Spending Developers on Security - Part 1
July 10, 2018

Hillel Solow
Protego

Securing cloud native applications presents an interesting challenge. Cloud native application developers view the cloud as an operating system, and they write for and run on that operating system. When it comes to security, this means spending time configuring this operating system to enforce security policies on the various parts of the application. In the cloud, this often translates into IAM roles, VPC configurations, etc.

In the shift to cloud native, many organizations have also adopted a configuration-as-code approach. This helps drive up application deployment velocity by letting developers and DevOps teams reconfigure their deployments as their needs arise. Other organizations, particularly the more regulated ones, still have security people owning these tools, but that creates increased pressure on the security organization to keep up.

Your Mileage May Vary

How much are organizations investing in this process, and how much is it getting them? I recently spent some time talking with developers using primarily serverless technologies, to understand how they handle security configuration.

If I oversimplify, there are three types of developers in the serverless arena:

Extreme Minimalists: This strategy can be summed up as "do nothing until you have to", or "why procrastinate today when you can procrastinate tomorrow", and basically means, don't touch security configuration until something you deploy to staging doesn't work, see what error you got, add a permission or configuration as needed.

Balanced Realists: Here the strategy consists of spending about two minutes before deploying a function reviewing roles and configuration, and trying to catch any missing or perhaps extra permissions or configurations before rolling it out. Handle the rest as exceptions.

High-Functioning Security Fundamentalists: This is less common, but not as extinct as one might think, and involves really reviewing the entire security configuration before each deploy, revalidating all permission, and tracking anything that might be missing.

As you can imagine, each profile ends up spending dramatically different amounts of time on security, and getting very different results. By and large the first group spends zero time on deployment, but then spends a lot more time when permissions are missing. In the end, they tend to still come out on top in terms of time spent, but are worst off in security, as by the time they see an error in the logs for some function that's missing permission, they're almost certainly going to drop a big wildcard in to get it working.

The second group tends to spend about two to three minutes per deploy, and still hit the occasional exception. Their security outcomes are somewhat better than the first group, but not a whole lot. They too have a lot of wildcards, but they are slightly better at removing old permissions that are no longer needed.

The third group spends 5-8 minutes per deploy but has a pretty low rate of exception after, and tend to have a much better security posture than the first two groups, both because they spend more time, but also because that time is spent within the mindset of "let me get the exact profile I need and no more." Bravo to them, but honestly, I don't think I could keep that up for long.

Read Spending Developers on Security - Part 2 to answer the question: What's it Going to Cost Me?

Hillel Solow is CTO and Co-Founder of Protego
Share this

Industry News

February 26, 2020

Perforce Software released a free tool for organizations considering open source software - OpenLogic Stack Builder.

February 26, 2020

Applause announced a new partnership with Infosys to provide broader end-to-end digital experience testing services to clients.

February 26, 2020

RapidMiner announced the release of its platform enhancement, RapidMiner 9.6. This update prioritizes people – not technology – at the center of the enterprise AI journey, providing new, unique experiences to empower users of varying backgrounds and abilities.

February 25, 2020

JFrog announced the availability of the "JFrog Platform," a hybrid, multi-cloud, universal DevOps platform.

February 25, 2020

Nureva added new agile canvas templates to Span Workspace, including a heat map developed by Jeff Sutherland, the co-creator of Scrum and founder of Scrum Inc. and Scrum@Scale.

February 25, 2020

Agiloft announced the addition of its new Agiloft AI Engine, complete with prebuilt AI Capabilities for contract management and an open AI integration that allows customers to incorporate custom-built AI tools into the no-code platform.

February 24, 2020

Cloudify announced that its latest product update - Cloudify version 5 - features an Environment as a Service component, designed to achieve consistent delivery and management of hybrid-cloud services and network infrastructures across CI/CD pipelines - at scale.

February 24, 2020

Checkmarx announced new enhancements to its Software Security Platform to empower more seamless implementation and automation of application security testing (AST) in modern development and DevOps environments.

February 24, 2020

Rapid7 and Snyk announced a strategic partnership to deliver end-to-end application security to organizations developing cloud native applications.

February 20, 2020

The American Council for Technology and Industry Advisory Council (ACT-IAC), the premier public-private partnership dedicated to advancing government through the application of information technology, officially announced the release of the DevOps Primer.

It was produced through a collaborative, volunteer effort by a working group from government and industry, hosted by the ACT-IAC Emerging Technology Community of Interest (COI).

February 20, 2020

DLT Solutions, a subsidiary of Tech Data, launched the Secure Software Factory (SSF), a framework that provides the U.S. public sector with consistent development and deployment of high-quality, scalable, resilient and secure software throughout an application’s lifecycle.

February 20, 2020

Netography announced the general availability of the company’s Security Operations Platform.

February 19, 2020

Perfecto by Perforce announced its integration with Katalon Studio.

February 19, 2020

Radware announced the Alteon Cloud Control as part of its Alteon Multi-Cloud Solution designed to simplify the deployment of secured application delivery services across public and private cloud environments.

February 19, 2020

BluBracket introduced its product suite, a comprehensive security solution for code in the enterprise.