Has anyone ever asked you what “product security” means or what it actually is? I’ve gotten this question more than a few times and my answer usually comes down to the ecosystem that surrounds the delivery of value to a customer. But, there is more to it than that.
To that end, I’m debuting a series of articles on what product security is and what it means for an organization, regardless of what that organization does. But first, before we can talk about securing a product, we have to talk about what a product is.
What is a product
A product combines applications, services, operations, and business needs. Unlike an individual software application that performs a specific task, a software product is a comprehensive solution that integrates multiple applications and technologies to provide a cohesive user experience and address broader objectives.
Bottom line: A product is an amalgamation of different technologies and services put together to bring value to a customer.
These products combine the core application(s), user interface (UI), databases, external services, IT applications, data, and APIs. That last one is important: APIs include both the ones the organization exposes and the ones it consumes from other organizations or services, and each of those is a trust boundary the product depends on.
The developed software goes through a series of continuous integration/continuous deployment (CI/CD) pipelines for building, packaging, automated testing, deployment, and delivery. Around those sit monitoring tools for performance tracking, development tools and frameworks, and version control (source control management) systems.
Operationally, the product needs to run in an environment that is accessible to the customers. That means server infrastructure, cloud services for hosting, and container platforms such as Docker for packaging and Kubernetes for orchestration and deployment.
And don’t forget about the supply chain. All those third-party components and parts that the product stitches together with its internally developed software expand the attack surface, and a malicious actor only has to find and exploit the weakest link in the overall chain. That chain gets bigger each day as organizations offload more of their work to outside services, tools, and products. There have been several high-profile supply chain attacks, the 2020 SolarWinds Orion compromise being the best-known example.
That’s a lot of parts, and they all combine to create a product. But how does that get secured?
From AppSec to ProdSec
The primary goal of AppSec is to defend the software that is developed inside an organization. This means leveraging tools like static and dynamic analysis (SAST and DAST), software composition analysis (SCA), web application firewalls, and integrating those tools into the development environment. More mature organizations may operate run-time protection, other more bespoke scanning or protection tools, and advanced training for their developers. The goal is to identify issues and resolve them as early in the development cycle as possible, colloquially known as “shift-left”.
But all of this is in the service of protecting the software and enabling a more secure developer. There is nothing “wrong” with that, but there is more to keeping an organization, and its products, secure. We do that by reducing the attack surface across the whole organization, combining the findings from every available source into one picture of the organization’s security posture. Put another way: Product Security.
Note: AppSec has always focused on the development of secure code. That focus has expanded over the years into areas such as supply chain, cloud, and container security. However, as environments have become more complex and the product is often more than a single monolithic application with a single modality (a web app), the time has come to broaden the scope to securing the overall product.
The broadening from AppSec to ProdSec marks a deliberate shift within the cybersecurity landscape, reflecting a more inclusive perspective on safeguarding software systems. By focusing on ProdSec, we prioritize the security of the entire software product, which integrates numerous applications, systems, services, environments, and other elements. This approach not only aligns with current development practices but also addresses the needs and expectations of users and organizations, ensuring robust protection throughout the product lifecycle, from inception to decommissioning.
What I’ll cover in upcoming releases
As you can tell, there is a lot to product security. Too much to cover in one newsletter. Over the next few months, I will take several editions to cover the topics that make up product security, including how other disciplines such as information security, network security, cloud security, infrastructure security, application security, and security operations fit in, and how they integrate to create one cohesive product security function in an organization.
Product security also goes beyond what we think of as an enterprise software product and includes devices (think Internet of Things), vehicles, and medical devices. Software may run in all of these, but it is not the main character.
I’ll also cover the role of the various posture management tools and platforms that exist to support product security throughout the lifecycle as well as the various compliance and regulatory impacts that are making security a more prominent focus for public and private organizations.
There is a lot to unpack here, and I hope you are ready for this journey through product security. I invite you to stay tuned for upcoming newsletters. Each edition will delve deeper into the world of securing products, from integrating the various security disciplines to navigating regulatory frameworks. Your engagement and insights are invaluable to us. Subscribe to ensure you don’t miss out on these discussions, and please share with peers who could benefit from this knowledge.