Why security goes beyond tooling
Keeping things secure in your software delivery lifecycle is a bit like keeping your kitchen clean at home: no matter how many cleaning supplies you have, it is the habit of using them regularly that keeps you healthy.
The same happens to organizations that implement high-end security solutions only to find out that their security posture has been severely compromised because tools were not used properly or procedures were not followed. When tools and processes go hand in hand, the frustrating experience that made one company say "we can scan ourselves to death but can't act on the findings" can be avoided.
At the same time, it is crucial not only that technology and processes are used and followed properly, but also that they improve efficiency and offer developers convenience and a good user experience. Developers need to be put front and center of any security strategy in order to understand what they need, how they need it and how they can act to achieve the anticipated results. The responsibility of platform engineering teams is to work closely with development teams to understand how they can constantly evolve their security posture. Teams that adopt a Smarter Platform Engineering approach invest time and energy to come up with the right solutions and make sure they get applied to keep environments “clean”.
Traditional security approaches can easily impede the success of the journey to cloud-native software development. Over the years, we have seen implementations where security settings that were supposed to be ready for the cloud made clusters crash and severely slowed down deployments.
DevSecOps puts developers first and requires them to take an active role in preventing, discovering and resolving security risks for their applications. However, this is not easily done given the ever-growing complexity of interdependencies between requirements, technology and risks, which sometimes requires deep knowledge and expertise.
As the platform engineering team, it is your responsibility not only to provide technology, but also to support developers in making smart choices. After scanning for vulnerabilities, for example, you need to ensure they can focus on resolving the most important issues, but you also need to empower them to continuously improve processes, workflows and practices, so that vulnerabilities are prevented in the first place.
This is something we helped adidas with, as part of their security journey.
In the course of deploying a security solution, adidas was faced with a flood of vulnerability findings that development teams could not handle.
To prevent such overwhelming situations from happening, we collaborated closely with the platform team to help facilitate secure developer practices that incentivise devs to simply keep their software up to date. To that end, we used automation to make it easier for devs to approve and merge pull requests, and recommended tracking metrics to ensure the respective PRs get merged and the projects get released. Additionally, we put a process in place for vulnerabilities that have existed for a long time or have not been resolved within a reasonable time frame.
By incentivising good developer practices that turn “security” into a default capability, a win-win-win situation was created for security, development and platform teams, enabling them to cut inefficiencies, improve visibility into progress and status of projects, and increase productivity.
Before building security capabilities within the development team, platform engineering teams need a solid technological basis for cloud-native security.
There are many great technology products on the market with advanced features to cover all needs. However, without proper implementation and execution, they will not deliver value. Teams should not be limited by choices outside their control that make execution difficult and limit what they can do.
Luckily, the open source technology landscape is mature enough to enable a solid cloud-native security posture. In this blog article, Zach Stone, the PO of our security team "Shield", describes the choices and technology we use to bring security to life for our customers.