Value Stream Mapping (VSM) Workshop for Intelligent Continuous Security (ICS)
By Marc Hornbeek
Intelligent Continuous Security is a Trademark of Engineering DevOps Consulting © 2025
Note: Excel tools referenced in this document are available on EngineeringDevOps.com
Purpose: identify priorities and requirements for improved
security protection practices in application value streams.
A Value Stream Map is a visual diagram that
illustrates the stages, timings and other
information which is relevant to the value of
interest for Value Stream Mapping.
https://en.wikipedia.org/wiki/Value_stream_mapping
https://devops.com/lean-value-stream-mapping-for-devops/
http://itrevolution.com/starting-devops-value-stream/
https://webinars.devops.com/4-steps-how-to-value-stream-map-your-software-pipelines
https://www.youtube.com/watch?v=J7G1pYeCOYU
https://www.youtube.com/watch?v=wzl7Y7N8S6k
Value stream mapping is a lean engineering method. It is a visual and collaborative
method for teams to analyze the current state, and design an improved future state,
for the series of stages that take product or service capabilities from inception
through to customer operations. It can be applied to nearly any application.
Value Stream Mapping Workshop Steps
Value Stream Mapping is conducted as a team in a workshop.
The primary steps are:
1. Assign a Value Stream Mapping Team leader and teams.
2. Train the teams on the Value Stream Mapping approach.
3. Prepare for, conduct, and document the Current State Value Stream
Mapping Workshop for the selected application. This step is part of
Discovery and Assessment.
4. Prepare for, conduct and document the Future State Value Stream
Mapping Workshop for the selected application. This step is part of
Solution Mapping.
Value Stream Mapping Team Leader, and Teams
• The Value Stream Mapping Team Leader’s role is to orchestrate activities for Value Stream Mapping
workshops. The leader must be experienced in leading Value Stream Mapping workshops. Skills required
include leading teams, understanding the “Value” being analyzed (for ICS VSMs this shall include security
practices and results), process control, critical and objective thinking, obtaining consensus, and meticulous
documentation. This can be someone from the organization that is responsible for the application, or
someone outside of the organization, such as an independent consultant.
• The Current State Value Stream Mapping Team for an ICS Current State Value Stream Mapping workshop
shall include people that are familiar with current stages and practices for development, security, operations,
tools and governance of the application. This becomes the baseline for comparing improvements.
• The Future State Value Stream Mapping Team for an ICS Future State Value Stream Mapping workshop
shall include the same people from the Current State Value Stream Mapping workshop, plus people that are
EXPERTS in practices that were identified as areas for improvement.
Current State Value Stream Mapping Workshop
• Preparation activities (typically one week before the workshop):
    • The Current State Value Stream Mapping Team Leader educates members on the value stream mapping
    method. For example, the Value Stream Mapping Team leader could present this presentation to the team.
    • Ask each team member to collect information that will be needed to complete the Current State Value Stream
    Map. What are the value stream stages that they believe are important to the workshop? What is the lead
    time for each stage? Identify any wait times between stages. Identify security results from each stage in the
    form of the % of security events that are rejected by or otherwise fail to meet requirements of the next stage.
• During the workshop (typically 2 hours with the Current State Value Stream Mapping Team in attendance):
    • Obtain consensus on the current state value stream map stages.
    • Use the Current State Value Stream Mapping Workshop Record shown on the next slide to capture
    information for each stage including: inputs, outputs, wait times, time to complete each stage, % of security
    events that are rejected by or otherwise fail to meet requirements of the next stage, and relevant people,
    process and technology practices.
    • The Current State Value Stream Mapping Workshop Record template is available in MS Excel format.
    • An example of the Current State Value Stream Mapping Workshop Record is provided in the 2nd slide after this
    one.
    • Before leaving the workshop, obtain consensus about the record.
Current State Value Stream Mapping Workshop Record Template
Columns, one row per stage:
    Stage
    Inputs / Outputs
    Wait Time to start (hours)
    Time in stage (hours)
    % Rejection by next Stage due to Security issues
    People (Security Aspects)
    Process (Security Aspects)
    Technologies (Security Aspects)
Totals 0 0 0 0%
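Current State Value Stream Mapping Workshop Record Example

Stage: Backlog Planning
    Inputs / Outputs: Backlog / feature priority
    Wait Time to start (hours): 0
    Time in stage (hours): 4
    % Rejection by next Stage due to Security issues: 10%
    People (Security Aspects): Product owner, Dev leads, Security usually not participating but security may input security requests
    Process (Security Aspects): Backlog may include security improvements
    Technologies (Security Aspects): Jira, no specific security tools

Stage: Design
    Inputs / Outputs: Feature selection / design spec
    Wait Time to start (hours): 4
    Time in stage (hours): 6
    % Rejection by next Stage due to Security issues: 10%
    People (Security Aspects): Developer alone, no specific security training
    Process (Security Aspects): Design and review, usually not reviewed by security team
    Technologies (Security Aspects): MS Word, Visio, Java, no specific security design tools

Stage: Implement (Code)
    Inputs / Outputs: Feature design / code
    Wait Time to start (hours): 1
    Time in stage (hours): 14
    % Rejection by next Stage due to Security issues: 10%
    People (Security Aspects): Developer alone, no security coding standard
    Process (Security Aspects): Peer review with one other designer, usually not with Security
    Technologies (Security Aspects): Code and peer review

Stage: Dev Test
    Inputs / Outputs: Code / Dev tested feature
    Wait Time to start (hours): 8
    Time in stage (hours): 4
    % Rejection by next Stage due to Security issues: 20%
    People (Security Aspects): Dev create JUnit, functional and integration test scripts, sometimes with QA, Security does not write tests
    Process (Security Aspects): Most tests are manual functional tests, no standard security tests
    Technologies (Security Aspects): Dev test scripts in Java. Test tools Selenium for GUI tests, RestAssured for REST API testing, Cucumber for functional testing

Stage: Integrate
    Inputs / Outputs: Pull request / integration build
    Wait Time to start (hours): 8
    Time in stage (hours): 4
    % Rejection by next Stage due to Security issues: 5%
    People (Security Aspects): Developer pull request, no specific security requirements
    Process (Security Aspects): Pull, build with trunk, integration tests with trunk include SCA and SAST.
    Technologies (Security Aspects): Pull request with GitHub, merge build with trunk, integration tests, Jenkins orchestrates and runs automated integration tests together with Maven. SCA tool JFrog Xray, SAST tool SonarQube

Stage: Package
    Inputs / Outputs: Feature build tested with trunk / Feature candidate in artifact repo
    Wait Time to start (hours): 2
    Time in stage (hours): 6
    % Rejection by next Stage due to Security issues: 15%
    People (Security Aspects): Developer, with help from DevOps engineer when needed
    Process (Security Aspects): Prepare Feature candidate package for release, build containers, register / sign in artifact repo, no specific consideration for security.
    Technologies (Security Aspects): Docker, Artifactory, Xray, not using security scanners for artifacts or containers.

Stage: System Acceptance
    Inputs / Outputs: Feature candidates / System Release Candidate tested
    Wait Time to start (hours): 24
    Time in stage (hours): 48
    % Rejection by next Stage due to Security issues: 15%
    People (Security Aspects): QA, no security involvement
    Process (Security Aspects): Most system tests are manual and created by QA team. Deploy release candidate to staging, run system regression, performance, and acceptance tests. Release policies are MS Excel documents reviewed manually. No policy to run security tests in staging, but Security team sometimes runs Red team testing on releases.
    Technologies (Security Aspects): Selenium, Cucumber, Gatling, considering to use Harness tool for delivery stage orchestration and automation. Jira tickets used to document release approvals.

Stage: Prepare to Deploy
    Inputs / Outputs: System Release Candidate tested / Ready to deploy
    Wait Time to start (hours): 8
    Time in stage (hours): 24
    % Rejection by next Stage due to Security issues: 5%
    People (Security Aspects): Release manager, approvals managed by Change Management Review Board. SRE and Ops Security.
    Process (Security Aspects): Prepare and test deployment scripts in staging, Deployment approval with Release manager, SRE and SecOps team.
    Technologies (Security Aspects): ServiceNow used for deployment approvals, Dockerfile, Kubernetes, Terraform for infrastructure changes

Stage: Deploy to Production
    Inputs / Outputs: Approved release ready to deploy / Deployed for Validation in Prod
    Wait Time to start (hours): 10
    Time in stage (hours): 4
    % Rejection by next Stage due to Security issues: 5%
    People (Security Aspects): SRE
    Process (Security Aspects): Deploy release candidate to prod for validation, initiate Canary progressive rollout.
    Technologies (Security Aspects): Argo Kubernetes, monitor with DataDog, evaluating use of Harness in future for AI/ML-driven failure detection. DataDog used for security monitoring in prod.

Stage: Validate in Production
    Inputs / Outputs: Release Candidate Deployed to Prod for validation / Gradually deployed release to Prod
    Wait Time to start (hours): 1
    Time in stage (hours): 168
    % Rejection by next Stage due to Security issues: 20%
    People (Security Aspects): SRE team
    Process (Security Aspects): Gradual validation and deployment to all prod regions using Canary progressive release process.
    Technologies (Security Aspects): Datadog Security Monitoring, evaluating Harness, considering adding Contrast Security IAST for runtime security alerts.

Stage: Operations
    Inputs / Outputs: Fully deployed release to Prod / In-Production Operations
    Wait Time to start (hours): 0
    Time in stage (hours): Until next release
    % Rejection by next Stage due to Security issues: 5%
    People (Security Aspects): SRE, Sec and Ops team
    Process (Security Aspects): Monitor release performance and watch for security anomalies
    Technologies (Security Aspects): Datadog Security Monitoring + SIEM of containerized Java apps with Kubernetes and AWS cloud

Totals: 348 hours end to end; Wait Time 66 hours; Time in stage 282 hours; % Rejection 120%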
Current State Value Stream Mapping Workshop (Continued)
• After the workshop (conducted and orchestrated by the Value Stream Mapping Team Leader):
    • Create a Current State Value Stream Map (Diagram) using the diagram template on the next page, and
    information from the Current State Value Stream Mapping Workshop Record.
    • An example of a completed Current State Value Stream Map (Diagram) is shown in the 2nd slide after this one.
    • Make changes, if needed, to make the Current State Value Stream Mapping Workshop Record match the
    Current State Value Stream Map (Diagram).
    • Obtain consensus with the team. This is now the baseline for the Future State Value Stream Workshop.
    • Schedule the Future State Value Stream Mapping Workshop.
Current State Value Stream Map Diagram Template
[Diagram: blank stage boxes for Input (e.g., Backlog), Design, Implement, Test, Integrate, Package, Acceptance, Deploy Prep, Deploy, Validate and Operations. Each stage has a Factors (People, process, and Tech) box and placeholders for St, Wt and %. The diagram also has a Tools and Infrastructure field and an End-to-End Time field.]
Legend: Wt = Wait time; St = Stage time; % = Rejected by next stage due to security issues
Current State Value Stream Map Diagram Example
[Diagram: the stages of the Current State Value Stream Mapping Workshop Record Example (Input (e.g., Backlog), Design, Implement, Dev Test, Integrate, Package, System Acceptance, Deploy Prep, Deploy, Validate, Operations), each annotated with its process notes, stage time (St), wait time (Wt) and % rejected by the next stage, as listed in the record.]
Tools and Infrastructure: Cloud: AWS; CICD: Jenkins; Plan and Control: Jira, ServiceNow; Documents: MS Word, Visio; Code: Java, GitHub;
Artifact Repo: Artifactory; Test: JUnit, Selenium, RestAssured, Cucumber, Gatling; Security: Xray SCA, SonarQube SAST; Containers: Docker,
Kubernetes; Monitoring: DataDog
End-to-End Time: 348 hr from Backlog to Fully Deployed
Totals: 66 hours wait time; 282 hours stage time; 120% rejected by next stage due to security issues
Legend: Wt = Wait time; St = Stage time; % = Rejected by next stage due to security issues
Future State Value Stream Mapping Workshop
• Preparation activities (typically a few days before the Future State Value Stream Mapping Workshop):
    • The Value Stream Mapping Team Leader, together with the Future State Value Stream Mapping Team,
    analyzes the Current State Value Stream Mapping results and prepares proposals for the Future State
    Value Stream Map. The improvements will usually be driven by Intelligent Continuous Security
    improvement practices that have been determined by the leadership of the organization and
    application.
• During the workshop (typically 2 hours with the Future State Value Stream Mapping Team in attendance):
    • Debate and obtain consensus on the Future State Value Stream Map. Use the Future State Value
    Stream Mapping Workshop Record template, shown on the next slide, to capture this information
    during the workshop. An example is shown on the 2nd slide after this one.
    • The Future State Value Stream Mapping Workshop Record template is available in MS Excel format.
• After the workshop (conducted and orchestrated by the leader):
    • Create a Future State Value Stream Map Diagram using the Future State Value Stream Map Diagram
    template shown on the next page, and the information from the Future State Value Stream Mapping
    Workshop Record.
    • Obtain consensus that the Future State Value Stream Mapping Team agrees with the Future State
    Value Stream Mapping Workshop Record and Future State Value Stream Map Diagram.
Future State Value Stream Mapping Results Template
Columns, one row per stage:
    Stages (Revised)
    Inputs and Outputs
    New Practices
    Changes to People, Process and Technologies
    Estimated Wait Time (Hours)
    Estimated Time in Stage (Hours)
    % Rejection by next Stage due to Security issues
Totals 0 0 0 0
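Future State Value Stream Mapping Results EXAMPLE

Stage: Backlog Planning
    Inputs and Outputs: Backlog / feature priority
    New ICS Practices:
        • Implement peer mentorship programs to share AI-enhanced security knowledge across teams.
        • AI identifies recurring issues and recommends training or enhancements.
    Changes to People, Process and Technologies: Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
    Expected Wait Time (Hours): 0.00
    Expected Time in Stage (Hours): 4.00
    Expected % Rejection by next Stage due to Security issues: 5%

Stage: Design
    Inputs and Outputs: Feature selection / design spec
    New ICS Practices:
        • Mandate threat modeling as part of the design phase using AI-enhanced tools.
        • AI enhances threat modeling by simulating scenarios and suggesting mitigations.
    Changes to People, Process and Technologies: Introduce tool IriusRisk for AI-powered threat libraries and predefined risk patterns for quick and accurate threat identification.
    Expected Wait Time (Hours): 4.00
    Expected Time in Stage (Hours): 8.00
    Expected % Rejection by next Stage due to Security issues: 10%

Stage: Implement (Code) and Dev Test (Combine two stages into
    Inputs and Outputs: Feature design / coded and Dev tested feature
    New ICS Practices: Secure coding and security testing practices
    Changes to People, Process and Technologies: Combine coding and Dev Test into one stage using Test Driven Development TDD and Acceptance Test Driven Development ATDD, with secure coding and testing practices.
    Expected Wait Time (Hours): 0.00
    Expected Time in Stage (Hours): 14.00
    Expected % Rejection by next Stage due to Security issues: 15%

Stage: Integrate and Package Release Candidate (Combine two
    Inputs and Outputs: Pull request / integration build and Release Candidate packaged
    New ICS Practices: AI enhances static and dynamic analysis tools and enforces policies during deployments.
    Changes to People, Process and Technologies: Introduce AI-enhanced DAST tool Invicti and integrate it into DevOps workflows and CICD pipeline via Jenkins.
    Expected Wait Time (Hours): 2.00
    Expected Time in Stage (Hours): 4.00
    Expected % Rejection by next Stage due to Security issues: 15%

Stage: System Acceptance
    Inputs and Outputs: Feature Release candidates / Release Candidate System tested
    New ICS Practices:
        • AI continuously scans for vulnerabilities and adjusts test cases based on threats.
        • Simulate red team-blue team exercises with AI-generated incident scenarios.
    Changes to People, Process and Technologies: Introduce Harness to orchestrate staging test automation, and integrate with it Bright Security that uses AI to generate adaptive test cases and MITRE CALDERA for AI-Driven Red team automation. Use Harness to implement Release Policies as Code.
    Expected Wait Time (Hours): 12.00
    Expected Time in Stage (Hours): 48.00
    Expected % Rejection by next Stage due to Security issues: 5%

Stage: Prepare to Deploy
    Inputs and Outputs: System Release Candidate tested / Ready to deploy
    New ICS Practices: Intelligent collaboration tools and AI agents facilitate real-time alerting, predictive analytics, and automation.
    Changes to People, Process and Technologies: Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
    Expected Wait Time (Hours): 0.00
    Expected Time in Stage (Hours): 12.00
    Expected % Rejection by next Stage due to Security issues: 5%

Stage: Deploy to Production
    Inputs and Outputs: Approved release ready to deploy / Deployed for
    New ICS Practices: AI enhances static and dynamic analysis tools and enforces policies during deployments.
    Changes to People, Process and Technologies: Use Harness to implement deployment policies as code
    Expected Wait Time (Hours): 4.00
    Expected Time in Stage (Hours): 2.00
    Expected % Rejection by next Stage due to Security issues: 5%

Stage: Validate in Production
    Inputs and Outputs: Release Candidate Deployed to Prod for validation / Gradually
    New ICS Practices: Integrate incident retrospectives into release review processes.
    Changes to People, Process and Technologies: Use Harness to implement deployment policies as code, and to orchestrate Canary deployment and Roll-backs
    Expected Wait Time (Hours): 1.00
    Expected Time in Stage (Hours): 72.00
    Expected % Rejection by next Stage due to Security issues: 5%

Stage: Operations
    Inputs and Outputs: Fully deployed release to Prod / In-Production Operations
    New ICS Practices:
        • Deploy threat intelligence platforms that correlate external signals with internal telemetry.
        • AI provides real-time insights for faster decision-making during incidents.
    Changes to People, Process and Technologies: Extend Datadog with its Security Monitoring, Threat Intelligence, and AI-enhanced observability features
    Expected Wait Time (Hours): 0
    Expected Time in Stage (Hours): Until next release
    Expected % Rejection by next Stage due to Security issues: 5%

Total: 187 hours end to end; Wait Time 23 hours; Time in Stage 164 hours; % Rejection 70%
Expected Improvement: 161 hours end to end; Wait Time 43 hours; Time in Stage 118 hours; % Rejection 40%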
Future State Value Stream Map Diagram Example
[Diagram: the stages of the Future State Value Stream Mapping Results Example (Input (e.g., Backlog), Design, Implement Code and Dev Test, Integrate and Package, System Acceptance, Deploy Prep, Deploy, Validate, Operations), each annotated with its changes to people, process and technologies, stage time (St), wait time (Wt) and % rejected by the next stage, as listed in the results example.]
Tools and Infrastructure: New tools: Communication and collaboration: SLACK; IRIUSRISK for AI-powered threat modeling; INVICTI for DAST; Harness
for orchestration of staging and deployments and Policy as Code; BRIGHT SECURITY for AI-generative adaptive tests; MITRE CALDERA for AI-Driven Red
team testing; Extend DataDog with Security Monitoring, Threat Intelligence and AI-enhanced observability
End-to-End Time: 187 hr from Backlog to Fully Deployed
Totals: 23 hours wait time = 65% improved; 164 hours stage time = 42% improved; 70% rejected by next stage due to security issues = 42% improved
Legend: Wt = Wait time; St = Stage time; % = Rejected by next stage due to security issues
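The totals and "% improved" figures in the current-state and future-state examples above can be recomputed from the per-stage rows, which is a quick way to catch a record that no longer matches its diagram. The Python sketch below is an added example, not part of the original deck or its Excel tools. The pipe-separated row format, the function names and the ranking of stages by rejection percentage are assumptions made for illustration; the stage values are transcribed from the deck's two example records.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Rows: stage | wait time (h) | time in stage (h) | % rejected by next stage.
# Values transcribed from the deck's example records; the row format is assumed.
CURRENT_RECORD = """
Backlog Planning | 0 | 4 | 10%
Design | 4 | 6 | 10%
Implement (Code) | 1 | 14 | 10%
Dev Test | 8 | 4 | 20%
Integrate | 8 | 4 | 5%
Package | 2 | 6 | 15%
System Acceptance | 24 | 48 | 15%
Prepare to Deploy | 8 | 24 | 5%
Deploy to Production | 10 | 4 | 5%
Validate in Production | 1 | 168 | 20%
Operations | 0 | Until next release | 5%
"""
FUTURE_RECORD = """
Backlog Planning | 0 | 4 | 5%
Design | 4 | 8 | 10%
Implement (Code) and Dev Test | 0 | 14 | 15%
Integrate and Package Release Candidate | 2 | 4 | 15%
System Acceptance | 12 | 48 | 5%
Prepare to Deploy | 0 | 12 | 5%
Deploy to Production | 4 | 2 | 5%
Validate in Production | 1 | 72 | 5%
Operations | 0 | Until next release | 5%
"""
# Totals rows as stated in the deck.
CURRENT_STATED = {"end_to_end": 348, "wait": 66, "stage": 282, "reject": 120}
FUTURE_STATED = {"end_to_end": 187, "wait": 23, "stage": 164, "reject": 70}


@dataclass(frozen=True)
class Stage:
    name: str
    wait_h: float
    stage_h: Optional[float]  # None for open-ended stages ("Until next release")
    reject_pct: float


def parse_record(text: str) -> list[Stage]:
    """Parse record rows, rejecting malformed or out-of-range values."""
    stages = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            raise ValueError(f"row {lineno}: expected 4 cells, got {len(cells)}")
        name, wait, in_stage, reject = cells
        try:
            stage_h = float(in_stage)
        except ValueError:
            stage_h = None  # open-ended stage, excluded from the time totals
        wait_h, reject_pct = float(wait), float(reject.rstrip("%"))
        if wait_h < 0 or (stage_h is not None and stage_h < 0):
            raise ValueError(f"row {lineno}: negative time")
        if not 0 <= reject_pct <= 100:
            raise ValueError(f"row {lineno}: rejection must be 0-100%")
        stages.append(Stage(name, wait_h, stage_h, reject_pct))
    return stages


def totals(stages: list[Stage]) -> dict[str, float]:
    """Column totals, summed the same way the deck's Totals row is."""
    wait = sum(s.wait_h for s in stages)
    in_stage = sum(s.stage_h for s in stages if s.stage_h is not None)
    reject = sum(s.reject_pct for s in stages)
    return {"end_to_end": wait + in_stage, "wait": wait,
            "stage": in_stage, "reject": reject}


def mismatches(stages: list[Stage], stated: dict[str, float]) -> list[str]:
    """Differences between the stated Totals row and the per-stage rows."""
    computed = totals(stages)
    return [f"{k}: record states {stated[k]}, stages add up to {computed[k]:g}"
            for k in computed if computed[k] != stated[k]]


def improvement(current: list[Stage], future: list[Stage]) -> dict[str, int]:
    """Relative improvement per total, in whole percent of the current value."""
    cur, fut = totals(current), totals(future)
    return {k: round(100 * (cur[k] - fut[k]) / cur[k]) if cur[k] else 0
            for k in cur}


def priorities(stages: list[Stage], n: int = 3) -> list[str]:
    """Assumed ranking: highest security rejection first, then longest wait."""
    ranked = sorted(stages, key=lambda s: (-s.reject_pct, -s.wait_h))
    return [s.name for s in ranked[:n]]


if __name__ == "__main__":
    current, future = parse_record(CURRENT_RECORD), parse_record(FUTURE_RECORD)
    print("current totals:", totals(current), mismatches(current, CURRENT_STATED))
    print("future totals: ", totals(future), mismatches(future, FUTURE_STATED))
    print("% improved:    ", improvement(current, future))
    print("review first:  ", priorities(current))
```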
Marc Hornbeek
a.k.a. DevOps_the_Gray esq.
CEO and Principal Consultant
Engineering DevOps Consulting
Author – Engineering DevOps
mhornbeek@engineeringdevops.com
Learn More

Value Stream Mapping Worskshops for Intelligent Continuous Security

  • 1.
    Value Stream MappingVSM Workshop For Intelligent Continuous Security ICS Value Stream Mapping Workshop for ICS Intelligent Continuous Security is a Trademark of Engineering DevOps Consulting © 2025 Note: Excel tools referenced in this document are available on EngineeringDevoOps.com By Marc Hornbeek
  • 2.
    2 Purpose: identify prioritiesand requirements for improved security protection practices in application value streams.
  • 3.
    A Value StreamMap is a visual diagram that illustrates the stages, timings and other information which is relevant to the value of interest for Value Stream Mapping. 3 https://en.wikipedia.org/wiki/Value_stream_mapping https://devops.com/lean-value-stream-mapping-for-devops/ http://itrevolution.com/starting-devops-value-stream/ https://webinars.devops.com/4-steps-how-to-value-stream- map-your-software-pipelines https://www.youtube.com/watch?v=J7G1pYeCOYU https://www.youtube.com/watch?v=wzl7Y7N8S6k Value stream mapping is a lean engineering method. It is a visual and collaborative method for teams to analyze the current state. and design an improved future state, for the series of stages that take product or service capabilities from inception through to customer operations. It can be applied to nearly any application.
  • 4.
    4 The primary stepsare: 1. Assign a Value Stream Mapping Team leader and teams. 2. Train the teams on the Value Stream Mapping approach. 3. Prepare for, conduct, and document the Current State Value Stream Mapping Workshop for the selected application. This step is part of Discovery and Assessment. 4. Prepare for, conduct and document the Future State Value Stream Mapping Workshop for the selected application. This step is part of Solution Mapping. Value Stream Mapping Workshop Steps Value Stream Mapping is conducted as a team in a workshop.
  • 5.
    5 • The ValueStream Mapping Team Leader’s role is to orchestrate activities for Value Stream Mapping workshops. The leader must be experienced in leading Value Stream Mapping workshops. Skills required include leading teams, understands the “Value” being analyzed (For ICS VSMs this shall include security practices and results), process control, critical and objective thinking, obtaining consensus, and meticulous documentation. This can be someone from the organization that is responsible for the application, or someone outside of the organization, such as an independent consultant. • The Current State Value Stream Mapping Team for an ICS Current State Value Stream Mapping workshop shall include people that are familiar with current stages and practices for development, security, operations, tools and governance of the application. This becomes the baseline for comparing improvements. • The Future State Value Stream Mapping Team for an ICS Future State Value Stream Mapping workshop shall include the same people from the Current State Value Stream Mapping workshop, plus people that are EXPERTS in practices that were identified as areas for improvement. Value Stream Mapping Team Leader, and Teams
  • 6.
    6 • Preparation activities(Typically one week before the Workshop): • The Current State Value Stream Mapping Team Leader educates members on the value stream mapping method. For example, the Value Stream Mapping Team leader could present this presentation to the team. • Ask each team member to collect information that will be needed to complete the Current State Value Stream Map. What are the value stream stages that they believe are important to the workshop? What is the lead time for each stage? Identify any wait times between stages. Identify security results from each stage in the form of the % of security events that are rejected by or otherwise fail to meet requirements of the next stage. • During the workshop (Tyically 2 hours with the Current State Value Stream Mapping Team in attendance): • Obtain consensus of the current state value stream map stages. • Use the Current State Value Stream Mapping Workshop Record shown on the next slide to capture information for each stage including: inputs, outputs, Wait times, Time to complete each stage, % of security events that are rejected by or otherwise fail to meet requirements of the next stage, and relevant people, process and technology practices. • The Current State Value Stream Mapping Workshop Record template is available in MS Excel format. • An example of Current State Value Stream Mapping Workshop Record is provided in the 2nd slide after this one. • Before leaving the workshop obtain consensus about the record. Current State Value Stream Mapping Workshop Continued next slide….
  • 7.
    Current State ValueStream Mapping Workshop Record Template 7 Stage Inputs / Outputs Wait Time to start (hours) Time in stage (hours) % Rejection by next Stage due to Security issues People (Security Aspects) Process (Security Aspects) Technologies (Security Aspects) Totals 0 0 0 0%
  • 8.
    Current State ValueStream Mapping Workshop Record Example 8 Stage Inputs / Outputs Wait Time to start (hours) Time in stage (hours) % Rejection by next Stage due to Security issues People (Security Aspects) Process (Security Aspects) Technologies (Security Aspects) Backlog Planning Backlog / feature priority 0 4 10% Product owner, Dev leads, Security usually not participating but security may inut security requests Backlog may include security improvements Jira, no specific security tools Design Feature selection / design spec 4 6 10% Developer alone, no specific security training Design and review, usually not reviewed by security team MS Word, Visio, Java, no spefific security design tools Implement (Code) Feature design / code 1 14 10% Developer alonen no security coding standard Peer review with one other designer, usually not with Security Code and peer review Dev Test Code / Dev tested feature 8 4 20% Dev create Junit, functional and integration test scripts, sometimes with QA, Security does not write tests Most tests are manual functional tests, no standard security tests Dev test scripts in java. Test tools Selenium for GUI tests, RestAssured for Rest APIs testing, Cucumber for functional testing Integrate Pull request / integration build 8 4 5% Developer pull request, no specific security requirements Pull, build with trunk, integration tests with trunk include SCA and SAST. Pull request with GitHub, merge build with trunk, integration tests, Jenkns orchetrates and runs automated integration tests together with Maven. SCA tool Jfrog Xray , SAST tool SonarQube Package Feature build tested with trunk / Feature candiate in artifact repo 2 6 15% Developer, with help fromDevOps engineer when needed Prepare Feature candidate package for release, build containers, register /sign in artifact repo, no specific consideration for security. Docker, Artifactory, Xray, , not using security scanners for artifacts or containers. 
System Acceptance Feature candidates / System Release Candidate tested 24 48 15% QA, not security involvement Most system tests are manual and created by QA team. Deploy release candidate to staging, run system regresssion, performance, and acceptance tests. Release policies are MSExcel documents reviewed manualy. No policy to run security tests in staging, but Security team sometimes runs Red team testing on releases. Selenium, Cucumber, Gatling, considering to use Harness tool for delivery stage orchestration and automaton. Jira tickets used to document release approvals. Prepare to Deploy System Release Candidate tested / Ready to deploy 8 24 5% Release manager, approvals managed by Change Management Review Board.SRE and Ops Security. Prepare and test deployment scripts in staging, Deployment approval with Release manager, SRE and SecOps team. ServiceNow used for deployment approvals, Dockerfile, Kubernete, Terraform for infrastructure changes Deploy to Production Approved release ready to deploy / Deployed for Validation in Prod 10 4 5% SRE Deploy release candidate to prod for validation, initiate Canary progressive rollout. Argo Kubernetes, monitor with DataDog, evaluating use of Harness in future for AI/ML-driven failure detection. DataDog used for security ing monitor in prod. Validate in Production Release Candidate Deployed to Prod for validation / Gradually deployed release to Prod 1 168 20% SRE team Gradual validation and deloyment to all prod regions using Canary progressive release process. Datadog Security Monitoring, evaluating Harness, considering adding Contrast Security IAST for runtime security alerts. Operations Fully deployed release to Prod / In-Production Operations 0 Until next release 5% SRE, Sec and Ops team Monitor release performance and watch for security anomolies Datadog Security Monitoring + SIEM of containerized Java apps with Kubernetes and AWS cloud Totals 348 66 282 120%
  • 9.
    9 • After theworkshop (Conducted and orchestrated by the Value Stream Mapping Team Leader): • Create a Current State Value Stream Map (Diagram) using the diagram template on the next page, and information from the Current State Value Stream Mapping Workshop Record. • An example of a completed Current State Value Stream Map (Diagram) is shown in the 2nd slide after this one. • Make changes, if needed, to make the Current State Value Stream Mapping Workshop Record match the Current State Value Stream Map (Diagram) . • Obtain consensus with the team. This is now the baseline for the Future State Value Stream Workshop. • Schedule the Future State Value Stream Mapping Workshop. Current State Value Stream Mapping Workshop (Continued)
  • 10.
    Current State ValueStream Map Diagram Template Input (E.g., Backlog) Factors (People, process, and Tech) Design Tools and Infrastructure: Factors (People, process, and Tech) St End-to-End Time St Wt Implement Factors (People, process, and Tech) Test Factors (People, process, and Tech) St St Wt % Wt % Integrate Factors (People, process, and Tech) Package Factors (People, process, and Tech) St St Wt % Acceptance Factors (People, process, and Tech) Deploy Prep Factors (People, process, and Tech) St St Wt % Wt % Wt % Deploy Factors (People, process, and Tech) Validate Factors (People, process, and Tech) St St Wt % Operations Factors (People, process, and Tech) St Wt % Wt % Wt Wait time St Stage time % % % = Rejected by next stage due to security issues %
  • 11.
    Current State ValueStream Map Diagram Example Input (E.g., Backlog) Backlog may include security improvem ents Design Tools and Infrastructure: Cloud: AWS; CICD: Jenkins; Plan and Control: Jira, ServiceNow; Documents: MSWord; Visio’ Code: Java, GitHub; Artifact Repo: Artifactory; Test: Junit, Selenium, RestAssured, Cucumber, Gatling; Security: Xray SCA, SonarQube SAST; Containers: Docker, Kubernetes; Monitoring: DataDog Design and review, usually not reviewed by security team 4 hr 348 hr from Backlog to Fully Deployed 6 hr 4 hr Implement Peer review with one other designer, usually not with Security Dev Test Peer review with one other designer, usually not with Security 14 hr 4 hr 8 hr 10 % 1 hr 10 % Integrate Pull, build with trunk, integrati on tests with trunk include SCA and SAST. Package Prepare Feature candidate package for release, build containers, register /sign in artifact repo, no specific consideratio n for security. 4 hr 6 hr 2 5 % System Acceptance Most system tests are manual and created by QA team. Deploy release candidate to staging, run system regression, performance, and acceptance tests. Release policies are MS Excel documents reviewed manually. No policy to run security tests in staging, but Security team sometimes runs Red team testing on releases. Deploy Prep Prepare and test deployment scripts in staging, Deployment approval with Release manager, SRE and SecOps team. 2 D 1 D 8 hr 15 % 24 hr 15 % 8hr 20 % Deploy Deploy release candidate to prod for validation, initiate Canary progressiv e rollout. Validate Gradual validation and deployment to all prod regions using Canary progressive release process. 4 h 7D 1 h 5 % Operations Monitor release perform ance and watch for security anomali es 0 20 % 1D h 5 % Wt Wait time St Stage time 10 % % % = Rejected by next stage due to security issues 5 % 66 hours 282 hours 120%
  • 12.
    12 • Preparation activities(Typical a few days before the Future State Value Strea Mapping Workshop): • The Value Stream Mapping Team Leader , together with the Future State Value Stream Mapping Team, analyze the Current State Value Stream Mapping results and prepare proposals for the Future State Value Stream Map. The improvements will usually be driven by Intelligent Continuous Security improvement practices that have been determined by the leadership of the organization and application. • During the workshop (Typically 2 hours with the Future State Value Stream Mapping Team in attendance): • Debate and obtain consensus of the Future State Value Stream Map. Use the Future State Value Stream Mapping Workshop Record template, shown on the next slide, to capture this information during the workshop. An example is shown on the 2nd slide after this one. • The Future State Value Stream Mapping Workshop Record template is available in MS Excel format. • After the workshop (Conducted and orchestrated by the leader): • Create a Future State Value Stream Map Diagram using the Future State Value Stream Map Diagram template shown on the next page, and the information from the Future State Value Stream Mapping Workshop Record. • Obtain consensus that the Future State Value Stream Mapping Team agree with the Future State Value Stream Mapping Workshop Record and Future State Value Stream Map Diagram. Future State Value Stream Mapping Workshop
  • 13.
    Future State Value Stream Mapping Results Template
    Columns of the template:
    • Stages (Revised)
    • Inputs and Outputs
    • New Practices
    • Changes to People, Process and Technologies
    • Estimated Wait Time (Hours)
    • Estimated Time in Stage (Hours)
    • % Rejection by next Stage due to Security issues
    Placeholder values in the empty template: 0, 0, 0, 0
  • 14.
    Future State Value Stream Mapping Results EXAMPLE
    Columns: Stage; Inputs and Outputs; New ICS Practices; Changes to People, Process and Technologies; Expected Wait Time (Hours); Expected Time in Stage (Hours); Expected % Rejection by next Stage due to Security issues
    • Stage: Backlog Planning
        • Inputs and Outputs: Backlog / feature priority
        • New ICS Practices: Implement peer mentorship programs to share AI-enhanced security knowledge across teams. AI identifies recurring issues and recommends training or enhancements.
        • Changes to People, Process and Technologies: Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
        • Expected Wait Time: 0.00; Expected Time in Stage: 4.00; Expected % Rejection: 5%
    • Stage: Design
        • Inputs and Outputs: Feature selection / design spec
        • New ICS Practices: Mandate threat modeling as part of the design phase using AI-enhanced tools. AI enhances threat modeling by simulating scenarios and suggesting mitigations.
        • Changes to People, Process and Technologies: Introduce tool IriusRisk for AI-powered threat libraries and predefined risk patterns for quick and accurate threat identification.
        • Expected Wait Time: 4.00; Expected Time in Stage: 8.00; Expected % Rejection: 10%
    • Stage: Implement (Code) and Dev Test (Combine two stages into
        • Inputs and Outputs: Feature design / coded and Dev tested feature
        • New ICS Practices: Secure coding and security testing practices
        • Changes to People, Process and Technologies: Combine coding and Dev Test into one stage using Test Driven Development TDD and Acceptance Test Driven Development ATDD, with secure coding and testing practices.
        • Expected Wait Time: 0.00; Expected Time in Stage: 14.00; Expected % Rejection: 15%
    • Stage: Integrate and Package Release Candidate (Combine two
        • Inputs and Outputs: Pull request / integration build and Release Candidate packaged
        • New ICS Practices: AI enhances static and dynamic analysis tools and enforces policies during deployments.
        • Changes to People, Process and Technologies: Introduce AI-enhanced DAST tool Invicti and integrate it into DevOps workflows and CICD pipeline via Jenkins.
        • Expected Wait Time: 2.00; Expected Time in Stage: 4.00; Expected % Rejection: 15%
    • Stage: System Acceptance
        • Inputs and Outputs: Feature Release candidates / Release Candidate System tested
        • New ICS Practices: AI continuously scans for vulnerabilities and adjusts test cases based on threats. Simulate red team-blue team exercises with AI-generated incident scenarios.
        • Changes to People, Process and Technologies: Introduce Harness to orchestrate staging test automation, and integrate with it Bright Security, which uses AI to generate adaptive test cases, and MITRE CALDERA for AI-Driven Red team automation. Use Harness to implement Release Policies as Code.
        • Expected Wait Time: 12.00; Expected Time in Stage: 48.00; Expected % Rejection: 5%
    • Stage: Prepare to Deploy
        • Inputs and Outputs: System Release Candidate tested / Ready to deploy
        • New ICS Practices: Intelligent collaboration tools and AI agents facilitate real-time alerting, predictive analytics, and automation.
        • Changes to People, Process and Technologies: Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
        • Expected Wait Time: 0.00; Expected Time in Stage: 12.00; Expected % Rejection: 5%
    • Stage: Deploy to Production
        • Inputs and Outputs: Approved release ready to deploy / Deployed for
        • New ICS Practices: AI enhances static and dynamic analysis tools and enforces policies during deployments.
        • Changes to People, Process and Technologies: Use Harness to implement deployment policies as code.
        • Expected Wait Time: 4.00; Expected Time in Stage: 2.00; Expected % Rejection: 5%
    • Stage: Validate in Production
        • Inputs and Outputs: Release Candidate Deployed to Prod for validation / Gradually
        • New ICS Practices: Integrate incident retrospectives into release review processes.
        • Changes to People, Process and Technologies: Use Harness to implement deployment policies as code, and to orchestrate Canary deployment and Roll-backs.
        • Expected Wait Time: 1.00; Expected Time in Stage: 72.00; Expected % Rejection: 5%
    • Stage: Operations
        • Inputs and Outputs: Fully deployed release to Prod / In-Production Operations
        • New ICS Practices: Deploy threat intelligence platforms that correlate external signals with internal telemetry. AI provides real-time insights for faster decision-making during incidents.
        • Changes to People, Process and Technologies: Extend Datadog with its Security Monitoring, Threat Intelligence, and AI-enhanced observability features.
        • Expected Wait Time: 0; Expected Time in Stage: Until next release; Expected % Rejection: 5%
    Total: 187 hours overall; 23 hours wait time; 164 hours time in stage; 70% rejection
    Expected Improvement: 161 hours overall; 43 hours wait time; 118 hours time in stage; 40% rejection
  • 15.
    Future State Value Stream Map Diagram Example
    Tools and Infrastructure: New tools: Communication and collaboration: SLACK; IRIUSRISK for AI-powered threat modeling; INVICTI for DAST; Harness for orchestration of staging and deployments and Policy as Code; BRIGHT SECURITY for AI-generative adaptive tests; MITRE CALDERA for AI-Driven Red team testing; Extend DataDog with Security Monitoring, Threat Intelligence and AI-enhanced observability
    Stages shown on the diagram:
    • Input (E.g., Backlog): Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
    • Design: Introduce tool IRIUSRISK for AI-powered threat libraries and predefined risk patterns for quick and accurate threat identification.
    • Implement Code and Dev Test: Combine coding and Dev Test into one stage using Test Driven Development TDD and Acceptance Test Driven Development ATDD, with secure coding and testing practices.
    • Integrate and Package: Introduce AI-enhanced DAST tool INVICTI and integrate it into DevOps workflows and CICD pipeline via Jenkins.
    • System Acceptance: Introduce Harness to orchestrate staging test automation and integrate with it BRIGHT SECURITY, which uses AI to generate adaptive test cases, and MITRE CALDERA for AI-Driven Red team automation. Use Harness to implement Release Policies as Code.
    • Deploy Prep: Implement Slack across development, Sec and Ops teams for real-time alerts and collaboration. Integrate workflows with ticketing Jira and ServiceNow.
    • Deploy: Use Harness to implement deployment policies as code.
    • Validate: Use Harness to implement deployment policies as code, and to orchestrate Canary deployment and Roll-backs.
    • Operations: Extend Datadog with its Security Monitoring, Threat Intelligence, and AI-enhanced observability features.
    Legend: Wt = Wait time; St = Stage time; % = Rejected by next stage due to security issues. Each stage on the diagram is annotated with its own Wt, St and % values.
    Totals: 187 hr from Backlog to Fully Deployed; wait time 23 hours = 65% improved; stage time 164 hours = 42% improved; rejection due to security issues 70% = 42% improved.
  • 16.
    Marc Hornbeek a.k.a. DevOps_the_Gray esq.
    CEO and Principal Consultant, Engineering DevOps Consulting
    Author – Engineering DevOps
    mhornbeek@engineeringdevops.com