How CISOs can shift from application security to product security

For some companies, product security may focus solely on external customers, but others consider even internal projects, such as critical back-end financial or HR systems, to be within that product security umbrella. Either way, the product security outlook is more all-encompassing, explains Sam Rehman, CISO at EPAM Systems, a global software development firm. “This involves a broader scope, encompassing operational and technical controls, the overall environment, client identities, as well as mechanisms for detecting and responding to potential issues in the service,” he says.

One way to think of the difference is to imagine applications as cakes, says Christine Gadsby, vice president of product security for BlackBerry. Application security is akin to examining a single cake to be sure that it looks safe and is free from contaminants before serving it to someone. Product security, meanwhile, is the process of improving the way the bakery makes the cakes and the tools it uses, to ensure that every cake is safe and tastes good. “Product security is more of a ‘big picture’ approach – the entire baking process from start to finish and ensuring you build in the right actions and process at each step to ensure the cake has exactly the correct composition, meets your customers’ delicate and maybe sensitive palate, and remains ‘fresh’ over its lifetime,” she says. “As an organization, a product security team must consider the security of an entire list of products or systems and which customers use them, which may include several ‘ingredients’ or several cakes.”

Why product security is building steam

The fact that product security has worked its way onto enterprise organizational charts is not a repudiation of traditional application security testing, just an acknowledgement that modern software delivery needs a different set of eyes beyond the ones trained on the microscope of appsec testing. As technology leaders have recognized that applications don’t operate in a vacuum, product security has become the go-to team for watching the gaps between individual apps. Members of this team also serve as security advocates who can help instill security fundamentals into the repeatable development processes and the ‘software factory’ that produces all the code.

The emergence of product security is analogous to the addition of site reliability engineering early in the DevOps movement, says Scott Gerlach, co-founder and CSO at API security testing firm StackHawk. “As software was delivered more rapidly, reliability needed to be engineered into the product from inception through delivery. Today, security teams typically have minimal interactions with software during development. Product teams, on the other hand, engage throughout the entire lifecycle,” he says. “Incorporating security into their skill set and integrating it from product inception to release results in a quicker, more secure product delivery cycle. It’s about putting security closer to the products early on.”

At the same time, product security does not usually supplant traditional application security. Application security continues to play an important part in securing software, ideally within a well-coordinated product security framework. “It’s important to note that product security relies on appsec practices to limit and reduce vulnerabilities within the application,” explains EPAM’s Rehman. “Without addressing application-level vulnerabilities, no amount of additional security measures around the product can ensure a high standard.”

Product security plays a pivotal role in the implementation of security by design principles. It is integrally involved during the design phase of a product or service, according to Rehman. “This involvement extends to defining robust product policies and controls that are intricately woven into the product’s architecture and functionality.”
