Product Manager Security Training Reference Guide – The Product Manager Checklist

Learn more about Dell’s Security Inquiries


• External/Internal security inquiries are submitted to the Customer Security Request Portal.
• Initial review is handled by the Security and Customer Trust team (S&CT). Any security inquiry about products or applications that is unrelated to physical security is escalated to the Product and Application Security, Customer Security team.
• To find answers to customer security and enterprise security questions, reference the Customer Product Security FAQ.

Implement Steps to Reduce the Cost to Deliver Software


Ensure that
✓ Customer feedback for enhanced security capabilities has been evaluated and prioritized.
✓ Necessary resources have been allocated to complete the security requirements.
✓ Necessary resources have been allocated to complete the activities, and a plan to integrate security into technical debt is addressed as part of the product backlog.
✓ Appropriate time has been set aside to perform security activities, and velocity has been adjusted to ensure the security requirements are properly implemented.

Internal Use - Confidential


1. Implement 5 Principles of Product Security Mindset
1. Balance the Product team
✓ Be sure the product team understands that security is everyone’s responsibility.
✓ Establish security roles: Product management, Product engineering, Secure Development Champions, Vulnerability Response Champions.
✓ Ensure security role personnel are trained on security practices.

2. Manage the Unexpected - Be sure to always plan for scope creep, which will allow you to respond with little impact.
3. Employ Security Business Requirements – Be sure to understand industry security trends and define the security capabilities that meet customers’ needs.
4. Manage Third Party Risk - Make sure you are identifying the risks and addressing those risks through the security terms in the supplier contract.
5. Integrate Security Into the Development Lifecycle - Be sure to integrate security into the development lifecycle to increase product quality by discovering and remediating vulnerabilities.
Understand Vulnerabilities. A vulnerability is a weakness in supported products, applications or cloud services that can be exploited, resulting in a negative impact to the confidentiality, integrity, and/or availability of the supported products, applications, or cloud services. A vulnerability can be in two states:
• Potential vulnerability - a security weakness that has been determined to be exploitable, but has NOT yet been determined to have an impact. It moves from potential to confirmed when impact is determined.
• Confirmed vulnerability - a security weakness that has been evaluated and confirmed to have an impact on the product, application, or cloud service if exploited.
In the Requirements Phase, be sure to meet the security terms in contractual agreements, and review and sign off on the Security Engineering Plan for those teams following the Offer Lifecycle Process (OLP) framework.
Designing security into your product, application or cloud service is accomplished by incorporating secure design principles. Examples: Threat Modeling, Design to Deliver Security Updates.
Perform security testing. This is the most effective method of finding security defects in a product, application or cloud service. Four distinct security testing services are available: Network Vulnerability & STIG Scanning, Web Application Security Testing, Verify SDL Control Implementation, and Independent Security Testing.
Consider the DevSecOps program. This program focuses on the "Security by design" practice, ingrained and automated in DevOps: continuous monitoring, measurement and reporting of SDL controls, automatic enforcement of SDL controls, and efficient security vulnerability handling through instrumentation of audit and logging.
Understand the business impact of a vulnerability.
• Technical risk - The impact that the vulnerability has on the product, application, or cloud service: difficulty of exploitation; pervasiveness; ease of discovery; CVSS score; and available workarounds and mitigations.
• Privacy risk - The potential loss of control over personal information. Complete a Privacy Impact Assessment (PIA) within Archer.

1. Balance the Product team - Ensure the product team functions as a strong team and understands that security is everyone’s responsibility. Each member of the product team is responsible for security. Dell requires that organizations establish roles within their teams to ensure that security is integrated into Dell’s products, applications, and cloud services, and that they remain secure throughout their supported lifecycle. Individuals with these security roles are trained by the Security & Resiliency Organization Product & Application Security Team, and then these individuals ensure that their product team is trained on these security practices.

Integrating Security In Development


Phases: Plan Start, Plan, Develop, Launch, Sustain.

Engineering Team
• Plan Start / Plan: Completes Security Engineering Plan (SEP).
• Develop:
  ▪ Implements the commitments in SEP.
  ▪ Completes the SDL Assessment in Virtual Security Consultant.
  ▪ Archives SDL Assessment with SRO/PAS.
• Launch:
  ▪ Ensures RFD items complete.
  ▪ Completes documentation / deliverables.
• Sustain: Sustains with maintenance releases:
  ▪ Updating Third Party / Open-Source Components.
  ▪ VR Response.
  ▪ DSAs.

Program Manager
• Plan Start: Ensure the correct version of the Security Engineering Plan (SEP) is used by the Engineering Team.
• Plan: Verify:
  ▪ Security Engineering Plan has been filled out.
  ▪ There are answers for each OLP phase in the document.
• Develop:
  ▪ Track the commitments made by the engineering team.
  ▪ Review SEP and obtain attestation to ensure activities are completed.
  ▪ Verify the SDL Assessment is completed, and confirm the SEP and the SDL Assessment are archived.
• Launch: Verify:
  ▪ RFD checklist completed by the Engineering Team and yourself.
  ▪ Deliverable documentation completed.
  ▪ The SDL Assessment archived.
• Sustain: Track and verify activities as if initial launch.