Security in a SaaS product, It’s Not Just About the Product

The work to secure a product, its data, architecture, the people who create that product, and the people who support it, is never done. The challenge we are always facing is how do we continue to grow our understanding in a threat landscape that produces hundreds of thousands of attacks every day? How do we make sure that the information is reaching all employees in a way that informs and can be applied to their day to day work? We knew from day one that our approach to security couldn’t be theory or unacted upon whitepapers. It needed and still needs to be aggressive, impactful and continually evolving. Let’s explore how we accomplish those three things:

Being aggressive means having a clear goal of catching any vulnerability before it even gets close to production. Before a line of code is written the security implications of the work that is to be done is considered by the product managers and scrums. Grooming for security is the start which continues to: teams reaching out to a security analyst in our CTO’s office for guidance when needed, running code through a variety of vulnerability scans, and executing security tests that are a standard part of our software development lifecycle. We are determined to find vulnerabilities as early as possible.

Impactful is a simple concept but one of the harder things to do with security. For us, it means making sure our aggressive and evolving posture reaches all parts of our products and business.

And when we break it down, when we say parts we mostly mean people. From the CEO to the part-time intern, we all need to be thinking about security in what we do. A great case study is Heartland Payment Systems who have suffered two major breaches in their company’s life: one was a SQL injection that had been in the product for eight years, and hackers spent eight months finding and then exploiting. The other was a brazen late-night break in which thieves grabbed desktops. Such a wide and varied threat landscape requires our thinking to be wide and varied as well. Reaching every member of our organization to be thinking about security as it pertains to their role creates a culture where security is not a passing fad but a daily consideration in all the things we do. We will talk more about how we do this in another blog about Security Guilds.

The evolving nature of our security posture requires a constant evaluation of the threat landscape. We accomplish this by having a number of security engineers and analyst continually perform a variety of tasks to implement scanning and monitoring tools, perform white hat hacking, work with development engineers to help make architecture and coding recommendations, and ensure that our processes are working efficiently. The process evaluation is probably one of the most important parts of our evolution. It cannot be emphasized enough, a variety of processes for different situations are necessary, but making sure that every engineer, manager, executive, administrator, accountant, etc understands what a potential issue could be and understands how and why to report is paramount.

The goals of being aggressive, impactful, and evolving around security require action from all areas of the business. SailPoint’s Executive Leadership Team, Product Managers, Engineering and Technical Leadership all are aligned and are dedicated to these principals.  From funding and prioritization to engineering solutions and innovations, we all seek to adhere to the three principals. That alignment and action is nothing without the individuals who are closest to our products and the day to day operations. SailPoint believes this and we show that belief by practicing it daily.

Discussion