LambdaTest announced the launch of the HyperExecute MCP Server, an enhancement to its AI-native test orchestration platform, HyperExecute.
Spending Developers on Security - Part 1
July 10, 2018
Securing cloud native applications presents an interesting challenge. Cloud native application developers view the cloud as an operating system, and they write for and run on that operating system. When it comes to security, this means spending time configuring this operating system to enforce security policies on the various parts of the application. In the cloud, this often translates into IAM roles, VPC configurations, etc.
In the shift to cloud native, many organizations have also adopted a configuration-as-code approach. This helps drive up application deployment velocity by letting developers and DevOps teams reconfigure their deployments as their needs arise. Other organizations, particularly the more regulated ones, still have security people owning these tools, but that creates increased pressure on the security organization to keep up.
Your Mileage May Vary
How much are organizations investing in this process, and how much is it getting them? I recently spent some time talking with developers using primarily serverless technologies, to understand how they handle security configuration.
If I oversimplify, there are three types of developers in the serverless arena:
■ Extreme Minimalists: This strategy can be summed up as "do nothing until you have to", or "why procrastinate today when you can procrastinate tomorrow", and basically means, don't touch security configuration until something you deploy to staging doesn't work, see what error you got, add a permission or configuration as needed.
■ Balanced Realists: Here the strategy consists of spending about two minutes before deploying a function reviewing roles and configuration, and trying to catch any missing or perhaps extra permissions or configurations before rolling it out. Handle the rest as exceptions.
■ High-Functioning Security Fundamentalists: This is less common, but not as extinct as one might think, and involves really reviewing the entire security configuration before each deploy, revalidating all permission, and tracking anything that might be missing.
As you can imagine, each profile ends up spending dramatically different amounts of time on security, and getting very different results. By and large the first group spends zero time on deployment, but then spends a lot more time when permissions are missing. In the end, they tend to still come out on top in terms of time spent, but are worst off in security, as by the time they see an error in the logs for some function that's missing permission, they're almost certainly going to drop a big wildcard in to get it working.
The second group tends to spend about two to three minutes per deploy, and still hit the occasional exception. Their security outcomes are somewhat better than the first group, but not a whole lot. They too have a lot of wildcards, but they are slightly better at removing old permissions that are no longer needed.
The third group spends 5-8 minutes per deploy but has a pretty low rate of exception after, and tend to have a much better security posture than the first two groups, both because they spend more time, but also because that time is spent within the mindset of "let me get the exact profile I need and no more." Bravo to them, but honestly, I don't think I could keep that up for long.
Read Spending Developers on Security - Part 2 to answer the question: What's it Going to Cost Me?
Industry News
April 14, 2025
Cloudflare announced Workers VPC and Workers VPC Private Link, new solutions that enable developers to build secure, global cross-cloud applications on Cloudflare Workers.
April 14, 2025
Nutrient announced a significant expansion of its cloud-based services, as well as a series of updates to its SDK products, aimed at enhancing the developer experience by allowing developers to build, scale, and innovate with less friction.
April 10, 2025
Check Point® Software Technologies Ltd.(link is external) announced that its Infinity Platform has been named the top-ranked AI-powered cyber security platform in the 2025 Miercom Assessment.
April 10, 2025
Orca Security announced the Orca Bitbucket App, a cloud-native seamless integration for scanning Bitbucket Repositories.
April 10, 2025
The Live API for Gemini models is now in Preview, enabling developers to start building and testing more robust, scalable applications with significantly higher rate limits.
April 09, 2025
Backslash Security(link is external) announced significant adoption of the Backslash App Graph, the industry’s first dynamic digital twin for application code.
April 09, 2025
SmartBear launched API Hub for Test, a new capability within the company’s API Hub, powered by Swagger.
April 09, 2025
Akamai Technologies introduced App & API Protector Hybrid.
April 09, 2025
Veracode has been granted a United States patent for its generative artificial intelligence security tool, Veracode Fix.
April 09, 2025
Zesty announced that its automated Kubernetes optimization platform, Kompass, now includes full pod scaling capabilities, with the addition of Vertical Pod Autoscaler (VPA) alongside the existing Horizontal Pod Autoscaler (HPA).
April 08, 2025
Check Point® Software Technologies Ltd.(link is external) has emerged as a leading player in Attack Surface Management (ASM) with its acquisition of Cyberint, as highlighted in the recent GigaOm Radar report.
April 08, 2025
GitHub announced the general availability of security campaigns with Copilot Autofix to help security and developer teams rapidly reduce security debt across their entire codebase.
April 08, 2025
DX and Spotify announced a partnership to help engineering organizations achieve higher returns on investment and business impact from their Spotify Portal for Backstage implementation.
April 07, 2025
Appfire announced its launch of the Appfire Cloud Advantage Alliance.
