Tim Hinrichs is co-founder of the Open Policy Agent project and CTO of Styra. Before that, he co-founded the OpenStack Congress project and was a software engineer at VMware. Tim spent the last 18 years developing declarative languages for different domains such as cloud computing, software defined networking, configuration management, web security, and access control. He received his Ph.D. in computer science from Stanford University in 2008.
In the past, responsibility for data privacy and security rested with non-development teams, such as IT, security, or compliance. But this is changing.
Thanks to the adoption of cloud-native technologies and trends such as policy as code, developers are more focused than ever on security. According to the Styra 2022 Cloud Native Lineup Report, more than half of developers think their organization should improve its data privacy efforts in the next 12 months. And more than three-quarters (77%) of IT decision makers agree.
This security-focused mindset is a good thing. Developers have the opportunity to step up within their organizations and help future-proof application security. But this requires more than just the right attitude.
To achieve real change, developers must follow development, security, and operations (DevSecOps) best practices and adopt the right technologies.
The cloud ushered in a new era of security
Developer interest in security has been a long time coming. Google search data shows that queries for terms like “what is DevSecOps” and “DevSecOps vs. DevOps” first appeared in 2014 and have been steadily increasing since 2017.
The cloud, microservices, containerization, and APIs are responsible for this growing interest. These innovative technologies are not only changing the way applications are built and operated, they are also changing what is needed from a security perspective. In a modern environment, developers, engineers, and architects need to think about data privacy and security because today’s applications benefit from having security measures built into discrete components.
Before the cloud became as ubiquitous as it is today, traditional cybersecurity was based on a perimeter-based model. Measures like firewalls and browser isolation systems essentially “wrapped around” networks and local systems. Applications and data were secure because they were hosted on physically isolated infrastructure. In this setup, developers focused on building apps and IT teams focused on security.
But as organizations begin their digital transformation journey, IT can’t just build barriers around their technology environments. This shift to the cloud opens up more attack surfaces, making cybersecurity more complex and requiring security to be built in from the start. At the same time, microservices architecture revolutionized software development, making application security more important than ever.
Before microservices, most applications were built as large, monolithic blocks of code. Changes to a single line of code could affect the entire application. But today, microservices allow applications to be broken up into hundreds of individual pieces of software. These pieces of code are more sophisticated than ever, allowing software teams to make frequent changes without affecting the rest of the application.
That leaves developers, IT teams, and their businesses with essentially two options: 1) use the microservices architecture to their advantage and embed hyper-granular security controls within applications, or 2) continue to use traditional, layered security controls and approach cybersecurity in an isolated and reactive way, which we know creates higher security and compliance risks.
3 Ways Developers Can Increase App Security
While the cloud and microservices can open up more vulnerabilities for organizations, a DevSecOps mindset and the use of authorization (controlling who and what can do what) can help software teams close the gaps. I’ve seen firsthand how organizations improve application security by improving their authorization posture, and I believe that with the following best practices, developers can improve their authorization skills and improve application security:
- Talk about security early and often. No matter how software planning and development operates in your organization, it’s never too late to make a change. Start a dialogue with your security architects and teams to see how your organization can build security into application features from the start.
By building security in at the design stage, it’s easier to determine where security can generally be built into platforms and where authorization will need to be built into specific services. For example, with a little forethought, you can design your application’s APIs in a way that makes adding authorization simple. Discussing security early on and often can help you develop an app that is both zero-trust and compliant by design.
- Standardize knowledge and language. Although authorization is relatively straightforward, there are many languages and policy structures for developers to choose from. Without standardization, it can be difficult for software teams to work together, update policies, and scale security.
Encourage your team to adopt open source standards like Open Policy Agent (OPA), the de facto approach to authorization; SPIFFE, a robust approach to machine authentication; and Envoy, a widely adopted network proxy for policy enforcement. These projects, along with others owned by the Cloud Native Computing Foundation (CNCF), are free to use and can be combined to help you apply authorization policies consistently across your applications and infrastructure.
- Create a framework. The Styra 2022 Cloud Native Lineup Report found that most IT decision makers and developers are not aligned on which teams manage various policy, compliance, and security responsibilities in the cloud. To avoid the consequences that arise from misalignment, such as wasted time and redundant work, or worse, unowned responsibilities and a vulnerable cloud environment, establish a lifecycle policy framework.
With developers, product managers, operations, security, and compliance teams all working on authorization, a framework will ensure clear ownership of responsibilities, clear expectations across the board, and streamlined workflows. In addition to improving policy management, a framework will also make it easier to bring in new employees and technologies.
As more applications are designed, built, and deployed on cloud-native architecture, security will become increasingly integral to developer roles. The longer developers and organizations resist the DevSecOps mindset, the more they will eventually have to catch up.
By adopting a security-centric mindset now and adopting authorization best practices, your software team can support application security, data privacy, and compliance early in the development lifecycle.