To improve developer productivity, you need to consider how you can streamline your security and compliance workflows. These workflows, although imperative to keeping your organisation’s data and IP safe, inherently add friction and lag on shipping software; but most importantly contribute to developer frustration and loss of productivity. These blockers impact your developers throughout the entire software development process; from the too often forgotten build engineering team tasked with building the open source language distributions to your front-end web team. The direct impact to your developers is frustration and a loss of productivity. Thereby your security and compliance workflows decrease your developers’ level of satisfaction.
A developer is like an artist painting on a blank canvas; they need to be armed with the best tools in order to create their best work. If you give an artist dried-up paint, they will spend more time creating the colours they need than actually painting. The same concept applies to developers: enable them to do what they are best at, without disrupting their workflow with compliance and security needs, so they can produce code faster.
ActiveState’s Developer Survey 2018: Open Source Runtime Pains (opens in new tab) found that 51 per cent of developers—more than half—spend only one to four hours per day programming. In other words, the majority of developers spend less than half their time coding. Further, 67 per cent of developers chose not to add a new language when coding because of the related difficulties given corporate policies. And here’s the rub: one of the biggest concerns for developers was security. In fact 50 per cent of developers surveyed said that security was one of their biggest concerns.
So, you’re faced with developer productivity lost on things like retrofitting software for security and compliance criteria checked after software and languages have been built. And your developers won’t choose the best tool or language for the job because of corporate policies. Developer satisfaction goes down and risk goes up.
Your developers can’t spend time on high-value work and you add business risk because your time-to-market is slowed and you’re increasing tech debt by not empowering your developers to decide on “the best” tech, unencumbered by corporate policy drag.
Integrated security and compliance workflows
The solution is to integrate security and compliance workflows into the software development process. You can do so in four easy steps:
The first and often overlooked step is getting buy-in across your stakeholder groups in the software development process. Make sure to consider a diverse set of stakeholders, including:
- IT Security
In order to get buy-in, build the business case for eliminating the security and compliance
checkpoints after software builds. You can consider any or all of the following in building your business case: time savings, opportunity cost and developer productivity. By integrating security and compliance workflows into the development process you also avoid retrofitting of languages.
Vetted sources, license and security requirements
After buy-in is obtained, define the vetted sources that can be used, along with their license and security requirements. Consider including information such as:
- usage restrictions based on environment or application type and version controls per language
- allowable or non-allowable open source components, e.g. specific packages
- what licenses can be used in which types of environments (e.g. research vs. production)
- definition of security levels, acceptable vulnerability risk levels and what risk levels trigger an action, what that action would be and who would be responsible for its implementation
Bake security and compliance into code
Integrated security and compliance workflows ultimately bake security and compliance into the first line of code. It eliminates the drag of corporate policy on your developers because they’re coding to spec versus having to fix things after the fact. But to do this, consider mechanisms for automatically scanning code as it’s being built, along with using agentless monitoring of your runtime code. You’re freeing up your developer time, and you’ll also be able to programmatically enforce policies to ensure compliance across your entire organisation.
Considerations for deploying and running code
The process for deploying and running code should include monitoring, reporting and updating of code in production. New vulnerabilities arise, and new patches and versions are made available. Consequently, security and compliance need to be considered when deploying code into production and also when running code. You need to know what, if any, code is at risk and where that code is running. By baking security and compliance into your first line of code, you can also benefit by tracking where your code is running once deployed and be alerted of new threats as they arise. You will be able to track when your applications were vulnerable and respond by automatic enforcement of your software policies.
By integrating security and compliance workflows into your software development process, you will improve your developer productivity. And you’ll be able to measure value through increased developer time spent coding. Along with this comes gains in security and stability, as well as cost and time-savings in maintenance and the discovery of security and compliance threats.
Make your developers happier and your bottom line will show it
Developers are a critical element in the enterprise machine, but they need the freedom
to work quickly and creatively without being bogged down by the very necessary needs of compliance and security. Yet, as evidenced by ActiveState’s 2018 Developer Survey, developers also are concerned with security – they aren’t just ignoring it in favour of wanting to use their choice of tools. By integrating your security and compliance workflows you will also provide your developers with more freedom and ultimately increase not only their productivity and time spent on high-value work but also improve their satisfaction level. In other words, integrating security and compliance workflows into your software development process makes your developers happy and your bottom-line will show it.
Bart Copeland, CEO and president, ActiveState (opens in new tab)
Image Credit: Geralt / Pixabay