Bridging the Gap Between Engineering and Security

With the widespread adoption of cloud computing, software development has taken on new responsibilities. Driven by the need to speed up application deployment across increasingly complex and dynamic cloud environments, the shift-left approach has become a common practice to balance the conflicting needs for faster delivery and maintaining code quality and security in the cloud.

The shift-left approach aims to identify and resolve bugs and vulnerabilities in the code as soon as possible by equipping developers with the necessary tools and skills that were previously the domain of DevOps professionals.

Through the adoption of shift-left practices such as CI/CD, infrastructure as code (IaC) and security automation, developers can assume more control over their tasks, leading to a more efficient and streamlined development process.

Despite the growing availability of DevSecOps tools to automate security tasks as part of a shift-left strategy, security remains a major pain point for organizations that rely on public cloud infrastructure. The key reason is the difficulty of achieving effective collaboration between traditionally siloed engineering, DevOps and security teams.

Different mindsets of developers and security professionals

Cloud application developers and security professionals approach software development from opposite ends of the spectrum, often leading to a disconnect that may put a company’s cloud infrastructure at risk.

Developers tend to focus on functionality, delivering feature-rich applications that meet users' needs. They typically view security as an afterthought and may prioritize delivering new features over securing their code. They want to stay in their own creative flow and work at their own pace to avoid the context switching of repeatedly fixing issues identified by the security team, which slows them down.

Security professionals, on the other hand, are trained to think about risks and vulnerabilities. They approach development from a risk management perspective and focus on securing cloud applications against cyber threats.

Another challenge is that these teams often have different levels of understanding of cloud security. Developers may not be familiar with the specific security risks associated with the cloud, while cybersecurity professionals may not be familiar with the technical aspects of cloud development.

The gaps between engineering and security can lead to significant operational disruptions. Even a minor code change, if done by a cloud application developer lacking adequate security knowledge, can create misconfigurations that expose critical cloud resources to unauthorized access and misuse.

As more applications are being deployed in the cloud, and software release cycles become shorter, the implications of the disconnect between engineering and security become acutely apparent.

Developers take on more responsibility for security tasks. They are expected to continuously evaluate and update policies and configurations, shifting more time and effort to non-functional tasks – often without adequate skills to carry them out successfully – instead of focusing on writing functional code. Consequently, security and productivity issues due to misconfigurations caused by human error become more frequent, further increasing friction and frustration.

A single version of the truth

To address the disconnect between cloud application developers and security professionals, collaboration must be encouraged from the outset. Security teams should be involved early in the development process to ensure that secure coding best practices are followed. Developers must be trained to think about the security implications of their code and the potential risks involved.

In addition, security professionals must understand the needs and pressures of developers. They should be able to communicate the risks and potential impact of insecure code in a way that is meaningful to developers, emphasizing the importance of secure coding practices and their role in maintaining the integrity of the company’s cloud infrastructure.

Establishing effective collaboration on cloud security along these lines depends on the ability to create “a single version of the truth.” One of the main reasons for the lack of adequate collaboration is that developers are not always on the same page with the security team regarding the security implications of the code they produce.

To bridge this gap, both parties should be looking at the same operational picture so they can share an understanding of the impact of code changes on the cloud environment. To accomplish that, they must be provided with a unified, holistic view of the cloud security posture across cloud infrastructure, applications, users and data.

Such multidimensional visibility is essential in cloud environments as it supports contextual understanding of security risks. It enables security teams to effectively identify, evaluate and prioritize vulnerabilities and misconfigurations, and guide developers to focus on the most critical issues instead of frustrating them with endless, often unnecessary work that slows them down.

Contextual understanding can be leveraged to implement consistent security policies, configurations and controls. It facilitates centralized provisioning, access management, and policy enforcement, ensuring that all cloud resources adhere to the desired standards and compliance requirements.

The next step is automation, which can play a vital role in enabling collaboration and accelerating the shift-left process by eliminating repetitive, labor-intensive, and time-consuming operations that cause friction. However, establishing automated and continuous deployment pipelines that include security checks requires careful planning, tool selection, and implementation.

The ability to prioritize the remediation of misconfigurations and vulnerabilities based on an accurate risk assessment is a prerequisite for the automation of security-related operations. This can be achieved by pinpointing critical vulnerabilities that require human intervention while automatically assigning policies and controls in no-risk situations, thus reducing the burden on all the relevant stakeholders.

Solvo’s practical shift-left approach

Solvo provides organizations with contextual, comprehensive visibility into their cloud environments, which is critical for obtaining the aforementioned “single version of the truth” and eliminating the disconnect between engineering and security.

Solvo operates by monitoring and analyzing infrastructure resources, applications, user behavior and the data associated with them, and identifying deviations from best practices and corporate policies. Based on this multidimensional analysis, Solvo automatically generates new security policies for cloud assets that have been granted excessive access. The policies can be easily enforced either directly or as part of the CI process.

By providing accurate and granular security configurations and policies, Solvo reduces the friction between stakeholders, enabling developers to keep their focus on writing functional code.

As cloud environments are highly dynamic, Solvo was designed to continuously monitor and analyze code changes and automatically update access policies in real time. The same process is applied when new code or cloud resources are detected, ensuring that the cloud infrastructure is protected against unauthorized access based on the least-privilege principle of restricting access to the bare essentials.
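The two ideas in the paragraphs above, narrowing an over-broad grant down to what was actually exercised and auto-applying only the policies that carry no risk while routing the rest to a person, are easy to reason about in code. The block below is an added illustration written for this article, not Solvo's code or an account of how its analysis works. It assumes IAM-style JSON policies, a constructed list of audit events with a hypothetical account id, bucket and table name, and a simplified coverage model (only Allow statements, no Condition keys, wildcards matched with shell-style globbing).

```python
"""Least-privilege policy narrowing from observed access (added illustration).

All data below is constructed: the policy, the resource names and the
audit events are hypothetical and do not come from any real account.
"""
import fnmatch
import json
from collections import defaultdict

# An over-broad role policy as it might be found in a repository.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Wildcard grant: far wider than the application ever uses.
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::app-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable"],
         "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/orders"]},
    ],
}

# Constructed audit events, loosely modelled on API-call log records.
OBSERVED_EVENTS = [
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-bucket/config.json"},
    {"action": "s3:PutObject", "resource": "arn:aws:s3:::app-bucket/uploads/1.png"},
    {"action": "dynamodb:GetItem",
     "resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-bucket/config.json"},
]

# Assumed list of action patterns that are never auto-applied without review.
REVIEW_REQUIRED = ("iam:*", "sts:assumerole", "*:delete*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants(policy):
    """Flatten Allow statements into (action_pattern, resource_pattern) pairs."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.append((action, resource))
    return pairs


def matching_grant(event, policy):
    """First grant covering the event, or None. Action names are compared
    case-insensitively; fnmatch supplies the '*' and '?' wildcard semantics."""
    for action, resource in grants(policy):
        if (fnmatch.fnmatchcase(event["action"].lower(), action.lower())
                and fnmatch.fnmatchcase(event["resource"], resource)):
            return (action, resource)
    return None


def unused_grants(policy, events):
    """Grants that no observed event exercised: candidates for removal."""
    used = {matching_grant(e, policy) for e in events}
    return [g for g in grants(policy) if g not in used]


def derive_policy(policy, events):
    """Narrowed policy: only actions actually observed, each scoped to the
    resource pattern of the grant that originally allowed it. Events that the
    current policy does not allow are ignored so nothing is ever widened."""
    by_resource = defaultdict(set)
    for event in events:
        grant = matching_grant(event, policy)
        if grant is not None:
            by_resource[grant[1]].add(event["action"])
    return {
        "Version": policy["Version"],
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": [resource]}
            for resource, actions in sorted(by_resource.items())
        ],
    }


def needs_review(policy):
    """Actions that a person must sign off on: any remaining wildcard, or
    anything matching the assumed high-impact patterns."""
    flagged = []
    for action, _ in grants(policy):
        lowered = action.lower()
        if "*" in action or any(fnmatch.fnmatchcase(lowered, p) for p in REVIEW_REQUIRED):
            flagged.append(action)
    return flagged


def ci_check(proposed, events):
    """CI gate: the proposed policy must still cover every observed event
    (no functional regression) and contain nothing that needs a human."""
    uncovered = [e for e in events if matching_grant(e, proposed) is None]
    review = needs_review(proposed)
    return {"ok": not uncovered and not review, "uncovered": uncovered, "review": review}


if __name__ == "__main__":
    narrowed = derive_policy(GRANTED_POLICY, OBSERVED_EVENTS)
    print("unused grants:", unused_grants(GRANTED_POLICY, OBSERVED_EVENTS))
    print(json.dumps(narrowed, indent=2))
    print("gate:", ci_check(narrowed, OBSERVED_EVENTS))
```

Run as a script, it reports the two DynamoDB grants that were never used, prints the narrowed policy, and shows the gate passing for the narrowed policy while the original fails it on `s3:*` and `dynamodb:DeleteTable`. In a real pipeline the observation window matters: an action that runs once a quarter will look unused until it fires, which is exactly why the narrowed policy is proposed through the CI process rather than applied blindly.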

By providing a clear and up-to-date view of all access paths, Solvo bridges the gap between engineering and security teams, bringing all stakeholders to a shared and accurate understanding of the cloud security posture.
