Resolve Developer-Security Tensions by Enhancing Early Collaboration


In the world of cloud computing, the relationship between developers and security teams is often fraught with tension, which can significantly affect the overall effectiveness of cloud security. Developers tend to be frustrated when security teams impose guidelines that seem to obstruct their progress, especially under tight deadlines. On the other hand, security teams are often discontent when developers disregard these guidelines, necessitating patches and fixes after applications are already in production. This ongoing conflict hampers collaboration and creates a challenging environment for both parties. Achieving a unified approach between these two critical teams is easier said than done.

According to a software security study conducted by Chainguard and the Harris Poll in December 2023, almost two-thirds of Chief Information Security Officers (CISOs) and developers acknowledge that the lack of communication and collaboration between their teams is a significant issue when it comes to implementing better software supply chain security. The study also highlights that the tools required by security teams often interfere with developers’ productivity and innovation, with 73% of developers agreeing with this sentiment.

However, resolving the tension between these teams does not necessitate external mediation. The key to resolving this issue lies in the formation of platform teams. These teams can help eliminate one of the most significant barriers: conflicting toolchains. Conflicting toolchains can introduce inefficiencies and vulnerabilities, leading to costly errors. Additionally, the absence of automation hinders organizations from efficiently managing their cloud resources.

To ensure that development and security teams can work together seamlessly, there needs to be a shift in the tooling associated with cloud migration. This includes introducing automation for scaling and provisioning dynamic infrastructure. Many existing toolchains, especially in the realm of cybersecurity, were designed for the static, on-premises era of infrastructure. Without automation, platform teams struggle to transition from static to dynamic infrastructure when using these outdated toolsets.

Platform teams are pivotal, albeit often underappreciated, in resolving these challenges. This article recommends several tested tools and products that help establish a secure and efficient developer pathway, reducing friction and satisfying the objectives of both teams.

The "shift-left" movement, introduced decades ago, aimed to address friction between teams by moving security and quality assurance testing to the early and middle stages of development. This approach was intended to prevent the discovery of numerous issues at the end of a development cycle, which would necessitate extensive redesigns. With the advent of DevOps philosophies, the shift-left movement complemented cross-team skill development, encouraging developers and IT professionals to become proficient in everything from development to operations, occasionally including cybersecurity.

However, expecting all developers to become cybersecurity experts so that controls and strategies can be implemented during the design phase is unrealistic. Instead of focusing solely on shifting security left from a cultural or skill perspective, it should be achieved through tools, as software ultimately influences culture. This approach can be considered a "further" left shift, as secure designs are integrated into the templates developers use to initiate a project in CI/CD (Continuous Integration/Continuous Deployment) and their infrastructure platform.

When organizations implement a platform-based shift-left strategy that leverages APIs, automated checks, self-service tooling, and guardrails like secure modules and policy as code, they can avoid bottlenecks. These bottlenecks are often created when development teams submit changes for manual review by security, operations, or compliance teams. Concurrently, security teams can be reassured, knowing that required policies and best practices are embedded before code and applications reach production. This approach reduces the number of tickets security teams need to handle.

Developers will appreciate that they can focus on coding without needing to be well-versed in cybersecurity best practices or keep up with constantly changing compliance and security policies. As long as the guardrails do not become restrictive rather than facilitating a smooth path, developers should be able to work more efficiently. Ultimately, platform teams aim to make the security experience for developers feel seamless, minimizing manual touchpoints. For instance, with the right secrets management solution, developers should barely notice they are managing secrets within their workflow.

The National Institute of Standards and Technology (NIST) strongly endorses DevSecOps, partly because it reduces friction between development, operations, and security teams. This approach maintains the speed and agility necessary to support an organization’s mission while taking advantage of modern and innovative technology. Despite NIST’s ongoing efforts to identify best practices for software supply chain and DevOps security, many organizations have embraced DevSecOps without deploying modern technology to enhance cloud security and reduce the stress between infrastructure and development teams.

Today, a modern platform must prioritize cloud security and the developer experience, establishing a secure and consistent workflow that supports all teams in the delivery pipeline. Platform teams should select tools and products that excel in the following areas:

  • Version control tooling
  • Static and dynamic scanning tools
  • Secrets management platforms
  • Secret scanning tools
  • Infrastructure as code provisioning platforms with built-in policies as code engines
  • Secure remote access tools
  • Image and module lifecycle management

Platform teams should focus on the lifecycles that matter most to developers and security teams:

  • Infrastructure Lifecycle Management (ILM): A systematic and repeatable approach to creating, securing, and maintaining infrastructure.
  • Security Lifecycle Management (SLM): A systematic way for organizations to manage their most sensitive data, especially secrets and credentials, from creation to expiration or revocation. This also includes a platform for managing remote access sessions.

While executives and managers can spend years shopping for dozens of products to build holistic ILM and SLM solutions, savvy leaders are focused on consolidating tools with a small number of trusted partner vendors. Currently, half of CISOs are requesting tool consolidation.

HashiCorp is a trusted partner for thousands of customers in ILM and SLM, offering a consolidated solution called The Infrastructure Cloud. It includes the world’s most popular infrastructure as code provisioner, HashiCorp Terraform, and the gold standard of secrets management platforms, HashiCorp Vault. Organizations can deploy Terraform, Vault, and other components of the Infrastructure Cloud as on-premises, self-managed software, or as managed services on the HashiCorp Cloud Platform (HCP).

Modern ILM empowers developers to quickly provision cloud and on-premises resources without burdensome, ticket-heavy or review-heavy workflows. Platform teams avoid these problems by providing a standardized shared service with curated self-service workflows, tools, and templates for developers. This approach propagates best practices for every deployment while automating secure practices and guardrails.

HCP Terraform and Terraform Enterprise support secure provisioning, enabling best practices including:

1. Standardized workflows: Incorporating security fundamentals into the workflow with templates that empower even junior developers to be highly productive.
2. Secure modules: Simplifying version control and provisioning by codifying, storing, versioning, and deprecating modules in one place.
3. Policy as Code guardrails and gates: Automating the enforcement of identity and access management (IAM) controls, CIS benchmarks, proper infrastructure tagging, and the storage location of data (for GDPR compliance).
4. Custom condition checks: Platform engineers can add ongoing security checks at all phases of the infrastructure lifecycle to detect insecure modules that might slip through other guardrails.
5. Drift detection and continuous validation: Teams need a system to detect problems leading to outages, higher costs, and vulnerabilities.
6. Observability: Teams need visibility into workspaces, a reporting component, and a clear audit trail for all changes.
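As an added illustration, not taken from the article or from HashiCorp's own material, the Terraform configuration below expresses three of the practices above as native conditions: a tagging guardrail on module input, a gate that fails the run if public access to a bucket is loosened, and a continuous-validation check that reports drift on every plan. The AWS provider, the bucket name, the tag keys and Terraform 1.5 or later are assumptions.

```hcl
# Added example (not the article's or HashiCorp's code). Assumes the AWS
# provider and Terraform >= 1.5; bucket name and tag keys are placeholders.

variable "tags" {
  type = map(string)

  # Guardrail: every resource this module creates must carry an owner and a
  # data-classification tag, so the audit trail can attribute it.
  validation {
    condition     = alltrue([for k in ["owner", "data_classification"] : contains(keys(var.tags), k)])
    error_message = "tags must include 'owner' and 'data_classification'."
  }
}

resource "aws_s3_bucket" "data" {
  bucket = "example-platform-data" # placeholder name
  tags   = var.tags
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  lifecycle {
    # Gate: fail the run if anyone loosens the block, instead of discovering
    # the exposure after the change has reached production.
    postcondition {
      condition     = self.block_public_acls && self.block_public_policy && self.ignore_public_acls && self.restrict_public_buckets
      error_message = "Public access must be fully blocked on the data bucket."
    }
  }
}

# Continuous validation: a check block is re-evaluated on every plan and apply
# and reports drift (for example, a tag removed in the console) without
# blocking the run, which is how it surfaces problems other guardrails miss.
check "owner_tag_present" {
  assert {
    condition     = can(aws_s3_bucket.data.tags["owner"])
    error_message = "The data bucket has lost its owner tag."
  }
}
```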

For modern SLM practices, secrets management is the core focus since compromised credentials are still the number one cause of most breaches. It is also the antidote to secret sprawl, where secrets such as passwords are kept in obvious, often unguarded places for attackers to find and exploit. HashiCorp Vault simplifies implementing a scalable secrets management program with solid governance, auditing, and security. The key is centralizing management through one control plane.

Here are five best practices for a well-managed secrets management platform:

1. Central secrets control plane: Reduces errors, speeds up debugging and auditing, and simplifies security management.
2. Access control lists: Limit lateral movement through your systems.
3. Dynamic or auto-rotated secrets: Short-lived credentials that shrink the window in which a compromised credential remains usable.
4. Encryption as a service: Lets applications encrypt data, including data in transit, through a central service instead of handling keys themselves, limiting the impact of a breach.
5. Auditing: Gives a clearer picture of your security posture and supports breach detection.
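As an added example, not from the article, the Vault policy below shows how access control lists, dynamic secrets and encryption as a service look when written down for a single application identity: read access scoped to the application's own KV path, a dynamic database credential role, and encrypt/decrypt through a transit key with no access to the key material. The mount names, the application name, the database role and the transit key name are assumptions.

```hcl
# Added example (not the article's or HashiCorp's policy). Mount names
# ("secret", "database", "transit"), the "payments" app, the
# "payments-readonly" role and the "orders" key are assumptions.

# Read only this application's own secrets; nothing elsewhere in the mount,
# which is what limits lateral movement if the app's token is stolen.
path "secret/data/payments/*" {
  capabilities = ["read"]
}

# Let the app see which secret versions exist, but not delete or destroy them.
path "secret/metadata/payments/*" {
  capabilities = ["list", "read"]
}

# Dynamic secret: each read of this path makes Vault mint a fresh, short-lived
# database credential with its own lease, so there is no static password to leak.
path "database/creds/payments-readonly" {
  capabilities = ["read"]
}

# Encryption as a service: the app can encrypt and decrypt with the "orders"
# key but is granted nothing on transit/keys/*, so it never sees key material.
path "transit/encrypt/orders" {
  capabilities = ["update"]
}

path "transit/decrypt/orders" {
  capabilities = ["update"]
}
```

Every request authorized by this policy is written to Vault's audit log with the requesting identity, which is the audit trail the fifth practice relies on.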

Canva, an online platform for visual communication and graphic design, sought to simplify secrets management for its developers using Vault. They aimed to streamline the process by allowing developers to obtain keys with minimal effort, integrating with a wide array of products and major cloud providers. The impact of Vault on Canva’s security was impressive:

  • Closed a whole risk category in the business by removing direct engineering access to secrets kept in Vault.
  • Reduced processes around secret provisioning by 87.5%.
  • Issued 1.2 million secrets by Vault in May 2024, with continued growth.
  • Enabled attribution of 100% of secrets back to an owner with access to a complete audit trail in seconds.

Misaligned priorities, mismatched tools, and inconsistent workflows are the root causes of friction between security and development teams. Prolonged issues between these teams elevate security and compliance risks and hinder development speed and time to market. Platform teams recognize that the right tools can facilitate a cultural shift, reducing risk and cost while accelerating production.

An effective cloud security program eliminates friction, enables reproducibility, and establishes infrastructure automation. The Infrastructure Cloud helps organizations shift left, lifting the burden of implementing security requirements from development teams and removing many common friction points between security and development teams.

Bridging the gap between developers and security teams, and moving fast while staying secure, is a topic worth exploring further. For more information, consider reading the white paper on this subject.

For more information, refer to this article.

Neil S
Neil is a highly qualified Technical Writer with an M.Sc(IT) degree and an impressive range of IT and Support certifications including MCSE, CCNA, ACA(Adobe Certified Associates), and PG Dip (IT). With over 10 years of hands-on experience as an IT support engineer across Windows, Mac, iOS, and Linux Server platforms, Neil possesses the expertise to create comprehensive and user-friendly documentation that simplifies complex technical concepts for a wide audience.