4/22/2016
Developers Shouldn't Be Responsible For Security - Forbes
APR 21, 2016 @ 12:34 PM
Tom Gillis
CONTRIBUTOR
I write about directions in cloud, security and enterprise computing.
Opinions expressed by Forbes Contributors are their own.
An interesting “separation of church and state” conundrum is bubbling up in the software industry. While the new public cloud model demands that developers take ownership of security, there’s still room and reason for security controls to become an entity handled on their own—separate and transparent from the developer.

Historically developers have focused on developing software, not on configuring a security posture, but that model has changed of late. In today’s dev-ops world, everything has converged. The software developer has become responsible for many operational aspects, including security.

A lot of this change stems from the rise of the self-service model. Developers go to AWS and they’re on their own; nobody else is in charge of security. Therefore, software developers have to think about security—how do I set up access control, how do I set up security groups, and how do I encrypt data, or not? Security controls are built into the developer workflow.

As I see the world evolving, I believe IT needs will drive us back to a paradigm where security controls are independent of developer activity. There’s a strong appetite on the part of customers to have a set of controls that are managed independently of developers and operations. I think that’s a good thing.

Why is separate good? Because security requires focus. The job of developing software requires tools and capabilities that are different from the job of designing security tools and enforcing them. And organizations can hold each party accountable for what they are focused on—developers rapidly produce new business logic, while security teams balance risk and efficiency to keep the enterprise safe.

New technological advances will enable this shift back to putting control in the hands of central IT. As the hybrid cloud evolves, we’ll see a whole class of controls that are totally transparent to the developer. These controls are like an invisible fence that you have in your yard—your dog can run all around the yard, but when Fido tries to run out of bounds, the fence stops him. This invisible fence enables developers to launch servers, create new databases, and test their applications—but the data is always going to be encrypted. Residency and access control policies will be enforced, and the developer doesn’t need to think about those things or have the ability to make mistakes that defeat those capabilities. Security will live on a plane that is almost orthogonal to the plane of the developer.

These advances will be applied through automation. Automated security products that are tightly integrated with infrastructure can provide the assurances that customers need, underneath the tools that developers use. Developers can then launch their servers and put stuff out there, but the security team can be assured that their compliance requirements, data residency requirements, and key rotation policies are all going to be met. By making the security controls fully automated and transparent, they will never get in the way of the application developer, allowing both groups to achieve their objectives—to provide rapid new application development and security assurance.