By Anne Saita
The technological world in which we live and work continues to accelerate, in no small part due to growing global adoption of cloud environments to store, process and secure the data and applications that we now consume. That faster pace may foster innovation and improvements and help a solution get to market sooner, but it isn’t without negative consequences. For one, mistakes around workload misconfigurations remain a problem. Then there are shifting roles between cybersecurity professionals and developers, the latter of whom can now select cloud-native security tooling that may—or may not—satisfy an organization’s security operations team.
Finding a better way operate in "#fastsecure mode" was the topic of a webinar for Asia-Pacific (ISC)² members that I moderated recently. A similar webcast, led by moderator Brandon Dunlap, took place a few weeks later on the same subject. Both featured a seasoned cybersecurity professional, Kevin Bocek, and a respected developer, Matt Barker.
"In this age of cloud-native technologies and digital transformations, there's a big change underway," said Bocek, who currently is vice president of security strategy and threat intelligence at Venafi. "And especially for us as cybersecurity professionals, it's the change of our careers. It's the change of our generation. And it's exciting."
It's also creating tension between cybersecurity professionals and the developers who now drive businesses. Bocek compared today's shifting roles and anticipated outcomes to a Formula 1 race team, in which everyone (and every company) must go fast while also staying safe. The driver—or developer—may get the glory, but that person needs the support of an entire race team to finish first—and finish strong. That includes an appreciation of the safety measures required to ensure the driver can steer, maneuver and brake as needed.
Barker, who in 2021 was named a top 100 Open Source Influencer by OpenUK, agreed. As the driver, he wants to be faster than everyone else, and know there's a team behind him that anticipates and holds off risks so he isn't slowed down and can bring a product to market as soon as possible. That can be difficult at large, incumbent organizations still reliant on pre-existing knowledge, technologies and structures that limit productivity and speed to develop new solutions.
"Although developers really want to work with security, these existing structures inside those businesses create those boundaries," Barker said. "Although [developers] are getting pressure from the business side to go fast, they are not set up to succeed because they are working with methodologies and tools and knowledge that was maybe good for them five or 10 years ago but isn't relevant in this day and age."
Friction between developers and security teams
Bocek believes the friction that's historically existed among software development and security teams has less to do with individuals or teams and more to do with their bosses that have pushed for different mandates—one to build solutions as quickly as possible and another to reduce risks. "I think it's a leadership issue that has caused this friction to emerge," he said. "These friction points still exist because of leaders that allow it—and that miscommunication, that happens."
He also sees a skills challenge that puts the two groups at odds, given many cybersecurity professionals haven't seriously written a line of code or application and delivered it in recent years, if ever. "And I think that's kind of a shame and why some of these additional friction points persist, and that's a training issue," Bocek noted. He believes if more cybersecurity professionals had backgrounds as coders and programmers, they might have a different perspective on the developer's role within an organization.
Barker agreed, adding that huge market changes and needed cultural shifts factor into the friction as well.
"Every company is now a software company," he argued, and organizations are still trying to adapt to this new world from one in which cloud didn't exist, nor cloud technologies around containerization such as Kubernetes. This also creates internal turmoil when an organization remains rooted in the past, unable or unwilling to adapt to a newer, software-based business world now dependent on different knowledge, tools and technologies that didn't exist a decade ago.
What developers really want
If every company is now a software company, developers now have a prominent, influential role. That's great, but it also means developers have intense pressure to produce—and as quickly yet carefully as possible. This is particularly true for developers working in a traditional enterprise that hasn't yet transitioned (at least fully) to a software-first organization.
"We might not have the tools we need to work at the pace an enterprise wants us to in order to keep up with these huge market forces that are creating these challenges," stated Barker, who is also president and co-founder of Venafi subsidiary Jetstack, a cloud technology services company. "We want freedom and flexibility to choose the software that we know is going to make us most productive. Because that's what is going to enable us to go fastest.
"And for an average developer who's grown up writing code in the cloud, they understand Linux and they understand open source software languages," he continued. "They are going straight to GitHub to get their code, and they are going to make a decision as to which code they're going to use to make them most productive in reaching an outcome that they are trying to achieve on behalf of the business."
Developers want the freedom to bring that code in and work on it in the same way they'd deploy code on home networks—free from the "depressing gravity of the business." In such a mindset, Barker admits developers often forget about non-functional requirements—including security. "It's not that they want to avoid security, it's just that they are getting so much pressure to go fast, they are doing everything they can to make that happen."
So, he added, what developers really want is support from the business to integrate security controls into the processes in which they already work.
Bocek circled back to an earlier point about the need for leadership to reframe roles so that security is no longer viewed as a "non-functional requirement," given a product must be tamper-proof and not contribute to a compromise.
Preparing for a cloud-native future
Barker stressed that he and other developers want to have good relations with their cybersecurity counterparts, because they are all too aware of what can happen if a developer doesn't get it right. He noted instances in which a simple misconfiguration led to catastrophic events, such as a Kubernetes cluster being left open to the internet.
"I'm not infallible; I'm going to make mistakes. And I want assurance from the business that if I'm going fast, I'm going to be supported by people with the right knowledge, tools and skill sets to not put the organization at risk," he said.
This requires cybersecurity professionals to not just approach their roles differently, but do more to narrow the technical skills gap that currently exists—not just to reduce the aforementioned friction but also to prevent developers from taking advantage of that knowledge gap. Global cybersecurity members appear to understand this, given that in the latest (ISC)² Global Cybersecurity Workforce Study, cloud computing security remained the top priority for cybersecurity professionals' skills development. Additionally, the organization's fastest-growing certification continues to be the CCSP (Certified Cloud Security Professional).
What is also most needed is widespread recognition that cloud-native environments will continue to expand within and outside organizations. Coming together for a common cause can go a long way to producing secure software solutions at an accelerating pace.
"Whether you're an analyst, whether you're a coder, we're all leaders and we can start to make a change," Bocek said.
ANNE SAITA is editor-in-chief of InfoSecurity Professional Magazine.