The Secure Developer: 2021 in review

If the last few years were an exercise in adaptability, then 2021 gave us time to reflect on our performance. The pandemic shock that dominated 2020 gave way to a more grounded perspective on the challenges we’ve overcome in our personal and professional lives.

As host of The Secure Developer, Guy Podjarny (Snyk Founder and President) presented us with an inside look at how application security has evolved. The 22 episodes this year brought 23 guests from across different industries to share their unique insights. On the year end episode, Guy sat down with Snyk Field CTO Simon Maple to discuss the themes, advice, and future expectations that appeared in this year’s episodes.

Common themes across the industry

Over the course of this year, guests on The Secure Developer brought up countless interesting points. As Guy and Simon reflected they found three interesting themes that permeated most of the podcast episodes.

Hiring developers to security teams

The first was the shift toward hiring developers (or people with software engineering experience) when building a security team. Historically, security teams have been outfitted with specialized security experts who, for all their knowledge, were disconnected from the day-to-day development work. Security was another checkpoint for developers, not an integrated part of their job.

Integrating developers into the security team creates a big advantage. As Daniel Bryant (Director of DevRel at Ambassador Labs) explained, “Developers are [...] becoming increasingly responsible end to end. You mentioned, testing, observability. And developers like to engage with tools in a certain way. You need to meet [...] the engineers where they’re at.” (ep. 90)

It’s one thing to try and teach empathy to security teams, to educate them on the developer’s perspective and the challenges they face. When you hire a developer from the start, this is built in. There’s no need for training or translating because the security team implicitly understands the developer’s perspective. This increases engagement and opens doors for development and security teams to integrate more effectively. 

Developer-focused security

Another major theme of 2021 was the need for security teams to adapt to development — not the other way around. Just a few years ago, security teams mitigated vulnerabilities by listing off issues at the end of the development cycle. The separation between development and security teams made developers feel like issues were being dumped on them at the end of each cycle, and cast security professionals into a regulatory (and often critical) role.

In recent years, companies realized that security must be woven into existing SDLC practices and adapted to meet the needs of developers. Once again, we see the importance of empathy and bonding between developers and security professionals. Dev Akhawe (Head of Security, Figma) highlighted this with the way he would approach developers concerning security issues. When he was leading the deployment of security keys at Figma, he “used to apologize, being like, ‘I’m sorry. We haven’t deployed security keys yet.’ You have to be cautious around phishing. [The] trick probably, like that sort of has been very effective, that mental trick of remembering that, really it’s on the security team to make sure that the systems we used and the systems we build cannot misbehave. Rather than telling developers you need to do these hundred things.” (ep. 88)

This shift hasn’t been one-sided. There’s been increasing acknowledgment from the dev tooling world that “security isn't a thing that's off to the side. Every developer tool has some amount of responsibility to build security into their workflows.'' As we continue to interweave development and security, it becomes clear that while “security is adapting to development tools and development practices […] development leaders are really embracing security and thinking about security responsibility.”

Security at scale

The third theme was the importance of security hygiene at scale. The ability to secure systems at industry pace is vital to company success. This means getting the basics right,  not preparing for cinematic-level cyberattacks. The AppSec equivalent of locking and windows is often enough to bolster a company against low-level attacks and prepare them to act efficiently in the case of a severe vulnerability. “Being able to do [basics] at scale and at speed is very hard. Almost all of the programs and drives...this year have been focused on that concept of getting the core done right at scale and at speed.”

When developers know the fundamentals to keeping their systems secure, they can prepare strategies to address bigger issues — like the recent Log4Shell vulnerability. While some companies were scrambling to figure out what had happened and how it affected them, others (with comprehensive security hygiene and structure) were able to largely conduct business as usual. “What we've seen at Snyk is [...] this big surge of people adding projects to them. So, I think what it also has done is [...] added some urgency, even [for] people that were on a good path, it reminded them that you need to have [...] visibility for all of your projects. You can’t just gradually shift it, which is one of the key differences between developer and security.” (ep. 106) While dev tools are often utilized locally and expanded case by case, security solutions require an immediate breadth of coverage in order to be effective. Neither approach is wrong, but Log4Shell and similar incidents taught us that it is risky to approach security tooling like you would a development solution.

Episodes highlights from 2021

Log4Shell might have been our most recent lesson, but it is far from the only thing 2021 taught us. Here are a few can't-miss episodes.

The Codecov Breach (#1022)

Guy was joined by CodeCov’s Jerrod Engelberg (CEO) and Eli Hooten (CTO) to discuss how they handled their 2021 security breach. The episode was filled with insights on how to navigate the competing priorities of a security incident. Engelberg and Hooten began by walking Guy through their internal reaction. Engleberg said, “If even one customer is not able to hear from us […] and take the appropriate action, that's one customer too many.” And from there the conversation evolved from the ethics of disclosure to the implicit risks we must manage as an industry. “There is always this handshake, right? We can make the handshake more and more sophisticated, but it's definitely something that I think a lot about,” said Engelberg.

Containers, Processes, and the Future of Security (#103)

Liz Rice, Chief Open Source Officer at Isovalent, gave us an intro to eBPF along with her thoughts on the importance of cloud native networking. “We’re seeing such rapid adoption of cloud technologies. I think it will be table stakes for any company to be just using the cloud. We won’t be talking about early adopters anymore for sure,” said Rice.

Application Security in the Public Sector (#86, #95):

There were several episodes discussing governments' increased adoption of DevSecOps and the parallels with private software companies. Robert Wood, CMS for Medicare & Medicaid, appeared on Ep 95; while Nicolas Chaillan, CSO for the US Air Force, appeared on Ep 86. Both of these guests were navigating the need to move historically independent organizations to the platform mindset needed for DevOps. For Wood, that means “making sense out of this massive data that we sit on because typically we have all of these security activities that stove pipe themselves. They all sort of operate as a standalone thing or… generate insights but they don’t generate data that can then go and be connected to something else to generate even more valuable insights.”

Chaillan’s discussion with Guy highlighted one of the clear differences between DevOps in the public and private sectors. For governments, the downsides of being on the cutting edge are more clear than the upsides, which creates the lower risk tolerance and slow adoption that characterizes government organizations. Chaillain believes that, “Cybersecurity is going to evolve. I think it's going to be a lot about that continuous monitoring capability. I think that the big risk is the dependencies or the products you use that you don't know much about.”

Areas of interest in 2022

As we take in all the lessons learned this year, also peer into our crystal balls to what 2022 has in store. Guy asks every guest to do just that and hypothesize on the future of our industry to close each episode. To wrap up the year, Simon was able to turn the tables on Guy and get his hit list of topics and expectations. At an industry level, three areas will be critical: supply chain, cloud, and developing ways to measure security as it becomes increasingly decentralized.

Supply Chain Security

The need for supply chain security has been shown with SolarWinds, CodeCov, Log4Shell, and other incidents. “We’ve created a web of dependencies between services, components, individuals and we have to get a handle on that.” As companies become increasingly intertwined, we must come together at an industry level to define and address the supply chain risks.

Cloud Security

Cloud security has traditionally been taken as an extension of IT security. However, we will likely see increased acknowledgement that cloud is software and requires software-level security tools to protect sensitive information.

Quantifying AppSec

Measuring security is important because we need a way to directly relate code activity and risk. As DevOps continues to evolve, this data will be a vital part of business strategy. Being able to correlate measures of uptime to measures of business success ensures that security will continue to grow in application and importance.

More generally, Guy hopes to see a return to thinking about the application as a whole — a single entity with many moving parts. We are rapidly reaching a point where it will be impossible to address every local vulnerability. So, the commonly segmented view of security will not work. We must look at applications, and the supply chain, as a whole and create the taxonomy and tooling set to talk about security at a higher level.

Here at Snyk, our goal is to create tools that make security second nature. We lighten developers' load by enabling them to find and fix vulnerabilities in just 5 minutes. Let us join your application security team and find out what you can accomplish today.