Skip to content

Entries from January 2022

Recommended: A Corporate Anthropologist’s Guide to Product Security

I recently read a good essay by Alex Gantman titled: A Corporate Anthropologist’s Guide to Product Security. It's a year old, but I did not notice it before, and in any event, its contents are not time-sensitive at all. If you're responsible for deploying SDLC in any real production environment, then you are likely to find much truth in this essay.

Continue reading "Recommended: A Corporate Anthropologist’s Guide to Product Security"

Getting security requirements implemented

Every company that has both development teams and security teams also enjoys a healthy amount of tension between them. Specifics of the emotions involved may vary, but quite often security guys see developers as: not caring enough about security, focusing on short-term gains in features rather than on long-term robustness, and all-in-all, despite best intentions, still not “seeing the light”. Developers, in turn, often see their security-practicing friends as people with overly intense focus on security, which blinds them to all other needs of the product. They sometimes see those security preachers as people who maintain an overly simplistic view of the product design, and particularly of the cost and side-effects of the many changes they request for the sacred sake of security.

People of both camps are to a certain extent right, and to a certain extent exaggerating and not giving the other side enough credit. And yet, it doesn't even matter where the truth lies, nor if there is truth at all. What matters is that there are two groups that are both essential for product success, and which should work towards a common goal: a product that has many appealing properties, including security.

The rest of this post presents tips for proper collaboration between security and development teams, specifically where it comes to setting and implementing security requirements. Due to my default affiliation with the security camp, the actions I prescribe are targeted primarily at the security people, but I hope that both developers and security practitioners can benefit from the high level perspective that I try to convey in the following five tips.

Continue reading "Getting security requirements implemented"