Snyk sponsored this post.
The new normal of a remote workforce happened so quickly that very few, if any, companies were truly prepared for the change. While many made valiant efforts to adapt, there is a learning curve when it comes to scaling new remote processes at every level of a company. However, this is especially true when it comes to your company’s security practices.
You may now be thinking, is there something I missed? Well, don’t panic. Instead, let’s dive into some industry best practices that will not only help you and your team at home adapt, but will also aid in scaling practices even when you’re back at your office desks again.
Working from home means atypical distractions during a “typical” workday. With this in mind, it’s important to empower developers to make decisions on their own, without baking in time for extraneous approvals. Developing clear guidelines helps align teams on expectations and is a crucial component for success. Investing in documenting these guidelines is the key next step toward giving developers the authority and confidence they need to autonomously make the right decisions each and every time.
While “breaking the build” is a popular CI/CD security measure in the face of a security violation, it’s unfortunately a disruptive one as well — leaving developers working on new software in a bind. This becomes an even larger issue when team communications must overcome the separation of remote work. I recommend limiting breakage to only the most extreme cases.
For other issues, fail the pull request instead. Advantages to this approach include testing only the new code changes local to the branch where the code is modified, and the ability to choose whether a given failure blocks a merge or is just informational. These advantages have something in common: they empower developers to make the decision, giving them more autonomy to forge ahead with their projects even in light of unforeseen issues.
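As an added illustration (not code from the post or from Snyk), here is a small pull-request gate that applies the two properties just described: it only considers findings in files the branch actually changed, and it lets the team decide, per rule or by a severity threshold, whether a finding blocks the merge or is merely informational. The finding format, severity names and sample data are assumptions constructed for the example.

```python
"""Pull-request security gate: scope findings to the branch diff and decide block vs. inform."""
from dataclasses import dataclass

# Assumed severity ordering used for the blocking threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    file: str       # path the scanner reported the issue in
    rule: str       # scanner rule id (assumed naming)
    severity: str   # one of SEVERITY_RANK's keys


def evaluate_pull_request(findings, changed_files, block_at="high", policy=None):
    """Return the gate decision for one pull request.

    Only findings in files touched by the branch are in scope, so pre-existing
    issues elsewhere in the repository never block this developer's merge.
    `policy` maps a rule id to "block" or "inform" and overrides the severity
    threshold, which is how the team records its per-rule choice.
    """
    policy = policy or {}
    threshold = SEVERITY_RANK[block_at]
    in_scope = [f for f in findings if f.file in changed_files]
    blocking, informational = [], []
    for f in in_scope:
        mode = policy.get(f.rule)  # an explicit per-rule decision wins
        if mode is None:
            mode = "block" if SEVERITY_RANK[f.severity] >= threshold else "inform"
        (blocking if mode == "block" else informational).append(f)
    return {
        "block_merge": bool(blocking),
        "blocking": blocking,
        "informational": informational,
        "out_of_scope": len(findings) - len(in_scope),
    }


# Constructed sample data: a whole-repository scan plus the files this branch changed.
SAMPLE_FINDINGS = [
    Finding("src/auth.py", "hardcoded-secret", "critical"),
    Finding("src/util.py", "weak-hash-md5", "medium"),
    Finding("legacy/old.py", "sql-injection", "high"),  # not touched by this branch
]
SAMPLE_CHANGED_FILES = {"src/auth.py", "src/util.py"}

if __name__ == "__main__":
    result = evaluate_pull_request(SAMPLE_FINDINGS, SAMPLE_CHANGED_FILES)
    for f in result["blocking"]:
        print(f"BLOCK {f.file}: {f.rule} ({f.severity})")
    for f in result["informational"]:
        print(f"INFO  {f.file}: {f.rule} ({f.severity})")
    print("merge blocked" if result["block_merge"] else "merge allowed")
```

In a CI job, `block_merge` would map to the job's exit status while the informational list is posted as a comment on the pull request.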
Security visibility can take a lot of forms, but I have a few specific suggestions that apply to most organizations. First, utilize a software bill of materials (SBOM) to capture dependencies packaged into your app. Another way is to crowdsource visibility through a specific Slack channel or notification emails, even leaderboards that show how well each team is handling security issues. These tactics get everyone involved in the process and help teams actively see themselves getting better, or give the opportunity to course-correct if they’re not hitting their goals.
An upside to working from home means time once spent commuting can now be used for professional development. For developers, invest in security education through online resources like MyDevSecOps, OWASP or DevSecCon conference videos, or through commercial tools like SecureCodeWarrior.
For security teams, invest time and resources in improving the team’s coding skills. I recommend resources like Cybrary: Python for Security Professionals, Lynda/LinkedIn: JavaScript Training and Tutorials, and Codecademy: Learn Go Programming.
Remember, developers are people too! Especially in these isolated times, it’s important to note that a kind word or team-wide recognition can mean a lot. From a well-placed GIF in Slack to special company swag, don’t forget to celebrate the accomplishments of your team.
Remote developers need to know they have someone to turn to when an inevitable security question arises. Luckily, alignment between teams doesn’t require organization changes, just regular connection between teams in daily working practices. I recommend booking recurring syncs between peers, and having security and developer partners join some of the other team meetings to maintain visibility.
Hygiene is turning into a keyword for 2020, but in this case it applies to more than hand washing. In security, it means prioritizing the basics before the more obscure attacks. For a majority of companies, vulnerable components, configuration mistakes, and leaked tokens should take priority over sophisticated attacks. Once security hygiene is successfully scaled to your remote development teams, you can go back to expanding your horizons.
An investment in two-factor authentication infrastructure isn’t just a good idea during times when most employees are working from a VPN or operating in cloud environments. In fact, it can pay dividends in the future, allowing you to extend that capability to other systems on your network or cloud environment.
This can easily be accomplished by enabling mutual authentication and shortening session times. As more production machines go remote, the risk of attack goes up and strengthening authentication on these interfaces becomes critical. I recommend using open source systems like Netflix’s BLESS or SmallStep, or commercial options like Okta or others, to enable stronger identity-based authentication.
One positive outcome from the sad reality of company cutbacks is that many professionals will be looking for opportunities on the gig market. This is an opportunity to strengthen your security assessment strategy via bug bounty programs like HackerOne or Bugcrowd. Not only will you help create work opportunities for those in need, but you’ll be adding another layer of security assessment capability.
I hope these tips not only help you keep security practices on track during our time of mandated work from home, but that they actually strengthen your overall approach and stick with you and your teams into the future.
For even deeper insights into these practices and putting them into motion in your organization, tune into this panel discussion with myself (Guy Podjarny, Snyk co-founder and president), Atlassian Chief Information Security Officer Adrian Ludwig, and InVision Senior Security Engineer Sara Dunnack, on maintaining secure development in a WFH Environment.
Feature image via Pixabay.