Making the Security Conversation More “Feature-Driven”

This blog was originally published by Adobe here.

Written by Sandhya Narayan, Principal Program Manager, Adobe.

A constantly changing security landscape driven by increasingly persistent threats, growing attack sophistication, and tighter compliance requirements keeps both security and product teams busy. As the pace of change continues to accelerate, the traditional security engagement model — attempting to address security issues and features into products after the fact — cannot scale. This is especially true as the application development process has become both more rapid and more abstracted with the use of newer cloud technologies, such as containers and microservices. In addition, if security teams continue to engage with product teams using the same methods they have always used, you may find yourself in a position of forever playing catch-up. This can make you be seen more as “ticket-pushers” rather than impacting and making meaningful strides in security — something that’s definitely not scalable given this increased pace of development.

In the cloud-centric app development world, focus on evolving your engagement model into a more proactive and collaborative one, making this a foundational concept in your security engagement strategy. This can be part of an overall strategy in your application security efforts to “shift left” as much of the security effort as possible in the development process.

Here are five key improvements to make in your security engagement process to help ensure “secure by design” principles are better used across all products and services:

Engagement

Security teams typically engage with security champions within the product group. While these security champions may assist your centralized security team in scaling security efforts, they are not the ones ultimately responsible for product roadmap decisions; that responsibility falls on application development teams. Adapting to this reality in the software development lifecycle can help you create an engagement model that brings the right players into security conversations at the right time, not only ensuring proper prioritization and timely remediation, but also gaining commitments and making real decisions.

To this end, take a tiered approach, engaging with security champions on a bi-weekly basis and meeting on a monthly or quarterly schedule with product architects and product management to learn more about the overall product roadmap and design strategy. Continue to meet with engineering teams, subject matter experts, and DevOps each time new services are spun off and more details are needed to better understand the inner workings of systems and services. This helps everyone stay informed at all levels and aids in ensuring product security.

Conversation

Making a conscious shift in the conversations with engineering teams is fundamental. While such communication is a soft skill and may be downplayed by engineers, it can help you gain early visibility into engineering and product roadmaps as well as transform your conversations from one-way information downloads from engineering to two-way consultations and collaboration.

Problem Solving

Rather than meeting to just review security issues and gather updates on incremental progress, change your fundamental engagement approach with the product teams. By becoming better listeners, you not only become an integral part of their design process, but you also become problem-solvers who can help brainstorm, ideate, and untangle complex architectural challenges.

Partnership

This change in approach leads to a stronger partnership between your security and product teams. Security team members are no longer seen as the ones who push additional work with unreasonable timelines. Instead, you are now viewed as pivotal partners who can be trusted to call out the missteps and champion the right approaches. Your conversations will be focused on how to securely design applications and services from the ground up.

Design and Build Secure

“Shifting left” in the software development lifecycle and engaging with product teams earlier in the design and development phases helps ensure the product teams understand the need to place security requirements on par with feature requirements. Making sure security is truly integrated throughout the software development process — in the concept, design, development, build, test, and deployment phases — is a win-win for both you and your customers.

With the growing sophistication of attacks and ever-changing business needs, it’s very important for security teams to stay engaged and connected to their product teams. That means your security group must remain flexible and align your engagement strategies with the product teams to help ensure security and compliance needs are met along with business requirements. I strongly believe that fostering this symbiotic model will benefit both security and product teams in the long run.