Cloud security should never be a developer issue

I dare to say this: “companies need to stop playing the game of pin the blame on the developer whenever a security vulnerability is discovered or exploited in applications.” Rather than pointing fingers at developers, organizations need to empower these professionals to help them build and expand their cloud-based initiatives without having to worry about security.

For sure, cloud security is an area of concern for many businesses. And as research firm Gartner has reported, much of the security problem is brought on by the companies that are using cloud services. The challenge exists not in the security of the cloud itself, the firm notes, but in the policies and technologies for security and control of the technology.

In nearly all cases, Gartner says, it is the user, not the cloud provider, who fails to manage the controls needed to protect an organization’s data. The firm predicts that through 2025, 99% of cloud security failures will be the cloud service customer’s fault.

Despite the ongoing risk of security failures in the cloud, organizations can not treat cloud security as a task that should be randomly dropped on software developers. Making unreasonable demands of developers—or worse, blaming them for security shortfalls—is counterproductive and can lead to resentment and low morale.

For that matter, educating developers about security issues might not be the best long-term solution either. Threats are constantly changing, and developers have enough on their plates already, learning new coding techniques, languages, frameworks, etc.

Developers are people who like to write code, create algorithms, and solve problems. Talking about code security and application security is not new, but it is definitely becoming more mainstream. Sometimes it’s required due to the emergence of new data security or data privacy regulations, or because of headline news about hacker attacks and data breaches.

The more we create cloud-native applications, the more developers are being forced to deliver more than just code. The rise of cloud-native applications means developers are expected to perform infrastructure and security tasks, as well as standard coding.

The problem is, most developers are not equipped to take on these additional tasks. They were probably not trained in a formal way to handle such responsibilities, and, as a result, they just go through the motions with the aim of seeing that their application runs smoothly and doesn't break anything else.

Unfortunately, we can't always double-check everything developers do. If they passed all the automated or manual tests, and made it safely through the continuous integration/continuous delivery (CI/CD) process, their code will end up in production—even if it’s using insecure infrastructure.

All of this is not the fault of the developers, given that we never taught them how to do security. We also can't blame them for not getting security right, when we typically measure their performance by closing tickets, finishing the sprint, or deploying the next feature. We simply didn't provide them with the right resources in order for them to get better at safeguarding applications.

A better solution to the challenges of providing security for cloud-based applications is to equip developers with the right tools, so that security basically becomes a non-issue. We have the ability to create good automation tools for security, so that potential threats and vulnerabilities do not stop or slow organizations down as they move faster and faster toward cloud deployments.

Such tools ideally would be integrated with existing workflows rather than trying to change them, and address security challenges by creating and maintaining a least-privilege security policy for cloud native applications. They would analyze cloud assets and monitor for conditions such as misconfigurations, excessive permissions, administrative privileges, and third-party access, all with the goal of automatically and continuously enhancing data and application security by creating granular policies.

By automating a number of processes, we can eliminate the need for developers to make multiple decisions and conduct multiple procedures related to security. In many cases, automating these efforts results in better, faster, and more accurate decisions, and it can be performed at scale.

With machines handling many of the cybersecurity responsibilities, developers are then free to do what they do best: create innovative software that adds value to the business and its customers.

This sort of automated solution to making cloud-based applications more secure will become increasingly important as more organizations move workloads into the cloud. In an October 2020 report, research firm International Data Corp. (IDC) said the Covid-19 pandemic has largely proven to be an accelerator of cloud adoption and extension, and will continue to drive a faster conversion to cloud-centric IT.

A key to success in this emerging cloud-focused environment will be ensuring strong security—without taxing the developers who are helping to create the cloud applications companies need.

Shira Shamban, CEO and co-founder of Solvo, is a security researcher and technical expert with a focus on threat intelligence. She started her professional career in cybersecurity as a Military Officer in the elite intelligence unit 8200 of the Israel Defense Force. During her 13-year service in the unit, Shamban acquired hands-on experience in cybersecurity and intelligence operations while earning an engineering degree from Tel-Aviv University. After her military service, Shamban turned to security innovation in business. She volunteers as a Lecturer and a Mentor in forums such as SheCodes and OWASP-WIA.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.