Innovating with Our Security Advisory Board

Impart Security · 7.10.2023 · 5 min read

One of my biggest takeaways from leading the product management team at Signal Sciences was the value of focusing on the ultimate end user of the product: the WAF operator. Unlike most WAF companies, we prioritized the WAF operator's jobs to be done, including:

  • Convincing other teams (like devops) to install a WAF
  • Interpreting what the WAF was doing
  • Tuning the WAF so that it provided meaningful protection

This relentless focus on the end user experience allowed us to build a strong community of product champions and advocates, which helped us continually improve the product and ultimately achieve company success.

To help us execute a similar strategy at Impart in API security, we formed a Security Advisory Board, comprised of highly accomplished security professionals. In this post, I'm excited to share more about the depth of expertise these advisors bring, how we collaborate, and how this collaboration ultimately makes our product and company better.  

Giving Security Practitioners a Seat at the Table

How Our Security Advisory Board works

We've designed our Security Advisory Board program to optimize for product innovation. What this means is that we targeted advisors who bring deep operational experience with application and API security and who can provide detailed feedback about the types of threats they are seeing, the organizational realities they have to navigate, and their experience running successful security programs.

What does this mean? It means that our advisors come from the front lines of cybersecurity. They have seen the various ways security breaches can happen, the damage they can cause, and most importantly, how to prevent them in the real world, across multiple industries, multiple tech stacks, and different organizational cultures.

By bringing these perspectives into our product development process, we can make our product experience stand out.

We collaborate frequently with our Security Advisory Board members and ask them to help us in multiple ways. Some examples include:

  • Showing them demos of new features before anyone else and getting feedback on them
  • Installing and using our product themselves in their environments
  • Suggesting future roadmap items that can help them in their business
  • Evaluating our security effectiveness and testing rules and models

This depth of collaboration gives us very high quality feedback and is a win-win situation, where our advisors get to influence and shape our product in a way that fits their needs, while also providing us with guidance that can make our product experience the best it can be.

Meet Some of Our Security Advisors:

Our experts come from varied backgrounds to ensure our board offers a broad spectrum of knowledge and perspectives. These advisors are leaders in their respective fields, bringing a wealth of experience from top organizations across the security industry.

Jeremiah Kung, Global Head of Information Security, AppLovin: Jeremiah Kung is an experienced figure in the realm of cybersecurity, data privacy, and risk management. His extensive experience spans over two decades and includes stints at large financial institutions such as Visa, Bank of America, Capital One, and East West Bank. Jeremiah's insights ensure that we consistently bear in mind the perspectives of Chief Information Security Officers (CISOs), enabling us to deliver value not only to individual security engineers but also to entire security teams and enterprise-level organizations.

Bradley Schaufenbuel, CISO, Paychex: Bradley Schaufenbuel brings a profound understanding of how to safeguard sensitive customer information from previous FinTech experience at organizations such as Paylocity, Midwest Bank, and Experian. That experience guides us in developing robust controls and efficient reporting capabilities, helping our customers meet their compliance requirements.

Travis McPeak, CEO, Resourcely: A pioneer in product security, Travis McPeak has been at the helm of security leadership at numerous major organizations including Netflix, Databricks, IBM, HP, and Symantec. His hands-on experience, coupled with his deep domain knowledge in application and product security, provides insights into the full customer lifecycle experience.

Phillip Maddux, Security Lead, Compass: A former information security executive at Goldman Sachs, Phillip Maddux is known for his vast knowledge of financial security and deep experience with detection and response. His in-depth expertise in safeguarding sensitive financial data and mitigating risk, together with his time as a key services team member at Signal Sciences, has been instrumental in shaping our products and services.

Some Innovations from the Advisory Board

We've been working with our Security Advisory Board for months and building quite a few innovations together. Here are two examples we can share!

Native Rule Editor - No Professional Services Required!

One example is our native rule editor. During early discussions with our advisors, we received feedback that security professionals often find themselves frustrated with the traditional process of writing complex business logic. They had to rely heavily on back-and-forth email exchanges with professional service teams from security vendors, which was cumbersome and inefficient.

Listening to this feedback, we developed an in-product rule IDE. This feature gives security professionals a way to create and edit their own security policies with the first-class experience expected from modern security tools.

Our rule IDE offers users the same level of power that our own engineers have to create rules directly within the product. We took it one step further and designed our rule builder with a 'practitioner first' mindset. It comes equipped with a comprehensive rule testing suite, fully featured templates and examples, and an auto-complete feature similar to modern IDEs like VS Code. For ease of use, it offers robust versioning, enabling easy comparisons between different rule versions.

Resilient JSON Payload Inspection

A more in-the-weeds example of a feature developed in collaboration with our advisory board is a custom parser that enables us to inspect all fields in JSON payloads. These fields matter because attacks or malicious requests can be injected into these payloads, or smuggled into request fragments, and a parser that skips them leaves a visibility gap and unnecessary security exposure.

Based on feedback from our Security Advisors on the importance of robust and adaptable parsing, we built our own in-house parser that not only inspects all fields in JSON payloads, but can also handle complications such as partial requests that cause traditional parsers to error out.

What does this mean? When we talk about a partial request, we mean that some of its components are missing or haven't fully arrived yet. This often happens in the real world due to network congestion or packet loss. For example, an HTTP request may not be fully transmitted to the server, leaving the headers or the body truncated. Many parsers will wait for the request to complete and, if it doesn't, throw an error. Security tools that rely on those parsers consequently get no visibility into the partial content that was in the request.

Since injection and smuggling attempts are so common in application security, our custom parser is far more resilient: it is smart enough to provide visibility into a payload even when parsing fails. This lets us surface not only the fact that parsing errors are happening, but also some of the context contained in the malformed request.
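To make the idea of inspecting a truncated payload concrete, here is an added illustration written for this post; it is not Impart's parser and assumes nothing about how their implementation works. It strictly parses the body first, and on failure keeps the decode error while salvaging every complete field from the longest well-formed prefix, discarding any value cut mid-token rather than guessing at it.

```python
import json

def _closers(prefix: str):
    """Closing brackets still open at the end of prefix; None if inside a string."""
    stack, in_str, esc = [], False, False
    for ch in prefix:
        if in_str:
            if esc:
                esc = False
            elif ch == '\\':
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in '{[':
            stack.append('}' if ch == '{' else ']')
        elif ch in '}]' and (not stack or stack.pop() != ch):
            return None                          # mismatched bracket: give up
    return None if in_str else ''.join(reversed(stack))

def salvage_truncated_json(text: str) -> str:
    """Longest prefix of text that ends on a member boundary, with any dangling
    comma dropped and every open container closed, that json.loads accepts. A
    value cut mid-token (the 12 of 123) is discarded, never guessed. O(n^2)."""
    for cut in range(len(text), 0, -1):
        raw = text[:cut]
        last = raw.rstrip()[-1:]
        if not (raw[-1] in ', \t\r\n' or last in ('"', '}', ']', '{', '[')):
            continue                             # cut falls inside a scalar token
        candidate = raw.rstrip().rstrip(',')
        closers = _closers(candidate)
        if closers is None:
            continue                             # cut falls inside a string
        try:
            json.loads(candidate + closers)
            return candidate + closers
        except json.JSONDecodeError:
            continue
    return ''

def inspect_payload(raw: str) -> dict:
    """Strict parse first; on failure report the error AND the salvaged fields."""
    try:
        return {"complete": True, "error": None, "data": json.loads(raw)}
    except json.JSONDecodeError as exc:
        # salvage_truncated_json only returns text that json.loads already accepted
        data = json.loads(salvage_truncated_json(raw) or "null")
        return {"complete": False, "error": f"{exc.msg} at char {exc.pos}", "data": data}
```

Feeding it a constructed body cut off mid-string, such as `{"user":"alice","items":[1,2,3],"note":"tr`, yields the decode error plus the two complete fields, which is exactly the partial context a rule engine can still evaluate.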

These are just a few examples of practitioner-focused innovations that were developed directly from our security advisors' input. We continue to collaborate with our advisors and are excited about many other capabilities we'll be able to share soon!

Our Security Advisory Board is an integral part of our commitment to robust, effective security for our customers. We continuously draw on the deep expertise of our advisors, allowing us to craft solutions that meet the real and evolving needs of the security community.

Stay Connected:

For the latest in API security developments, follow us on LinkedIn or Twitter.
