Your approach to security compliance is destroying developer culture – The New Stack

When we think of compliance processes, we often think of them as top-down, business-focused processes, unrelated to our code and tech stack, and mostly an intrusive nuisance to developer workflows.

Chris Koehnecke

Chris is VP of Security Engineering and CISO at Jit with over 20 years of cybersecurity experience. Chris focuses on cloud security, security program development, security strategy, cyber risk assessment and management. Chris is also a Cisco Certified Network Associate (CCNA), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Archer Certified Consultant (ACC) and holds a TS/SCI security clearance.

However, the reality is that good security posture and culture account for more than 80% of the heavy lifting in compliance processes. So if we foster a dev-sec mindset from the very first lines of code, not only will we better prepare our developers for emerging threats and risks, but we’ll also make compliance processes much lighter for our organizations.

In my 15 years of managing compliance programs at KPMG (prior to joining Jit), I’ve discovered that companies that seek regulatory compliance and certifications without embedding a DevSecOps mindset to begin with destroy their engineering culture.

When security is compliance-driven, with audits as the primary driver of security and no prior institutionalization of security tools and processes, security practices drift as soon as the audit ends, into a “theatrical security” state of mind. Another downside is that this kind of approach feeds the belief that security is a business metric, completely removed from engineering processes. Nothing could be further from the truth.

Progressive engineering and security leaders want to achieve real, continuous security, where compliance is simply an operational derivative, not the end goal. With the scale of operations and data in the cloud today, the threat landscape continues to grow and evolve, with potential attackers becoming more sophisticated.

Security has become an equally important engineering discipline that can no longer be divorced from our technology stacks and products. Like the “it worked in dev, now it’s an ops problem” meme popularized in DevOps culture, security is no longer someone else’s problem. Our code, our security.

But how does this all relate to compliance?

Compliance is not a silver bullet

Compliance processes emerged to provide a standardized way of operating in the modern cloud native engineering landscape, helping organizations reduce risk by thinking about their systems and data technically as well as operationally and administratively. This is why many organizations in the public sector, healthcare or financial services, among others, make compliance a requirement for market access and product penetration.

That said, compliance completely decoupled from a good security posture will not protect you from real risks, whether from existing or emerging threats. Additionally, if your security is compromised, your compliance achievements will add only nominal value to your business.


That means there has to be an early and fine balance between compliance and security, and you have to prioritize both. I would say that security should be built in from the first line of code, in a shift-left security mindset.

There is a common misconception that compliance or security certifications such as SOC2, ISO, FedRAMP and HITRUST are a silver bullet, and that once you have obtained them you can rest easy knowing that you have ticked all the boxes to reduce organizational risk.

This is not reality. Compliance is not synonymous with security. If you make the mistake of becoming single-threaded in achieving compliance, you risk missing potentially significant areas of risk and vulnerabilities that are not part of the compliance process.

Robust developer-owned security enables compliance

If you create your products with a strong security mindset from the beginning of your development processes, you will eventually find yourself managing compliance processes quite easily and with minimal friction in your organization. A robust security program is ultimately symbiotic with compliance.

If we look at the most common security and compliance certifications, they overlap quite a bit when it comes to the technical aspects they require. What’s interesting is that the technical requirements actually account for the vast majority of the effort required to get through these often grueling processes.

When it comes to security certifications and compliance, they will all ask questions about:

  • Securing the software development lifecycle.
  • How your organization remediates known vulnerabilities.
  • How your organization tracks and responds to emerging threats.

New tools and DevSecOps are key to simplifying and even enabling these efforts. When I chose to join Jit, after years of helping some of the top Fortune 500 companies achieve compliance, it was because I understood that security as code would be the backbone and enabler that makes this much easier for the whole industry.

With platforms that provide easy access to developer tools and the checks and balances that secure their code, infrastructure, execution, imports and third parties, we empower developers to take ownership of security. In the context of compliance, securing code is about securing your software development lifecycle (SDLC) and software delivery processes.

By ensuring cloud and CI/CD security, as well as managing integrations appropriately, we take steps to mitigate known threats and prevent the introduction of future risks to our systems, code, configuration and supply chain. These examples are just a small sample of what can be achieved with great open source security tools and developer-owned security.


Unfortunately, I have also had the experience of seeing this process reversed. Often, early stage startups focus on delivering their MVP and code as quickly as possible, without worrying about how security is built into this process. As they begin to scale and require market access, they receive requests for security certifications from companies.

What ends up happening is that security is applied after the fact, creating a lot of friction in development processes: new, unknown tools are added to the stack, mitigation processes are not well defined, and incorporating these changes delays shipping and frustrates developers who only want to be shipping code.

If you don’t start with security from the bottom up, you will find that it kills morale and is very detrimental to your engineering organization. This creates an environment that encourages developers to circumvent these controls and exposes your organization to unnecessary risks and breaches.

DevSecOps Metrics as Business Enabler

The DORA metrics, widely adopted today, have shown through years of data that elite engineering teams become elite by focusing on four core capabilities. These can be divided into measures that drive speed and measures that reduce risk. In the context of DevOps, risk reduction is measured by mean time to restore (MTTR) and change failure rate (how often changes deployed to production cause failures).

In the context of DevSecOps, risk reduction can be quantified by the time it takes to address security vulnerabilities and the frequency with which they are introduced into production. Fortunately, there are many excellent open-source security tools that dramatically reduce security risks and integrate natively into developer workflows, from helping to analyze and fix known vulnerabilities to preventing them from reaching production. Whether it’s in the code or the configuration, the containers you’ve checked out or the packages you’ve imported, threats are everywhere.
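The two DevOps risk metrics above (MTTR and change failure rate) and their DevSecOps counterparts (time to remediate a vulnerability and how often vulnerabilities escape into production) can be computed from the same per-change records. The following script is an added example, not code from the article or from Jit; the deployment, incident and vulnerability records are constructed sample data, and the field names are my own.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the article). Every record is keyed by
# the change that shipped it, so security findings can be traced to deployments.
DEPLOYMENTS = [  # one entry per change shipped to production
    {"change": "c1", "shipped": "2024-03-01T09:00", "failed": False},
    {"change": "c2", "shipped": "2024-03-02T14:00", "failed": True},
    {"change": "c3", "shipped": "2024-03-04T11:00", "failed": False},
    {"change": "c4", "shipped": "2024-03-05T16:00", "failed": True},
]
INCIDENTS = [  # production incidents caused by a failed change
    {"change": "c2", "started": "2024-03-02T14:30", "restored": "2024-03-02T16:30"},
    {"change": "c4", "started": "2024-03-05T17:00", "restored": "2024-03-05T21:00"},
]
VULNS = [  # security findings; reached_prod marks those caught only after deploy
    {"change": "c1", "found": "2024-03-01T09:05", "fixed": "2024-03-01T12:05", "reached_prod": False},
    {"change": "c3", "found": "2024-03-06T10:00", "fixed": "2024-03-08T10:00", "reached_prod": True},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


# DORA risk metrics (DevOps)
def change_failure_rate(deployments) -> float:
    """Fraction of production changes that caused a failure."""
    return sum(d["failed"] for d in deployments) / len(deployments) if deployments else 0.0


def mttr_hours(incidents) -> float:
    """Mean time to restore service after a change-induced incident."""
    return mean(_hours(i["started"], i["restored"]) for i in incidents) if incidents else 0.0


# DevSecOps analogues
def mean_time_to_remediate_hours(vulns) -> float:
    """Mean time from a vulnerability being found to being fixed."""
    return mean(_hours(v["found"], v["fixed"]) for v in vulns) if vulns else 0.0


def vuln_escape_rate(vulns, deployments) -> float:
    """Vulnerabilities that reached production per change shipped."""
    return sum(v["reached_prod"] for v in vulns) / len(deployments) if deployments else 0.0


if __name__ == "__main__":
    print(f"change failure rate: {change_failure_rate(DEPLOYMENTS):.2f}")
    print(f"MTTR: {mttr_hours(INCIDENTS):.1f} h")
    print(f"mean time to remediate: {mean_time_to_remediate_hours(VULNS):.1f} h")
    print(f"vuln escape rate: {vuln_escape_rate(VULNS, DEPLOYMENTS):.2f}")
```

Tracking the two security columns alongside the two DORA columns makes the "shift left" effect visible: findings fixed before deploy lower the escape rate without changing the change failure rate.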

If we just focus on theatrical security in the form of security certifications and don’t make sure to build in security and controls over our technology stacks, user data, and infrastructure, we’ll soon find the show is over. Genuine developer-owned security will keep the show going.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Jit, Real.

Feature image via Pixabay.
