Product Security Engineer

Skillsets for a Product Security Engineer

Being a product security engineer involves multiple skill sets, depending on the market and the company. In a product-based company with fewer than 100 employees, you would have to take care of the entire product security function, so acquiring skills and knowing when to apply them is crucial. "Product Security Engineer" can mean different things, and the scope differs with the size of the company and the team you are in. The scope below is for companies with fewer than 100 employees and does not include other roles such as offensive security, pentesters and threat analysts. I have broadly classified the scope into

  1. Application Security

  2. Cloud Security

  3. GRC

  4. Non-Technical Skills

Application Security

Application security covers the security of the applications themselves; both client applications and server-side application products are included here. The skillsets that are needed here are

  1. Web Application Security

  2. Client Application Security, which includes portable devices such as smartphones, operating system binaries, and IoT

  3. Secure Design Review

  4. Secure Code Review

  5. Threat Modeling

  6. Virtual patching

  7. Cryptography

  8. Security Training

  9. BugBounty/Vulnerability Disclosure Program

  10. Application Posture Management

    1. WAAP

    2. ASM

The prerequisite for application security is security testing. In most interviews, you would be assessed on security testing capabilities and the skills above. Concentrate on how to defend the product from attacks rather than on attacking and going deep into exploitation. You have to maintain the balance between defence and attack.

Cloud Security

As companies want to find product-market fit (PMF) faster, they have to build products faster and not worry about infrastructure, so they run on the cloud. Cloud security here revolves around IaaS.

  1. IAM

  2. cloud native Security

    1. Kubernetes

    2. Docker

  3. Access Control

  4. Perimeter Security

    1. reducing attack surface

  5. Secret Management

  6. Provable Security via policies

  7. Cloud Posture Management

    1. CSPM

    2. CWPP

  8. IaC

  9. Detection & Monitoring

    1. AWS Guardduty

    2. GCP Security command center

Application x Cloud Security

The skills that are common for both

  1. CICD

    1. GitHub actions

    2. Gitops

  2. Vulnerability Scanning Tools

    1. SAST

    2. SCA

    3. IaC

    4. Container Scanning

    5. Secret Scanning

    6. Vulnerability Correlation and management platform

  3. Posture Management

  4. Detection & Monitoring

Though the above skills can be the same and can be applied individually (to app or cloud security), I have recently seen jobs asking for SAST and SCA knowledge for a cloud security engineer. So both the application security and cloud security skillsets need knowledge of vulnerability scanning and management tools.

GRC

  1. Policy making for org level based on compliance and business needs

  2. Risk Management

  3. Vulnerability Management

  4. Security Metrics

  5. Enterprise and IT Security

    1. VPN

    2. DLP

    3. Onboarding and Offboarding Employees, contractors

    4. access management in tools

    5. MDM

    6. Audit and evidence collection

    7. Endpoint Security / XDR

    8. SSE, ZTNA

  6. Security Training

    1. Phishing and general security training

  7. Compliance

    1. ISO 27001

    2. SOC 2

    3. BCDR

    4. Incident & Response management

    5. External audit & pentesting

  8. Compliance as Code

GRC stands for Governance, Risk and Compliance. Most big organisations have them as separate functions, but a huge chunk of startups have combined them into one, as they go hand in hand. Governance revolves around policies and getting stakeholder alignment. The main resources for policies that I look to are the public handbooks of open companies such as Sourcegraph and GitLab.

GRC x Application Security

  1. Risk Management

  2. Vulnerability Management

  3. Security Frameworks like SSDLC, NIST

  4. Privacy Security

    1. Privacy by Design

  5. Driving and enforcing Governance, policies, and compliance in applications, products, and developer experience

  6. Incident & Response Management in product applications

  7. Evidence collection and driving

GRC x Cloud Security

  1. Evidence collection and driving

  2. Data Security

    1. Encryption at rest, in motion and in transit

    2. Key Ownership

    3. DB Encryption, columnar encryption

  3. Driving and enforcing Governance, policies, and compliance in IaaS and with DevOps/SRE engineers

  4. Incident & Response Management in IaaS

GRC x Cloud Security x Application Security

  1. Automation, coding skills

  2. Critical/0day vulnerabilities tracking and remediation

  3. Driving and enforcing GRC

Non-Technical Skills

Even though the above technical skills are useful and prioritised by peers, being blind to non-technical skills and not concentrating on them can leave you behind. Technical skills can give you wings to fly, but non-technical skills give you the boost. Having that boost (leverage) can help you in the long run. I had the privilege to learn a few of them while I worked at Hotstar.

  1. Problem-Solving

  2. Mental Models

  3. Design thinking

  4. Stakeholder Management

  5. Productivity

    1. LNO

    2. Maker vs Manager

    3. Time/Energy Management

  6. System Thinking

  7. Decision Making

  8. Strategy & tactics

  9. Business knowledge and networking
