Secure Product Lifecycle (SPLC) as a Service - AppSecUSA 2017


A Secure Product Lifecycle (SPLC) is integral in ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. This session will discuss lessons learned, soup-to-nuts, through the process of designing, rolling out, and measuring a scalable SPLC.

In Adobe’s Digital Marketing business unit, two security analysts created a successful program that has scaled to support thousands of engineers. Defining security requirements and KPIs for engineering teams is just the first step in creating the SPLC. In order to make the design a reality for several products, thousands of engineers, and millions of lines of code, we organized our team into an ‘as a service’ model and utilized automation to scale to meet this demand. Establishing a strong security ambassador program helped ensure the success of the SPLC. The centralized ambassador network has been crucial to the success all product security initiatives throughout the business unit. We will give examples of how ambassadors have assisted with incident response, driven training and security culture initiatives, and have championed security-related projects on their individual team.

We will explore a case study of one of our most successful SPLC-driven programs - static code analysis. By fully automating the process from code check-in to delivery of results, we achieved 100% buy-in from all engineering teams in the Digital Marketing business unit. The process was designed to have minimal impact on the engineering teams, and to be integrated into their existing workflows, allowing for a very low-overhead program that adds value. The engineers code and commit as they normally would. On the backend, our static code analysis engine is scanning and will inject any findings into their existing bug-tracking system.

You will walk away from this talk with on-the-ground knowledge to establish an effective SPLC by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives.


Julia Knecht
Manager, Security & Privacy Architecture, Adobe
Julia Knecht manages Product Security and Privacy Architecture at Adobe. She created and is responsible for the Secure Product Lifecycle of Adobe’s Experience Cloud Business. An integral and invaluable piece of the Secure Product Lifecycle is her Security Champions program.

Taylor Lobb
Manager, Security and Privacy, Adobe
Taylor is responsible for vulnerability detection and remediation for Adobe’s Digital Marketing Business. In addition to leading a team of penetration testers, Taylor has designed and successfully automated vulnerability detection systems that support all of Digital Marketing.


Managed by the official OWASP Media Project

Secure Product Lifecycle (SPLC) as a Service - AppSecUSA 2017 Secure Product Lifecycle (SPLC)  as a Service - AppSecUSA 2017 Reviewed by Unknown on January 19, 2018 Rating: 5