them.
  3. Always hold an internal round of result reporting in which the team gets to verify and agree with the findings. This is often called triage (or grooming): aligning on each bug or vulnerability's validity, severity and priority. The meeting has to be mediated on the principle that its outcome rests on team consensus and that no blame game is allowed; a finding the team has itself agreed is valid and has rated is far harder to resist than one imposed on it.
  4. Promote a positive reporting style that covers what is being reviewed, fixed and improved in terms of quality, instead of reporting only on what is outstanding and problematic. The more holistic your report, the more willing your team will be to help. For instance, presenting both qualitative and quantitative data (what was found and why it matters, alongside counts, remediation rates and time to fix) gives better transparency and a drive to meet the agreed targets.
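To make the triage and reporting points concrete, here is an added example in Python; it is my own illustration, not code from the article or its author. It takes a constructed list of findings that the team has already triaged for validity, severity and priority, and produces the numbers a positive, holistic report needs: what has been fixed and how fast, what the business has accepted as risk, what scanner noise was ruled out, what is still open and what has slipped past its agreed target. The SLA thresholds, status names and sample findings are assumptions.

```python
"""Triage and reporting summary for security findings.

Added example, not from the article. Aggregates a constructed, already-triaged
list of findings into the metrics a positive, holistic report needs. The SLA
thresholds, statuses and sample findings below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation targets in days per agreed severity (hypothetical policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    title: str
    severity: str            # as agreed in triage, not the tester's first guess
    status: str              # "open", "fixed", "accepted-risk" or "false-positive"
    reported: date
    closed: Optional[date] = None


# Constructed sample findings, for illustration only.
FINDINGS = [
    Finding("F-1", "SQL injection in search endpoint", "critical", "fixed",
            date(2024, 3, 1), date(2024, 3, 5)),
    Finding("F-2", "No rate limit on login", "high", "fixed",
            date(2024, 3, 1), date(2024, 4, 10)),
    Finding("F-3", "Stack trace shown on error page", "medium", "open",
            date(2024, 3, 2)),
    Finding("F-4", "Legacy TLS cipher suite offered", "low", "accepted-risk",
            date(2024, 3, 2), date(2024, 3, 20)),
    Finding("F-5", "Reflected XSS flagged by scanner", "high", "false-positive",
            date(2024, 3, 3), date(2024, 3, 4)),
    Finding("F-6", "IDOR on invoice download", "high", "open",
            date(2024, 2, 1)),
]


def days_open(f: Finding, today: date) -> int:
    """Age of a finding: until closure, or until today if still open."""
    end = f.closed if f.closed is not None else today
    return (end - f.reported).days


def summarise(findings, today: date) -> dict:
    """Aggregate triaged findings into report metrics.

    False positives are excluded from every rate so that scanner noise the
    team agreed away in triage does not count against it.
    """
    valid = [f for f in findings if f.status != "false-positive"]
    fixed = [f for f in valid if f.status == "fixed"]
    still_open = [f for f in valid if f.status == "open"]
    fix_times = [days_open(f, today) for f in fixed]
    return {
        "reported": len(findings),
        "false_positives": len(findings) - len(valid),
        "fixed": len(fixed),
        "fixed_within_sla": sum(1 for f in fixed
                                if days_open(f, today) <= SLA_DAYS[f.severity]),
        "accepted_risk": sum(1 for f in valid if f.status == "accepted-risk"),
        "open_by_severity": dict(Counter(f.severity for f in still_open)),
        "overdue": sorted(f.id for f in still_open
                          if days_open(f, today) > SLA_DAYS[f.severity]),
        "remediation_rate": round(len(fixed) / len(valid), 2) if valid else 0.0,
        "mean_days_to_fix": round(mean(fix_times), 1) if fix_times else None,
    }


def render(summary: dict) -> str:
    """Lead with progress, then what remains and what is overdue."""
    lines = [
        f"Fixed: {summary['fixed']} findings "
        f"({summary['fixed_within_sla']} within target, "
        f"mean {summary['mean_days_to_fix']} days to fix); "
        f"{summary['accepted_risk']} accepted as risk by the business; "
        f"{summary['false_positives']} ruled out in triage.",
        f"Remediation rate of valid findings: {summary['remediation_rate']:.0%}.",
        "Open by severity: " + ", ".join(
            f"{sev} {n}" for sev, n in sorted(summary["open_by_severity"].items())),
    ]
    if summary["overdue"]:
        lines.append("Past agreed target: " + ", ".join(summary["overdue"]))
    return "\n".join(lines)


def example_summary() -> dict:
    """The sample findings summarised as of an assumed reporting date."""
    return summarise(FINDINGS, date(2024, 4, 15))


if __name__ == "__main__":
    print(render(example_summary()))
```

The report deliberately opens with what was fixed and how quickly, and only then lists what is open and overdue; the severity used for the SLA check is the one agreed in the triage meeting, so the team is measured against targets it signed up to rather than against a tester's first rating.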

Last but not least, I believe the cultural mindset in the workplace also needs to be challenged with this understanding of vulnerability. IT Quality Assurance (QA) is everyone's responsibility, and testing is just one discipline that contributes to ensuring that we build the right product and also build the product right. By leveraging agile ways of working, the detection of bugs and vulnerabilities can be repositioned as an activity that drives software quality and risk management. The human element of vulnerability has to be taken into account in organisational change management programmes around this aspect of delivery, so that business leaders are able to break this barrier to adopting IT QA practices. Ultimately, the business has to be accountable for promoting the appropriate risk treatment measures to ensure that functional, secure and performant systems and applications are delivered.

Thiroo Putten

Middle Office Manager - Risk and Compliance at HSBC Global Banking and Markets

5 years

Bravo Leela, continue on the good track.
