EP 33 — Democratizing Security and Implementing Change with Twilio’s Ariel Shin

In this episode of the Future of Application Security, Harshil speaks with Ariel Shin, Senior Product Security Engineer at Twilio, a company that provides businesses the tools to connect with customers through automated messaging. Ariel shares the story of how she implemented a democratized, centralized vulnerability management program at Twilio, which included conducting interviews to gauge the current state of vulnerability management, designing a new process that got everyone on the same page, getting buy-in by going on a roadshow across the company, and how they’re currently managing the program after rollout.

Topics discussed:

• Ariel’s journey through Twilo’s acquisition of Segment, going from a culture of a few hundred developers to a few thousand building many different projects.
• How Ariel designed and implemented a democratized, centralized vulnerability management process by getting buy-in from security, engineering, and leadership, and socializing the process.
• The importance of a centralized vulnerability management process to reduce confusion and easily see all vulnerabilities in one place, and how to make risk everyone’s responsibility.
• How, in order to uncover problems to address, Ariel interviewed security team members, developers, engineers, and other stakeholders, and created a flowchart of the current state of vulnerability management.
• The necessity of approaching security holistically, and not thinking about security just in terms of the industries or silos created in an organization.
• Identifying the pain points of an organization’s security approach, and how to use those pain points to articulate the change needed for an organization.
• How Ariel rolled out the new vulnerability management program through a roadshow across the organization, articulating what the changes were and how they improved security to increase buy-in.
• How Ariel and the security team created three dashboards so stakeholders could better understand their security posture: one for ticket triage, one for engineers to understand the tickets, and the third for leadership.

Guest Quotes: 

“So right now we’re focused on building application product security. That means building those foundational programs so we can scale our influence, and that includes threat model trainings, threat modeling. It includes using tooling like SAST and DAST, and edge scanning. And it also includes building those relationships with our stakeholders. So if that’s working with compliance teams, working with cloud security, we have a pretty broad approach to things as, how do we influence the developer to do the right thing? And anything that comes along with that, we’re involved in it.” (4:09)

“We should have a unified front when it comes to working with engineers, because part of this experience is a whole experience. It’s not, do XYZ for cloud security, do ABC for product security, and then another team will then pool your time. That’s an engineer. They’re thinking about security very broadly, not in terms of these industries that we have created within security.” (14:03)

“So that’s really important for when you’re looking holistically at the program and the vulnerabilities, you want to know what your top ten risks are. I don’t want to just solve tickets and not ever see an end in sight or be able to pull meaningful insights from the findings we’re seeing. I want to see, What is our number one vulnerability type. Is it broken access control? Is it SQL injection? Is it cross-site scripting? Because a lot of times the OWASP Top Ten doesn’t reflect your organization’s reality.” (18:10)

“It provided just a really great opportunity for us to connect with our developers and to build that relationship a little bit. And beyond that, many leaders knew about it. Since we prioritized breadth, many leaders were in the know. And so I always tell people that we took a bottoms-up and a tops-down approach, because we did go to the leaders. We had buy-in from the security leadership side. So security leadership was really influencing engineering leadership and telling them, we do have to focus this year on our P0s and our P1s. We don’t want any of them to be out of SLA. So we’re going to take these steps to ensure that we have this operational excellence across the company.” (33:30)

“So we have this concept of BISOs, which are Business Information Security Officers. They’re kind of like CISOs for a specific business unit. They’ll go in with their partners —  they’ve already built this great relationship because they focus on other things beyond just the vulnerability management metrics. They talk through long-standing security problems, the goal of the security for their program, their roadmaps. We also have this thing called non-negotiables, which are kind of non-negotiables for your team to have. And so they’re already having those conversations.” (39:26)