Modern security leader spotlight: with Marcin Hoppe from Auth0

Marcin Hoppe is the Senior Manager of Product Security at Auth0. Through his role, he empowers the security team to collaborate with engineering in ensuring secure code is deployed throughout the organization. As Marcin describes it, his mission is to help engineers at Auth0 build a more secure product. Read more about his challenges and approach here.

Marcin’s approach demonstrates modern leadership; he is an example for other security leaders who want to become a tighter part of the overall organization and build bridges with engineering, management, and beyond. We asked him a few questions to get more insight into his way of thinking about DevSecOps and the future of security. Here’s what he had to say.

Snyk: What keeps you and your security peers up at night?

Marcin: Unknown unknowns. In other words, the things we do not know we should be fixing—and these always exist. We cannot effectively protect our customers and the company from something we do not even know exists. Yet undiscovered vulnerabilities are one such thing. We rely on Snyk’s extensive vulnerability database and alerting to help us stay on top of these occurrences, as they come to light.  Keeping track of these vulnerabilities is too big a job for any single security team.

Snyk: How does your Auth0 approach to security differ from that of other organizations?

Marcin: One way we approach security differently than many organizations is that we focus on empowering developers to incorporate it right into their workflows. We do this by automating as much as we possibly can, as well as building easily repeatable processes around security. This way engineers don’t have to be security experts; they just need to know the basics, follow the protocols, and rely on the tools  we put in their hands to make their jobs easier.

Snyk: How are you scaling your security processes?

Marcin: An important aspect of scaling security is measurement. Part of my team’s responsibility is to measure security progress across teams at Auth0. We are continually working to improve the security posture not only of individual teams but  the organization as a whole. Right now, we track the number of vulnerabilities resolved each month, how quickly these vulnerabilities are resolved, and how many have exceeded our SLA for responding and fixing. We’re adding to our security metrics over time, as well, to ensure we adhere to the principles of continuous improvement. That’s what scaling security means for us.

Snyk: How do you define DevSecOps?

Marcin: I think it’s a fairly natural extension of the DevOps revolution. DevSecOps, in particular, means breaking down the barriers between development, operations, and QA —but also between infosec and the rest of the enterprise. That’s a big part of what I focus on at Auth0.

Snyk: Why do you think achieving true DevSecOps is hard for many organizations?

Marcin: One thing that might be hard is not having a solid DevOps foundation in the first place. Going from nothing to DevSecOps is hard; but “extending” an already working DevOps approach to incorporate security, is totally doable. So teams may want to start DevOps and build their way from there.

Another issue that is simpler to state, but harder to remedy, is staffing. Companies are struggling to staff their infosec teams well and it's hard to have sufficient capacity to support all the projects in the enterprise. It’s another reason why automation and empowering teams to do their own security is so important.

Snyk: Give us an example of how your team is implementing DevSecOps at the moment?

Marcin: The product security team that I lead strives to be a partner throughout the entire lifecycle of software development —from feature inception through design, development, operations, and finally deprecation. I think that’s a really key aspect of doing DevSecOps right; ot just inserting security at one single point in the software lifecycle, but making it a natural aspect of processes from beginning to end.

Snyk: What tips do you have for getting development and security teams on the same page?

Marcin: I feel that empathy is something that should be promoted both among developers and security engineers. Security engineers need to understand the reality of the business and the reality of software development projects. Fixing all vulnerabilities before a release is, often, not an economically viable strategy and can lead to customer dissatisfaction or even financial losses (e.g. lost revenue due to a missed deadline). So, understanding each other’s priorities helps when navigating multiple timetables, making tough decisions, or when different processes need to be built.

Also, the more open the communication lines are between development teams and infosec team, the easier the collaboration will be. Infosec teams are often centralized — and for good reasons. So, enabling high-bandwidth communication between both sides is paramount to getting on the same page quickly.

Snyk: What is one piece of advice you would give to others in the security industry? What is the key to driving a collaborative approach in securing development?

Marcin: Start early. It is extremely hard to integrate security into already established processes. Full integration of security into the development and operations lifecycle requires a culture shift and that can be difficult for bigger and more stagnated organizations.

Snyk: In the next five to 10 years, organizations will most likely continue to face more and more security challenges. What will the biggest of those challenges be, in your opinion?

Marcin: The rate of change is tremendous, both in security and software development. Keeping up  with new trends in software development is essential for security engineers in order to be good partners with development teams. On top of that, the threat landscape also keeps evolving. So, we need to keep up with developments on this front, as well!

Another trend is the rise of supply chain risks. Traditionally, software development teams relied on tools and platforms provided by commercial vendors. With the rise of open source, this approach has changed. Recently, we have seen numerous attempts to exploit weak controls in the open source supply chain and, right now, we don't have a universal mitigation strategy. Auth0 uses Snyk, in part, to help us address the challenges of open source security.

Snyk: If you could change anything about the way security is handled today, what would it be?

Marcin: Treat security as one more quality attribute for evaluating your product, right from the start. It’s not much different from reliability, performance, or user experience. And it’s certainly not less important.