As modern businesses shift technology to infrastructure-as-a-service (IaaS), development teams have begun to take on a more strategic role in the direction and success of their organizations. This includes the creation and delivery of cloud-native applications as companies move more operations to the cloud.
In a growing trend, developers are taking on the management of the very infrastructure supporting today's digitally driven businesses. What does this mean for IT and application security?
Traditionally, infrastructure has been managed by system administrators who manually configured the hardware and software necessary to run applications. With the adoption of cloud computing, manual configuration has given way to infrastructure as code (IaC), enabling greater efficiencies in costs, labor and time.
Increasingly, organizations’ development teams are becoming more involved in strategic infrastructure decisions, defining exactly what their software infrastructure looks like. Infrastructure is becoming developer-defined, and anything done outside the dev team is the exception instead of the rule. Developers reading, writing, and modifying code is becoming the process by which systems are built and managed, and how technology is deployed.
Security as Code
This is interesting when one considers the security of this infrastructure and the applications that run on it. Automation is a key element to modern application security. By automating manual processes in code, developers can turn their attention from the infrastructure to focus on finding and fixing software issues earlier in the production cycle.
Tracking what they build and where it’s deployed also allows developers to react to changes in the threatscape. When they learn of new threats, they can quickly change their Infrastructure as Code (IaC) to update software or API versions or configuration and redeploy it. They can then commit those changes and now every release moving forward is remediated.
Through security as code, developers can also encode specific processes and rules in a script in the build pipeline, thereby ensuring 100% compliance. An example would be using command line static analysis to test for the OWASP Top 10 and failing a deploy if any were detected. Removing the human element speeds up the development process and improves security. This process and policy is in code and committed to the repo just like the source code of the project.
It’s not just IaaS users automating security — cloud providers like AWS are patching operating systems as new threats are detected. All of computing is becoming more automated and security is benefitting as a result.
Security and development - an evolving partnership
As speed and time-to-market continue to be competitive advantages for software providers, there are several considerations enterprise organizations need to think about. The traditional software security model has been highly operational with the security team testing software and submitting tickets for fixes, auditing code and overseeing compliance. Now, with developers managing and configuring the applications directly, the role of the security team is shifting.
In this evolving model, security takes on a consultative role for developers focusing on policy, governance, and oversight. Security teams will leave the testing, triaging and fixing of flaws to developers, and instead will define policy enforced through compliance as security as code.
This model only works if the development team has the education and training to fix security issues. Solution providers should consider the following steps to empower developers to manage security:
- Meet in the middle. Developers don’t need to be security experts, but they need to have AppSec awareness to understand what the problem is and identify a path to address it.
- Identify security champions. Find developers interested in security to act as champions for the development team to help acquire and deliver the knowledge to address security needs across teams.
- Decentralize security decisions. Some decisions the security team currently owns, such as mitigation approvals, can be decentralized and owned by the development team. This paves the way for security teams to audit decisions after the fact, removing a common roadblock in the app security process.
- Provide security training. There are countless training tools and opportunities for developers to learn basic application security, but very often this training is left to the individual developer. By providing hands-on, interactive training, developers can build the skills necessary to shift security left.
Cloud computing and automation continue to accelerate the speed of application development and delivery. As a result, development teams will become more involved in application and infrastructure management and security, leveraging automation to mitigate inefficiencies and improve speed of deployment.
By ensuring developers have the security support and training they need to address security issues on their own, organizations can best meet the demand for faster time-to-market.