In this article, Raj Udamas, Product Security Manager at Compass, shares his experience and highlights recurring themes that have led to impactful collaborations and organizational risk reduction. Product security (ProdSec) is crucial to growing your business, as it helps build a solid and recognizable brand for your products. While you might be wondering how product security themes come into the mix, know that they’re the bedrock of ProdSec.
There are so many themes up for consideration, but we’ll be highlighting a few standouts that have been successful in top organizations like Etsy, Squarespace, Canary, and Spotify.
Before we delve into the juicy stuff, let’s get something straight. Typically, these themes work for tech-oriented organizations and require their employees to step to the fore in deploying modern technologies as solutions.
Without further ado:
In today’s world, partnerships are everything. Since no man is an island, you will need to engage other organizations in order to take your company to greater heights.
That is not all there is to partnerships, though, as any “Tom, Dick, and Harry” can form one. Before you enter into any partnership, ensure that the interests of your organization and those of the partnering firm are aligned.
For example, if you have an organization that is into coding and programming, establishing a bond with a firm that is into building apps is sure to yield positive dividends.
Additionally, partnerships don’t have to be external. Internal partnerships can also foster organizational growth. For context, dividing a project between two teams is sure to yield quicker results.
Finally, an effective partnership should never be parasitic. Whenever you feel as though you are being taken advantage of, it is within your rights to call it quits.
While you may know “the golden path” as the title of a Netflix movie, it is important to note that its usage is entirely different in the world of product security.
At several organizations, the golden path is used as a measure of success across a particular period. It is a set of developer productivity tooling that has strong adoption within the organization. A well-defined golden path is basically a fail-safe that prevents you from “shooting yourself in the foot,” as it is meant to be a secure methodology for achieving your ProdSec goals.
With a golden path in place, you can get your team of software developers to develop and deploy a working system on it. This has worked for many successful companies in modern times and is one theme that should not be relegated to the background.
However, working on a “Golden Path” does not mean you should limit your partnership ventures to other teams or organizations that follow a similar methodology. While your productivity tooling may not support systems that do not conform, you can still provide support with security reviews and other expertise that is within your capabilities but outside the golden path. In the long run, it could yield your organization some positives.
The saying, “opportunity comes but once,” accentuates this theme. In product security, you will have to make use of any chance you think your company can avail itself of.
This theme contrasts with the conservative approach. You do not have to wait until an issue arises before you take a huge leap. If you see a set of motivated individuals ready to put in the needed working hours, bring them on board.
If the company does experience a crisis in the future, these individuals will be by your side to provide the much-needed solution. You will not have to worry about integrating them into your organization, since you have already established a good partnership.
Okay, so this theme sounds rather complicated, but it’s actually not that hard to comprehend.
Here is an illustration.
In organizations that feature Google products, solving Google-scale problems often takes precedence over primary areas within the firm, and may even be considered a good day’s work.
Effectively, Google scale should not be your major focus, but it is a great opportunity to garner a Black Hat talk for your organization. It is also a portable solution with a wider reach. However, a better option than relying on an external body like Google would be to create your own effective in-house solutions.
An in-house solution might not be the most tech-savvy or score high marks in a DevOps competition, but it is a start regardless. To get development underway, you need to get a hold of how your teams work and try to implement simple solutions for easy tasks. That way, you can focus on any optimization aspects that pop up during the tests.
Every company should have a risk budget, as this helps to mitigate losses. To ensure that you don’t exceed this budget limit, you might want to use some cost-effective tools like SAST. With SAST, you don’t have to worry about engaging third-party alternatives, as you are in charge of all proceedings.
But bear in mind that by using a SAST tool alone, your company might receive less coverage and fewer findings. Nevertheless, weighed against the risks, that loss is negligible.
Another way you can control your risk budget is by spending only on things that are relevant. For context, only take on security reviews that you can deliver with high quality. Also, you can do some research, collect data, and prioritize with a scale of preference. This helps you identify what needs to be done and hold off on what doesn’t really make sense at the moment.
Although these themes have worked well for some organizations, they may or may not apply to your organizational structure or business model. It is up to you and your team to decide which ones you would like to adopt.
Nonetheless, it’s worth noting that they have, in fact, worked wonderfully well for many successful companies we know today, especially the ones mentioned earlier.
If a theme does not work for you, there is no harm in trying out multiple alternatives until you find one that clicks. Usually, you can apply one or more of these ProdSec themes within the organization.