Spending Developers on Security - Part 1
July 10, 2018

Hillel Solow
Check Point

Securing cloud native applications presents an interesting challenge. Cloud native application developers view the cloud as an operating system, and they write for and run on that operating system. When it comes to security, this means spending time configuring this operating system to enforce security policies on the various parts of the application. In the cloud, this often translates into IAM roles, VPC configurations, etc.

In the shift to cloud native, many organizations have also adopted a configuration-as-code approach. This helps drive up application deployment velocity by letting developers and DevOps teams reconfigure their deployments as their needs arise. Other organizations, particularly the more regulated ones, still have security people owning these tools, but that creates increased pressure on the security organization to keep up.

Your Mileage May Vary

How much are organizations investing in this process, and how much is it getting them? I recently spent some time talking with developers using primarily serverless technologies, to understand how they handle security configuration.

If I oversimplify, there are three types of developers in the serverless arena:

Extreme Minimalists: This strategy can be summed up as "do nothing until you have to", or "why procrastinate today when you can procrastinate tomorrow", and basically means, don't touch security configuration until something you deploy to staging doesn't work, see what error you got, add a permission or configuration as needed.

Balanced Realists: Here the strategy consists of spending about two minutes before deploying a function reviewing roles and configuration, and trying to catch any missing or perhaps extra permissions or configurations before rolling it out. Handle the rest as exceptions.

High-Functioning Security Fundamentalists: This is less common, but not as extinct as one might think, and involves really reviewing the entire security configuration before each deploy, revalidating all permission, and tracking anything that might be missing.

As you can imagine, each profile ends up spending dramatically different amounts of time on security, and getting very different results. By and large the first group spends zero time on deployment, but then spends a lot more time when permissions are missing. In the end, they tend to still come out on top in terms of time spent, but are worst off in security, as by the time they see an error in the logs for some function that's missing permission, they're almost certainly going to drop a big wildcard in to get it working.

The second group tends to spend about two to three minutes per deploy, and still hit the occasional exception. Their security outcomes are somewhat better than the first group, but not a whole lot. They too have a lot of wildcards, but they are slightly better at removing old permissions that are no longer needed.

The third group spends 5-8 minutes per deploy but has a pretty low rate of exception after, and tend to have a much better security posture than the first two groups, both because they spend more time, but also because that time is spent within the mindset of "let me get the exact profile I need and no more." Bravo to them, but honestly, I don't think I could keep that up for long.

Read Spending Developers on Security - Part 2 to answer the question: What's it Going to Cost Me?

Hillel Solow is a Cloud Security Strategist with Check Point
Share this

Industry News

June 26, 2025

Backslash introduced a new, free resource for vibe coders, developers and security teams - the Backslash MCP Server Security Hub.

June 26, 2025

Google's Gemma 3n is the latest member of Google's family of open models. Google is announcing that Gemma 3n is now fully available for developers with the full feature set including supporting image, audio, video and text.

June 26, 2025

Google announced that Imagen 4, its latest text-to-image model, is now available in paid preview in Google AI Studio and the Gemini API.

June 26, 2025

Payara announced the launch of Payara Qube, a fully automated, zero-maintenance platform designed to revolutionize enterprise Java deployment.

June 25, 2025

Google released its new AI-first Colab to all users, following a successful early access period that had a very positive response from the developer community.

June 25, 2025

Salesforce announced new MuleSoft AI capabilities that enable organizations to build a foundation for secure, scalable AI agent orchestration.

June 25, 2025

Harness announced the General Availability (GA) of Harness AI Test Automation – an AI-native, end-to-end test automation solution, that's fully integrated across the entire CI/CD pipeline, built to meet the speed, scale, and resilience demanded by modern DevOps.

With AI Test Automation, Harness is transforming the software delivery landscape by eliminating the bottlenecks of manual and brittle testing and empowering teams to deliver quality software faster than ever before.

June 25, 2025

Wunderkind announced the release of Build with Wunderkind — an API-first integration suite designed to meet brands and developers where they are.

June 25, 2025

Jitterbit announced the global expansion of its partner program and new Jitterbit University partner curricula.

June 24, 2025

Tricentis unveiled two innovations that aim to redefine the future of software testing for the enterprise.

June 24, 2025

Snyk announced the acquisition of Invariant Labs, an AI security research firm and early pioneer in developing safeguards against emerging AI threats.

June 24, 2025

ActiveState expanded support of secure open source to include free and customized low-to-no vulnerability containers that facilitate modern software development.

June 24, 2025

Pythagora launched an all-in-one AI development platform that enables users to build and deploy full-stack applications from a single prompt.

June 24, 2025

Cloudflare announced that Containers is in public beta.

June 23, 2025

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Agent2Agent (A2A) project, an open protocol created by Google for secure agent-to-agent communication and collaboration.