Engineering Empathy: Adapting Software Engineering Principles and Process to Security

Adapting software engineering principles and processes to security can help security teams scale, mature, and improve. This involves developing empathy for the constraints, tools, and processes of software engineering teams and aligning security team principles, processes, and culture with those of software engineering teams.

• Security teams should act more like software engineering teams
• Adapting software engineering principles and processes can help security teams scale, mature, and improve
• Developing empathy for software engineering teams is important
• Aligning security team principles, processes, and culture with those of software engineering teams is important
• KISS (keep it small and simple), DRY (don't repeat yourself), and TDD (test-driven development) are everyday principles behind writing good code that can be applied to security engineering

At Salesforce, the security team has a complex cryptographic policy that covers every cryptographic use case at a large company with complicated systems. Instead of sending the policy to engineers who have questions about cryptographic use cases, the security team has found it more effective to provide language-specific guides and prepared libraries for the most commonly used languages and cryptographic use cases at Heroku.

Software engineering has a lot to teach our 'security engineering' teams - this session will be a live retrospective of a professional role reversal - dropping a principal security engineer into a runtime team, and placing a principal software engineer into the platform security assessment team.We've got stories and live object lessons.Attendees will return to work knowing exactly how we have implemented these ideas to partner with engineering to protect a world-class platform as a service running millions of customer containers and data services. This session is aimed at both IC's and management.Shifting left is a great marketing tagline.The valuable work is changing your security team's principles, processes, and culture to align with the principles, processes, and culture of your organization's software engineering teams allows you to develop empathy for their constraints, tools, and processes. It also allows you to build your own tools, processes, and requirements in ways that are more actionable, realistic, and easier to understand and implement.