2024-11-11, Westin, Munich
"Congratulations, you're the new security champion for your team! Now make sure to get all these important security topics done, okay? But don't get in the way of feature development."
Even if you're not an officially appointed champion, building secure products might be dear to you. It definitely is to me. The problem is that security is one of those aspects that people love to advertise, deem important, and still deprioritize and postpone for "later" (whenever that is). And sometimes, it's even me saying "later." So, how do we make sure "later" isn't "never"?
In this talk, I'll take you on my own journey, from learning more about security to supporting our information security team. Spreading awareness enabled us to include known topics in our roadmap and finally make our product more secure. Creating an application security strategy was key to finding the next most important measure while allowing us to share our endeavors across teams. We updated dependencies to get our components in shape before reviving automated dependency checks in our pipeline to combat prevailing alert fatigue. We fixed reported security issues, got rid of insecure implementations to reduce our product's attack surface, and more - all this while still delivering new features and reducing other technical debt.
Hear about what worked, especially what didn't, and what we really shouldn't have done in the first place. I can't offer you a magic recipe, yet I will share the pieces of advice that actually helped make things a bit more secure than yesterday every day.
Key learnings:
* Evaluate risks and potential impact based on your domain to get security improvements prioritized
* Understand that advocating for security from inside a delivery team means experimenting with different approaches to find out what works
* Opt for many small steps continuously and take your team with you
* Foster relationships and stay aligned across teams and specialties; this is crucial for driving outcomes
* Keep learning with allies - we are all figuring this out and are more effective together
DevSecOps, AppSec, SecurityChampion, Change
Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. She's passionate about the whole-team approach to holistic testing and quality and enjoys experimenting and learning continuously. Building great products that deliver value together with great people motivates her and lets her thrive. Security is a big part of this, and she's enthusiastic about all things AppSec to help build more secure solutions. Having received a lot from communities, she's paying it forward by sharing her stories and learning in public. She posts on Mastodon as @lisihocke@mastodon.social and blogs at www.lisihocke.com. In her free time, she plays indoor volleyball or delves into computer games and stories of all kinds.