Product Engineers and Managers live in git, JIRA, and wikis to develop and release software, so why do security engineers use a fully different set of tools and dashboards to try to drive security fixes onto product teams' roadmaps?
Our team decided to use the 'live where they work' approach to see if we could increase the effectiveness and measurability of our engineering teams' participation in the SDLC.
In this talk, we will show you how our roots on the product engineering team inspired us to live where our engineers live, and leverage existing software development processes to enable our engineers to get security work done when and where it needs to get done, without the overhead of constantly trying to reinforce security-specific processes.
We will talk through the case study of setting up our 3rd Party Library vulnerability detection program. The case study will highlight how we were able to create a zero-overhead approach by leveraging automation and processes that we in had previously put in place. The new system ensures we have an accurate view of the 3rd Party Libraries in use by our products at all times. We integrated this with our project tracking software to automatically file tickets with the team at the discovery of a vulnerability or a vulnerable library. This approach enables us to respond as quickly as possible to disclosure of a vulnerability in a library used by one of our 15+ products with tons of moving pieces. We will also talk about our vulnerability management program and strategy, which heavily leverages our JIRA project tracking system as our source of data, so we’re working from the same dataset as our engineers.
By working where our engineers live, we are able to immediately cut down barriers to getting security work done where and when it needs to be done, and consolidate the source of truth about se. We empower our engineers to know
