How Do You Justify Investment In Product Security?
On a recent episode of the Future of Application Security, FullStory’s VP of Product Security and Compliance, Mark Stanislav, shared his views. Here’s what Mark advised AppSec and ProdSec teams to do:
“Yeah, one that I really like, and in the spirit of product security and really thinking product security is not just AppSec or just CloudSec, it really is about the product development lifecycle, partnering with product managers, understanding the product fit and market fit and your TAM, those are things that make a product security team successful. And so one thing that I had done at Duo Security, we actually had kind of a product security enhancement roadmap where this wasn’t necessarily vulnerabilities that was like a defect we were remediating, it was actually kind of forward-looking, something about the product that we know could actually reduce friction in the sales cycle, that could actually help build confidence in the market or trust with our customers. And we had a few examples of these. One that comes to mind in terms of internal selling, we have historically had a finding on our annual pen test report. There were some nitty-gritty details about basically like serialized objects for the number of people on the podcast listening, you know, where the dragons are beyond those, but basically we had worked around the problem enough and it never felt complete, and customers still kind of turn their head a little sideways and said, ‘Yeah, that’s good, but not great.’ And I was actually able to get our product team and our engineering managers to kind of commit a couple of quarters to go through the entire code base and eradicate this entire very pervasive, like, hundreds of instances of this thing. And they made the investment because the business relationship there was that sales can sell faster, customers will have more confidence, it’s the right thing to do, and we know it’s the right thing to do. And being able to get that buy-in and actually allocate cycles to technical debt or to things that are not crisis-level security, that’s a culture of an organization that people would buy into that with me and I wouldn’t have to threaten security compliance 101.
They understood why it was good for our customer and, you know, from the buyer’s sense. And that’s like a great example where if you put that on a roadmap, you talk to product people as a product roadmap and you bring it to them in a way that’s still time-boxed and still has a value proposition. Reasonable people are going to do their job well, and in this case Duo Security had amazing product managers I worked with, and we shipped a lot of those kinds of forward-looking or just like better-than-expected levels of security to our customers, which is amazing.”
Check out Mark’s full episode here: How FullStory Measures & Improves Product Security