Original Post: The Journey to Security Perfection | by Thomas Bertling | Jun, 2024
The article discusses the process of working towards an ideal state of product security, a goal that keeps moving because new threats, vulnerabilities, and security controls emerge constantly. It outlines the following key stages:
- Initial State: A starting point where security requirements are identified, gaps are analyzed, and a threat model is documented. This helps in estimating the effort needed to move towards ideal security.
- Acceptable State: Represents achievable security goals within a specified timeframe. Product teams aim for temporary mitigations and reductions in risk, acknowledging that not all vulnerabilities can be addressed immediately. This state includes multiple milestones on the path to the ideal state.
- Ideal State: A state of complete security perfection where all threats and vulnerabilities are addressed. This is a dynamic, evolving target, as new threats constantly emerge.
The author emphasizes the importance of collaboration between product and security teams to set realistic security goals, prioritize tasks, and steadily progress from the initial state towards the ideal state. Measuring progress should focus on how far a team has moved from the initial state rather than how close it is to the ideal state, since the ideal state keeps shifting; this avoids unrealistic expectations and fosters continuous improvement.