The art and science of product security: A deep dive with Jacob Salassi
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Jacob Salassi, join us. You can find the main takeaways from our conversation with Jacob below.
Jacob's background
Jacob is the Director of Product Security and Regulatory Expansion at Snowflake, where he has played a pivotal role in guiding the company through its pre- and post-IPO phases.
With over 15 years of experience, initially in software engineering before transitioning to security, Jacob is a sought-after speaker at numerous conferences and podcasts, sharing his wealth of insights with others.
Jacob held a strong opinion that product security should be approached as a science, not an art. So we challenged him on how, in that case, one can nurture developer creativity to build secure applications, and asked him in depth about his scientific approach. Dive right in!
Referenced:
- GitHub - Materialize Threats
- Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time
- Measuring and Managing Information Risk: A FAIR Approach
The Art and Science of Product Security: Main Takeaways
In our conversation, Jacob discusses his approach to problem-solving, his career in network engineering and security, and the challenges of managing people problems compared to technical problems. He emphasizes the importance of a data-oriented approach to security and the continuous problem-solving opportunities in the security space.
Jacob also talks about his experience at Snowflake, where he has witnessed the company's growth and the evolution of product security practices.
He details how his team restructured to improve influence and collaboration across different security functions within the company. Jacob shares insights into threat modeling, the use of data in security, and the integration of threat detection and incident response into product development.
He also discusses the potential of leveraging AI and machine learning to improve security processes and the importance of quantitative risk analysis.
Problem Solving: The Core of Product Security
Jacob's philosophy is straightforward: "I just like to solve problems." This mindset transcends the specifics of the problem at hand, whether it's network engineering or security. He finds excitement in the challenge itself, stating, "the problem is what gets me excited." It's this enthusiasm for problem-solving that has propelled his career forward, even as he transitioned into management roles where "people problems" presented a new kind of challenge.
Whether it's network load balancing or the nuances of security management, the common thread is the thrill of the chase - the process of identifying a problem and relentlessly pursuing a solution.
People vs. Technical Problems
As Jacob's career evolved, he discovered that the problem-solving skills he refined in technical contexts were equally applicable to people management. The transition from technical expert to manager was seamless, not because the problems were similar, but because the underlying approach to solving them was the same: dissect the problem, understand its components, and construct a solution.
However, when it comes to the dichotomy of people and technical problems, Jacob finds the former to be significantly more challenging. People problems are complex and often unsolvable through engineering alone. They require a different approach and strategy, making the management and cultivation of team growth a nuanced and difficult task.
"People problems are much more challenging because they can't be solved. It's unsolvable. You can try very hard to engineer your way out of people problems, but that's not a good abstraction. I think it's good to have structure, but the people thing is different, requires a different approach and actually different strategies to succeed. So I would say it's much harder to take an engineering approach to managing a team and cultivating people."
Security: The Perennial Problem
Security is a domain that seems to be in a constant state of flux, with no permanent solutions. This presents an ongoing opportunity for problem-solving. The recent advancements in technologies like AI have only added layers to the security challenges, prompting professionals to continuously adapt and innovate.
Cultivating a Collaborative Culture in Security Teams
At Snowflake, Jacob witnessed the company's growth from a mid-sized entity to a publicly traded powerhouse. This journey brought about significant changes in how the product security team operated. Pre-IPO, product security was a single team, and its influence waned as the company expanded. It became evident that to effectively drive change, the security team needed to integrate seamlessly with the groups they aimed to influence.
This realization led to a restructuring of the security team into a global security organization with corporate and product security as its branches. This structure fostered coordination, autonomy, and self-determination, allowing each team to address the unique needs of their respective domains while ensuring overall safety.
Integrating Security into the Engineering Process
The integration of threat detection and incident response into the product development process was a critical step in enhancing security. By establishing a vertical collaboration between architecture, detection, incident response, and offensive security, Snowflake was able to address security concerns more holistically.
This approach also involved embedding dedicated security personnel within the product teams, ensuring that security considerations were factored into every stage of development. The goal was to anticipate future challenges and integrate security into the engineering mindset, asking developers to consider security implications for each change they make.
The Role of Materialize Threats in Security Integration
One of the tools in Jacob's arsenal is the open-source project Materialize Threats. It is aimed at developers and security practitioners who want to perform 'graph' analysis on data flow diagrams using SQL, which fits seamlessly into Snowflake's processes. "We definitely use it," Jacob confirms, underscoring its active role in their private fork, which is continuously developed.
Materialize Threats exemplifies the data-centric approach that Jacob advocates. By capturing and structuring data from security reviews, teams can gain actionable insights into their systems' risks. This structured approach to security reviews ensures that valuable data is not discarded but rather utilized to enhance security measures.
Leveraging Data in Security
A significant part of Jacob's work involves transforming security reviews into valuable data. By capturing and structuring this data, teams can analyze and understand the risks associated with their systems. This shift towards a data-driven approach allows for more informed decision-making and a clearer understanding of where security measures need to be implemented.
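To make the idea of graph analysis over a data flow diagram in SQL concrete, here is an added example; it is not code from Materialize Threats or from Snowflake. The table layout, the zone numbering, the `analyze` function and the sample diagram are all assumptions constructed for illustration, run here on SQLite so it works offline.

```python
import sqlite3

# Constructed sample diagram: (name, kind, trust zone); zone 0 is untrusted.
ELEMENTS = [
    ("browser", "external_entity", 0), ("api_gateway", "process", 1),
    ("order_service", "process", 2), ("report_job", "process", 2),
    ("orders_db", "data_store", 3),
]
# Constructed flows: (source, destination, authenticated flag).
FLOWS = [
    ("browser", "api_gateway", 0), ("api_gateway", "order_service", 1),
    ("order_service", "api_gateway", 1),  # response flow, forms a cycle
    ("order_service", "orders_db", 1), ("report_job", "orders_db", 0),
]
# Hypothetical schema, not the one any real tool uses.
SCHEMA = """
CREATE TABLE element (name TEXT PRIMARY KEY, kind TEXT, zone INTEGER);
CREATE TABLE flow (src TEXT, dst TEXT, authenticated INTEGER);
"""
# Recursive CTE: walk every flow path that starts at an untrusted element and
# report the paths that end at a data store. The instr() test stops cycles
# (a plain substring check, adequate for these sample names).
REACHABLE = """
WITH RECURSIVE walk(node, path) AS (
    SELECT name, name FROM element WHERE zone = 0
    UNION
    SELECT f.dst, walk.path || ' -> ' || f.dst
    FROM walk JOIN flow f ON f.src = walk.node
    WHERE instr(walk.path, f.dst) = 0
)
SELECT walk.path FROM walk JOIN element e ON e.name = walk.node
WHERE e.kind = 'data_store' ORDER BY walk.path;
"""
# Flows that enter a more trusted zone without authentication.
UNAUTH_CROSSINGS = """
SELECT f.src, f.dst FROM flow f
JOIN element s ON s.name = f.src JOIN element d ON d.name = f.dst
WHERE d.zone > s.zone AND f.authenticated = 0 ORDER BY f.src, f.dst;
"""

def analyze(elements=ELEMENTS, flows=FLOWS):
    # Load the diagram into an in-memory database and run both review queries.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO element VALUES (?, ?, ?)", elements)
    db.executemany("INSERT INTO flow VALUES (?, ?, ?)", flows)
    paths = [row[0] for row in db.execute(REACHABLE)]
    crossings = db.execute(UNAUTH_CROSSINGS).fetchall()
    return paths, crossings
```

Because the diagram lives in tables, each review question becomes a query that can be re-run whenever the diagram changes, and its results can be joined with other security data.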
The Artistic Approach to Product Security: A Practical Perspective
Jacob offers a pragmatic view on the role of art in product security. He argues that while there is a place for creativity and innovation, the stakes in product security are too high to rely solely on the abstract and unpredictable nature of art. "I have to guarantee security. Therefore, I don't have time for art," Jacob asserts.
He emphasizes the need for structured, repeatable processes that yield consistent and reliable outcomes. In his words, "Art doesn't guarantee anything except that someone might appreciate beauty."
This perspective underlines the importance of codifying and systematizing security practices to ensure that they are not left to the subjective interpretations that art might entail. For Jacob, the essence of product security lies in its ability to be quantified, measured, and managed with precision, leaving little room for the uncertainties that artistic approaches might introduce.
The Future of Security: A Data-Driven Approach
Looking ahead, Jacob sees a future where security is increasingly data-driven. He suggests that security professionals should familiarize themselves with the data approaches used in threat detection and incident response. By understanding the complete picture and integrating security data with enterprise data, teams can make more informed decisions and communicate risks effectively.
Advice for Aspiring Security Professionals
For those entering the field of application security, Jacob recommends exploring how threat detection and incident response teams leverage data. Understanding security as a data problem is crucial, and it's important to consider how to capture and utilize data effectively. Additionally, professionals should familiarize themselves with quantitative risk analysis, as it plays a vital role in communicating security concerns to stakeholders at all levels, including the board of directors.
Final Thoughts
In conclusion, Jacob's conversation underscores the importance of a problem-solving mindset, the integration of security into the product development lifecycle, and the potential of data to transform the field of security. As the industry continues to grapple with new challenges, professionals who can navigate the intersection of technology, data, and human factors will be well-positioned to lead the way in product security.
Recommended reading
Jacob suggests two books for those interested in deepening their understanding of quantitative risk analysis:
- "Measuring and Managing Information Risk: A FAIR Approach." This book introduces the FAIR (Factor Analysis of Information Risk) model, a standard for quantifying information risk.
- "Engineering Trustworthy Systems." This book discusses a government approach to risk computation and, when combined with FAIR, can provide a comprehensive framework for risk analysis.
Action items for Product Security engineers
- Explore the use of data in threat detection and incident response.
- Consider the integration of security into the product development lifecycle.
- Investigate the potential of AI and machine learning in security processes.
- Focus on quantitative risk analysis for informed security decision-making.