-
April 2, 2024
In my 18-years long career in software security, I've had the privilege of collaborating with a diverse array of companies, ranging from nimble startups to established Fortune 500 giants. Whether establishing product security practices from scratch in startups or fine-tuning product security functions in larger organizations to align with growth objectives and engineering velocity, I've gained valuable insights along the way.
Through these experiences, I've come to appreciate the critical importance of fostering proactive and seamless collaboration between engineering and product security teams. This synergy is not just advantageous; it's essential for ensuring the swift and secure delivery of software releases in today’s fast feature driven software development lifecycle.
In this blog, I aim to do more than just share my experiences—I want to engage and empower readers by offering practical advice on steering clear of common pitfalls in software security. Together, we'll explore strategies for achieving smoother collaboration between development and product security teams, ultimately paving the way for more efficient and effective software development processes.
Introduction
Every organization possesses one or more unique development workflows, shaped by the evolution of their engineering department, tools, and processes since the inception of their product journey. As organizations mature and embark on their compliance journey to market their product across different sectors, the significance of product security becomes paramount.
When making the initial security hire, it's crucial to ensure they grasp the intricacies of the product roadmap, engineering culture, and existing CI/CD tooling. This understanding empowers them to seamlessly integrate security measures throughout the software development life cycle.
As the organization, product offerings and customer base grows, it is important for security functions to scale smoothly. Engineering orgs are under tremendous pressure to release shiny new features that generate revenue. If security doesn't match the speed of releases, then organizations may release insecure versions of software or slow down their overall releases. Both are detrimental to business. Let's take a look at the problems more closely.
If security teams fail to closely consider any of the aforementioned aspects (product roadmap, engineering culture, dev workflows), security processes, tooling, and security engineers may inadvertently create friction, hindering developer velocity and impeding release cycles. Such friction can significantly tarnish the security team’s reputation and overall effectiveness. In cases of ineffective collaboration, security teams may be blamed for the following:
Tooling issues:
Process-related problems:
Communication challenges:
Security professionals understand these development team concerns. However, to bridge the gap and build trust, let's explore these strategies
1. Communication at all layers
Product security leaders must forge strong relationships with engineering, product leaders, and frontline teams like developers, SREs, and product managers. Security teams should be actively involved in all strategic and tactical planning sessions, especially when prioritizing new products or features.
Empower your development teams! Provide developers, SREs, and QA testers with regular, hands-on security training specific to the technologies they use. This fosters collaboration beyond just vulnerabilities and incidents. Training equips them with remediation knowledge that can be directly applied when fixing vulnerabilities, ultimately resulting in more secure products.
Call to action:
2. Stakeholder buy-in
Including security from the beginning is critical to avoid delays and ensure a secure product launch. To achieve this, security leaders must secure executive buy-in from all stakeholder leadership teams. This collaboration empowers us to implement the right checks and balances, guaranteeing that security and privacy are prioritized throughout the entire product development lifecycle – from planning to launch.
Call to action:
Security leaders must develop a compelling presentation that clearly outlines the benefits of early security involvement. Focus on cost savings, faster time to market, and reduced risk of breaches. Use real-world examples or data to showcase the impact. Schedule meetings with key executives and leadership teams to secure their buy-in. In fact the VP R&D and CISO should illustrate a good rapport and lead by examples for their teams.
3. Appsec Tooling & developer workflow integration
Modern application security tools are built for today's fast-paced development workflows. Seamless integration means developers can screen security posture without disrupting their flow. This allows for early detection and fixing of vulnerabilities before features reach production. Security scans become transparent, empowering developers to write secure code from the start.
Call to action:
4. Always remember & cherish the human connection
“Dev and Appsec conversations are emotional conversations” ~ Shahar Man, CEO & Founder, Backslash
Whether the conversations are related to vulnerability remediation or risk prioritization these are emotional interactions between developers and Appsec engineers.
Developers work hard to build and push new features to production under tight deadlines set by product management. They take pride in their creativity and in the product that they have built. Appsec engineers take pride in protecting the software by identifying security defects, communicating them with engineering to drive fast remediation to protect the organization and customer trust. If security engineers do not form a strong bond with developers and do not show appreciation for their innovation and creativity, discussions around “security defects” can be interpreted as criticism. By working through these emotions with empathy and open communication, Dev and Appsec teams can build a strong bond. This human connection fosters trust, making collaboration more productive towards achieving a common goal of protecting software, customer trust, organization’s reputation and revenue.
Software fuels human progress, but with this power comes the responsibility to secure it. The good news? You're not alone in this fight. By implementing these practical strategies, you can forge a powerful alliance between security and development teams. This collaboration is the secret weapon for achieving faster, more secure releases. Together, we can build a more secure future.
Trupti has 18 years of diverse experience, leading security and privacy initiatives in Fortune 500 companies and dynamic startups. She enjoys researching emerging trends in security and their impact on software security and privacy . Her journey is marked by cultivating high-performing teams, pioneering product security and privacy engineering strategies, and instilling a progressive mindset. A seasoned public speaker and product security leader, she passionately imparts her insights to drive positive security impacts and mitigate organizational risks. Notably, she holds a patent for a secure and anonymous electronic polling solution.