Security responsibilities are often placed on end users, with less focus placed on the developers responsible for building the products.
To successfully democratize security for developers, security must be the path of least resistance. It's about making security the simplest choice. Building a secure application must be easier than building an insecure one.
As Wendy Nather of Cisco said in her 2020 RSA keynote: "Security should be designed to be adopted rather than just engineered to be enforced."
As the adoption of modern development practices increases, developers are being encouraged to own the release management lifecycle of their products. The rapid pace of app development, however, has made it challenging for security teams -- which often lack resources -- to keep up. It's difficult for security teams to provide developers with accessible, applicable and actionable guidance in a timely manner. In the end, developers go without the necessary security guidance, which means applications are often deployed with security flaws.
The same development practices exacerbating these challenges, however, have also helped advance technologies to address these issues.
Infrastructure as code (IaC) is one such technology. Modern development practices use IaC to define application architectures as code and automate the deployment of these architectures. With IaC, application architectures become more secure and compliant by simply updating code. IaC helps provide developers with accessible, applicable and actionable guidance on how their application architecture should be designed for security.
What does democratization require?
Security teams are rarely involved in the early stages of the development process. When they do engage, they typically rely on manual, document-based workflows in a Word document or Excel sheet. Modern security practices should embrace automation in modern development workflows. This will enable security teams to view the entire application portfolio, engage early and provide developers with guidance when making changes through IaC.
Democratization for developers should focus on ensuring security guidance is applicable to the product or feature under development. General guidance will be ignored or rejected by developers, so guidance must be clear and relevant.
Developers and security engineers don't speak the same language. Security terms are often complex or inaccessible to developers. It's important that guidance is delivered in simple terms that are easy for developers to understand.
Security training is another key component in the democratization of security. Good security training helps developers understand security concepts without requiring them to become security experts. This strategy also helps developers better understand guidance from their security peers.
A strong feedback loop should also exist between development and security teams. As security guidance is provided, feedback should drive continuous improvement.
How do we automate security features?
To make security the path of least resistance, we need to make security requirements -- the what -- accessible and applicable, but we also need to help developers address the how. IaC expresses the guidance for the how as code. If you can automate the how, security becomes as simple as developers doing their job.
When best practices are automated with code, developers don't need to be security experts. Instead, developers just need to understand their business use cases and their objectives surrounding security and compliance. Understanding the needs of their application -- who their consumers are, what regulations or standards the application needs to comply with and so on -- is already part of their job description. Using this method removes a lot of the friction and cultural issues that often stand in the way of democratization.
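To make the what/how distinction concrete, here is an added example (not code from the article or from Oak9) that evaluates a constructed, tool-neutral IaC definition against a few best-practice rules. Each rule carries the requirement in plain language (the what) and the concrete setting that satisfies it (the how), and harden() applies the how automatically so the secure configuration becomes the default.

```python
import copy

# Constructed sample: a tool-neutral IaC definition of a small application.
# Resource types, keys and values are assumptions for this example, not a real
# Terraform/CloudFormation schema.
SAMPLE_IAC = {
    "app_storage": {"type": "object_storage", "public_access": True, "encryption": None},
    "app_db": {"type": "database", "public_access": False, "encryption": "aes256"},
    "app_lb": {"type": "load_balancer", "tls_min_version": "1.0"},
}

def _tls_version(res):
    # Parse "1.2" -> (1, 2) so versions compare numerically, not as strings.
    return tuple(int(p) for p in res.get("tls_min_version", "1.0").split("."))

# Each rule: (resource types it applies to, predicate that is True when the
# resource is already secure, the "what" in developer language, the "how" as
# the concrete settings to apply).
RULES = [
    ({"object_storage", "database"}, lambda r: not r.get("public_access"),
     "Data stores must not be reachable from the public internet.",
     {"public_access": False}),
    ({"object_storage", "database"}, lambda r: bool(r.get("encryption")),
     "Data at rest must be encrypted.",
     {"encryption": "aes256"}),
    ({"load_balancer"}, lambda r: _tls_version(r) >= (1, 2),
     "Public endpoints must require TLS 1.2 or newer.",
     {"tls_min_version": "1.2"}),
]

def evaluate(iac):
    """Return findings as (resource name, what, how) for every rule a resource fails."""
    findings = []
    for name, res in iac.items():
        for types, is_secure, what, fix in RULES:
            if res.get("type") in types and not is_secure(res):
                findings.append((name, what, fix))
    return findings

def harden(iac):
    """Apply each finding's 'how' to a copy of the definition; the input is left untouched."""
    fixed = copy.deepcopy(iac)
    for name, _, fix in evaluate(iac):
        fixed[name].update(fix)
    return fixed

if __name__ == "__main__":
    for name, what, fix in evaluate(SAMPLE_IAC):
        print(f"{name}: {what} Fix: {fix}")
    print("Findings after hardening:", evaluate(harden(SAMPLE_IAC)))
```

In a pipeline, evaluate() is the gate that surfaces guidance in the developer's own vocabulary, while harden() is the secure default that makes the compliant architecture the easiest one to ship.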
Automating best practices within code helps improve the secure development process. We're approaching a tipping point, where democratized security is not only possible, but will strengthen the relationship between developers and security teams.
About the authors
Aakash Shah is CTO and co-founder of Oak9. He has worked in the cybersecurity industry for more than 17 years, and he has experience with developing cybersecurity strategies, building security products and contributing to industry standards.
Om Vyas is chief product officer and co-founder of Oak9, an organization that helps integrate security into the development lifecycle. He has more than 15 years of experience in leading product development and business process efficiency.