Five security principles developers must follow
The stakes are higher. Security must be the number one priority. Agile, MicroServices and DevOps are all disciplines that have worked hard to increase the rate at which software can adapt to changing business requirements. How do we bake security into the mix so we don’t end up adding it badly in a rush at the end? The answer is DevSecOps.
Developers and their applications are the backbone of organisations across the world.
But in recent years, large scale security breaches have put data protection at the forefront for product development teams. With the likes of the GDPR now in place, security must be a priority.
So who is stepping up to take responsibility for the future and current applications being rolled out on a daily basis by modern IT organisations?
We put these questions to over 1,500 developers and IT decision-makers (ITDM) across Europe. In this post and the zine below, we’ll analyse the findings, unpick the tensions and set some key next steps.
What can developers do
The stakes are higher. Security must be the number one priority. The good news is developers agree.
Developers (92%) and the decision-makers (88%) reassure us that they take appropriate precautions when building new applications.
What’s more, both agree that the security of data is their top concern when procuring new software – 53% of ITDMs and 47% of devs. This is good to see.
What about the software we build?
This alignment, however, splits when it comes to writing software. But why?
It falls down to balancing priorities.
There is no security without first having functionality, so the responsibility is naturally distributed across different organizations. The good news is ITDMs and developers are mostly well aligned on the ratio of responsibilities, which means there is no source of conflict here.
When we asked developers who has the most responsibility for securing an application, just 29% cited themselves while the rest pointed the finger at security specialists (22%), the business leaders who briefed the project (18%), the ops team (16%) and even security members they don’t know (14%).
This compares well with ITDMs. The majority of them (28%) believe a security specialist holds the most responsibility. Yet a further 21% see it to be developers and an additional 21% point at the business leader who briefed the build.
So what does it all mean?
Lena Smart, Chief Information Security Officer at MongoDB articulates the challenges well:
“Control and convenience have long clashed. Developers are under relentless pressure to deliver – on time, to specification, securely and at scale. It’s a challenge that will only continue.”
How do we ensure that we can reconcile strong security with a need to deliver utility quickly to users?
Agile, MicroServices and DevOps are all disciplines that have worked hard to increase the rate at which software can adapt to changing business requirements. How do we bake security into the mix so we don’t end up adding it badly in a rush at the end?
The answer is DevSecOps.
Direction in disruption
Creating a ‘security as code’ culture with ongoing, flexible collaboration between release engineers and security teams will help mitigate the challenges. This is a people, process and technology task across the application delivery pipeline – from design and coding to testing and support.
It will help ensure a working balance between control and convenience where feedback loops give security the priority it deserves.
DevSecOps won’t be a smooth process right off the bat. It will take both skill and culture changes. Which means work and patience.
“When done properly, DevSecOps can provide deeper visibility and a better understanding of how resources are being used. It should become and remain a key part of an organisation’s development strategy,” shared Smart.
Here is how to get started.
Five principles of DevSecOps
1. Baked in
Security must be baked in. Consider any and all negative impacts a new feature may unknowingly cause, rather than just focusing on the positive impact it may generate.
2. Get specific
Determine your own organisation’s needs and goals and choose the right solutions for your situation. Not one size fits all.
3. Adopt a people approach
Infuse security principles at every step, and into every collaborator, including developers. It’s a team sport where skills and culture matter equally.
4. Share information
Open collaboration is essential in DevSecOps. Share, learn and improve constantly by communicating internally to meet your goals.
5. Be ambitious
Don’t put your ambitions on the back burner. Many cloud platforms today offer built-in security controls for all your data. Take the leap to the cloud.
MongoDB is the leading modern, general-purpose database platform, designed to unleash the power of software and data for developers and the applications they build. Headquartered in New York, MongoDB has more than 15,000 customers in over 100 countries. The MongoDB database platform has been downloaded over 70 million times and there have been more than one million MongoDB University registrations.
* In June and in partnership with CensusWide, we surveyed 1516 people split evenly across France, Germany and the UK. There were two groups we spoke to – developers and IT decision-makers.
Developers were defined as ‘An individual that builds and creates software applications. Their role includes writing, debugging and executing the code of an application’.
IT Decision Maker, which I know is a slightly made-up industry term, were defined as ‘an employee who is empowered to make strategic IT decisions within a company including (but not limited to): recruitment processes for IT professionals, procurement of new IT software and hardware, technologically-focussed R&D decisions, data management and data security.’