Building An AppSec Program - People To Know
Spoiler Alert - None Of These People Are Developers
While this advice is tailored for mid-size organizations, most of it should translate down to the scrappiest of start-ups (the role exists somewhere; it just may be a hat that one person wears occasionally).
The Product Manager
If you are the security person responsible for securing the user-facing surface area of your company, knowing what the company is building before they build it is an incredibly powerful asset. The product manager ideally sits in meetings where product roadmaps are decided one or more quarters in advance and can connect you with designers, UX researchers, and the like.
The product manager can help you with:
- How is this weird edge case I found expected to behave?
- Where can I find product designs/roadmaps?
- What are we building next month?
The QA Lead
This person is just Mirror World You. QA people are cut from the same cloth as security folks and can often help you scale a program out without a ton of time investment. This person can help you navigate your existing QA pipeline, train QAs (both technical and non-technical) to spot common security bugs, and build security test cases into the acceptance tests your organization is probably already running.
The QA lead can help you with:
- What do we have existing tests for?
- Where are we missing test coverage?
- How do I get a test account for Product X?
The Lawyer
Standard lawyer-adjacent disclaimer: I am not a lawyer and this is not legal advice, so always make sure you’ve spoken to an actual lawyer and know the stakes before discussing sensitive topics like info disclosure/etc.
Try to be on friendly terms with at least one JD-wielding member of the company legal team. Lawyers have the same mandate you do: protect the company. This is your common ground: they may not be technical, but you have the same goals. Bonus points if this person is responsible for privacy or compliance; they have a built-in incentive to cooperate with security initiatives.
The lawyer can help you with:
- Prioritizing audits of data storage
- Context-Specific Legal Stuff
By Your Powers Combined, I Am…Informed
So, why these people and not Engineering Leadership? You are probably already deeply embedded in Engineering for tactical reasons: getting bugs fixed, getting SAST configured, “shifting left”, etc. There are lots of DevSecOps resources out there tackling the Engineering side of things. However, humans are still designing and building software (for now), which means human-based intelligence is still valuable!