Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
We’re hiring for product and application security roles in our organization. Come join me and our awesome CISO, Susan Chiang, in building a secure mental healthcare system that everyone can access. We are looking for a director of product and a senior application security engineer. Feel free to apply using those links or reach out to me!
Someone recently showed me this cool startup, Pangea, which makes it easy to design products securely by default. A common topic in the security industry is “security by design.” The concept has been around for as long as I can remember. However, if you look at the big cybersecurity companies, none of them are related to this concept. In fact, almost all of them are layering security on top, or reacting to security problems through monitoring or response. For example, Palo Alto Networks started as a firewall box that you can plug into your datacenter. Their cloud security products are primarily monitoring tools. Similarly, CrowdStrike has an agent installed on endpoints that monitors and takes action. Even Auth0, which is part of Auth0, isn’t security by design; it’s primarily meant as an integration, i.e. it’s supposed to work with various setups and environments.
This isn’t intended to be a blog about Pangea. It’s intended to discuss the concept of security by design. I’ll talk more about Pangea a bit later, but not to bury the lede, I do think Pangea is an interesting concept. In fact, I believe there should be more products like this. As a disclaimer, I haven’t played around much with Pangea, and I’m thinking of them in comparison to Auth0, with which I have hands-on experience.
Seeing Pangea, I wondered why companies that advocate for security by design aren’t successful. It’s because security by design might seem like a good idea, but it isn’t practical and won’t work for most companies.
Does “security by design” work?
It comes down to tech debt. As security people, we hope that people care about security early on in the development process. Unfortunately, that’s not the reality. Almost every person is more focused on delivering a product quickly, and many times, security slows them down and/or is an afterthought. Of course, this isn’t an excuse for poor security. It’s just that most developers don’t have security at the top of their minds nor do they always know the best security practices. Pangea solves this by allowing developers to have basic security from the start. So, why don’t people do this?