Making the Security Conversation More ‘Feature-Driven’

Author: Sandhya Narayan, Principal Program Manager
Date Published: 16 August 2021

Editor’s note: The following is a sponsored blog post from Adobe:

A constantly changing security landscape driven by increasingly persistent threats, growing attack sophistication and tighter compliance requirements keeps both the security and product teams at Adobe busy. As the pace of change continues to accelerate, we found that the traditional security engagement model — attempting to address security issues and retrofit security features into products after the fact — cannot scale. This is especially true as the application development process has become both more rapid and more abstracted with the use of newer cloud technologies, such as containers and microservices. In addition, we realized that if our security team continued to engage with product teams using the same methods we have always used, we may find ourselves in a position of forever playing catch-up. This can leave us seen more as “ticket-pushers” than as a team that makes meaningful strides in security — something that’s definitely not scalable given this increased pace of development.

After closely examining our process and engagement with product and service teams to determine what would work best in our cloud-centric app development world, we focused on evolving our engagement model into a more proactive and collaborative one, making this a foundational concept in our security engagement strategy. This is part of an overall strategy in our application security efforts to “shift left” as much of the security effort as possible in the development process.

Here are five key improvements to a security engagement process that we recommend to help ensure “secure by design” principles are better used across teams:

Engagement
Security teams typically engage with security champions within the product group. While these security champions assist our centralized security team in scaling security efforts, they are not the ones ultimately responsible for product roadmap decisions; that responsibility falls on Adobe application development teams. Adapting to this reality in the software development lifecycle helped us create an engagement model that brings the right players into security conversations at the right time, not only ensuring proper prioritization and timely remediation, but also gaining commitments and making real decisions.

To this end, we now take a tiered approach, engaging with security champions on a bi-weekly basis and meeting on a monthly or quarterly schedule with product architects and product management to learn more about the overall product roadmap and design strategy. We also continue to meet with engineering teams, subject matter experts and DevOps each time new services are spun off and more details are needed to better understand the inner workings of systems and services. This helps everyone stay informed at all levels and aids in ensuring product security.

Conversation
Making a conscious shift in the conversations with engineering teams is fundamental. While such communication is a soft skill and may be downplayed by engineers, we found that it has helped us gain early visibility into engineering and product roadmaps as well as transform our conversations from one-way information downloads from engineering to two-way consultations and collaboration.

Problem-Solving
Rather than meeting to just review security issues and gather updates on incremental progress, we changed our fundamental engagement approach with the product teams. By becoming better listeners, we not only became an integral part of their design process, but we also became problem-solvers who can help brainstorm, ideate and untangle complex architectural challenges.

Partnership
This change in approach has led to a stronger partnership between our security and product teams. Security team members are no longer seen as the ones who push additional work with unreasonable timelines. Instead, we are now viewed as pivotal partners who can be trusted to call out the missteps and champion the right approaches. Our conversations are focused on how to securely design applications and services from the ground up.

Design and Build Secure
“Shifting left” in the software development lifecycle and engaging with product teams earlier in the design and development phases helps ensure the product teams understand the need to place security requirements on par with feature requirements. Making sure security is truly integrated throughout the software development process — in the concept, design, development, build, test and deployment phases — is a win-win for both Adobe and our customers.

With the growing sophistication of attacks and ever-changing business needs, it’s very important for security teams to stay engaged and connected to their product teams. At Adobe, that means our security group must remain flexible and align our engagement strategies with the product teams to help ensure security and compliance needs are met along with business requirements. We strongly believe that fostering this symbiotic model will benefit both security and product teams in the long run.