A Security Champion’s Journey

25-minute Talk

To build more secure products, we need to raise awareness of potential security flaws, take action on our findings as a delivery team, and continue learning from the outcomes.

Virtual Pass session

Timetable

10:45 a.m. – 11:30 a.m. Wednesday 20th

Room

Room F3 - Track 3: Talks

Audience

Testers, quality engineers, developers, security engineers, InfoSec, AppSec, engineering managers

Key-Learnings

  • Evaluate risks and potential impact based on your domain to get security improvements prioritized
  • Understand the need to experiment with different approaches to advocate for security from inside a delivery team and figure out what works
  • Opt for many small steps continuously and take your team with you
  • Fostering relationships and staying aligned across teams and specialties is crucial for driving outcomes
  • Keep learning with allies - we are all figuring this out and are more effective together

How to Make Things a Bit More Secure than Yesterday Every Day

“Congratulations, you’re the new security champion for your team! Now make sure to get all these important security topics done, okay? But don't get in the way of feature development.”

Even if you’re not an officially appointed champion, building secure products might be dear to you. It definitely is to me. The problem is that security is one of those aspects that people love to advertise, deem important, and still deprioritize and postpone for “later” (whenever that is). And sometimes, it’s even me saying “later.” So, how do we make sure “later” isn’t “never”?

In this talk, I’ll take you on my own journey, from learning more about security to supporting our information security team. Spreading awareness enabled us to include known topics in our roadmap and finally make our product more secure. Creating an application security strategy was key to finding the next most important measure while allowing us to share our endeavors across teams. We updated dependencies to get our components in shape before reviving automated dependency checks in our pipeline to combat prevailing alert fatigue. We fixed reported security issues, got rid of insecure implementations to reduce our product’s attack surface, and more - all this while still delivering new features and reducing other technical debt.

Hear about what worked, especially what didn’t, and what we really shouldn’t have done in the first place. I can’t offer you a magic recipe, yet I will share the pieces of advice that actually helped make things a bit more secure than yesterday every day.
