days
0
-18
0
hours
-1
-7
minutes
-4
-2
seconds
-1
-6
search
Baked in security

Five security principles developers must follow

Joe Drumgoole
devsecops
© Shutterstock / anucha sirivisansuwan

The stakes are higher. Security must be the number one priority. Agile, MicroServices and DevOps are all disciplines that have worked hard to increase the rate at which software can adapt to changing business requirements. How do we bake security into the mix so we don’t end up adding it badly in a rush at the end? The answer is DevSecOps.

Developers and their applications are the backbone of organisations across the world.

But in recent years, large scale security breaches have put data protection at the forefront for product development teams. With the likes of the GDPR now in place, security must be a priority.

So who is stepping up to take responsibility for the future and current applications being rolled out on a daily basis by modern IT organisations?

We put these questions to over 1,500 developers and IT decision-makers (ITDM) across Europe. In this post and the zine below, we’ll analyse the findings, unpick the tensions and set some key next steps.

SEE ALSO: DevSecOps Panel – Best DevOps Security Practices & Best Tools

What can developers do

The stakes are higher. Security must be the number one priority. The good news is developers agree.

devsecops

Image attribution: MongoDB

Developers (92%) and the decision-makers (88%) reassure us that they take appropriate precautions when building new applications.

What’s more, both agree that the security of data is their top concern when procuring new software – 53% of ITDMs and 47% of devs. This is good to see.

devsecops

Image attribution: MongoDB

What about the software we build?

This alignment, however, splits when it comes to writing software. But why?

It falls down to balancing priorities.

There is no security without first having functionality, so the responsibility is naturally distributed across different organizations. The good news is ITDMs and developers are mostly well aligned on the ratio of responsibilities, which means there is no source of conflict here.

When we asked developers who has the most responsibility for securing an application, just 29% cited themselves while the rest pointed the finger at security specialists (22%), the business leaders who briefed the project (18%), the ops team (16%) and even security members they don’t know (14%).

This compares well with ITDMs. The majority of them (28%) believe a security specialist holds the most responsibility. Yet a further 21% see it to be developers and an additional 21% point at the business leader who briefed the build.

devsecops

Image attribution: MongoDB

So what does it all mean?

Lena Smart, Chief Information Security Officer at MongoDB articulates the challenges well:

“Control and convenience have long clashed. Developers are under relentless pressure to deliver – on time, to specification, securely and at scale. It’s a challenge that will only continue.”

How do we ensure that we can reconcile strong security with a need to deliver utility quickly to users?

Agile, MicroServices and DevOps are all disciplines that have worked hard to increase the rate at which software can adapt to changing business requirements. How do we bake security into the mix so we don’t end up adding it badly in a rush at the end?

The answer is DevSecOps.

Direction in disruption

Creating a ‘security as code’ culture with ongoing, flexible collaboration between release engineers and security teams will help mitigate the challenges. This is a people, process and technology task across the application delivery pipeline – from design and coding to testing and support.

It will help ensure a working balance between control and convenience where feedback loops give security the priority it deserves.

devsecops

Image attribution: MongoDB

DevSecOps won’t be a smooth process right off the bat. It will take both skill and culture changes. Which means work and patience.

“When done properly, DevSecOps can provide deeper visibility and a better understanding of how resources are being used. It should become and remain a key part of an organisation’s development strategy,” shared Smart.

Here is how to get started.

SEE ALSO: The path to agile DevSecOps – a holistic approach of automation, orchestration and correlation

Five principles of DevSecOps

1. Baked in

Security must be baked in. Consider any and all negative impacts a new feature may unknowingly cause, rather than just focusing on the positive impact it may generate.

2. Get specific

Determine your own organisation’s needs and goals and choose the right solutions for your situation. Not one size fits all.

3. Adopt a people approach

Infuse security principles at every step, and into every collaborator, including developers. It’s a team sport where skills and culture matter equally.

4. Share information

Open collaboration is essential in DevSecOps. Share, learn and improve constantly by communicating internally to meet your goals.

5. Be ambitious

Don’t put your ambitions on the back burner. Many cloud platforms today offer built-in security controls for all your data. Take the leap to the cloud.

About MongoDB

MongoDB is the leading modern, general-purpose database platform, designed to unleash the power of software and data for developers and the applications they build. Headquartered in New York, MongoDB has more than 15,000 customers in over 100 countries. The MongoDB database platform has been downloaded over 70 million times and there have been more than one million MongoDB University registrations.

Data background

* In June and in partnership with CensusWide, we surveyed 1516 people split evenly across France, Germany and the UK. There were two groups we spoke to – developers and IT decision-makers.

Developers were defined as ‘An individual that builds and creates software applications. Their role includes writing, debugging and executing the code of an application’.

IT Decision Maker, which I know is a slightly made-up industry term, were defined as ‘an employee who is empowered to make strategic IT decisions within a company including (but not limited to): recruitment processes for IT professionals, procurement of new IT software and hardware, technologically-focussed R&D decisions, data management and data security.’

Author
Joe Drumgoole
Joe Drumgoole is Director of Developer Relations at MongoDB. He has over 30 years of product development experience. He still writes software (slowly) most days. His programming weapon of choice is Python. In his career, he has founded startups, and led development teams that have built back end financial systems, internet banking software and core infrastructure. At MongoDB, he runs the global advocacy and developer content programs.

Leave a Reply

avatar
400