Payatu > What would you recommend as must-have elements of a robust Product Security Framework?
Minatee > For a robust Product Security Framework there are a number of things which should be set up.
- Security policy framework: This framework should lay down the product security policies, processes and guidelines required to be followed in the organization. This sets the security standards and standardizes the security processes across the organization.
- Some of the key elements to be embedded in the development process are:
  - Security embedded in the requirement phase itself. The security requirements are best captured and updated centrally (as per the standards, regulations and business best practices).
  - Security risk assessment framework as per industry best practices (NIST SP 800-53) with adequate threat modelling aspects being covered.
  - Secure development. Appropriate tooling and security expertise to assure secure software, e.g. tools for secure code analysis, secure open source components, integration of security tools in the CI/CD pipeline, security training and awareness.
  - Security testing, e.g. white box, black box and gray box testing.
  - Secure deployment, e.g. infrastructure security of the deployment environment.
  - Security lifecycle management, e.g. patch updates, managing OS obsolescence.
Payatu > What are some key areas to keep in mind while developing the threat model of a product?
Minatee > There are various ways to do threat modelling. Irrespective of the methodology used, the most important aspect of threat modelling is knowing the complete system well, especially all internal and external interfaces, and having a sound understanding of the possible threat vectors.
Payatu > Product leaders sometimes have to de-prioritize security risks to meet business demands of a faster time to market. How would you recommend leaders balance the need for speed without security tradeoffs?
Minatee > We always aim for risk management; only in an ideal world would we have zero risks. There has to be a clear and standard understanding of the risk appetite of an organization to take any security tradeoff decisions.
Payatu > What are some of the best practices of aligning product security teams to work closely with an engineering organization?
Minatee > In the ideal world, in my view, we shouldn’t have a separate security team, but security gets embedded in the engineering team. Until we reach the ideal situation, the endeavor of the security team should be to understand the products: their design and the technology used. And the engineering team should understand the security aspect of the product. This can be achieved with training, awareness sessions, brainstorming, workshops etc.
Payatu > Product security cannot prevent or fix all software vulnerabilities. Do you agree with the statement? If it is true, what would you recommend are some of the best practices to seamlessly align product security and incident management?
Minatee > Yes, in the ideal scenario product security should be well integrated into product development. As the product team handles product defects, similarly security vulnerabilities need to be addressed by the product team too. Many times, having a hub and spoke model for the security team works well, wherein the common security issues across platforms / technologies are addressed by the central team of security experts, and the product-specific vulnerabilities or mitigations need to be handled by the product security team.
Payatu > Is there an ideal ratio of product security engineer to product engineers?
Minatee > I am unable to comment on an ideal ratio, as my philosophy is that every developer needs to be aware of security aspects. As a developer is responsible for code quality, similarly they should be responsible for secure code as well. Along the same lines, every architect needs to be aware of the security aspects of architecture when designing and developing products.
This might seem a bit difficult now, but going forward this would be the new normal. This doesn’t mean the product security team wouldn’t exist, but I see both the development team and product security team merging to form a well-oiled product development team.
There would still be a need for a core security team focusing on common security issues, new security technologies, regulations, tools, research etc., and these would be best centralized in an organization.
Payatu > Do you recommend the use of Automatic Vulnerability Testing, Fuzzing tools? Help us understand the human element vs. automation in product security.
Minatee > Yes, I firmly believe humans should be involved only where machines fail. Issues which can be found by tools should be left to the tools. Finding logical issues, analyzing issues found by tools, customizing tools to a specific product, creating wrappers around the tools to help automation and much more should be the focus of humans.
Payatu > Can you share your insights for an aspiring product security engineer? What does a career in product security engineering look like?
Minatee > A career in security is quite promising considering the digitalization era and the threat landscape around us. For an aspiring security engineer, apart from having robust offensive and defensive security skills, one should understand the system and technology on which one is working, to be able to give valuable inputs. So the horizons of a security engineer overlap with those of the product engineer.
Payatu > What has helped you the most in your career as product security leader?
Minatee > My team. The entire credit goes to the team, who keep on inspiring me every day.
Payatu > How do you enjoy your time when you are not keeping products secure?
Minatee > I like spending time with family, gardening, yoga and reading.