Product Security Maturity: From Startup to Enterprise
The VULNCON 2025 CXO Panel, titled "Product Security Maturity: From Startup to Enterprise," brought together leading experts to discuss the evolution of product security functions as companies scale. Moderated by Vandana Verma, the session featured insightful discussions from Ashwini Siddhi, Neelu Tripathy, and Sai Lakshmi Sathyanarayanai. The core focus of the panel was to explore how organizations, from early-stage startups to established enterprises, successfully build, integrate, and mature their security programs.
Defining Product Security: More Than Just AppSec
The panelists first established a holistic definition for product security.
Sai Lakshmi Sathyanarayanai emphasized that product security is crucial across any organization—not just technology firms—that uses technology to manage, monitor, or build products. For an enterprise, product security expands to ensure that everything it creates for its businesses is secure. She views the concept as ensuring that products are being built the right way, encompassing the People, Process, and Technology elements.
Neelu Tripathy defined it simply as security of the product end-to-end. This includes securing the entire chain, starting from the design and ideation phase, through the development requirements, and extending until deployment and protection of end-customer data. She coined it as "AppSec+product"—Application Security plus additional layers covering hardware or cloud components.
Building vs. Scaling: Prioritization at Different Stages
A key discussion centered on why security practices differ drastically between startups and large enterprises.
| Company Stage | Focus and Strategy | Key Advantages/Challenges |
|---|---|---|
| Startup / Seed Stage | Focus on what is critical: data, intellectual property (IP), and online assets. | Advantage: Scale is not an issue; processes and automation are highly manageable and controllable. The organization can afford to evolve security gradually. |
| Enterprise Level | The product represents the organization's brand; security failure affects reputation. Security must be assessed across the entire life cycle (risk, process, technology, and people). | Challenge: Scale introduces immense complexity. Processes must account for vendors, suppliers, customers (B2B/B2C), and numerous regulations. Systems can break down when securing or scanning at enterprise scale (e.g., millions of requests or thousands of people). |
The panel's rule of thumb: you don't worry about AI security if your product doesn't use AI. This underscores the need to prioritize based on the business context.
Foundational Strategies: Frameworks and Threat Modeling
The discussion provided concrete strategies for integrating security into the Software Development Lifecycle (SDLC):
- Leveraging Frameworks: Ashwini Siddhi recommended using OWASP SAMM (Software Assurance Maturity Model), which covers various stages of development (design, requirements, testing, deployment). SAMM defines maturity levels (1, 2, and 3).
- Level 1 Maturity: Focuses on foundational implementation (e.g., just performing threat modeling).
- Level 3 Maturity: Requires the process to be managed, repeatable, optimized, and efficient so that development teams are not overburdened.
- Context-Driven Threat Modeling: While frameworks like STRIDE are helpful, Neelu Tripathy noted that high-maturity teams should move beyond just theoretical models. Instead, they should focus on understanding the specific risk context and data integration points of their system to identify threats that truly impact the business. Prioritizing based on practical business impact ensures remediation efforts are sustainable.
Managing Third-Party and Open Source Risk
With 80% to 90% of current software based on open-source components, addressing third-party dependencies is critical.
- Engineering Controls (Inside-Out): Neelu suggested that a strong, declarative dependency management system is a big win. This system helps scan, version, and pin dependencies. A declarative approach to building ensures transparency by defining the exact versions required in the product, which, coupled with commit signing, strengthens open-source security.
- Enterprise Governance (Top-Down): Sai highlighted that enterprises manage this risk through Third Party Risk Management (TPRM). TPRM requires external suppliers and vendors to meet security credentials and provides a basis for accountability. Sai also advised organizations to leverage existing enterprise security functions instead of creating siloed controls solely for product security.
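The "declarative dependency management" control described above (exact versions pinned, so the build is transparent and reproducible) is easy to state and easy to let slip. The following checker is an added example, not code from the panel or any panelist's organization: it audits a pip-style requirements lockfile and reports every dependency that is not pinned with `==` or that carries no `--hash`, which is the condition under which a resolver or a compromised index could silently substitute a different artifact. The lockfile text is constructed for the example and its hash value is a placeholder, not a real digest.

```python
"""Audit a pip requirements/lockfile for the declarative-pinning properties
discussed in the panel: exact version pins and per-artifact hashes.

Added example. The sample lockfile below is constructed; the sha256 value
in it is a placeholder, not a digest of any real package.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# name, optional [extras], then an exact '==' pin (PEP 508 style)
EXACT_PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*(?P<version>[^\s;]+)"
)
ANY_NAME = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)")
# pip's hash-checking mode expects --hash=sha256:<64 hex chars>
SHA256_OPT = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line_no: int   # line where the logical requirement starts
    name: str
    problem: str


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join pip-style backslash continuations and drop comments/blank lines."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = None
    for idx, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comment
        if not line.strip():
            continue
        if start is None:
            start = idx
        if line.endswith("\\"):                # continuation: keep buffering
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:                                    # dangling continuation at EOF
        out.append((start, " ".join(buf)))
    return out


def audit_lockfile(text: str) -> List[Finding]:
    """Return one Finding per violated property, in file order."""
    findings: List[Finding] = []
    for line_no, line in logical_lines(text):
        if line.startswith("-"):               # -r, --index-url etc.: not a package
            continue
        tokens = line.split()
        req, opts = tokens[0], tokens[1:]
        m = ANY_NAME.match(req)
        name = m.group("name") if m else req
        if not EXACT_PIN.match(req):
            findings.append(Finding(line_no, name, "not pinned to an exact version (==)"))
        if not any(SHA256_OPT.match(t) for t in opts):
            findings.append(Finding(line_no, name, "no valid --hash=sha256: artifact integrity not verified"))
    return findings


# Constructed sample lockfile; the hash is a placeholder of 64 zeros.
SAMPLE_LOCKFILE = """\
# constructed sample; not a real project's lockfile
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26          # range specifier: resolver may pick a new release
certifi                # no version at all
flask==3.0.0           # pinned, but no hash
"""


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"line {f.line_no}: {f.name}: {f.problem}")
```

Run as a pre-merge or CI gate, a non-empty result fails the build, which turns the panel's "exact versions required in the product" from a convention into an enforced property. The lockfile itself should then be committed with signed commits (for git, `git commit -S` on the author side and `git verify-commit` in the pipeline), so that both the pinned versions and the change history that introduced them are tamper-evident.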
The Human Element: Mindset and Champions
The most powerful lessons from the panelists focused on the importance of people and cultural change.
- The Power of the Business Champion: Sai shared a story about a mainframe migration project that was stuck for six months, stalled by the need for 75 different approvals. The turning point came when they brought in a Security Champion from the business team—someone who could translate the technical requirements into clear business value. With that alignment, a six-month delay became a one-month implementation. The takeaway: when the business isn’t invested, product security remains just a “tech story.”
- Collective Mindset – Neelu’s Story: During the Log4j vulnerability crisis, Neelu’s small security team was flooded with remediation demands. They succeeded by activating their network of 300 Security Champions across the organization. This widespread “security mindset” enabled them to rapidly implement alternate controls and address issues across diverse technology stacks. It proved that a strong, mature security culture is invaluable when confronting large-scale, unexpected security challenges.
- Understanding Scope – Ashwini's Story: Ashwini recalled a pivotal early-career moment when she unintentionally brought down an entire network during a vulnerability scan. The experience taught her a critical lesson: always understand the scope. Security is a continuous game—so focus first on delivering the smallest, smartest solution that meets the core objective before attempting to solve everything at once.
Looking Ahead: The Impact of EU CRA
The panel also addressed future regulatory shifts, specifically the impact of the upcoming EU Cyber Resilience Act (CRA), which is expected to apply around 2027.
Ashwini viewed the CRA as a positive necessity. The CRA aims to clarify the ambiguity around "reasonable security" which currently varies widely across organizations. It will standardize cybersecurity controls, even for open-source products, offering consumers a trust factor ("CRA Certificate"). While implementation will require significant effort and force enterprises to "reinvent some things," it will also push organizations to achieve higher maturity levels sooner if they intend to sell products in the EU.