Engineering Empathy: Adapting Software Engineering Principles and Process to Security

Conference: BlackHat USA 2020

Adapting software engineering principles and processes to security can help security teams scale, mature, and improve. This involves developing empathy for the constraints, tools, and processes of software engineering teams and aligning security team principles, processes, and culture with those of software engineering teams.
  • Security teams should act more like software engineering teams
  • Adapting software engineering principles and processes can help security teams scale, mature, and improve
  • Developing empathy for software engineering teams is important
  • Aligning security team principles, processes, and culture with those of software engineering teams is important
  • KISS (keep it small and simple), DRY (don't repeat yourself), and TDD (test-driven development) are everyday principles behind writing good code that can be applied to security engineering

At Salesforce, the security team has a complex cryptographic policy that covers every cryptographic use case at a large company with complicated systems. Instead of sending the policy to engineers who have questions about cryptographic use cases, the security team has found it more effective to provide language-specific guides and prepared libraries for the most commonly used languages and cryptographic use cases at Heroku.
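The following is an added illustration of what a "prepared library" in the sense of the paragraph above can look like, and of the KISS/DRY/TDD bullets earlier on the page; it is example code written for this page, not code from the talk, Salesforce or Heroku. It assumes one common use case, HMAC-SHA256 message authentication (e.g. signing a session token), and an assumed policy of a 32-byte minimum key. The point is that the policy decisions (algorithm, key size, constant-time comparison, versioned token format) live in one small, tested API that engineers call, instead of in a document they have to interpret.

```python
"""Prepared MAC helper: an example of encoding crypto policy as a small library.

Constructed example for illustration; the algorithm and key-size policy below
are assumptions, not the policy described in the talk.
"""
import base64
import binascii
import hashlib
import hmac
import secrets

# Assumed policy values: HMAC-SHA256 with keys of at least 32 bytes.
MIN_KEY_BYTES = 32
VERSION = "v1"          # token format version, so the format can be rotated later
DIGEST = hashlib.sha256


class KeyPolicyError(ValueError):
    """Raised when a caller supplies a key that violates the assumed policy."""


def generate_key() -> bytes:
    """Return a fresh random key of the policy minimum length."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so tokens are safe in cookies and URLs.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    # Restore the padding that _b64e stripped; raises on malformed input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _check_key(key: bytes) -> None:
    if not isinstance(key, (bytes, bytearray)) or len(key) < MIN_KEY_BYTES:
        raise KeyPolicyError(f"key must be bytes of at least {MIN_KEY_BYTES} bytes")


def sign(key: bytes, message: bytes) -> str:
    """Return a token 'v1.<message>.<tag>' authenticating message under key."""
    _check_key(key)
    body = _b64e(message)
    # The version prefix is covered by the tag, so it cannot be swapped later.
    tag = hmac.new(key, f"{VERSION}.{body}".encode("ascii"), DIGEST).digest()
    return f"{VERSION}.{body}.{_b64e(tag)}"


def verify(key: bytes, token: str):
    """Return the original message bytes if token is valid under key, else None.

    All failure modes (bad format, unknown version, bad base64, wrong key,
    tampered message) collapse to a single None result on purpose: callers
    should not branch on why verification failed.
    """
    _check_key(key)
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != VERSION:
        return None
    version, body, tag_text = parts
    try:
        message = _b64d(body)
        tag = _b64d(tag_text)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, f"{version}.{body}".encode("ascii"), DIGEST).digest()
    # Constant-time comparison so a timing side channel cannot leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return message


if __name__ == "__main__":
    k = generate_key()
    t = sign(k, b"user=42")
    print(t)
    print(verify(k, t))
```

The tests that accompany such a library are the TDD half of the idea: they pin down the behaviour engineers depend on (round trip works, a changed message or a different key is rejected, an undersized key is refused) and catch regressions when the library is later changed.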


Software engineering has a lot to teach our 'security engineering' teams. This session will be a live retrospective of a professional role reversal: dropping a principal security engineer into a runtime team, and placing a principal software engineer into the platform security assessment team. We've got stories and live object lessons. Attendees will return to work knowing exactly how we have implemented these ideas to partner with engineering to protect a world-class platform as a service running millions of customer containers and data services. This session is aimed at both ICs and management.

Shifting left is a great marketing tagline. The valuable work is changing your security team's principles, processes, and culture to align with the principles, processes, and culture of your organization's software engineering teams. That alignment allows you to develop empathy for their constraints, tools, and processes. It also allows you to build your own tools, processes, and requirements in ways that are more actionable, realistic, and easier to understand and implement.


