How to build your product's security roadmap

By Jay Lloyd. June 2nd 2021

You have an amazing product! Customers are onboarding at a record pace, and your roadmap is packed with tons of new features to keep you one step ahead of the competition. Sounds great, right? It does feel great, but there’s something keeping you up at night. While you’ve been delivering product features at a record pace, you’ve been avoiding that list of security features that seems to be growing. Every week, there's a new threat adding to your worries and there’s a long list of customers in the pipeline who keep asking about your InfoSec policies.

Overwhelming? You bet it is. I’ve felt this pain, and a lot of customers that I speak to feel it too. But I’m here to tell you that it doesn’t have to be this way.

What you need is a plan. A lot of planning goes into the other aspects of your business—pricing, customer segments, hiring, culture. Your security posture deserves the same focus—a weak posture has the potential to tank your business quicker than anything else. Strong security practices not only defend against a data breach but are a must-have feature for customers today. Customers are increasingly aware that one of their biggest security threats is their vendor supply chain. Your goal is to make sure that you’re not your customers’ weakest link.

I do not want you to be the weakest link, nor do your customers, so let's get started on that plan. Start your journey by defining your objectives and the desired outcomes. The objectives need to be quantifiable so you can measure your progress along the way. Progress builds momentum, and momentum leads to wins.

Look over your backlog and pluck out some themes. Your themes should focus on protecting your customers, product, and company. With the right strategy, you may find that you now meet the requirements for that compliance certification that seemed so daunting. Not only have you addressed your biggest security risks, but you have also achieved a new certification that's going to win even more deals.

I must advise you, this isn't a one-time exercise. You should be reviewing and setting objectives a few times every year. Security is an endurance sport. New threats are emerging every day, and you need to make sure that you're addressing the biggest threats in real time.

You're winning more than ever now, but we haven't gotten to the best part of it all, and also the easiest. You have a Trust Center where you can communicate progress with your team and share updates with your customers. Hopefully, you're sleeping a little better now.

To help get you started, here's a list of items that you can add to your Trust Center's Roadmap.

Goal #1: Protect your company and customers' data from unauthorized access.

  • Security awareness training
  • Don't assume all your employees are up to speed on security matters. Internet Security Awareness Training ("ISAT") is a great way to make sure your employees act as your first line of defense. It's also a great first step towards building a security-focused culture. KnowBe4 is a great option for this.

  • Bug bounty program
  • Bug bounty programs, also referred to as vulnerability rewards programs ("VRP"), allow independent security researchers to report vulnerabilities found in your product and receive a reward. A bounty program is a strong signal of the maturity of your security practices. Bugcrowd has a template to help get you started.

  • Incident response plan
  • When something goes wrong in production, everyone quickly goes into fix-it mode; it can be chaotic. An incident response plan ("IRP") is a playbook that outlines everyone's roles and your communication plan. Your response to an incident can build credibility with your customers more than anything else. Companies have damaged their reputation because they were slow to disclose an incident. Security expert Ryan McGeehan published a boilerplate template to help get you started.

  • Require two-factor authentication
  • Turn on and require 2FA on your employee accounts wherever possible. 2FA protects against compromised passwords. However, be cautious of using SMS for 2FA. Hackers can spoof SMS, so use a tool like Google Authenticator or Duo Security to generate verification codes.

  • Encrypt laptop hard drives
  • There's a lot of information on your employees' laptops. In the event of a lost or stolen device, an encrypted disk will keep data safe. A device management tool like Fleetsmith for Apple devices will ensure that your employee devices enable settings such as hard-drive encryption.

  • Automatically lock employee laptops
  • An unlocked computer is an open invitation for trouble, especially in public workspaces like a local coffee shop or airport lounge. Fleetsmith can also be used to set automatic locking settings; five minutes of inactivity before locking is a good starting point.

  • Automatic OS updates
  • Operating systems are frequently updated to add new features, but more importantly, to fix security bugs. It's easy for an employee to ignore updates, so why not enforce automatic updates? Again, Fleetsmith can help with this.

  • VPN
  • Safeguarding your network is easier in the office, but new challenges exist now that your employees are more mobile and remote. There are well-known risks with connecting to the Wi-Fi at your local Starbucks, but how certain are you that your employees' home routers have the latest firmware, or that their default passwords have been changed? NordLayer, which we use at Trustpage, and Perimeter81 are packaged VPN solutions that you can roll out to your employees to provide safeguards no matter where they connect.

Goal #2: Reduce the risk of malicious attacks on your product

  • Use Secure Sockets Layer (SSL)
  • SSL is a no-brainer (what is actually deployed today is its successor, TLS, but the SSL name has stuck). There's no reason why any web application should not use it. Without it, any computer between your users and your servers can read credit card numbers, usernames and passwords, and any other sensitive information while it is in transit.

  • Vulnerability management
  • It's a much better strategy to identify vulnerabilities during your build cycle than in production. You're not only building a more secure product, but it's also more cost-effective to resolve these issues during development instead of in production. Semmle, creators of CodeQL and now part of GitHub, estimates the cost to fix vulnerabilities is as high as 100 times more in production than in development. There are a few initiatives that belong in this bucket: Patch Management, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). (Remember, take things one step at a time.)

    • Patch management - The servers that your application runs on need to be kept up to date. An unpatched OS can leave you susceptible to major vulnerabilities such as DDoS, elevation of privilege, spoofing, and information disclosure. Hosting your application in the cloud makes your job easier: a tool like AWS Patch Manager can automate patching, and a Platform as a Service (PaaS) like Heroku, which we use at Trustpage, makes managing patches as simple as redeploying your application.
    • Static application security testing - SAST tools analyze your source code and identify security flaws before the code ever runs. These tools are useful for assisting your developers during code reviews. Snyk, Semmle, and Semgrep are tools that will help prevent security bugs from making it into production, and Dependabot is great for keeping third-party dependencies with known vulnerabilities up to date.
    • Dynamic application security testing - DAST tools test your application while it's running. DAST works by mimicking an attacker and identifying vulnerabilities in your application. Vendors like Rapid7, Acunetix, Veracode, and Detectify can help in this department.

Goal #3: Ensure your customers have a secure and trustworthy experience with your product

  • Privacy policy
  • Customers are becoming increasingly cautious about who has their data and what's happening with it. Your privacy policy should spell out what data you're collecting and how you're using it.

  • Require strong passwords
  • Not only should you be concerned with your employees' passwords, but your customers' too. Avoid difficult conversations with customers about how their account was compromised because their password was '123456'. This is a solid first step, but also think about offering an SSO option to make everyone's lives easier.
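A server-side policy check that rejects the '123456' class of password is one concrete way to deliver this roadmap item. This is an added example, not Trustpage's code; the common-password set is a small constructed sample, and the length limits and identifier rule are assumptions you would tune to your own product.

```python
"""Server-side password policy check (added example, not Trustpage's code).

Rejects the kind of password the page warns about ('123456'), plus passwords
built from the account holder's own identifiers. The common-password set is
a small constructed sample; load a full breached-password list in production."""
import unicodedata

# Constructed sample of frequently leaked passwords (illustrative, not exhaustive).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "qwerty",
    "abc123", "password1", "111111", "letmein", "welcome",
}
MIN_LENGTH = 12   # assumed policy value
MAX_LENGTH = 128  # bounded so a passphrase is allowed but an oversized input is not


def password_problems(password: str, username: str = "", email: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    pw = unicodedata.normalize("NFKC", password)  # treat look-alike forms identically
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # 'Welcome123!' is still 'welcome': compare after lowercasing and stripping
    # the trailing digits and punctuation people bolt on to satisfy a checker.
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!@#$") in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # A password containing the username or the local part of the e-mail is guessable.
    identifiers = [username, email.split("@")[0] if email else ""]
    if any(i and len(i) >= 3 and i.lower() in lowered for i in identifiers):
        problems.append("contains the account's username or e-mail address")
    if len(set(pw)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def is_acceptable(password: str, username: str = "", email: str = "") -> bool:
    return not password_problems(password, username, email)
```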

  • Audit logs
  • Sometimes, the threat comes from within. When a customer asks "Who made this change?" you want to make sure you have audit logs that capture who made the change and when. Being able to provide this information to your customers is good for building trust.
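Because the threat may be an insider who can reach the log itself, an audit log is more trustworthy when each entry is chained to the previous one. The following is an added example, not Trustpage's code; the record layout, the hash-chain scheme and the sample entries are all constructed for illustration.

```python
"""Hash-chained, append-only audit log (added example, not Trustpage's code).
Every entry records who changed what and when, plus the SHA-256 of the
previous entry. Editing or deleting an earlier record (the insider case
the page mentions) breaks the chain, and verify() reports where."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, target: str, detail: dict, at: str = "") -> dict:
        """Append one entry; 'at' may be supplied for reproducible tests."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "at": at or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "detail": detail,
            "prev_hash": prev,
        }
        entry["hash"] = _entry_hash(entry)  # digest covers every field above
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; return (True, -1) or (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def who_changed(self, target: str) -> list:
        """Answer the customer's question: who changed this record, and when?"""
        return [(e["at"], e["actor"], e["action"]) for e in self.entries if e["target"] == target]
```

Ship the entries to storage the application itself cannot rewrite (a separate account or write-once bucket) so that the chain check has something independent to compare against.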


Jay Lloyd is the Lead Evangelist at Trustpage. After work, you can find him on his Peloton. He lives in Detroit.


Copyright © 2021 Trustpage. All rights reserved.