How to Build a Product Security Roadmap

00:00

[Music]

00:03

hello and welcome back to nucleus

00:05

shortcuts I'm your host Adam Dudley and

00:07

our topic today is what is product

00:09

security and how to build a roadmap for

00:12

Success so today's expert on the topic

00:14

is anshuman uh he is an information

00:17

security professional of over a decade

00:19

he's currently a principal security

00:21

engineer at 30 Madison which is a

00:23

Healthcare company and he's worked for

00:26

some pretty big names atlassian Intuit

00:29

and Dell as well and this is his first

00:31

time on the shows I've been in this

00:34

industry for about 13 14 years now and

00:36

I've worked in both big Enterprises and

00:40

smaller companies as well application

00:42

and product security is something that

00:44

I've been doing pretty much all my

00:46

career and over the years I've also had

00:50

the opportunity to look into other

00:53

domains like infrastructure security

00:54

automation uh incident response so I I

00:57

feel very fortunate to have those

01:00

opportunities during my career and you

01:03

know I believe in giving back to the

01:05

community I have open sourced a few

01:07

tools security tools and I really

01:10

believe in Innovation and solving some

01:12

challenging security problems using some

01:15

of the new technologies and automation

01:17

could you give us just a a very brief

01:20

definition you know how do you define

01:21

product security what does that look

01:23

like in today's modern Enterprise

01:25

product security you can think of it uh

01:27

it's a plague of function within an

01:31

organization that allows uh you know you

01:35

do establish processes activities like

01:37

setup tooling security scanners what not

01:41

to ensure that the customer data data or

01:44

information that the company's products

01:46

either store process or transfer is a

01:50

protected against unauthorized access by

01:53

malicious actors like that's a very high

01:56

level overview of how we can think about

01:59

it uh product security can uh you know

02:03

contain things like application security

02:05

which is more focused on just

02:07

applications but I know folks use both

02:09

the terms interchangeably securing

02:11

applications is one thing but then how

02:13

do you deploy those applications on the

02:16

cloud infrastructure like these is it so

02:18

it's all about Cloud right like right

02:20

right AWS Google Cloud Azure right so uh

02:24

apart from securing the application uh

02:27

you know the deployment piece also I

02:30

believe false under product security

02:31

okay

02:33

you want to make sure the product is

02:35

from the point where it's committed like

02:37

when the code gets committed to the

02:39

point where it's actually deployed so

02:41

the entire life cycle so getting into

02:42

the meat of our topic and the article I

02:45

read on your blog that inspired me to

02:46

invite you here to shortcuts is you

02:49

wrote an article about a product

02:50

security roadmap and I learned a lot in

02:52

that article and so you know first of

02:55

all why does this matter you know in the

02:57

context of having a successful product

02:59

security program hasn't been you know

03:01

you join

03:02

um you know like the first part security

03:04

engineer uh we are onboarded onto an

03:07

organization you have different

03:08

stakeholders that you're supposed to

03:10

work with right these might be your VPS

03:13

or different engineering organizations

03:15

these might be your EMS right supporting

03:18

different smaller teams engineering

03:19

teams so it's really important as a

03:22

founding product security engineer to

03:25

have your stakeholders come to a shared

03:28

understanding of what the risks are that

03:30

your organization faces and what are the

03:33

product security engineer you suppose

03:34

you're planning to do to address them

03:37

and in what order right so a uh making

03:40

sure everybody is speaking the same

03:42

language when it comes to the risk and

03:45

then B making sure uh there's like a

03:48

good understanding of how how to address

03:51

it and how to prioritize what so now in

03:53

Broad Strokes how does one go about

03:55

building a product security roadmap I

03:57

think of the overall product security

03:59

function being broadly divided into

04:01

three major categories uh first one is

04:03

vulnerability management or how do you

04:07

deal with vulnerabilities that you

04:08

discover right second is security

04:10

Partnerships or in other words you know

04:13

how how do you make sure you are working

04:17

with your engineering counterparts and

04:19

integrating Security in the hdlc so

04:21

those kind of relationships Partnerships

04:23

there are different activities projects

04:25

you can do underneath that so that all

04:27

falls under this the third is security

04:30

tooling and operations this basically

04:32

contains you know uh deploying your

04:34

scanners uh making sure you know any

04:39

programs that you run

04:41

you are collecting valuable data from

04:45

them to make sure that you make

04:46

continuous continuous progress things of

04:49

that nature

04:51

um and so like I said each of these

04:52

categories will have a bunch of

04:55

activities projects that you could be

04:57

doing underneath them it's really

04:59

important to highlight that uh you can't

05:01

be doing everything together at once you

05:04

know so you should really be thinking

05:05

about splitting the overall roadmap into

05:08

a multi-year plan can be a three year

05:10

Prime can be a five year plan really

05:12

depends on the resources and the

05:13

priorities and and this roadmap the way

05:17

you divide it it's really about working

05:19

on smaller tactical projects in a

05:22

prioritized order which eventually

05:24

contributes towards uh overall strategic

05:27

roadmap of how you go about improving

05:30

the security posture of the organization

05:31

got it got it so you mentioned three

05:33

buckets there you have your VM security

05:35

Partnerships and security tooling and uh

05:39

for me what came up also is you know I

05:42

think contained in all those buckets is

05:44

the classic people process and

05:46

Technology right okay areas of concerns

05:50

um and then once you have that road map

05:51

then you're building out those tactical

05:53

projects uh and prioritizing them to

05:56

make sure you're making progress on the

05:57

longer term road map right right yes

06:00

exactly now in your article you called

06:02

these uh work streams I think which yeah

06:04

I kind of like that word

06:06

um you know your workflows a lot work

06:08

streams I I like and that's an

06:11

interesting way to break out I guess

06:14

categories of work

06:16

yeah like if you think about it in other

06:18

words right like again uh based on my

06:21

experience

06:22

um the the places where I've heard work

06:25

stream being uses so for let's say uh

06:27

there's there's a big project right that

06:30

that your company is undertaking and it

06:32

impacts pretty much all the

06:34

organizations within that right so it

06:37

can be HR can be legal it can be

06:38

engineering can be advertising sales

06:40

marketing whatever right so really what

06:43

you need is a team of individuals that

06:46

represent each one of these functions

06:48

right and they're working towards this

06:51

project so you can think of it like a

06:53

work stream where you don't necessarily

06:56

have the entire teams working with you

06:58

but your individuals representing those

07:00

teams so I think yeah work stream is a

07:03

good way to sort of make make that sense

07:05

before we wrap up Angela would you

07:08

please tell people where they can go to

07:10

check out your blog and learn more about

07:12

the stuff you're writing about

07:13

yeah sure thing uh you can uh check out

07:17

my blog on anshumanbartia.com that's

07:20

just my first name last name.com uh you

07:23

can also follow me on Twitter I'm uh

07:26

available at lunch one underscore BH

07:28

yeah and you know you can feel free to

07:31

email me I'm more than happy to

07:33

collaborate share ideas that's great

07:36

well we'll link to the article that

07:37

inspired this uh this episode so people

07:40

can take a look at that and I just want

07:42

you to thank you for coming on uh today

07:44

I know you're very busy guy in the

07:46

security World

07:47

um this is excellent and um you know the

07:50

the last thing I want to ask like in

07:52

your view is there one most important

07:54

thing you'd like folks to walk away with

07:55

from this conversation

07:57

yeah sure thing so I think you know

08:00

since we are talking about like uh

08:02

product security and how to get started

08:05

and how to build a program I think not

08:07

getting overwhelmed and being able to

08:09

ruthlessly prioritize I I like that word

08:11

ruthless prioritization and then

08:13

bringing along everybody else with you

08:15

on the journey like all your

08:17

stakeholders is probably the most

08:19

important important thing you can be

08:21

doing in order to be successful at it

08:23

right and then just being very

08:25

thoughtful about what to do and when and

08:27

how to uh leverage smaller wins in

08:31

improving the overall security strategy

08:33

and and the culture that goes a long way

08:35

so that would be my recommendation yeah

08:38

thank you and I love that phrase

08:39

ruthless prioritization I'm going to

08:41

call that the phrase of the episode here

08:43

uh you have to do it right because

08:46

there's there's always the demand to do

08:48

more with less and we need to make real

08:51

progress see you again soon on the next

08:52

nuclear shortcuts thanks anjuman sounds

08:55

good thank you so much for having me

08:57

[Music]