Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Using security champions and automation to create an effective SPLC

Taylor Lobb (Adobe), Julia Knecht (Adobe)
3:50pm–4:30pm Wednesday, November 1, 2017
Tools and processes
Location: Sutton North

Who is this presentation for?

  • Security analysts, program managers, and other leaders

Prerequisite knowledge

  • A basic understanding of SPLCs

What you'll learn

  • Learn how Adobe established an effective SPLC by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives

Description

A secure product lifecycle (SPLC) is integral to ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. Taylor Lobb and Julia Knecht explain how a team of just two security analysts in Adobe’s Digital Marketing business unit created a successful SPLC program that has scaled to support thousands of engineers by leveraging automation and establishing security ambassadors (champions) within the product engineering teams.

Defining security requirements and KPIs for engineering teams is just the first step in creating the SPLC. In order to make the design a reality for several products, thousands of engineers, and millions of lines of code, Adobe’s team was organized into an “as a service” model and utilized automation to scale to meet this demand. Establishing a strong security ambassador program helped ensure the success of the SPLC. The centralized ambassador network has been crucial to the success of all product security initiatives throughout the business unit. Taylor and Julia share examples of how ambassadors have assisted with incident response, driven training and security culture initiatives, and championed security-related projects on their individual teams.

Taylor and Julia dive into a case study of one of the most successful SPLC-driven programs—static code analysis. By fully automating the process from code check-in to delivery of results, the team achieved 100% buy-in from all engineering teams in Digital Marketing. The process was designed to have minimal impact on the engineering teams and to be integrated into their existing workflows, allowing for a very low-overhead program that adds value. The engineers code and commit as they normally would. On the backend, the static code analysis engine is constantly scanning and will inject any findings into the existing bug-tracking system.
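As an added illustration (not Adobe's code, and not something the session describes), the Python below sketches the deduplication step a pipeline like this needs when it injects scanner findings into a bug tracker: each finding is fingerprinted by rule, file and the flagged code rather than by line number, so a commit that merely shifts lines does not re-file an existing ticket, findings below a severity threshold are dropped, and tickets whose finding has disappeared are flagged for closure. The rule ids, file paths, code snippets and ticket ids are constructed sample data.

```python
# Added example: dedup static-analysis findings before filing them as tickets.
# Rule ids, paths, snippets and ticket ids below are constructed sample data.
from dataclasses import dataclass
import hashlib

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str      # the flagged source line
    severity: str     # low | medium | high | critical


def fingerprint(f: Finding) -> str:
    """Stable id from rule, file and whitespace-normalised code; the line
    number is left out so edits that shift the finding do not re-open tickets."""
    norm = " ".join(f.snippet.split())
    return hashlib.sha256(f"{f.rule_id}|{f.path}|{norm}".encode()).hexdigest()[:16]


def sync_findings(findings, open_tickets, min_severity="medium"):
    """Diff a fresh scan against tickets the scanner already opened.

    open_tickets maps fingerprint -> ticket id. Returns (to_create, to_close):
    findings with no ticket yet, and ticket ids whose finding has disappeared.
    Findings below min_severity are dropped to keep the noise for engineers low.
    """
    current = {fingerprint(f): f for f in findings
               if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]}
    to_create = [f for fp, f in current.items() if fp not in open_tickets]
    to_close = [tid for fp, tid in open_tickets.items() if fp not in current]
    return to_create, to_close


def demo():
    """Constructed scan: one known issue shifted two lines, one new, one noisy."""
    known = Finding("SQLI-001", "app/db.py", 40,
                    'cursor.execute("SELECT * FROM users WHERE id=" + uid)', "high")
    fixed = Finding("XSS-002", "web/tpl.py", 12, "return '<b>' + name + '</b>'", "high")
    open_tickets = {fingerprint(known): "SEC-101", fingerprint(fixed): "SEC-102"}
    scan = [
        Finding("SQLI-001", "app/db.py", 42,
                'cursor.execute("SELECT * FROM users WHERE id="  +  uid)', "high"),
        Finding("SECRET-003", "app/config.py", 7, "API_KEY = 'example-not-real'", "medium"),
        Finding("LOG-009", "app/util.py", 3, "print(payload)", "low"),
    ]
    return sync_findings(scan, open_tickets)
```

In the constructed run, only the new hard-coded secret finding would become a ticket, the shifted SQL finding keeps its existing ticket, the low-severity logging finding is suppressed, and SEC-102 is returned for closure.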

You’ll walk away with on-the-ground knowledge you can use to establish an effective SPLC in your own organization by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives.

Taylor Lobb

Adobe

Taylor Lobb is manager of security and privacy at Adobe, where he focuses on finding vulnerabilities within Adobe’s products. He leads a team of penetration testers and is responsible for the centralization and automation of many key security initiatives.

Julia Knecht

Adobe

Julia Knecht manages product security and privacy engineering at Adobe, where she created and is responsible for the secure product lifecycle of Adobe’s digital marketing business. An integral and invaluable piece of the SPLC is her successful Security Champions program.