Two years ago, I joined the Digital Marketing Product Security Team and took on the responsibility of establishing and managing the Secure Product Lifecycle (SPLC) process for Digital Marketing Product Engineering. There are currently eight Digital Marketing Solutions with engineering teams located all over the world. Many of these solutions came to Adobe by way of acquisition. I work with differing stacks, languages, company cultures, and time zones. I knew some of the engineers from having run our 3rd Party Penetration Testing program for three years – however, I was mostly starting the process from scratch. My main goal was to lower security overhead in the product development cycle and leverage existing processes.
I am very passionate about quickly making improved security an integrated part of our product development and leveraging as many existing processes and tools as possible. In order to promote security knowledge throughout the large Digital Marketing engineering organization, I created a human “botnet” of security champions. These champions come from positions all over the organization and coordinate with our security team to facilitate ongoing management and enforcement of our SPLC process.
Security, admittedly, has a bit of an “image problem” among development teams. It is something that developers often think of as a big, scary set of tasks intended to make their jobs more difficult or less enjoyable. We placed a big emphasis on changing this perception. The Digital Marketing Security team is focused on being a supportive, service organization – a far cry from the perception that we are a terrible force of nature leaving engineers feeling like they’ve been hit by a truck (or wishing they had been). Rather than coming in with the metaphorical hammer, we asked ourselves, “Can we get people to actually enjoy their interactions with our security team? How can we make this incredibly important, but often dreaded, piece of software development an integral and easier-to-implement part of the existing process?”
The first thing I did was to meet with the solution owners and program managers to learn how these teams develop and deliver software for these SaaS offerings. Adobe has an incredible program management network and an existing Service Lifecycle program that I was able to leverage and adapt to help meet the requirements of our Secure Product Lifecycle. I worked with the program managers to figure out how we could best add SPLC steps to their development and release process. I also ensured we had a clear process for adding security requirements and checkpoints to the release process. I worked with solution engineering directors to identify Security Champions on their engineering teams who would work with me to continue to improve our approach to security for the solutions.
A Security Champion is: ‘An advocate of security and the Digital Marketing Security team’s point of contact for the solution. The champion has a good understanding of the technology, an interest in ensuring better security for their offering, and a strong personal network in the engineering organization.’ Once this human “botnet” of Security Champions was established, the heavy lifting began. I set key performance indicators (KPIs) for the different elements of the SPLC around security training, threat modeling, static/dynamic analysis, and penetration testing. The very first KPI we focus on, in order to establish the proper background for having security conversations with the engineers, is technical security training. Adobe’s corporate secure software engineering team (known as “ASSET”) has created a fantastic training program that focuses on technical security topics and awards certifications in the form of white and green belts, similar to karate training. Each of the program managers has added this training to the new engineer onboarding steps, and they and the security champions have helped to develop strong measurements for the other KPIs.
My Security Champions helped increase the pervasiveness of our “security culture” more than I could have imagined when first starting this program. They are one of the driving forces in helping to further improve security across Adobe’s Digital Marketing solutions. They have been an amazing force multiplier helping to prioritize security practices in their teams’ design process, roadmap development, and mindset.
About 6 months after kicking off the Security Champions program, Digital Marketing Engineering had grown its base of security knowledge to the point where over 95% of its engineers were white and green belt certified. We had also increased the number of threat models, penetration tests, ongoing security projects, and automated security tests. Our metrics against these initiatives have continued to increase and improve. The teams are more proactively involving the Digital Marketing and corporate security teams in their design discussions, helping to ensure better security implementations throughout the process.
Messages like this from the teams show it’s working and make it all worth it:
We’re committed to building and maintaining the trust of our Digital Marketing customers by developing and providing them with the most secure software possible – solutions that help meet business demands and allow configurations to help meet their security and compliance needs. The SPLC and Security Champions program have helped to broaden the security knowledge and awareness of the Digital Marketing engineering teams. We will continue to raise that bar by continuing to iterate and improve on these programs.
Security Analyst, Digital Marketing