To build more secure products, we need to raise awareness of potential security flaws, take action on our findings as a delivery team, and keep learning from the outcomes.
Room F3 - Track 3: Talks
Testers, quality engineers, developers, security engineers, InfoSec, AppSec, engineering managers
“Congratulations, you’re the new security champion for your team! Now make sure to get all these important security topics done, okay? But don't get in the way of feature development.”
Even if you’re not an officially appointed champion, building secure products might be dear to you. It definitely is to me. The problem is that security is one of those aspects that people love to advertise, deem important, and still deprioritize and postpone for “later” (whenever that is). And sometimes, it’s even me saying “later.” So, how do we make sure “later” isn’t “never”?
In this talk, I’ll take you on my own journey, from learning more about security to supporting our information security team. Spreading awareness enabled us to include known topics in our roadmap and finally make our product more secure. Creating an application security strategy was key to finding the next most important measure while allowing us to share our endeavors across teams. We updated dependencies to get our components in shape before reviving automated dependency checks in our pipeline to combat prevailing alert fatigue. We fixed reported security issues, got rid of insecure implementations to reduce our product’s attack surface, and more - all this while still delivering new features and reducing other technical debt.
Hear about what worked, especially what didn’t, and what we really shouldn’t have done in the first place. I can’t offer you a magic recipe, yet I will share the pieces of advice that actually helped make things a bit more secure than yesterday every day.
120-minute Workshop
25-minute Talk