Modern cyber security tooling should empower developers
I truly believe in the necessity of Cyber products, but modern companies will truly improve their security if and only if their developers are engaged in the effort.
This article surfaces the gap in the traditional Cyber world, which is stuck all the way to the right, waiting for dev-first companies to shift it left.
A bit about myself
In the last year I have been working as an engineering team lead at Snyk, a dev-first open source security company aiming to help developers use open source in an easy and secure manner. In the years before that I was deep in the Cyber world, which is classically divided into major categories like endpoint protection, VA/VM, BAS (breach and attack simulation) and more. Over the years I have worked closely with several of those categories.
I have always worked as a developer or engineering team lead, and I want to share my perspective on why it is crucial for the Cyber world to shift left and give much more attention to developers.
The traditional cyber world
Let’s talk a bit about the traditional Cyber world! Traditional Cyber relies on the technologies that ruled the world and on the functions that managed security in the past. Therefore most traditional Cyber products target the CISO/CIO/ops/security functions in companies, and to do so they normally feature beautiful dashboards that can be shown on big SOC/NOC screens, extensive reporting options, SIEM integrations, etc.
Additionally, traditional Cyber products are often on-prem only, focused on non-modern methodologies like running virtual machines in your production environments, relatively long deployment cycles and more. Thus the security/ops departments are the ones responsible for patching those virtual machines, setting the network configuration, the security configuration and more.
This gets a small twist if we look at somewhat more modern Cyber companies, where the exact same concepts are applied to cloud environments, targeting Kubernetes clusters or other cloud environments as the production environment.
Traditional Cyber divides the world into the good vs the bad, who are called by different names in different contexts: attackers vs defenders, red team vs blue team and more.
Enter modern Cyber world
The ops world is changing quickly: it moved from deploying on dedicated virtual machines at VPS hosting providers, to virtual machines at cloud providers, to container-based environments in the cloud.
As a result, operations ownership, which previously belonged solely to the ops team, gradually moves towards the ones who build the software and the containers wrapping it — the developers!
Security ownership also gradually moves left towards developers, for the exact same reasons.
So as I said, the traditional Cyber world is divided into attackers vs defenders, which leads to products that target the ops/security departments. This approach misses the most important ingredient for actually improving your company’s security — the ones responsible for fixing those issues, the developers.
Dev-first Cyber products
This gap of not targeting developers as consumers sometimes leads to resentment from developers towards the ones who order them to fix security issues in a non-actionable manner.
We, the developers, are a very different kind of people :) We don’t care so much about beautiful dashboards; we prefer clear, simple and actionable tools. We want maximum value with minimum effort, and if some effort is needed it had better be dev-friendly.
I truly believe in the necessity of Cyber products, but modern companies can truly improve their security if and only if their developers are engaged in the effort.
In shift-left terms: from my experience I believe that the future Cyber world will be dominated by dev-first companies moving to the right rather than traditional Cyber companies moving to the left.
Therefore, in order to keep pace, I think Cyber companies will have to adapt their products to the developer audience, which means suggesting remediation in a dev-friendly way, for example:
- Converting traditional patch management systems into features that help developers reduce vulnerabilities in their container images
- Opening pull requests to fix found vulnerabilities
- Opening pull requests to change network configuration in Kubernetes YAML files/Helm charts to reduce security risk
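What "remediation in a dev-friendly way" can look like in code, as an added example that is not part of the original article and not Snyk's code: instead of only reporting findings on a dashboard, the helper below reads a Kubernetes Deployment (a constructed sample, embedded as the dict a YAML or JSON parser would return, with a made-up image name), produces a hardened copy of the container securityContext, generates a default-deny ingress NetworkPolicy for the Deployment's pods, renders the change as a unified diff and writes the text a tool would put in the pull request. The hardening baseline and the use of key-sorted JSON (rather than YAML) for the diff are assumptions of this example. It deliberately does not pick a new image tag: that is a decision for the developers, so it stays in the PR description as an open item rather than being guessed by the tool.

```python
"""Added example (not code from the original article or from Snyk): a dev-first
remediation helper that turns findings into a proposed fix, a diff and PR text."""
import copy
import difflib
import json

# Constructed sample: a Deployment as the dict json.load() or a YAML parser
# would return for a manifest in a repository. The image name is made up.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "api"}},
        "spec": {"containers": [{
            "name": "api",
            "image": "example/api:latest",
            "securityContext": {"privileged": True},
        }]},
    }},
}

# Baseline the remediation applies to every container (an assumed policy).
HARDENED_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
}

def containers(manifest):
    # Container list of a Deployment-like manifest (empty if any level is absent).
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])

def check_container(container):
    """Human-readable findings for one container spec, in a fixed order."""
    findings = []
    sc = container.get("securityContext", {})
    if sc.get("privileged"):
        findings.append("privileged: true gives the container full host device access")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not set; the process may run as uid 0")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not disabled")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("Linux capabilities are not dropped")
    image = container.get("image", "")
    if ":" not in image or image.endswith(":latest"):
        findings.append("image tag is mutable (untagged or :latest); pin a version or digest")
    return findings

def check_manifest(manifest):
    """Map container name -> findings, only for containers that have any."""
    report = {c.get("name", "<unnamed>"): check_container(c) for c in containers(manifest)}
    return {name: f for name, f in report.items() if f}

def remediate(manifest):
    """Hardened deep copy of the manifest; the input is left untouched.
    The image tag is not changed on purpose: choosing a version is a developer decision."""
    fixed = copy.deepcopy(manifest)
    for c in containers(fixed):
        sc = c.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc.update(copy.deepcopy(HARDENED_CONTEXT))
    return fixed

def default_deny_ingress_policy(manifest):
    """NetworkPolicy selecting this Deployment's pods with no ingress rules,
    which denies all ingress traffic to them; a PR would add it beside the Deployment."""
    labels = manifest.get("spec", {}).get("template", {}).get("metadata", {}).get("labels", {})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": manifest["metadata"]["name"] + "-deny-ingress"},
        "spec": {"podSelector": {"matchLabels": labels}, "policyTypes": ["Ingress"]},
    }

def manifest_diff(before, after):
    """Unified diff of two manifests rendered as stable, key-sorted JSON."""
    a = json.dumps(before, indent=2, sort_keys=True).splitlines(keepends=True)
    b = json.dumps(after, indent=2, sort_keys=True).splitlines(keepends=True)
    return "".join(difflib.unified_diff(a, b, "a/deployment.json", "b/deployment.json"))

def pull_request_body(manifest):
    """PR text: what the change fixes and what still needs a human decision."""
    lines = ["Harden container securityContext and deny ingress by default", ""]
    for name, findings in check_manifest(manifest).items():
        lines.append(f"Findings for container '{name}':")
        lines.extend(f"- {f}" for f in findings)
    lines.append(f"Adds NetworkPolicy {default_deny_ingress_policy(manifest)['metadata']['name']}")
    remaining = check_manifest(remediate(manifest))
    if remaining:
        lines += ["", "Still needs a developer decision after this PR:"]
        for name, findings in remaining.items():
            lines.extend(f"- {name}: {f}" for f in findings)
    return "\n".join(lines)
```

Running `print(pull_request_body(SAMPLE_DEPLOYMENT))` followed by `print(manifest_diff(SAMPLE_DEPLOYMENT, remediate(SAMPLE_DEPLOYMENT)))` shows the two artifacts a developer actually wants in a PR: the reason for each line of the diff, and an explicit list of what the tool could not decide on its own.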
The security world, with the Cyber security world as a subset, is owned by developers. So why not target them as consumers?
I hope this article will raise awareness of this gap, help developers realize it is in our interest to own our own security, and encourage non-developers to help us be part of it.