In this article we would like to review what Raj Umadas, Product Security Manager at Compass, has shared during our recent webinar highlighting recurring themes that have led to impactful collaborations and organizational risk reduction. Product security (ProdSec) is crucial in the process of growing your business, as it helps build a solid and trusted brand for products. While you might be wondering how product security themes come into the mix, know that they’re the bedrock of ProdSec.
There are so many themes up for consideration, but we’ll be highlighting a few standouts that have been used successfully by Raj while securing top organizations like Etsy, Squarespace, Canary, and Spotify.
5 Proven Product Security Themes
Before we delve into the juicy stuff, let’s get something straight. Typically, these themes work for tech-oriented organizations and require their employees to step to the fore in deploying modern technologies for solutions.
Without further ado:
1. Developing Meaningful Partnerships
In today’s world, partnerships are everything. Since no person is an island, you will need to engage other organizations or internal teams in order to take your company to greater heights.
That is not all there is to partnerships, though, as any “Tom, Dick, and Harry” can form one. Before you delve into any partnership, ensure that the interests of your organization and those of the partnering firm are aligned.
For example, if you have an organization that is into coding and programming, establishing a bond with a firm that is into building apps is sure to yield positive dividends.
Additionally, partnerships don’t have to be external. Internal partnerships can also foster organizational growth. For example, dividing a project between two teams is sure to yield quicker results.
Finally, an effective partnership should never be parasitic. Whenever you feel as though you are being taken advantage of, it is within your rights to call it quits.
2. The Golden Path
While you can find this term as a Netflix movie, it is important to note that its usage is entirely different in the world of product security.
At several organizations, the golden path is used to ensure engineers are using all the tools available to them to enable success. It is a set of developer productivity tooling that has strong adoption within the organization. A well-defined golden path is basically a fail-safe that prevents you from “shooting yourself in the foot,” as it is meant to be a secure methodology for achieving your engineering, and therefore your ProdSec goals.
With it, your team of software developers can develop and deploy a working system on tooling the organization already supports. It has worked for many successful companies in modern times and is one theme that should not be relegated to the background.
However, supporting the “Golden Path” does not mean you should limit your partnership ventures to only the teams that adopt it. Your productivity tooling may not support the needs of all teams, and therefore there will be a population that does not conform. You can still support those teams with security reviews and other expertise that is within your capabilities but outside the golden path. In the long run, it could yield your organization some positives.
3. Clinging Onto Opportunities
The saying, “opportunity comes but once,” accentuates this theme. In product security, you will have to seize any chance you think your company can take advantage of.
This theme contrasts with a conservative approach. You do not have to wait until an issue arises before you take a huge leap. If you see a set of motivated individuals ready to put in the needed working hours, bring them onboard.
If the company does experience a crisis in the future, these individuals will be by your side to provide the much-needed solution. You would not have to worry about integrating them into your organization, since you have already established a good partnership.
4. Solve for the Semantically Smaller Problem
Okay, so this theme sounds rather complicated, but it’s actually not that hard to comprehend.
Here is an illustration.
In organizations that are made up of highly motivated engineers, solving “Google scale” problems often takes precedence over primary areas within the firm, and may even be considered a good day’s work.
Effectively, Google scale should not be your initial focus. It is a great opportunity to earn your organization a Black Hat talk, but probably one that increases the lead time to true risk reduction for your organization. A better option would be to create your own effective in-house solutions for your specific problems.
An in-house solution might not be the most tech-savvy or score high marks in a DevOps competition, but it is a start regardless. To get development underway, you need to get a hold of how your teams work and try to implement simple solutions on easy tasks.
That way, you can focus on any optimization aspects that pop up during the tests.
5. Use Your Risk Budget
Every company should have a risk budget, as this helps to mitigate losses. To ensure that you don’t exceed this budget limit, you might want to use some cost-effective tools like static application security testing (SAST). With SAST, you don’t have to worry about engaging third-party alternatives, as you are in charge of all proceedings.
But bear in mind that relying on a SAST tool, your company might receive less coverage and fewer findings. Nevertheless, when you weigh the risks, the difference is negligible.
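To make the “semantically smaller problem” and the SAST trade-off above concrete, here is an added example that is not from the webinar, from Raj, or from Compass. It assumes a Python codebase and deliberately implements only two narrow, in-house rules over the language’s own abstract syntax tree: calls to eval(), and subprocess calls with a literal shell=True. The sample source it scans is constructed for the example. The point is the theme, not the rules: a check this small can run in CI on day one, and its blind spots (for instance shell=some_variable, which it will not flag) are exactly the “less coverage” a team consciously accepts against its risk budget.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Constructed sample: two risky patterns and one benign call.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    subprocess.run(cmd, shell=True)   # shell=True with untrusted input is a classic risk

def evaluate(expr):
    return eval(expr)                  # eval on runtime data

def safe(cmd):
    subprocess.run(["ls", "-l"])       # list form, no shell interpretation
'''

# Hypothetical rule set for this example; a real tool would carry far more.
SUBPROCESS_CALLS = (
    "subprocess.run",
    "subprocess.Popen",
    "subprocess.call",
    "subprocess.check_output",
)


def _call_name(func):
    """Return a dotted name for a call target, e.g. 'subprocess.run', or ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class RiskyCallVisitor(ast.NodeVisitor):
    """Walk the AST and record calls that match the two narrow rules."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name == "eval":
            self.findings.append(Finding(node.lineno, "eval-call", "eval() on runtime data"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                # Only a literal True is matched; shell=flag is a known blind spot.
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(
                        Finding(node.lineno, "subprocess-shell", f"{name} called with shell=True")
                    )
        # Keep descending so nested calls are also inspected.
        self.generic_visit(node)


def scan(source: str):
    """Parse Python source and return findings sorted by line number."""
    visitor = RiskyCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Run as a script it reports the shell=True call on line 5 and the eval() call on line 8 of the sample and stays silent on the list-form subprocess call. Growing it means adding one rule at a time as teams bring you real problems, which is the in-house, incremental path the theme recommends over chasing a general-purpose scanner from the start.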
Another way you can control your risk budget is by spending on things that are relevant. For context, only go with security reviews that you can deliver with high quality. Also, you can do some research, collect data, and prioritize with a scale of preference. This helps you identify what needs to be done and hold off on what doesn’t really make sense at the moment.
Although these themes have worked well for some organizations, they may or may not apply to your organizational structure or business model. It is up to you and your team to decide which ones you would like to adopt.
Nonetheless, it’s worth noting that they have, in fact, worked wonderfully well for many successful companies we know today, especially the ones mentioned earlier.
If a theme does not work for you, there is no harm in trying out multiple alternatives till you find one that clicks. Usually, you can apply one or more of these ProdSec themes within the organization.