Securing a great Developer Experience - v1.3

Editor's Notes

• #3: If you are passionate in ditching traditional security and helping companies in Asia getting into the age of DevSecOps then drop me a line. We are always looking for great people. At GuardRails we are working on a very different approach to security, which puts developers first and I’m excited to announce that we have launched last week.
• #5: We gonna briefly discuss how the technology landscape has changed and what the implications are of that. How security is keeping up with the change, or rather how it isn’t. And what mindset shift security as an industry has to adopt to have a sustainable impact. We have a chance to be a part of development for the first time in a meaningful way. Let’s not blow it by adding the same old security toolchain to DevOps.
• #6: Origin of Software and Development, how it is tied to the proliferation of computer systems.
• #9: we are talking early 2000s here.
• #11: This still looks fairly simple, you have git your scm, Jenkins your bukld system, docker as containers, and kubernetes as the orchestration layer. That’s not too bad, is it?
• #12: This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
• #13: Have you looged into AWS/Google cloud platform lately? This is the high level menu overview of the offered services respectively. These pics were taken on Sunday, I bet you if you log in today, there are more services already 
• #14: Feels a little bit like this, doesn’t it.
• #16: When googling security complexity to illustrate this problem, I stumbled over this little gem. We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible. So what you see on this slide, is a AWS expert sitting down to understand the security areas they have to consider for their AWS account. This gentlemen is by no means a security expert, not even a self proclaimed one. The response he got on hackernews is a real eye opener.
• #17: This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
• #18: It used to be infrastructure, open ports, patch management, Then it was about building security in. And now it’s all about shifting left. We are getting closer to the developers and have more automation and give faster feedback. But I tell you one thing, developers probably liked it better when we only bothered them once at the end of every release, not now when it’s every time they are committing code. But has the quality improved? Or did we just get better at automating the nagging of developers.
• #19: What ever happened to the KISS principle. How many people do you think understand that full end to end flow nowadays? Not specially from a security point of view, but from a general technology and process point of view? And yes besides DevSecOps and the wonderful things that we are trying to achieve and we are trying hard, what is really happening.
• #20: Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
• #23: Security Debt is huge Because security wasn’t a part of it and the tooling didn’t make it appealing for the reasons stated earlier. Tools compound the issue, because they just make devs fix the issues they get, without actually taking ownership. They point to the debt and show huge amounts of issues, over and over again. They don’t actually fix any issues, at all. Most of them have been developed For the wrong audience And boy does it show.They are not proactively doing these things, whatever gets put on their desks, they take care of it. Security tools should be made for developers. Yet, most of them are designed for security analysts. And it shows in many areas, such as setup, user experience, and workflow integration.
• #25: This may sound mean, but I think realizing this is an important step in the evolution of our industry. But yeah to continue, with the advance of new technologies and automation the answer was as always more security tools. The most humbling experience was switching from an advisor/consultant to an implementer and being responsible for the Security of a high profile product (large team).
• #26: That’s great, right? But is it really working well? And I don’t even mean as an organization, I mean as in reaching 28 Million developers on github. And even this is quite exclusive to certain organizations around the world. None of this is really available to the majority of the 28M devs on Github. And guess what, you are using the code of that majority in your production env.
• #28: It’s the same audience. It’ hasn’t solved it fully yet, but quality is becoming more and more a first class citizen and the only reason it managed to do that Is because of developer experience.
• #29: Another good example of a quality tool that has done a tremendous job is codecov. It made unit test coverage sexy, and that’s no easy feat :)
• #30: Let’s explore the term developer experience. Usability can be modeled as the question “Can the user accomplish their goal?” whilst user experience can be phrased as “Did the user have as delightful an experience as possible?” Usability is concerned with the “effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments Bring up the apple example, Apple is priding themselves with the high level of usability they have created for their devices. Using the iphone is supposed to be so simple and nice, and effective (your mileage may vary, but let’s just take this as an example, and not start an android vs ios war). User Experience on the other hand starts already in the apple store, when you look a the device that you fancy, when you open the box for the first time (there are thousands of hours of people unboxing their gadgets on youtube) and how much joy it brings you in your daily life. DX describes the experience developers have when they use your product, be it client libraries, SDKs, frameworks, open source code, tools, API, technology or service.
• #31: Ok, I’m excited, I love this stuff. So let’s dive right into it, what are the three things that will help us secure a great Developer Experience.
• #32: Nowadays, there are too many distractions that are fighting for our attention. That’s by design, product designers know how to addict us in the race to dominate the attention economy. Security tools only add to these distractions. They find everything that could be a possible issue. Most of the tools running against your codebase produce thousands of results. Security is already intimidating enough. Let’s not make it worse by flooding developers with lots of security issues. Security tools have to report issues that have a high impact if left unfixed. Less is more. Don’t give them 1000s of user input is printed in command. Maybe focus on only dependencies With a csvss score of 7 or higher. Ignore dev dependencies. Don’t value the devs time, lots of issues, vague descriptions and solutions (sad devs) Value the devs time -> relevant results -> actionable feedback (happy devs)
• #33: Security experts have developed a very specific and unique language over the years. (XSS, CSRF, SAST) But if you haven’t spent a good part of your career in application security, these terms are confusing. Don’t try to sounds important Especially traditional security tools produce hundreds of pages of PDF reports. Have you ever been on the receiving end of one of those reports? Or even worse, the one responsible for fixing those issues? Imagine looking at hundreds of security issues with lots of cryptic details. Details about how attackers can abuse your app full of references that don’t make sense. But the key sections on how to fix the issues are thin. There is rarely any actionable, framework-specific content — if there is anything at all. Let us use plain, easy language and give useful instructions on how to fix issues.
• #34: Get started in minutes. Doesn’t matter if they are curious and want to try it out. Or if they want to deploy it for dozens of their apps. That means no scheduling of demos with sales reps. That means clear pricing on the website. If spacex can do it, so can you. (This includes clear pricing ) Typical Security Tools are clearly targeting enterprise sales, typically as part of the CISO organisation. If developers can’t easily take security software for a spin, then that’s a red flag already. No developer is going to click on that book a demo button. Workflow integration (understand your audience) Out of workflow (IDE plugins are not enforceable and manageable, plus too many IDEs out there) I don’t just mean make it part of the CI/CD pipelines, I’m not talking about IDE plugins. I’m talking about right there where the review happens in the PR comments. If you are doing it right, then no developer is ever going to look at your dashboards. All in one, Don’t make them look For tool a for this, tool b for that If it’s already hard to wrap your head around SASt, dAST iast, rasp, ngwaf, secret management and all of these things. Then nobody is going to have time for that.
• #37: Ok, so we recognize that developers are key Therefore as the main audience for application/devops security tools should be developers, ensuring a great Developer Experience is and absolute must. These security tools must be designed for DX from day 1. Developer experience requires security to be a first class citizen that ideally is not differentiable from the other work tasks. There will always be complexity, our job is to provide focus. Also, most of the development is not happening in enterprises, security has to become a commodity, otherwise it’s going to be a battle that we can’t ever win. The goal should be that a bootstrapped startup, can and wants to use security tools from the beginning. If we can get closer to solving this, then we will be able to get developers to drive security themselves and ensure that the digital economy becomes a safer place for everyone.