In this week’s edition of “Not a new theme, but new thinking…” it’s time to look at security as a factor in software development. Indeed, security’s place in development is a perennial topic and will likely continue to be one for quite some time. This is because software development, and the people who do it have never had a good relationship with IT security.
Developers don’t like to be involved in security even if they know how to do it. It’s not wise to assume that developers are knowledgeable in security, in any event. And, security tends to slow down the development cycle, which nobody likes. “Having security in the critical path of development is going to slow the process down,” explained Jeff Williams, Co-Founder and CTO of Contrast Security, which makes solutions for secure software development. “In addition, you’ve got the whole, ‘Oh great, here come the cops’ aspect to it, which creates a cultural tension that benefits precisely no one.”
“You’ve got the whole, ‘Oh great, here come the cops’ aspect to it, which creates a cultural tension that benefits precisely no one.” – Jeff Williams, Co-Founder and CTO of Contrast Security
It’s arguably even challenging to define who is a developer and what is software development. Creating software is now certainly far more than writing and releasing code. Today’s software developer is a person who writes code, but also imports pre-written open source code into the application and then connects the code base with any number of containers, microservices and web services. Risk exposure multiplies as these activities get faster, more varied and complex.
Such realities notwithstanding, everyone agrees that security needs to start earlier in the development process (shifting left) and become more consistent and pervasive. There are simply too many risks in releasing software that contains vulnerabilities or malicious code. What can be done about this predicament? One answer is to embed security into the software development process, development tools and the code itself. This way, developers are more naturally part of the security process. Security becomes part of their workflow, at least in theory.
Contrast Security’s answer is to build security processes into the coding workflow. The solution places vulnerability identification and assessment into the Integrated Development Environment (IDE). “The developer gets instant information about a vulnerability so he or she can remediate it, right in the IDE. There’s no ‘cop’ stopping by the cube farm to put you back to work on something you thought you already finished,” Williams added. Contrast also gets the development team out of the practice of software scanning, which also slows things down.
“We pull declarative data from Kubernetes to give the developer visibility into configuration management and risk profiling,” said Michelle Rae McLean, Vice President of Marketing at StackRox.
StackRox takes a slightly different approach to solving the same problem. It focuses on security for DevOps and the use of Kubernetes containers. “We pull declarative data from Kubernetes to give the developer visibility into configuration management and risk profiling,” said Michelle Rae McLean, Vice President of Marketing at StackRox. “We can do this because our solution taps the controls built into Kubernetes itself to enforce security policies.”
According to McLean, DevOps is destined to become the predominate mode of software development. “It’s already gaining a lot of ground, but in our view, virtually all development will be DevOps in the near future. That’s why we have designed our solution to enable policy as an integrated part of the build and deploy steps of the process.”
These are just two perspectives on this crucial issue in the worlds of IT and cybersecurity. Contrast Security and StackRox are showing, however, that it’s possible to be innovative and disrupt the existing negative dynamics between developers and security—and create software that’s more secure even as it’s pushed into production more quickly than ever.