A secure product lifecycle (SPLC) is integral to ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. Taylor Lobb and Julia Knecht explain how a team of just two security analysts in Adobe’s Digital Marketing business unit created a successful SPLC program that has scaled to support thousands of engineers by leveraging automation and establishing security ambassadors (champions) within the product engineering teams.
Defining security requirements and KPIs for engineering teams is just the first step in creating the SPLC. In order to make the design a reality for several products, thousands of engineers, and millions of lines of code, Adobe’s team was organized into an “as a service” model and utilized automation to scale to meet this demand. Establishing a strong security ambassador program helped ensure the success of the SPLC. The centralized ambassador network has been crucial to the success of all product security initiatives throughout the business unit. Taylor and Julia share examples of how ambassadors have assisted with incident response, driven training and security culture initiatives, and championed security-related projects on their individual teams.
Taylor and Julia dive into a case study of one of the most successful SPLC-driven programs—static code analysis. By fully automating the process from code check-in to delivery of results, the team achieved 100% buy-in from all engineering teams in Digital Marketing. The process was designed to have minimal impact on the engineering teams and to be integrated into their existing workflows, allowing for a very low-overhead program that adds value. The engineers code and commit as they normally would. On the backend, the static code analysis engine is constantly scanning and will inject any findings into the existing bug-tracking system.
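The part of that pipeline that decides the engineers' experience is the step that turns raw scanner output into bug-tracker tickets: if every rescan re-files the same finding, the program stops being low-overhead. The following is an added illustration, not Adobe's code; the scanner output shape, the rule identifiers and the notion of "already open" fingerprints are constructed assumptions, since the page names neither the analysis engine nor the bug tracker.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample scanner output, loosely SARIF-shaped. The real engine's
# format and the real bug-tracker API are not on the page; both are assumed.
SCAN_OUTPUT = json.dumps({"results": [
    {"ruleId": "SQLI-001", "message": "Unsanitized input reaches SQL query",
     "file": "src/db/user_query.py", "line": 42, "severity": "high"},
    {"ruleId": "XSS-004", "message": "Unescaped value rendered to HTML",
     "file": "src/web/profile.py", "line": 17, "severity": "medium"},
    {"ruleId": "SQLI-001", "message": "Unsanitized input reaches SQL query",
     "file": "src/db/user_query.py", "line": 42, "severity": "high"},  # same hit reported twice
]})

@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    severity: str
    message: str

    def fingerprint(self) -> str:
        # Stable identity across rescans: rule + file + line, not the message text.
        key = f"{self.rule}|{self.file}|{self.line}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]

def parse_findings(raw: str) -> list:
    data = json.loads(raw)
    return [Finding(r["ruleId"], r["file"], int(r["line"]), r["severity"], r["message"])
            for r in data["results"]]

def new_tickets(findings, open_fingerprints, min_severity="medium"):
    """Return only the tickets that should be filed: above the severity bar,
    not already open in the tracker, and not duplicated within this scan."""
    order = {"low": 0, "medium": 1, "high": 2}
    seen = set(open_fingerprints)
    tickets = []
    for f in findings:
        fp = f.fingerprint()
        if order[f.severity] < order[min_severity] or fp in seen:
            continue
        seen.add(fp)
        tickets.append({"fingerprint": fp, "severity": f.severity, "body": f.message,
                        "title": f"[SAST] {f.rule} in {f.file}:{f.line}"})
    return tickets

if __name__ == "__main__":
    findings = parse_findings(SCAN_OUTPUT)
    already_open = {findings[1].fingerprint()}  # pretend the XSS ticket was filed last run
    for t in new_tickets(findings, already_open):
        print(t["title"], t["fingerprint"])
```

Feeding the fingerprints of filed tickets back in on the next run is what makes the injection idempotent, so a rescan after an unrelated commit files nothing new.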
You’ll walk away with on-the-ground knowledge you can use to establish an effective SPLC in your own organization by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives.
Taylor Lobb is manager of security and privacy at Adobe, where he focuses on finding vulnerabilities within Adobe’s products. He leads a team of penetration testers and is responsible for centralization and automation of many key security initiatives.
Julia Knecht manages product security and privacy engineering at Adobe, where she created and is responsible for the secure product lifecycle of Adobe’s digital marketing business. An integral and invaluable piece of the SPLC is her successful Security Champions program.
©2017, O'Reilly Media, Inc.