EP 43 — Avalara’s Derek Samford on Building a Security Culture with Data, Collaboration, Education, and Empathy


In this episode of the Future of Application Security, Harshil speaks with Derek Samford, Senior Director of Product Security at Avalara, a company that builds cloud-based tax compliance solutions. They discuss Derek’s approach to product security, including how his team uses data to drive visibility, how feedback loops can build maturity, and how they create application grade cards that inform remediation efforts. They also discuss how everyone is invited to contribute to product security solutions, how they create custom training for each new process, and the importance of empathy.

Topics discussed:

  • How Derek’s varied background brought him from network engineering to scalability and performance testing, to field support, to building a security validation team, to today building applications at Avalara from the ground up.
  • Why empathy is the most important skill you can have in security, and why it allows you to help others do their best work.
  • How Derek’s team practically approaches security, from running the same tools developers do, to having a strong security champions program, to encouraging open feedback.
  • How Avalara builds collaboration by inviting anyone who wants to contribute to security solutions to be part of the working group.
  • How Avalara uses data to help them understand what they’re protecting, to gain greater visibility, and to unify their processes.
  • How standardized processes and feedback loops create maturity over time.
  • The importance of education, and why they create training specific to the organization that focuses on “our tools, our processes, and our recommendations around security.”

Guest Quotes:

“Everybody wants to do a good job. Not everybody is equipped with the tools, the training, or the knowledge, or the experience to do things the right way, especially under the timelines and the deadlines it takes to deliver software.” (7:08)

“We operate in the same environments with the same tool sets that Dev and operations do to run our services. This is to force empathy on my team as well. They should understand the real environments we’re working in, not theoretical environments that they’re trying to secure, but really understand the impacts of their suggestions.” (10:26)

“A data-driven approach is saying, these are the things that we are protecting against. These are our control frameworks. These are what we will evaluate on. And having a meaningful and consistent way of reporting on that. Everything in any program starts with visibility.” (24:55)

“By creating these processes and funneling the teams through them, over time, the process matures. You create the maturity you’re looking for. … Part of security’s job is to help engineering teams mature, right? That is part of our role.” (30:29)

“Education is a parallel track to all of this. Everything that we do, every process we release, every standard we make that becomes officially approved, every time we have new tools, we create new training. … As we build the program, training is a pillar that holds up every piece of it.” (36:30)
