SmartBear announced a new version of its API design and documentation tool, SwaggerHub, integrating Stoplight’s API open source tools.
Spending Developers on Security - Part 2
July 11, 2018
How much are organizations investing in the shift to cloud native, how much is it getting them? ...
Start with Spending Developers on Security - Part 1
What's it Going to Cost Me?
Let's boil that into time spent. Let's assume a 50 person development organization, managing 500 functions, where each developer deploys a new version 3 times a week. Remember, in serverless, people tend to roll out changes more frequently, but then again the changes are often small (which is why the two-minute strategy can work in the first place).
So you're rolling out 3 ⨉ 50 = 150 versions a week across your teams, or 150 ⨉ 52 = 7,800 versions per year. From my experience, this is a low estimate. We have customers with considerably higher rates.
Let's assume that we measure how much time a developer or devop engineer spends on security per deploy, how frequently the permissions are missing which causes an exception during testing or production, and how much time is spent. Of course, these are just based on a small survey and you can play with numbers as you see fit.
As you can see, exceptions are pretty costly, as they are out of context. Also, as you read the impact of this, bear in mind that the level of security attained (as in, how well the security posture prevents future attacks and damages) varies drastically between the three strategies. Also, I've tried to estimate the yearly average rates. Exception rates are much higher for new functions, and drop much lower for mature functions, so this is just a simplification.
Here's how that adds up per year:
If we translate that into dollars, assuming a cost of $150k per engineer ($120k salary + $30k additional costs), you are spending:
Can I Improve on That?
You can, of course, try to make all your developers fundamentalists when it comes to security. There is no doubt that a little security awareness goes a long way. Having said that, it's a pretty expensive way to get the security you need.
Let's compare that to using tools to help you close the gaps. The idea is that if you have the right tools in place, within your deployment and monitoring workflows, then you catch things as early as possible, give developers detailed guidance on when, where and what to focus on, and keep security overhead to a minimum. You can achieve or even exceed the levels of the Fundamentalists, while spending less time than the Minimalists.
Let's add in the security tool strategy to the mix:
The main trick is to spend under a minute on average per deploy (mostly that's adding permissions you know you need, and handling build-time errors that come from wrong permissions). A side benefit is that the number of exceptions also drops significantly, since the security tools usually catch missing permissions as well, and you can fix that while the files are still open in your IDE.
How does this add up yearly?
So as you can see, while freeing up significant developer time, you can also improve your security, if you have the right tools in place.
Industry News
April 18, 2024
Red Hat announced updates to Red Hat Trusted Software Supply Chain.
April 18, 2024
Tricentis announced the latest update to the company’s AI offerings with the launch of Tricentis Copilot, a suite of solutions leveraging generative AI to enhance productivity throughout the entire testing lifecycle.
April 17, 2024
CIQ launched fully supported, upstream stable kernels for Rocky Linux via the CIQ Enterprise Linux Platform, providing enhanced performance, hardware compatibility and security.
April 17, 2024
Redgate launched an enterprise version of its database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.
April 17, 2024
Snyk announced the expansion of its current partnership with Google Cloud to advance secure code generated by Google Cloud’s generative-AI-powered collaborator service, Gemini Code Assist.
April 16, 2024
Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).
April 16, 2024
Pegasystems announced the general availability of Pega Infinity ’24.1™.
April 16, 2024
Sylabs announces the launch of a new certification focusing on the Singularity container platform.
April 15, 2024
OpenText™ announced Cloud Editions (CE) 24.2, including OpenText DevOps Cloud and OpenText™ DevOps Aviator.
April 15, 2024
Postman announced its acquisition of Orbit, the community growth platform for developer companies.
April 11, 2024
Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.
April 11, 2024
Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.
April 11, 2024
Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.
April 10, 2024
Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.
