
Security is an Awesome Product Feature

Presentation
This session was presented by Mark Hahn at DevSecOps Days Washington, D.C., held virtually on October 12, 2022.
Publisher

Software Engineering Institute

Abstract

Product teams balance competing interests for new features based on business value, but oftentimes there is no voice for security. How do we make the product value of security visible? Who advocates for security in a product-driven lifecycle?

Security is more than checklists of common vulnerabilities and answering questions from the security team. The business value of a system cannot be realized if the system is untrustworthy. Development teams must add security to their full-lifecycle view of product development. From product planning, through development and testing, to operation of the system, security should permeate each phase of product development.

During planning, product teams need to perform threat modeling to evaluate what risks are present and how to prioritize them. Risks can be broken down and addressed iteratively, just like other product features. Adding security tests to the product's test framework helps the team ensure that the product remains robust as features are added. Adding monitoring for security events gives the product team deeper insight into emergent risks.

These are a few ways that teams can practically address security in their products. Building a bridge for collaboration with the security team is another. When a team is unsure how to evaluate a given security risk, or whether a threat model is accurate, it can reach out to the security team and ask for assistance.

When was the last time you heard of a development team reaching out to the security team with questions, rather than the other way around?

Mark is the Director of Cloud Strategies, SRE, and DevOps at HTC/Ciber, responsible for all things related to software velocity and reliability for all development teams throughout HTC/Ciber's consulting practice. He leads the cloud delivery consulting practice, with over 100 million in annual sales of development, implementation, and advisory services, and shows clients how to build trust in agile methods and in a cloud-native, distributed-systems world built for DevOps and rapid change. He works with sales teams to find and close projects that bring value to clients using cloud-native technologies. He is fully conversant in today's cloud and mobile environment, where data must be secured across its full lifecycle, and is a rare high-level professional who maintains exceptional hands-on technical proficiency.