Six stages to secure what you sell

Published 2022-04-06

Discover: A project in this early stage might be just a gleam in the eyes of the product team, but this is the time to conduct risk assessments, threat intelligence assessments, and possible abuse scenarios. Those can address security and privacy implications the product team may not have considered. It’s the beginning of the maturity activity called “planning ahead.”

Define: To design security into a product, security teams need to know its range of intended uses, who is going to be using it (target markets), and any regulatory requirements. The definition should also include requirements on upgrading, maintenance, and support throughout the product’s lifetime. The security team can then collaborate with the product team to design what Forrester calls “the thresholds of minimum viable security—the minimum controls necessary to protect the business when the product deploys.”

Align: This means setting staffing, tooling, and licensing requirements to protect the product once customers are using it. It may require new or custom-built tooling if the product will employ new technologies or development approaches. If the product uses open source or third-party software components (as almost all do), it’s important to determine how to manage that third-party risk. That includes creating an inventory, or software bill of materials (SBOM), for all third-party supply chain dependencies including data, code, and materials.

Build: For those with expertise and experience in DevSecOps, the activities at this stage will be familiar. They include automated testing tools like static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) integrated into the CI/CD pipeline. This will help developers address security issues throughout the process—instead of “shifting left,” the goal is to “shift everywhere” so that the right test is done at the right time. During penetration testing, security pros should consider misuse scenarios and test the product not just for what it should do, but also what it shouldn’t be able to do.
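The Align stage calls for an inventory of third-party dependencies and the Build stage for software composition analysis wired into the pipeline. The following script, added here as an illustration and not taken from the article or from Forrester, shows the two together: it parses a pinned dependency list, emits a minimal CycloneDX-shaped SBOM, and fails the build when a component falls below an advisory’s fixed version. The requirements file, the advisory feed and its `ADV-PLACEHOLDER-*` identifiers, the package versions, and the `example-app` component name are all constructed for the example; a real pipeline would pull the advisory feed from a vulnerability database and the SBOM from the build tool.

```python
"""Minimal SBOM inventory plus software composition analysis (SCA) gate.

Added example; not code from the article or from Forrester. All inputs
below (requirements, advisories, identifiers) are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample of a pinned requirements file (not a real project).
REQUIREMENTS_TXT = """\
# application dependencies (constructed sample)
requests==2.25.0
pyyaml==5.3.1
jinja2==3.1.2
"""

# Constructed advisory feed. The IDs are placeholders, NOT real CVEs, and the
# versions are invented; a real feed would come from a vulnerability database.
# Each entry says: every version of `package` below `fixed_in` is affected.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "requests", "fixed_in": "2.26.0"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "pyyaml", "fixed_in": "5.4.0"},
]

# Accepts only exact pins ("name==version"); anything else is rejected so the
# inventory cannot silently drift from what was actually built.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: version} for every '==' pin; comments and blanks skipped.

    Names are lower-cased because PyPI package names are case-insensitive.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable tuple for dotted numeric versions (non-numeric parts count as 0)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def build_sbom(pins: Dict[str, str], component_name: str = "example-app",
               component_version: str = "0.0.0-constructed") -> dict:
    """Build a minimal CycloneDX 1.4-shaped inventory with a purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": component_name,
                                   "version": component_version}},
        "components": [
            {"type": "library", "name": name, "version": ver,
             "purl": f"pkg:pypi/{name}@{ver}"}
            for name, ver in sorted(pins.items())
        ],
    }


def sca_findings(sbom: dict, advisories: List[Dict[str, str]]) -> List[dict]:
    """Match each SBOM component against the advisory feed by name and version."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["package"] and \
                    version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


def pipeline_gate(requirements_text: str,
                  advisories: List[Dict[str, str]] = ADVISORIES) -> Tuple[int, dict, List[dict]]:
    """What a CI step would do: parse, inventory, scan. Non-zero exit code fails the build."""
    sbom = build_sbom(parse_requirements(requirements_text))
    findings = sca_findings(sbom, advisories)
    return (1 if findings else 0), sbom, findings


if __name__ == "__main__":
    exit_code, sbom, findings = pipeline_gate(REQUIREMENTS_TXT)
    print(json.dumps(sbom, indent=2))  # the SBOM artifact to archive with the build
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(exit_code)
```

Run as a pipeline step, the script archives the SBOM alongside the build and returns a non-zero exit code when any pinned component is below an advisory’s fixed version, which is what lets the test run at the right time in the process rather than only at release.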

Launch: At this stage the product is generally available, so the security team must protect it with tools like web application firewalls, bot management, runtime application self-protection, and tamper-proofing. These should be designed to protect both the product and customer data based on the risks and threats identified earlier in the life cycle. The team should also collect telemetry to help detect and respond to attacks.

Grow: The job of the security team at this final stage is to analyze feedback from protection technologies and compare the product’s security metrics with established baselines and benchmarks. A key goal is to make product security a competitive differentiator. That means analyzing the customer experience to make any changes that will improve the balance of security and usability.