Security in an Agile, developer-first organization is a constant "tug-of-war" between "more security controls" and "more developer usability". The root of this is the need of security professionals to maintain control over developers, who are "hacky" by nature. I am a big fan of Mordac and the comic strip below shows exactly what this tug-of-war looks like:
Developers typically use a lot of tools on their machines, such as:
- Build tools (iOS, Android emulators, IDEs, VMs, containers, etc.)
- Browsers
- Repository tools that are constantly updating
- Testing tools
On such machines, there is always a risk of developers being targeted for theft of source code or other sensitive information. In order to protect these developers, security teams become overzealous and deploy several security tools: endpoint security solutions (AV, EDR, HIDS, etc.) and compliance tools (DLP, web proxy, patching, logging, etc.).
A typical machine that has all the security tools installed and running looks something like this. This pattern is true across typical enterprise organizations.
The question is always the same: where is the balance between security controls and developer productivity?
I gave a talk at a conference on this topic and the slides are available here. There are various strategies we can employ to secure developer machines, or in general any enterprise computing asset. Some of the innovative ways we can use (they are real and implementable) are described with examples. I thoroughly enjoyed working on this talk and all the associated research that went with it.
Please leave your comments below. Until next time!!!