How Shell enables autonomous secure software delivery

Apiiro Co-Founder and CEO Idan Plotnik sat down with Adam Jordan, Distinguished Engineer & Head of Secure, Sustainable Software at Shell, to talk about Shell’s approach to secure software development. In the video, they discuss how Shell enables autonomy for engineers to deliver secure software, the importance of defining strong security controls and leveraging automation, and how to measure and articulate AppSec success.


Video Transcript

Adam Jordan: Delivery teams need to deliver software that delivers some business value. If they can do that without having to worry about risk controls, because we have enough security mechanisms that also sit around them, then we don’t need to try to micromanage our teams. It gives them autonomy to deliver with some freedom, which is really required when you talk about hundreds of teams or thousands of engineers.

Idan Plotnik: Thank you very much for joining us today. Can you tell me a little bit about yourself, about your role at Shell?

AJ: I’m Adam Jordan. My title is a distinguished software engineer and also the head of secure and software development, which is more or less a group that’s focused end to end on software and application security.

IP: Can you tell me a little bit about your team’s day-to-day?

AJ: So my team consists of just a handful of experts primarily focused on application security, who then facilitate groups all over the rest of the company to be able to understand how best to apply software engineering/application security type skills. We’re looking at how do we continue to revise our controls so they make sense while enabling the delivery team to do it successfully.

IP: Are you a blocker or enabler for these software developers?

AJ: We play both roles depending on the circumstance. It’s more about how do we manage risk in a way that allows us to deliver software. Because if we’re not delivering software, then the team doesn’t need to exist in the first place.

IP: What are your top application security goals today?

AJ: Our overarching goal is, more holistically, to keep Shell safe. The way we do that is providing sort of a comprehensive view of how do we build secure software while giving enough guidance to be able to understand risk, tie it to our controls, and then also see how it’s working once we deliver it out of Shell, including cybersecurity.

IP: How do you manage the risk at the scale of Shell? 

AJ: It can’t be done person by person. It requires automation and oversight, because if you handle everything on a case-by-case basis and your mechanisms don’t allow that freedom, your team will get heavily bogged down or you end up with an organization with hundreds of people.

IP: How do you measure success around application security?

AJ: Our teams, using the tools, are supposed to be scanning appropriately, meeting policies such that it’s within a reasonable risk tolerance from an organizational health standpoint, and that we provide tools that are actually able to fulfill those needs to deliver it in an efficient way.

IP: How do you articulate that value up the chain to the business?

AJ: We treat that as an investment. So we are going to invest x dollars. What do we get in return? And that return could be, in the case of managing risk, it could be in productivity, it can be in a simplification of our organization or another set of factors that play into that. But really it’s just a value proposition.

IP: What are the biggest challenges you face?

AJ: Often what we’re seeing is that it’s the adoption of new practices and processes. So even if it’s a net positive, it’s still a change. And changes take time. It takes that whole adoption curve for delivery teams. And so that’s always going to be a challenge. It’s still people at the end of the day.

IP: What advice do you have for other organizations facing similar challenges?

AJ: Is it getting safely to the consumer at the end of the day? And remember that core responsibility in order to do the job effectively.

IP: So how do you see the secure software development space evolving?

AJ: I’ve always been a fan of zero config tools and operations so that they don’t need to think about anything and we can just oversee it. That’s clearly going to be the trend, and that’s just because software engineers just cannot survive in the current climate without a drive to make it simpler.

IP: Adam, thank you so much for joining us today. It was a pleasure. Thank you.