February 18, 20220 mins read
Over the last few years, the “idea that every company is a technology company [marks] a fundamental shift in our industry” (Suzie Prince, Head of Product, DevOps, Atlassian). The sheer dominance of development as a craft has led to a bigger audience and a much louder voice that centers on the developer perspective. This transition was discussed in several SnykCon talks last year — leading to new insights on how developers have shifted the industry and forged a new and improved approach to software development.
What developers need from their organization
Tooling and company culture greatly affects our productivity and approach. When we’re given the opportunity to work autonomously, investment and team motivation increase. The DORA (DevOps Research and Assessment) State of DevOps research program found that “transformative organizations that give more choice to developers actually perform better”. We know our needs better than anyone, and giving developers more choice in the tools and team structures they interact with every day is vital.
The SnykCon 2021 discussions on developer approach and empowerment had three core principles.
Developers need tools that simplify their job.
Developers need to integrate seamlessly with other tools and their existing workflows.
Company culture should empower them to take ownership of their work.
Tools that make life easier
In her SnykCon session with Gareth Rushgrove (VP, Product, Snyk), Suzie Prince (Head of Product, DevOps, Atlassian) began by explaining that developers want tools that “enable them to be efficient and effective in their day to day work”. Often this means integrating automation wherever possible so that time-consuming, repetitive tasks become less of a lift. Rushgrove, a former developer himself, put it simply — developers seek out “an opportunity to use things that [are] easier”. In the sea of tasks that developers are responsible for, we should favor tools that are easy and strategies that simplify our day to day tasks.
This principle applies to application security just as much as development. If we want to effectively shift left and motivate developers to adopt secure coding practices, we need tools that fit their needs and simplify security education. Ari Kalfus (Application Security Leader, Rally Health) weighed in on this during his SnykCon session on actionable security insights. His team uses the open policy agent Conftest to test their configuration data. They developed customized failure messages within Conftest so that developers would receive actionable insight on why their test failed. Kalfus directs his team to “create the policy and then give it a message that tells developers exactly what is wrong inside their PR and what they need to do to fix it”. “If you’re not giving developers guidance you’re less than halfway” to effectively supporting them (Kalfus).
Tools that integrate seamlessly
No two development teams work in the same way. Even within an organization, each team will have their own methods and an ecosystem of tools customized to their specific tasks. The tools that resonate with developers are the ones that fit their complex ecosystems the best.
A foundational aspect of good tooling is the assumption that you are using other software alongside it. As Rushgrove explained, “developers don't want one tool to do everything”. When developers are given the freedom to choose their tools, compatibility with a wide range of software is a must-have. The second quality developers look for is a low barrier to usage. “If it takes another part of the organization a long time to fit [the tool] into your flow, you'll probably just pick something else.” (Rushgrove) A developer-centered approach prioritizes getting work done over the legwork of filling out forms and contacting other departments for permissions and approval.
Servant leadership and team authority
As the industry transitions from the ivory tower architect to a more evolutionary architecture, the development process is broken down into smaller pieces — granting developers more room for creativity and choice. Much of this was ushered in with the adoption of agile, where ”individuals and their interactions matter more” than the management hierarchy (Prince). Rushgrove was a developer working in operations during the early days of DevOps. As all companies became tech companies, he watched as “engineers, developers, operations people, and software people ended up in management more quickly than they realized, hoped, and even feared. They brought with them the attitude that ‘I want my management to get out of my way, so as a manager I’ll stay out of the way’”. This transformational attitude helped bring down barriers to entry across the industry and paved the way for developers to define their own approaches.
These management principles apply to the partnership between security and development as well. “If you've lived in a world where security testing happens months after your core development and saw how costly it was, you're motivated to address it earlier” (Prince). This is the driving force behind the shift left in application security. As decentralization and the need for fast and secure production increases, the access and responsibilities of development teams increase as well. To protect this new pipeline, security must follow the pattern of decentralization. As Mike Milner (Global Director of Application Security Technology, TrendMicro) explained, the “key role of the security team is to understand what developers are building and what new threats may be introduced.” Passing the daily triage to developers empowers them to establish secure coding practices and frees security professionals to focus on “[giving] development teams time to investigate, implement a proper fix, and actually get it deployed” (Milner).
Autonomous development teams
When building empowered and autonomous development teams, it’s important for management to “listen to what the team is trying to achieve and help them solve the problem themselves” (Prince). Leadership, managers, and security professionals are there to help development teams move forward, not to give the answer every time. Giving developers the opportunity to choose tools that fit their needs and the authority to guide their own teams creates a culture of ownership that will help the organization stay productive and secure for years to come.
There are many tools on the market that claim to put developers' needs first, but none do it quite as well as Snyk. Whether you need to secure your application code in real time, search for vulnerabilities in open source dependencies and container images, or find and fix cloud misconfigurations — Snyk has you covered. Our industry-leading security intelligence will help you develop fast and stay secure. Sign up and secure your projects for free today.