By Jennifer Czaplewski, Director of Product Security, Target
May 21, 2020
Predicting the future is hard. I’m pretty sure at least 99% of us had no inclination 3 months ago that the entire world would be operating like it is today. I’ve seen people describe themselves as a “futurist” and that’s not a title I ever expect to be given (or give myself), but I do operate by one of my favorite quotes from Louis Pasteur which is “chance favors the prepared mind.” And for Cyber Security, and my specific field Application Security, I think that’s where the future is headed. We can’t easily predict what our business will need or the newest application exploit, but through preparation we have the best chance to facilitate the secure delivery of applications.
I lead the Product Security team at Target. Our goal is to enable the secure delivery of applications and we do this through several values.
1: Meet developers where they work
We don’t want engineers to stop developing to upload their code to a security scanner or get security approval to move to the next development phase. Anything our security team expects should be embedded in tools that developers use every day.
2: Partner to solve problems, not just find problems
Finding vulnerabilities is only the first step in making applications more secure. As a security team, we’ve shifted our focus from enforcer to teacher. We offer training to developers on how to address security flaws and teach them how to find problems themselves. This end-to-end approach requires partnership beyond organizational boundaries.
3: The “right” way is the easiest way
This goal is aspirational. Our plan is to make the right way (and the secure way) the easiest way for a developer to complete a task. We’ve made some great progress through embedding security controls in our deployment pipelines and via our security advocates program, but the work here continues.
Predicting the future doesn’t usually require a crystal ball; usually you just need to look around. When you join forums like the Cyber Security Summit and hear about other organizations’ wins and fails, you may be able to predict your future. As chance would have it, Louis Pasteur has a quote for this too: “science knows no country because knowledge belongs to humanity.” Well that’s a lot more eloquent than I’d come up with, but sharing knowledge and learning from others is the best way for all of us to be prepared for the future, whatever it may hold.
Jennifer Czaplewski is the Director of the Product Security team at Target. She leads the security ninja program, the product intelligence team and application security testing… full bio