Jeevan Singh is the Director of Product Security at Twilio, where he is embedding security into all aspects of the software development process. He enjoys building security culture within organizations and educating staff on security best practices. He’s responsible for architecting security programs, driving security strategy, and mentoring and growing security engineers and managers. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 20 years.
Abdul Wahab is a Senior Tech Lead who loves growing engineering teams that are inquisitive, hungry to learn, and deliver lasting business solutions. When he’s not doing that, he writes tech articles & tutorials via Medium to teach and give back to the global software community, and bakes cakes & pizzas.
Abdul’s key expertise: API development best practices, technical architecture, leadership & staff development, AWS cloud, data engineering & movement between cloud & on-prem platforms.
I had the pleasure of hosting Jeevan and Abdul on this week’s episode of Champions of Security. Here’s the full episode and the key takeaways from our conversation.
Key Takeaways
#1: Celebrate Security Wins Company-Wide
People take pride in successful outcomes. Abdul suggests that developers document how they resolve security issues. These success stories, when distributed across engineering teams, provide several benefits. First, developers are educated on security issues, and the company gains reference material for similar problems in the future. Second, developers are incentivized to fix issues because their efforts are recognized.
Jeevan brought up a similar concept known as “democratized vulnerability management.” Under this mindset, engineers take ownership of insecure code and are encouraged to use the security team for guidance. If developers miss their Service Level Agreement (SLA) timeline, they’re responsible for communicating and requesting an extension. And, because the metrics are available to management, engineers can be directly recognized for their security efforts.
#2: Collaborate with Engineering for Stakeholder Support
Trade-offs are everywhere in business. All features require time, and time directly translates into dollars. Engineering and security teams must collaborate for stakeholders to understand the importance of secure software. The information presented to the decision-makers should include case studies, scope of work, recurring costs, and security risks. Engineering and security teams can advocate for secure software by working together to create the business proposal.
#3: Offer the Carrot Before Resorting to the Stick
Jeevan encourages everyone to say, “Yes, and…” Set up your security policies so engineers are empowered to take ownership of security best practices. Believe it or not, developers don’t want to write insecure code that puts the business at risk. Rely on people’s positive intentions first.
The time will come for security people to put their foot down. This behavior is sometimes necessary, but should not be the default response.
Interested in talking security with me? Reach out to me on LinkedIn.