Transitioning from Application Security to Product Security: Insights for CISOs

Product security is essential for companies, whether it is aimed at external customers or internal projects. Sam Rehman, the Chief Information Security Officer (CISO) at EPAM Systems, a global software development firm, emphasizes that product security covers a broader scope than application security: operational and technical controls, the overall environment, client identities, and the mechanisms for detecting and responding to potential issues in the service.

To better understand the difference between application security and product security, Christine Gadsby, the Vice President of Product Security for BlackBerry, uses an analogy of cakes. Application security is compared to examining a single cake to ensure its safety and cleanliness before serving it to someone. On the other hand, product security focuses on improving the entire baking process, including the tools used, to ensure that every cake meets the necessary standards. Gadsby explains that product security takes a “big picture” approach, considering the security of all the products or systems in an organization, which may involve several “ingredients” or cakes.

The rise of product security in the corporate world does not mean a decline in traditional application security testing. Instead, it recognizes that modern software delivery requires a different set of eyes to identify potential gaps between individual applications. Product security teams not only serve as security advocates but also help incorporate security fundamentals into the development processes and the software factory that produces the code. This evolution is similar to the addition of site reliability engineering during the DevOps movement, where reliability was engineered into software from inception to delivery. Scott Gerlach, co-founder and Chief Security Officer (CSO) at the API security testing firm StackHawk, explains that by integrating security skills and practices from the beginning of the product lifecycle, product teams can achieve quicker and more secure delivery cycles.

However, it is important to note that product security does not replace traditional application security. Application security still plays a crucial role in securing software, ideally within a well-coordinated product security framework. Rehman emphasizes that addressing application-level vulnerabilities remains essential for maintaining a high standard of security, even when additional security measures surround the product.

One of the key roles of product security lies in implementing security-by-design principles. During the design phase of a product or service, product security is deeply involved in defining robust policies and controls that are integrated into the product's architecture and functionality rather than added afterwards.

In conclusion, product security is gaining importance within organizations as it takes a broader approach to securing products and systems. While application security remains vital, product security complements it by incorporating security practices throughout the entire product lifecycle. By addressing vulnerabilities early on and integrating security from the beginning, organizations can ensure quicker and more secure product delivery. With product security in place, companies can confidently provide safe and reliable products and services to both internal and external customers.
