Presentation Material
Abstract
As organizations scale and security demand increases, many queue-based product security programs struggle to keep up, resulting in overworked security engineers and insecure products. In this session, the presenters share a product security program strategy that helped them partner effectively with engineering, product, and design teams to create and deploy trustworthy products.
AI Generated Summary
The talk details the transformation of Duo Security’s product security program from a reactive, queue-based model to an integration and services framework. The previous model relied on an intake queue for discrete security activities (threat modeling, code reviews), which created backlogs, forced context switching on security engineers, and failed to keep pace with engineering’s rapid release cadence, leading to low team morale and to stakeholders bypassing security altogether.
The new model, developed through a mind-mapping exercise and a skills matrix, split responsibilities in two. Integration engineers act as embedded subject matter experts (SMEs) for specific product teams, building relationships and aligning security work with engineering’s Objectives and Key Results (OKRs). A centralized services team provides scalable offerings such as training, a security champions program, and paved-path automation. Key techniques included replacing ad-hoc assessments with a process bound to the feature lifecycle, filing security tasks directly into engineering’s sprint workflow through their defect tracking system, and establishing bi-weekly security councils for cross-functional prioritization. A point-based questionnaire was used to prioritize activities consistently across products rather than by whoever asked loudest.
Practical outcomes included guaranteed security resourcing in engineering’s development pod planning, improved visibility into security-driven work, and higher team and stakeholder satisfaction. The model evolved further by tiering security effort according to the criticality of the OKR a feature serves and by investing in self-service “level zero” capabilities (lightweight threat models, automated scanning), freeing SME capacity for high-impact manual assessments of business-critical features. The core takeaway is that effective product security requires deep integration with product development lifecycle planning, relationship-focused embedding, and a flexible, tiered service model that acknowledges finite security bandwidth while ensuring that the business risk accepted by deferring work is explicitly understood.