An Iterative Process
Most relevant for 🔥 Advisors and 🔍 Technical Evaluators
An iterative process is a way of working through a project by repeatedly refining and improving it through a series of cycles, or iterations. In software development, this process is often used to manage the complexity of building large software systems. Working iteratively lets the team focus on small, manageable chunks of work at a time, which reduces the risk of errors and keeps the overall complexity of the project manageable.
It also allows the team to gather feedback from stakeholders and users throughout the process, which can be used to refine and improve the project as it progresses.
Core Guidelines
- Be transparent and engaged with all stakeholders through open systems and communication.
- Share results and outputs early and often, so that feedback can be gathered.
- Debrief and reflect upon the quality of outcomes and outputs, to inform, revise, and improve subsequent iterations of the work.
How We Engage
Our process adheres to a series of tasks and engagements outlined in the Assessment Methodology section, involving the vendor or technology solution team. This approach fosters transparency and ensures the accuracy of the findings we produce and share.
Furthermore, it is important to engage with vendors frequently regarding any discovered vulnerabilities or bugs. After each step in the process we share an update with the vendor and the commissioning team (for instance, UNICEF in our case) and allow feedback, so the process can be iterative and accurately reflect a relevant and up-to-date solution.
We begin with introductions and laying a foundation of communication and trust, which we hope continues throughout the lifecycle of our engagement.
Below are a few examples of how our iterative process involves the vendor or technology solution team in the assessment process:
- Initial introduction between assessment team, solution team, and other stakeholders.
- Onboarding call with the vendor and a typical guided walk-through or demo of the solution.
- Create an established communications channel and share an asset request list with the vendor.
- Tip: It is helpful to choose a communication channel that already exists in the vendor workflow to ease any burden of communication.
- Create a file-sharing service folder for ease of uploading documents and sharing assets, along with any additional resources the vendor deems useful for successfully completing the process (case studies, security audits, SBOM, independent reports, etc.).
- Maintain transparency throughout the process and communicate regularly.
- Once technical quality assessments are complete, we value a video call with the vendor or technology solution team to review comments and findings in real time. Time is then spent incorporating comments and updating our final report.
- Tip: This step should happen before sharing the full assessment with other stakeholders.
For high- or severe-level vulnerabilities, the disclosure approach includes:
- Ethically disclose vulnerabilities or bugs to vendors.
- After each step you complete in the assessment, disclose any vulnerabilities or bugs found to the vendor through an agreed-upon communication channel.
- Handle all sensitive communications in a secure, confidential manner agreed upon by the vendor and the assessment team.
- Negotiate with vendors regarding the complexity of a fix and its timeline.
- Based on that complexity, determine how and when to update the assessment report accordingly (i.e., a vulnerability is disclosed but not fixed, a fix is in process, or a fix has been evaluated).