Foreword
Welcome back! After a hiatus from writing, and with Twitter shutting down the old platform, we will be back on a regular schedule.
Thank you for continuing to read; let us dig right into it.
Who owns security?
Security used to be something you did at the end of a project or a release, usually ceremonially crowned by the almighty pentest.
This has changed dramatically over the last few years. Today people talk a lot about security by design, shifting left, and other buzzy phrases.
Whose responsibility is security? Who owns it to design, build, and ship software securely? Unless you have a dedicated team, there is usually no clear ownership.
What if a security feature causes issues with the product design & usability?
How do you solve the issues of security negatively impacting onboarding and marketing numbers?
What if your security tooling adds extra steps and delays to shipping code fast and furiously, because you shifted all tooling as far left as possible?
Once security starts to impact the KPIs of individual business units and teams, they will start working around it, pushing it aside, and even silently discarding it.
I believe that security first and foremost starts with the people involved. It is everyone's job to continuously work on it and improve it.
Security in modern startups is a continuous conversation between design, engineering, marketing, and business. There is no singular ownership.
Design wants secure features with great UI and UX. Engineering wants to ship code fast, easily, and securely. Marketing wants easy, frictionless onboarding and uses security as a differentiator. Business wants to reduce business risk and build trust with clients and investors.
All parties have their business goals but also need to balance risk and reward. This means that leaders and teams must have an aligned security mindset and keep each other accountable.
When you build this kind of security culture, security tooling starts to become useful and not just in the way.
People won't try so hard to work around the tools and processes, but will rather figure out how to improve them. They can then focus on their work and ship secure products with great features and high business impact.
Modern security is about shifting perspectives and defining ownership of security in daily processes.
Maybe Product Security will be a new role in the future to bridge all of these? What do you think? Let me know at andy@occamslabs.com.
Links
🔐 The Vault Policy Guide - link
Vault access control lists (ACL) can be confusing and are not always straightforward to handle. This deep-dive is valuable for anyone who wants to set up Vault, but also for folks who have it running and want to review their policies.
☸️ K8sGPT - Ultimate tool for kubernetes scanning - link
With Kubernetes being pretty much everywhere, security is a big problem here. Combine it with AI and it can be a great tool to tame the complexity Kubernetes brings. While the tool is mainly designed to find configuration issues, it helps detect security misconfigurations as well.
🥑 Google GUAC v0.1 Launched - link
Graph for Understanding Artifact Composition (GUAC) is a metadata analysis tool that aims to improve supply chain security. It looks like a promising project to combine many different sources and refine them into a simple-to-use API.
📝 OWASP Top 10 for Large Language Model Applications - link
Artificial intelligence is here to stay. It will support our future work and might allow us to reach new levels of efficiency. With great power comes great responsibility and the first attacks have already been successful. The OWASP project released a first draft of the Top 10 security issues to watch out for.
🧠 Hallucinating AI as a security risk? - link
ChatGPT and other LLM systems sometimes make things up, including the names of open source libraries. An attacker could craft a malicious package and publish it under the made-up package name. While this is a bit hypothetical, it is not impossible at all.
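As an added example (not from this newsletter or any linked project), a small Python check that flags dependencies in an assistant-suggested requirements list that are not on a vetted allowlist, including look-alike names that are only an edit or two away from an approved package. The allowlist and the sample requirements are constructed; a real run would generate the allowlist from a reviewed lockfile.

```python
import re

# Constructed allowlist (assumption): package -> approved versions,
# e.g. generated from a reviewed lockfile. Not a live registry lookup.
APPROVED: dict[str, set[str]] = {
    "requests": {"2.31.0"},
    "cryptography": {"41.0.3"},
    "pyyaml": {"6.0.1"},
}
# Accepts "name" or "name==version"; any other specifier counts as unpinned.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")

def normalize(name: str) -> str:
    """PEP 503 canonical form: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_requirements(text: str) -> list[tuple[str, str, str]]:
    """Return (package, status, detail) for each non-empty requirements line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append((line, "unparsed", "could not read requirement"))
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name in APPROVED:
            if version is None:
                findings.append((name, "unpinned", "pin to an approved version"))
            elif version in APPROVED[name]:
                findings.append((name, "ok", version))
            else:
                findings.append((name, "version-not-approved", version))
        elif any(edit_distance(name, k) <= 2 for k in APPROVED):
            findings.append((name, "lookalike", "resembles an approved package"))
        else:
            findings.append((name, "unknown", "not vetted; confirm it really exists"))
    return findings

# Constructed sample as an assistant might suggest it; the last name is made up.
SAMPLE = "requests==2.31.0\nPyYAML==6.0.1\ncryptography\nreqeusts==2.31.0\nexample-made-up-helper==1.0\n"
```

Anything reported as "lookalike" or "unknown" is exactly the kind of name a hallucination-squatting package would occupy, so it should be confirmed against the registry and reviewed before it is installed.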
Thank you
Thank you for reading along. If you have feedback or have some questions just send me a message: andy@occamslabs.com