When you get past those features my opinions start to diverge. There is no product manager in the world that writes requirements and then specifies 'and must be reliable.' These are implicit. There is a strong analogy to the requirement of 'and must be secure.' Just as you wouldn't fault product management for quality issues in a feature release, you should not expect a product manager to specify 'and must validate input' or similar security basics.
So yes, product management should embrace the new reality of the market demand for security 'features' but past that there is still a responsibility for development to also embrace the new reality of secure development as well.
I agree to a large degree. However, as a product person I have seen how security gets deemed "out of scope" or "a future problem", and it happens way more often than we'd like to admit. In the same way as a PM wouldn't release a terribly buggy feature, we should not encourage cutting security requirements. And sure, there are always nuances but the underlying approach should be the one that prioritizes security.
While I largely agree with this I think there is some subtly that should be discussed here.
There are security 'features' such as SSO and logging, etc. that I totally agree with you on (and have some opinions on as discussed here - https://www.nudgesecurity.com/post/why-the-sso-tax-needs-to-go).
When you get past those features my opinions start to diverge. There is no product manager in the world that writes requirements and then specifies 'and must be reliable.' These are implicit. There is a strong analogy to the requirement of 'and must be secure.' Just as you wouldn't fault product management for quality issues in a feature release, you should not expect a product manager to specify 'and must validate input' or similar security basics.
So yes, product management should embrace the new reality of the market demand for security 'features' but past that there is still a responsibility for development to also embrace the new reality of secure development as well.
I agree to a large degree. However, as a product person I have seen how security gets deemed "out of scope" or "a future problem", and it happens way more often than we'd like to admit. In the same way as a PM wouldn't release a terribly buggy feature, we should not encourage cutting security requirements. And sure, there are always nuances but the underlying approach should be the one that prioritizes security.