author photo
By Harshil Parikh
Thu | May 19, 2022 | 12:53 PM PDT

The wide adoption of cloud-native applications and infrastructure has propelled DevOps and a self-service culture enabling developers to go from code to cloud in hours. Meanwhile, legacy AppSec systems and processes have impeded security teams from being able to scale at the speed of DevOps with very little visibility or control over security risks. Security teams are entirely unprepared to govern and secure the modern SDLC in this agile world.

This article examines security guardrails—the practice of security teams defining security policies and controls and applying them within developer workflows—as the ultimate security shift-left by enabling developers to go from code-to-cloud, securely.

What are security guardrails?

The concept behind security guardrails in AppSec is not new. Providing tools and processes to ensure developers can build secure software by default has long been recognized as the best way to avoid security pitfalls and prevent security bugs from being introduced in the SDLC. Over the years, organizations have referred to this idea as a secure-by-default framework, security paved road, DevSecOps guardrails, and several other monikers.

Because legacy AppSec systems and processes historically impeded security teams and prevented them from scaling at the speed of DevOps, the need for context-specific security policies and controls that teams define and apply within developer workflows has become acute. That need is at the root of security guardrails for AppSec.

In its simplest form, security guardrails are controls that prevent deviations from expected behavior. Organizations who adopt security guardrails see the following benefits:

Benefit 1: Developers can operate at speed without requiring active involvement from the security team.

Benefit 2: AppSec teams can scale by automating security controls in developer workflows. This automation assures enforcement without having to perform reviews and track remediation of vulnerabilities manually.

Benefit 3: Development teams are less likely to ignore and bypass security when the controls are baked into the development process. They don't have to take the extra step of reaching out to the security team.

Why security guardrails are essential for secure development

Large enterprise organizations like Netflix and Airbnb recognize the necessity of enabling engineering teams to build secure software while providing them with the appropriate security context to make decisions. These organizations are just two of the many organizations bringing security guardrails into CI/CD. Below are some reasons why modern organizations depend on security guardrails to provide consistent, actionable, self-service security guidance to developers in the SDLC.

Reason 1: Digital transformation and cloud-native adoption have transformed how developers produce and deploy software. Instead of monolithic software built in a waterfall model, microservices have led to software development and deployment at an exponential rate. This modern SDLC means developers cannot rely on traditional AppSec methods, waiting for security teams to perform security reviews on a per-application basis. The modern SDLC goes from code-to-cloud before security teams are aware.

Manual security controls are entirely ineffective, and it is exponentially more difficult and expensive to have developers go back and fix security tech debt. The only solution to this is to build security policies and controls as guardrails in CI/CD systems to proactively ensure that vulnerabilities are not introduced during development.

Reason 2: The developer-owned modern SDLC has led to a world where developers have autonomy in selecting their tech stack (open source and commercial) and can go from code-to-cloud in a matter of hours. This developer empowerment has enormous benefits for the business as it drives tremendous innovation at an unprecedented pace. However, it also means that external teams, like security and compliance, have lost visibility and governance over what is built and deployed.

Security controls will not have a place in a modern development model if they require developers to stop their work and wait for security. The only way to ensure security and compliance of the software being built is to create security controls that are enforceable guardrails within the modern SDLC.

Reason 3: Software supply chains are now highly complex and interdependent global ecosystems. The risks of not building assurances in this complex software pipeline are painfully evident from the ever-increasing list of events like Log4j, Spring4Shell, SolarWinds, etc. These issues go beyond traditional AppSec and merely scanning for vulnerabilities. They require a broader set of security controls and policies—guardrails—to enforce secure defaults and safe practices throughout the development and deployment lifecycle.

Why security guardrails are the future of application security

Security guardrails are the future of application security. They empower organizations to associate context-specific security policies and controls that can be defined by security teams and applied within developer workflows. The security function must adapt to the speed at which developers are deploying.

Security guardrails are the only way to ensure that developers adopt security processes into their rightful place within the modern SDLC. This adoption eliminates the friction between developers and security and ensures developers can go from code-to-cloud, securely.

Conclusion

The DevOps culture has enabled development teams to produce applications at breakneck speed, and legacy AppSec gatekeeping has no chance of keeping up with the pace of development. Security guardrails solve this problem by building security into the modern SDLC. Inherently ensuring that the quickest path to deployment is also the most secure. The entire SDLC benefits and friction between teams is virtually eliminated by allowing developer teams to develop and deploy software continuously with little active input from AppSec teams.

Comments