Balancing a growing number of engineers against the need for robust Application Security (AppSec) practices is no small feat. In this interview, we hear from Jeevan Singh, Director of Security Engineering at Rippling, the #1 workforce management platform. He shares the insights and strategies that have let him, across his career, work effectively with a high engineer-to-AppSec ratio. Join us as we look at how to maintain a strong security posture in dynamic and challenging environments.
Introducing Jeevan, Rippling and its Security Posture
Nipun Gupta: Hi Jeevan, thanks for doing this! Can you please introduce Rippling, its core activities, and then elaborate on your specific responsibilities in shaping and maintaining the company’s security posture?
Jeevan Singh: Rippling is an integrated platform that helps businesses manage their HR, IT, and Finance operations. Rippling's automation capabilities allow G&A teams to simplify payroll tasks, administer benefits and make compliance easier. Rippling allows administrators to handle complex HR functions with ease.
My role as Director of Security Engineering is to build security into the fabric of the organization and to focus efforts on the Security Development Lifecycle (SDL). It is important that my Engineering and Product counterparts are thinking about security when they are building out features. I do this by coordinating security efforts from a top-down perspective. I work closely with Execs, VPs, and Directors to make sure that they understand risk, our security priorities, and why we need to invest a certain percentage of Engineering time to both prevent vulnerabilities from getting into the system and fix vulnerabilities that are already there. We also focus on a bottom-up approach by training and educating Engineers themselves to make the right security decisions.
Automating Security Processes for Efficient Vulnerability Management
Nipun Gupta: Given the vast number of engineers and projects, how do you automate security processes to manage vulnerabilities efficiently?
Jeevan Singh: Engineering teams grow faster than security teams, which means if we don't adjust our programs, we'll always be playing catch-up. To handle vulnerabilities well, both engineering and security need to share the responsibility.
In the past, security teams had to constantly remind engineers to fix vulnerabilities within the SLA or to ask for an extension. We need to flip the script. If an engineer needs more time, they should talk to their Engineering Risk Owner. These Risk Owners can say yes or no to the extension, and security doesn't have to be part of that decision.
By making the engineering team responsible, we let the Risk Owners control their own outcomes for security. The security team should look at the macro picture and figure out where the organization needs the most help. They can then focus their efforts on those areas to reduce the risk effectively. This way, we're being more proactive about keeping things secure.
Prioritizing Security in a Lean Setup
Nipun Gupta: In such a lean setup, how do you prioritize which projects, applications, or teams get the most security attention and resources?
Jeevan Singh: You need to collaborate closely with the business to understand its priorities.
Start by identifying the critical assets within the organization, i.e. what are the crown jewels?
- Determine what could potentially lead the business to failure if these assets were compromised.
- Once a list of the most vital assets is compiled, prioritize securing them.
Devote 80% of your time to securing these crucial assets and ensure that your security measures are scalable.
- Utilize automation and build security into the fabric of those assets.
- Empower your security champions with the knowledge and skills to handle more responsibilities.
- Concentrate your efforts to gradually reduce the reliance of that business segment on the Security team.
In addition, businesses are more inclined to invest in security when they witness an effective implementation. No one wants to throw money and resources into areas where it is not providing value. As a Security team, it is important to demonstrate the value you bring to the business. Identify potential risks, gather metrics, quantify your impact, and your efforts will be recognized and rewarded.
Ensuring Consistent Security Practices Across a Large Engineering Team
Nipun Gupta: With a large engineering team, what strategies do you employ to ensure consistent security practices across the board?
Jeevan Singh: This is a tough challenge even with smaller engineering teams.
With large engineering orgs, you need to have a combination of automated and manual checks to ensure consistent security practices across the board.
Automation is a bottom-up approach and it is impactful to the Engineers doing the work. Make sure that you have all of your automated checks within development tools. I recommend that you add comments or blockers on their PRs; that fast feedback will reduce developers' context switching and provide a great development experience.
With respect to manual checks, that should be done top-down. Work closely with your VPs and Directors in the Engineering organization. Ensure that they know how well (or poorly) their teams are doing and what they can do to get better. The goal isn't to do a quick burst of security work, but rather have consistent progress in the right direction over a long period of time.
Prioritizing SAST Findings Compared to Other Vulnerability Types
Nipun Gupta: When the security team identifies vulnerabilities through various channels such as SAST, SCA, DAST, and manual assessments, how do you prioritize SAST findings compared to other types of findings, and what criteria influence this prioritization?
Jeevan Singh: At large organizations, when you fully integrate security tooling into the ecosystem, you may have millions of vulnerabilities. I have seen it time and time again at the various companies that I have worked at in my career. The most important thing to do is to determine which vulnerabilities need to be addressed and when they need to be addressed.
The goal is to burn down as many vulnerabilities as possible, and you can only do that by prioritizing vulnerabilities and not drowning the Engineering team.
Ideally you already have an asset inventory, which specifically maps out the most important areas of your ecosystem. If you can correlate that with critical vulnerabilities that are discovered within your security tooling, you will have a good first phase of vulnerability remediation. Tackle the critical and high vulnerabilities there first. Then focus your energy on critical and highs in other sensitive areas and finally the non-sensitive areas. If you approach prioritization that way, you are likely focusing on hundreds or thousands of vulnerabilities instead of millions.
When it comes to SAST findings, I would group them in with all of the other security tools and focus efforts on severities of the vulnerabilities discovered versus which tool discovered them. Having said that, my goal for SAST is to shift left and be proactive. I would integrate SAST tooling into where our developers are and make sure that SAST is providing comments on the appropriate PRs. That way we are not introducing the critical and high findings and having to remediate them down the road. SAST is a tool that I would leverage to reduce vulnerabilities discovered from all of the other security tools.
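The prioritization Jeevan describes above (asset inventory joined to findings, critical and high in the crown jewels first, then critical and high in other sensitive areas, then the rest) and the shift-left gate (SAST commenting on PRs so new critical and high findings never land) can both be expressed as a small triage routine. The following is an added example written for this article, not Rippling's tooling: the asset tiers, the three raw scanner output shapes, the mapping of Semgrep-style ERROR/WARNING/INFO levels to a common scale, and every finding below are constructed for illustration.

```python
"""Risk-based triage of findings from several scanners (added example, constructed data)."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TIER_RANK = {"crown_jewel": 0, "sensitive": 1, "other": 2}
ACTIONABLE = {"critical", "high"}          # what gets remediation attention first
# Assumed mapping of SAST level names (Semgrep-style) onto the common scale.
SAST_LEVELS = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


@dataclass(frozen=True)
class Finding:
    tool: str       # "sast", "sca" or "dast"
    repo: str       # the asset the finding belongs to
    rule: str       # check id, advisory id or alert name
    severity: str   # critical / high / medium / low
    location: str   # file path, package, or URL path


def cvss_to_severity(score: float) -> str:
    """CVSS v3 qualitative rating bands (9.0+ critical, 7.0+ high, 4.0+ medium)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalise(raw_sast, raw_sca, raw_dast) -> list[Finding]:
    """Flatten three tool-specific shapes into one record type so severity, not tool, drives triage."""
    out = []
    for r in raw_sast:
        out.append(Finding("sast", r["repo"], r["check_id"], SAST_LEVELS[r["severity"]], r["path"]))
    for r in raw_sca:
        out.append(Finding("sca", r["repo"], r["advisory"], cvss_to_severity(r["cvss"]), r["package"]))
    for r in raw_dast:
        out.append(Finding("dast", r["repo"], r["alert"], r["risk"].lower(), r["url"]))
    return out


def tier_of(repo: str, tiers: dict) -> str:
    # Design choice for this example: an asset missing from the inventory is
    # treated as sensitive rather than "other", so gaps in the inventory surface early.
    return tiers.get(repo, "sensitive")


def triage_key(f: Finding, tiers: dict):
    tier = TIER_RANK[tier_of(f.repo, tiers)]
    # Phase 0: critical/high in crown jewels; 1: critical/high in sensitive;
    # 2: critical/high elsewhere; 3: everything medium/low regardless of asset.
    phase = tier if f.severity in ACTIONABLE else 3
    return (phase, SEVERITY_RANK[f.severity], tier, f.repo, f.location)


def prioritise(findings, tiers):
    return sorted(findings, key=lambda f: triage_key(f, tiers))


def first_phase(findings, tiers):
    """The 'good first phase' of remediation: critical/high findings on crown-jewel assets."""
    return [f for f in findings if f.severity in ACTIONABLE and tier_of(f.repo, tiers) == "crown_jewel"]


def fingerprint(f: Finding):
    # Line numbers are deliberately excluded so a PR that shifts code does not re-raise old findings.
    return (f.tool, f.repo, f.rule, f.location)


def pr_gate(baseline, pr_scan):
    """Shift-left check: block the PR only if it introduces a NEW critical/high finding."""
    known = {fingerprint(f) for f in baseline}
    new = [f for f in pr_scan if fingerprint(f) not in known]
    blocking = [f for f in new if f.severity in ACTIONABLE]
    return (len(blocking) > 0, new)


# Constructed inventory and scanner output for the example.
ASSET_TIERS = {"payroll-service": "crown_jewel", "benefits-admin": "sensitive", "marketing-site": "other"}
RAW_SAST = [
    {"repo": "payroll-service", "check_id": "sql-injection", "severity": "ERROR", "path": "app/db.py"},
    {"repo": "marketing-site", "check_id": "insecure-eval", "severity": "ERROR", "path": "src/page.js"},
    {"repo": "benefits-admin", "check_id": "hardcoded-secret", "severity": "WARNING", "path": "cfg/settings.py"},
]
RAW_SCA = [
    {"repo": "benefits-admin", "package": "example-lib@1.2.0", "cvss": 9.8, "advisory": "constructed-advisory-1"},
    {"repo": "marketing-site", "package": "example-ui@3.0.1", "cvss": 5.3, "advisory": "constructed-advisory-2"},
]
RAW_DAST = [
    {"repo": "payroll-service", "alert": "missing-csp-header", "risk": "Low", "url": "/login"},
    {"repo": "payroll-service", "alert": "reflected-xss", "risk": "High", "url": "/search"},
]

if __name__ == "__main__":
    findings = normalise(RAW_SAST, RAW_SCA, RAW_DAST)
    for f in prioritise(findings, ASSET_TIERS):
        print(f"{tier_of(f.repo, ASSET_TIERS):12} {f.severity:8} {f.tool:4} {f.repo}: {f.rule} @ {f.location}")
    blocked, new = pr_gate(findings, findings + [Finding("sast", "payroll-service", "path-traversal", "high", "app/files.py")])
    print("PR blocked:", blocked, "new findings:", [n.rule for n in new])
```

The ordering puts the two high findings in the payroll service ahead of a CVSS 9.8 dependency in a merely sensitive asset, which is exactly the trade-off Jeevan describes: asset criticality is the first sort key and severity the second. In a real deployment the fingerprint would usually hash the offending code snippet as well, since file path alone is a coarse key.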
Tracking and Reporting Security Metrics for AppSec Effectiveness
Nipun Gupta: How do you track and report security metrics in this setup to ensure that vulnerabilities aren’t slipping through the cracks and to demonstrate the effectiveness of the AppSec role?
Jeevan Singh: There are a number of strategies to employ to ensure that vulnerabilities don’t slip through the cracks:
- Focus on security tooling coverage - in large enterprises, coverage metrics are king. For example, I want to make sure that my SCA tool scans the hundreds of GitHub orgs and 70k+ repos. In order to ensure that I have consistent data across the ecosystem, I need coverage metrics.
- Centralize your security data - ensure that all of your security data is centralized and consistent. When you need to run queries on your data, you should be able to get the latest information in your ecosystem. You should be able to determine where all of the critical vulnerabilities are within all of your tools (SAST, DAST, SCA, Bug Bounty, Container Security, etc).
- Reduce Risk - now that you have consistent coverage and you have centralized your data, you need to employ tactics to reduce risk. Some companies generate tickets, other companies leverage dashboards, whatever your approach, make sure that critical and high vulnerabilities are trending downwards.
Once you can quantify risk reduction, it is easy to demonstrate the effectiveness of security engineers within the organization.
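The three strategies above (coverage, centralized data, a downward trend in critical and high findings) each reduce to a query that can be computed from data the tools already emit. The block below is an added example, not Rippling's metrics pipeline: the repo inventory, the per-tool "scanned" sets, the findings table rows and the weekly snapshots are all constructed, and the in-memory SQLite table stands in for whatever store a team centralizes its findings in.

```python
"""Coverage, centralised findings and trend metrics (added example, constructed data)."""
import sqlite3
from dataclasses import dataclass

# Constructed inventory of repos across several orgs, and which repos each tool reported on.
INVENTORY = {"org-a/payroll-service", "org-a/benefits-admin", "org-b/marketing-site", "org-b/internal-tools"}
SCANNED = {
    "sast": {"org-a/payroll-service", "org-a/benefits-admin", "org-b/marketing-site"},
    "sca": {"org-a/payroll-service", "org-b/marketing-site", "org-c/archived-demo"},
    "dast": {"org-a/payroll-service"},
}
# Constructed rows for the central table: (tool, repo, severity, rule, status).
FINDINGS = [
    ("sast", "org-a/payroll-service", "high", "sql-injection", "open"),
    ("dast", "org-a/payroll-service", "high", "reflected-xss", "open"),
    ("bug_bounty", "org-a/payroll-service", "critical", "constructed-report-1", "open"),
    ("sca", "org-a/benefits-admin", "critical", "constructed-advisory-1", "open"),
    ("sast", "org-b/marketing-site", "high", "insecure-eval", "fixed"),
    ("sca", "org-b/marketing-site", "medium", "constructed-advisory-2", "open"),
]
# Constructed weekly snapshots of open critical+high count.
SNAPSHOTS = [("2024-W01", 120), ("2024-W02", 115), ("2024-W03", 118), ("2024-W04", 104), ("2024-W05", 97)]


@dataclass
class Coverage:
    tool: str
    fraction: float   # share of inventoried repos the tool actually scanned
    missing: list     # inventoried repos the tool never reported on
    unknown: list     # repos the tool scanned that are not in the inventory (shadow assets)


def coverage(inventory: set, scanned: dict) -> dict:
    """Coverage is measured against the inventory, not against what the tool says it scanned."""
    report = {}
    for tool, repos in scanned.items():
        report[tool] = Coverage(tool, len(repos & inventory) / len(inventory),
                                sorted(inventory - repos), sorted(repos - inventory))
    return report


def load_findings(rows) -> sqlite3.Connection:
    """Centralise every tool's findings into one table with one schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE findings (tool TEXT, repo TEXT, severity TEXT, rule TEXT, status TEXT)")
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_critical_high_by_repo(conn) -> list:
    """One query, across all tools: where are the open criticals and highs?"""
    sql = ("SELECT repo, COUNT(*) AS n FROM findings "
           "WHERE status = 'open' AND severity IN ('critical', 'high') "
           "GROUP BY repo ORDER BY n DESC, repo")
    return conn.execute(sql).fetchall()


def slope(values) -> float:
    """Least-squares slope of a series against its index; negative means trending down."""
    n = len(values)
    mx = (n - 1) / 2
    my = sum(values) / n
    num = sum((i - mx) * (v - my) for i, v in enumerate(values))
    den = sum((i - mx) ** 2 for i in range(n))
    return num / den


def trending_down(snapshots, window: int = 4) -> bool:
    """Judge the trend over the last `window` snapshots rather than the last two points."""
    return slope([count for _, count in snapshots[-window:]]) < 0


if __name__ == "__main__":
    for tool, c in coverage(INVENTORY, SCANNED).items():
        print(f"{tool:5} coverage {c.fraction:.0%}  missing={c.missing}  unknown={c.unknown}")
    conn = load_findings(FINDINGS)
    print("open critical/high by repo:", open_critical_high_by_repo(conn))
    print("critical/high trending down:", trending_down(SNAPSHOTS))
```

Two details matter in practice. Coverage is computed against the inventory, so a tool reporting "100 repos scanned" still shows a gap if the inventory has 120, and repos that a tool scanned but the inventory does not know about are surfaced as a separate list rather than silently inflating the ratio. The trend uses a regression slope over a window because a single week-over-week comparison flips sign on ordinary noise, as the W02 to W03 bump in the constructed data shows.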
Conclusion
Balancing an expanding engineering force against robust Application Security practices demands a nuanced strategy. Jeevan Singh's approaches show the importance of collaboration, automation, and proactive risk reduction in high engineer-to-AppSec ratio environments.
Jeevan underscores the need for constant adaptation and collaboration in addressing security challenges. Empowering engineering teams, effective prioritization, and consistent tracking of metrics are identified as key elements. It's an ongoing journey, essential in our ever-evolving digital landscape.
Stay tuned for more expert insights on cybersecurity, and a sincere thank you to Jeevan Singh for sharing his valuable experiences with us today!
Jeevan Singh is a passionate Security Leader with over 20 years of experience. His journey into cybersecurity began in his youth when he played soccer and developed a fascination for defensive strategies. Today, Jeevan applies these principles to protect companies and customer data. He believes in building security from the ground up, collaborating with teams to create transparent security solutions. Jeevan is dedicated to fostering a positive security culture, sharing his knowledge, and teaching others to eliminate vulnerabilities. With a strong track record of leadership and innovation, he continues to make significant contributions to the field of cybersecurity.