Product Security and Application Security: The Need for Collaboration

  • Author Lianne Potter & Jeff Watkins,

  • 03.04.2023

With the rise of devops and continuous delivery, now more than ever, security must be shifted left in the development lifecycle. Lianne Potter and Jeff Watkins shed some light on why leaving your security in the dark is no longer a viable option.

An ex-colleague shared a predicament with a product his team developed. It featured a guest checkout that required SMS validation for orders. Attackers exploited the unauthenticated endpoint, leading to mass spamming and high carrier charges.

Victims could have been tricked into paying for orders they didn’t make or calling premium numbers to “cancel”. The proposed solution, a faux captcha, failed to address the problem.

The core issue was not technical, but rather a fundamentally exploitable design created without security in mind. The sad thing is that it probably passed a penetration test. The platform may not have been vulnerable, but it was exploitable. Improved communication, accountability, and ownership throughout the product’s design and development could have prevented this situation.

Product and security are often treated as separate entities with opposing goals: security hindering product release and product prioritising an MVP. However, they should work together for optimal results.

Shifting Security Left

Now more than ever, security must be shifted left in the development lifecycle. With the rise of devops and continuous delivery, security can’t be left in the dark until just before launch.

Engaging security early prevents technical debt and disruptions to planned work. However, security professionals often struggle to influence product owners, who hold the key to prioritising security. They tend to focus on engineers, overlooking the importance of product owners in an agile team.

This oversight contributes to the failure of many security champion programs, which rely on developers to convey the importance of security. If product owners don’t prioritise security, it’s challenging to integrate it into the development process.

Many product owners don’t view security as part of their “definition of done”, leading to delays and technical debt. Shifting security left to the user story stage can help address this issue; it should be framed as part of quality control and a value offering.

Just as customers wouldn’t tolerate buggy code, they value their safety and security. Companies that genuinely prioritise security stand out in a world where breaches are increasingly common.

The core of the problem is that traditional cybersecurity can miss fundamental design flaws in products. While security vulnerabilities are often technical issues, design flaws are product security issues that automated scans may not detect.

User-centric security is essential, as weaknesses like poor passwords are often attributed to operator error. We should avoid blaming users and focus on creating a user-friendly product with security baked in, rather than tacked on as an annoyance.

Balancing User-centric Security

Excessive security can be counterproductive, as overly rigid measures may lead to poor user experiences and workarounds. Striking the right balance requires understanding the user journey and collaborating with the product team.
Gene Kranz was the Flight director on the Apollo 13 mission and when the scientists back on earth were trying to find solutions to fix the malfunction caused by an explosion and rupture of an oxygen tank, they were framing their solutions in a very linear way. He was quoted as saying to his team:

‘I don’t care about what anything was designed to do, I care about what it can do’

It was only through collaborating and reframing the problem that they were able to find a solution that saved the lives of those astronauts. Because like so many things in life, It doesn’t matter what the thing was originally supposed to do, the situation has changed. All that matters is what we can make it do now. Sometimes completely changing direction is needed to get the result you want, sometimes, we need to think like someone else, because not all paths will be the happy path.

Jeff and Lianne are currently keynoting internationally on the subject of product security before the launch of their podcast and book on the subject. If you’d like to keep up to date with these projects, connect with them both on LinkedIn.

About the authors:

A lifelong technologist, first picking up coding at the age of six, Jeff has been in the industry for over 24 years. A servant-leader, he loves growing high-performing technical teams with a focus on sustainable growth and creating new roles in the industry. Outside of his role as Chief Product and Technology Officer for Edinburgh based xDesign, he loves writing and public speaking with particular interest in the topics of CyberSecurity and Artificial Intelligence.

As the Head of SecOps for the largest technology transformation project in Europe, Lianne is building a leading-edge security team to meet the needs of a modern retail organisation.

Drawing upon her expertise as a cyber-anthropologist through her consultancy, The Anthrosecurist, Lianne combines the human and the technical aspects of security to evangelise a cultural security transformation.

She is on the advisory board for Women in Leeds Digital (WILD), is a published author, podcast regular, and international keynote speaker. She recently won Computing.com’s Security Specialist of the Year and was featured in Cyber New Magazines top 40 under 40.

All events

All sponsors