From the course: CSSLP Cert Prep: 6 Secure Lifecycle Management

Strategy and roadmap

- [Instructor] Before you can align tactical software lifecycle management activities with your long-term plan, you first need to lay out that plan. You'll be much more successful in this effort if you take time to define your strategy and your product roadmap. Each application development shop follows a software development lifecycle, or SDLC. This is a collection of processes that the teams rely on when planning, building, testing, and deploying software. The SDLC is often represented as a circle since every new feature and every new fix should set this wheel in motion again, encouraging your developers to perform their due diligence in each phase before deploying any updates to production. However, product owners take a much broader view than developers. Once an app goes live, there are a number of additional responsibilities the product owner will likely track. This expanded view is often referred to as application lifecycle management or product lifecycle management. Even as an app is in the early development stages, product owners are already looking at additional features and functionalities that they want to introduce in future versions of the app. They're also on the hook for deciding when to retire or sunset applications that no longer align with the priorities and direction of the business. And one of the most important tools that product owners rely on to do this strategic planning is a product roadmap. Every development team I've ever worked with has had limited time and limited resources. To make things even more challenging, the technologies that they're using to build their apps are changing at an amazing pace. Product owners build product roadmaps as a way of keeping the team focused on what needs to get done in the short term, while simultaneously tracking how they anticipate the app will evolve or change over time.
Product roadmaps include changes to existing functionality, the introduction of new functionality, changes in the underlying technologies, and even when they anticipate the app will be retired or replaced. Companies that specialize in software development often track and update these roadmaps on a quarterly basis. As product owners are developing their strategy, you should make every effort to ensure that your security strategy is well aligned. Those strategies are going to be heavily influenced by a number of internal and external factors. Internally, the most common challenge is finding the right balance of time, money, and quality when building your app. Product owners make projections based on the resources at their disposal and the requested features on their list. They then plan out what they'll implement and when, based on feature priority and on how much effort it should take to develop each feature. Your security strategy should be in lockstep with the product roadmap. Taking those same limitations into account, you'll be wasting time and money putting security in place for features that won't be in the app for another year. At the same time, you'll be leaving the app exposed to attack if the roadmap includes functionality to be released in the next quarter that you haven't even considered testing for security. The external factors that influence your strategy are a bit more challenging. The landscape of security standards, industry regulations, and legal requirements around data security and data privacy is always shifting. When GDPR was launched in 2016, every application that collected private consumer data had to be reviewed and modified in order to avoid crippling fines. The downstream effect of these changes is that customers and partners are becoming more security savvy. They're asking for things like multifactor authentication, data security agreements, and other assurances that your app is secure.
Your knowledge of and influence over the product roadmap will help ensure that the product owner is including these expectations in their planning efforts. When you turn your attention toward a more technical conversation, factors like platform integration and cloud adoption are having sweeping effects on product and security roadmaps alike. Every API that your development team adds or modifies is another attack vector that you need to secure. And a shift from on-prem technologies to cloud services has already been tied to a number of data breaches. As a CSSLP, it's your responsibility to understand how all of these factors might influence the product roadmap, and to engage the product owner to make sure that the product strategy and the security strategy go hand in hand.