Tim Hinrichs is a co-founder of the Open Policy Agent project and CTO of Styra. Before that, he co-founded the OpenStack Congress project and was a software engineer at VMware. Tim spent the past 18 years developing declarative languages for different domains such as cloud computing, software-defined networking, configuration management, web security and access control. He received his Ph.D. in computer science from Stanford University in 2008.
In the past, responsibility for data privacy and security fell on non-development teams, like IT, security or compliance. But this is changing.
Thanks to the adoption of cloud native technologies and trends like policy-as-code, developers are more focused on security than ever. According to the Styra 2022 Cloud-Native Alignment Report, over half of developers think their organization should enhance its data privacy efforts in the next 12 months. And more than three-quarters (77%) of IT decision-makers agree.
This security-focused mindset is a good thing. Developers have an opportunity to step up within their organizations and help future-proof in-app security. But this requires more than just the right attitude.
To make real change, developers need to follow development, security and operations (DevSecOps) best practices and adopt the right technologies.
The Cloud Prompted a New Era of Security
Developers’ interest in security has been a long time coming. Google search data shows that queries for terms like “what is DevSecOps” and “DevSecOps vs. DevOps” first popped up in 2014 and have been steadily rising since 2017.
The cloud, microservices, containerization and APIs are responsible for this burgeoning interest. These innovative technologies aren’t only changing the way applications are built and operated, they’re also changing what’s needed from a security perspective. In a modern environment, developers, engineers and architects need to think about data privacy and security because today’s applications benefit from having security measures baked into discrete components.
Before the cloud became as ubiquitous as it is today, traditional cybersecurity relied on a perimeter-based model. Measures like firewalls and browser isolation systems essentially “surrounded” on-premise networks and systems. Applications and data were secure because they were hosted on physically isolated infrastructure. In this setup, developers focused on application building, and IT teams focused on security.
But as organizations start their digital transformation journeys, IT can’t simply build barriers around their tech environments. This shift to the cloud opens up more attack surfaces, making cybersecurity more complex and requiring security to be built in from the beginning. At the same time, microservices architecture revolutionized software development, making in-app security more important than ever.
Before microservices, most applications consisted of several monolithic chunks of code. Changes to even one line of code could affect the entire application. But today, microservices allow applications to be broken into hundreds of individual software pieces. These pieces of code are more sophisticated than ever and enable software teams to make frequent changes without affecting the rest of the application.
That leaves developers, IT teams and their companies with essentially two choices: 1) Use microservices architecture to their advantage and embed hyper granular security controls within applications or, 2) keep using traditional layered security controls and approach cybersecurity in a siloed, reactionary manner, which we know creates higher security and compliance risks.
3 Ways Developers Can Boost In-App Security
While the cloud and microservices may open up more vulnerabilities for organizations, a DevSecOps mindset and the use of authorization — controlling who and what they can do — can help software teams close the gaps. I’ve seen first-hand how organizations enhance application security by improving their authorization posture, and I believe that with the following best practices, developers can sharpen their authorization skills and improve application security:
- Talk security early and often. No matter how software planning and development operates at your organization, it’s never too late to make a change. Start a dialogue with your architects and security teams to see how your organization can incorporate security into application features from the get-go.
By incorporating security at the design stage, it’s easier to determine where security can be built broadly into platforms and where authorization will need to be built into specific services. For example, with some forethought, you can design your application’s APIs in a way that makes it simple to add authorization. Discussing security early and often can help you develop an application that is both zero-trust and compliant by design.
- Standardize knowledge and language. Though authorization is relatively straightforward, there are many languages and policy structures developers can choose from. Without standardization, it can be difficult for software teams to work together, update policies and scale security.
Encourage your team to adopt open source standards like Open Policy Agent (OPA), the de facto approach to authorization; SPIFFE, a robust approach to machine authentication; and Envoy, a widely adopted network proxy for enforcing policy. These projects, along with others owned by the Cloud Native Computing Foundation (CNCF), are free to use and can be combined to help you consistently enforce authorization policies across your applications and infrastructure.
- Create a framework. The Styra 2022 Cloud-Native Alignment Report found that most IT decision-makers and developers aren’t aligned on which teams manage various policy, compliance and cloud security responsibilities. To prevent the consequences that come from a lack of alignment, like wasted time and redundant work — or worse, missed responsibilities and a vulnerable cloud environment — establish a policy life-cycle framework.
With developers, product managers, operations, security and compliance teams all working on authorization, a framework will ensure clear ownership of responsibilities, clear expectations across the board and streamlined workflows. In addition to improving policy management, a framework will also make it easy to onboard new employees and technologies.
As more applications are designed, built and deployed on cloud native architecture, security will only become more integral to developers’ roles. The longer developers and organizations resist a DevSecOps mindset, the more catch-up they’ll have to do in the end.
By embracing a security-focused mindset now and adopting authorization best practices, your software team can support application security, data privacy and compliance from the very beginning of the development lifecycle.
Feature photo by FLY:D on Unsplash.