How Atlassian CISO Adrian Ludwig built a world-class product security team

At last week’s SnykCon, Snyk’s Co-founder and President Guy Podjarny sat down with Adrian Ludwig, CISO of Atlassian for a fireside chat about the modern security market, how his security team is structured, and how to help developers embrace security.

Guy and Adrian continued their conversation after the fireside chat, discussing what it takes to build a world-class product security team—from what the role means, to hiring practices, to empowering engineers, to taking ownership of security.

Here are some of the key takeaways.

The emerging role of product security

Depending on the organization, the role of product security may be similar to that of a traditional application security hire. But, at Atlassian, product security is a mission. The product security team focuses the majority of its time on issues that relate directly to customers, versus the internally focused corporate security team. Both teams report to Adrian so that there’s no ambiguity over who owns security at the organization.

Product security’s goal is to improve the security posture of products and represent customers’ security expectations internally to the development team. Domain expertise on the team spans application security, cloud security, and facets of incident response. It’s really a “Renaissance Team” that touches every aspect of the product’s security. Their purview goes beyond Atlassian’s product features alone and includes looking at how products securely connect with third-party applications and services.

Supporting Adrian’s team are software developers who create products that are used internally by the security organization. This includes automation and integration tools, such as an asset inventory, and a “vulnerability funnel” that consolidates and tracks vulnerabilities across everything at Atlassian. The security team supports engineering by ensuring that all of the products within the platform are secure by design.

Building a diverse product security culture

Adrian says Atlassian has a collegial and open culture where there’s a collaborative, give and take approach—both within teams and between functions. When his team looks to hire a product security professional, they look for people who are excellent individual contributors and team players. Diversity is also incredibly important, including traditional ethnic, religious, and gender diversity vectors, as well as diversity of thought.

As the team has grown, one of the huge advantages is hiring people from different security backgrounds, not just from a single company or school of thought. This gives the ability to engage in constructive discussions about Atlassian’s fundamental approach to security, and revamp it as necessary. If you hire from the same pool of talent, it’s easy to get caught up in sharing the same opinion without pushing the boundaries of how things are done.

It helps also to have a culture of collaboration between engineering and security teams. At Atlassian, software is built with security in mind. Features like key management, isolation, segmentation, inter-service authentication, and other core security components of the platform are built and managed by the engineering team. Product security functions in a consultative role for the design and management of those components.

Helping engineers take ownership of security

One of the best ways to strengthen product security is to empower engineers with ownership of security within the products they develop. At Atlassian, engineers develop their own security metrics based on industry standards and best practices. For example, if you are the person that owns source code, static analysis, and scanning, it’s good to know what metrics indicate success.

• Is there security coverage across all of the different code repositories?

• Are all of the issues flowing into Atlassian’s vulnerability funnel so that people are responding to them quickly?

• Do you have a false positive rate that's viable?

Adrian says that defining and tracking their own metrics helps engineers really care about the security of the products they're working on. The product security team helps the engineers advance in their metrics over time. Ultimately, the sense of pride and craft that comes with ownership helps motivate engineers to think of security as code. And, if there’s a security issue, there’s a clear path to quickly addressing risks.

Want to learn more about how Snyk can help support a culture of collaboration with engineering and security teams to build secure applications?