Aug 16 · edited Aug 16 · Liked by Ross Haleliuk

While I largely agree with this, I think there is some subtlety that should be discussed here.

There are security 'features' such as SSO and logging, etc. that I totally agree with you on (and have some opinions on as discussed here - https://www.nudgesecurity.com/post/why-the-sso-tax-needs-to-go).

When you get past those features my opinions start to diverge. There is no product manager in the world that writes requirements and then specifies 'and must be reliable.' These are implicit. There is a strong analogy to the requirement of 'and must be secure.' Just as you wouldn't fault product management for quality issues in a feature release, you should not expect a product manager to specify 'and must validate input' or similar security basics.

So yes, product management should embrace the new reality of the market demand for security 'features' but past that there is still a responsibility for development to also embrace the new reality of secure development as well.
