Applied Lessons from Product Security Teams in Vulnerability Management.

About The Guests

  • Patrick Garrity: Security Researcher and VP Marketing at Nucleus Security
  • Scott Kuffer: Co-founder and COO at Nucleus Security
  • Matthew Clapham: Senior Director of Product Security at Activision Blizzard


Product security and vulnerability management have become critical components of an organization’s overall cybersecurity strategy.

However, these two teams often face challenges in working together effectively, leading to misalignment and potential security gaps.

Patrick Garrity hosted a roundtable discussion with industry experts Matthew Clapham and Scott Kuffer to share applied lessons from product security teams and vulnerability management.

Key Takeaways

Challenges in Product Security and Vulnerability Management

  • One of the main challenges in product security and vulnerability management is the potential misalignment between the two teams.

Product security teams focus on designing and developing secure products, while vulnerability management teams are responsible for identifying and patching vulnerabilities in software and systems.

“One of the biggest differences I’ve seen there is when you think of it as what their goals are for the individual teams and who their target audience is for the particular deliverable.”

– Matt Clapham, Senior Director of Product Security, Activision Blizzard

This difference in focus can lead to tension and challenges in prioritizing and addressing security issues.

  • Timing is another significant challenge in product security and vulnerability management.

Product teams often face tight deadlines and may be reluctant to address security issues that arise late in the development cycle.

This can create a trade-off between meeting release dates and addressing security concerns.

“Product security struggles with the fact that we’re agile or everybody’s trying to be agile. And the reality is that security is really difficult to be agile with because there’s a lot of work, whether it’s through a scanning tool, whether it’s through manual QA, whether it’s through some other process to essentially audit what’s happening, right? And so every time you want to make a change, it’s exponentially difficult.”

– Scott Kuffer, Co-Founder and COO, Nucleus Security

The agile nature of product development can make it difficult to incorporate security measures effectively, as security processes often require additional time and resources.

Prioritizing Vulnerabilities

Vulnerability prioritization is a critical aspect of both product security and vulnerability management.

However, the approach to prioritization may differ between the two teams.

Product security teams focus on addressing security issues throughout the development process, while vulnerability management teams often prioritize patching existing vulnerabilities in deployed systems.

The challenge lies in determining the severity of vulnerabilities and establishing a consistent prioritization framework.

Traditional vulnerability management often relies on the Common Vulnerability Scoring System (CVSS) to assess severity.

That being said, product security vulnerabilities may require a more asset-specific approach, considering factors such as the impact on the product’s functionality and the potential for exploitation.
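As an added illustration of the asset-specific approach described above (example code, not from the roundtable or Nucleus Security), the ranking below starts from the CVSS base score, scales it by the asset's exposure and the impact on product functionality, and floors anything known to be exploited so it cannot sink below more severe-looking but unreachable findings. All identifiers, weights and sample findings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    ident: str             # constructed placeholder id, not a real CVE
    cvss_base: float       # CVSS base score, 0.0-10.0
    known_exploited: bool  # e.g. present in an exploited-vulnerabilities catalog
    asset_exposure: str    # "internet", "internal" or "isolated" (assumed taxonomy)
    functional_impact: str # "critical", "major" or "minor" for the product (assumed)

# Assumed weights: how much of the base severity survives in each context.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
IMPACT_WEIGHT = {"critical": 1.0, "major": 0.7, "minor": 0.4}
EXPLOITED_FLOOR = 9.0  # known-exploited findings never rank below this

def priority_score(f: Finding) -> float:
    """Asset-aware score: CVSS is the baseline, context scales it down,
    and evidence of real-world exploitation pulls it back to the top."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss_base}")
    score = f.cvss_base * EXPOSURE_WEIGHT[f.asset_exposure] * IMPACT_WEIGHT[f.functional_impact]
    if f.known_exploited:
        score = max(score, EXPLOITED_FLOOR)
    return round(score, 2)

def prioritize(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (id, score) pairs, highest priority first; ties fall back to raw CVSS."""
    ranked = sorted(findings, key=lambda f: (priority_score(f), f.cvss_base), reverse=True)
    return [(f.ident, priority_score(f)) for f in ranked]

# Constructed sample findings. Note VULN-001 would top a CVSS-only list.
SAMPLE = [
    Finding("VULN-001", 9.8, False, "isolated", "minor"),
    Finding("VULN-002", 6.5, True, "internet", "major"),
    Finding("VULN-003", 7.5, False, "internet", "critical"),
    Finding("VULN-004", 7.5, False, "internal", "critical"),
]

if __name__ == "__main__":
    for ident, score in prioritize(SAMPLE):
        print(f"{ident}: {score}")
```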


The Role of Threat Modeling in Product Security

Threat modeling is a crucial practice in product security that can help identify potential security risks and guide the development of secure products.

“I’m very passionate about threat modeling for a variety of reasons. But I think if there’s one thing you do, it’s threat model because it unlocks all that other stuff as well as has some really practical benefits.”

– Matt Clapham, Senior Director of Product Security, Activision Blizzard

By conducting threat modeling exercises, product security teams can gain a better understanding of the system’s design and potential vulnerabilities.

This process involves creating data flow diagrams or system diagrams and analyzing potential security failure modes.

Threat modeling not only helps identify security risks but also fosters collaboration and alignment among development teams.

By involving developers in the threat modeling process, a shared understanding of the system’s security requirements can be established.

This collaboration enables developers to take ownership of security and make informed decisions to mitigate potential risks.
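To show what "creating data flow diagrams and analyzing potential security failure modes" can look like when the diagram is kept as code developers can review, here is an added example (not from the roundtable): elements live in trust zones, flows connect them, and every flow that crosses a zone is reported with the failure-mode questions it raises. The element names, zones, sample system and the STRIDE-like checklist are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool = False
    authenticated: bool = False

def failure_modes(flow: Flow, src: Element, dst: Element) -> list[str]:
    """Assumed checklist of questions for one boundary-crossing flow."""
    modes = []
    if not flow.authenticated:
        modes.append(f"spoofing: {dst.name} cannot verify {src.name} sent {flow.data}")
    if not flow.encrypted:
        modes.append(f"tampering/disclosure: {flow.data} crosses {src.zone}->{dst.zone} unprotected")
    if dst.kind == "store":
        modes.append(f"repudiation: writes of {flow.data} to {dst.name} need an audit record")
    if src.kind == "external":
        modes.append(f"denial of service: untrusted {src.name} can flood {dst.name}")
    return modes

def boundary_crossings(elements: list[Element], flows: list[Flow]) -> dict[str, list[str]]:
    """Map each flow crossing a trust zone to the failure modes to analyze."""
    by_name = {e.name: e for e in elements}
    report: dict[str, list[str]] = {}
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone != dst.zone:  # same-zone flows are out of scope here
            report[f"{f.src}->{f.dst}"] = failure_modes(f, src, dst)
    return report

# Constructed sample system: a client app, a public API and an internal database.
ELEMENTS = [
    Element("client", "external", "untrusted"),
    Element("api", "process", "dmz"),
    Element("db", "store", "internal"),
    Element("reporting", "process", "internal"),
]
FLOWS = [
    Flow("client", "api", "login token", encrypted=True, authenticated=False),
    Flow("api", "db", "session record", encrypted=False, authenticated=True),
    Flow("db", "reporting", "session stats", encrypted=False, authenticated=True),
]
```

Running `boundary_crossings(ELEMENTS, FLOWS)` lists only the two zone-crossing flows; the db-to-reporting flow stays inside the internal zone and is not reported.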


Regulatory Requirements and the Future Outlook

Regulatory requirements are increasingly driving organizations to prioritize product security and vulnerability management.

Regulations such as the Essential Eight in Australia and various data protection laws worldwide emphasize the importance of secure development practices.

These regulations aim to ensure that organizations address security risks and protect sensitive data.

While regulatory requirements provide a framework for security practices, the vagueness of some regulations can pose challenges.

“They want to make sure that the thing is getting patched so that the underlying security problems of some component don’t become the thing that breaks the device or makes it risky to someone or causes any sort of other problem. They want to make sure that that part of the process happens. The verbiage they have around that might be vague and confusing. In fact, Scott, when you mentioned the timeline of 48 hours, I’m like, okay, when do you start the clock?”

– Matt Clapham, Senior Director of Product Security, Activision Blizzard

Organizations must interpret and implement these requirements in a way that aligns with their specific context and risk profile.

Additionally, organizations need to consider the implications of end-of-life planning for products, especially in industries where products have long lifecycles.

Looking ahead, the future of product security and vulnerability management will likely involve increased automation and integration of security practices into the development process.

Tools such as software composition analysis and software bill of materials can provide valuable insights into the security posture of products.

Organizations need to foster a culture of security awareness and collaboration to ensure that security is a shared responsibility across all teams.

Closing Thoughts

Organizations must prioritize security and work towards aligning product security and vulnerability management teams to ensure the development and deployment of secure products.

By doing so, organizations can mitigate security risks and protect sensitive data in an increasingly complex and evolving threat landscape.
