3 Ways Developers Can Boost In-App Security


In the past, responsibility for data privacy and security fell on non-development teams, like IT, security or compliance. But this is changing.

Thanks to the adoption of cloud native technologies and trends like policy-as-code, developers are more focused on security than ever. According to the Styra 2022 Cloud-Native Alignment Report, over half of developers think their organization should enhance its data privacy efforts in the next 12 months. And more than three-quarters (77%) of IT decision-makers agree.

This security-focused mindset is a good thing. Developers have an opportunity to step up within their organizations and help future-proof in-app security. But this requires more than just the right attitude.

To make real change, developers need to follow development, security and operations (DevSecOps) best practices and adopt the right technologies.

The cloud prompted a new era of security

Developers’ interest in security has been a long time coming. Google search data shows that queries for terms like “what is DevSecOps” and “DevSecOps vs. DevOps” first popped up in 2014 and have been steadily rising since 2017.

The cloud, microservices, containerization and APIs are responsible for this burgeoning interest. These innovative technologies aren’t only changing the way applications are built and operated, they’re also changing what’s needed from a security perspective. In a modern environment, developers, engineers and architects need to think about data privacy and security because today’s applications benefit from having security measures baked into discrete components.

Before the cloud became as ubiquitous as it is today, traditional cybersecurity relied on a perimeter-based model. Measures like firewalls and browser isolation systems essentially “surrounded” on-premise networks and systems. Applications and data were secure because they were hosted on physically isolated infrastructure. In this setup, developers focused on application building, and IT teams focused on security.

But as organizations start their digital transformation journeys, IT can’t simply build barriers around their tech environments. This shift to the cloud opens up more attack surfaces, making cybersecurity more complex and requiring security to be built in from the beginning. At the same time, microservices architecture revolutionized software development, making in-app security more important than ever.

Before microservices, most applications consisted of several monolithic chunks of code. Changes to even one line of code could affect the entire application. But today, microservices allow applications to be broken into hundreds of individual software pieces. These pieces of code are more sophisticated than ever and enable software teams to make frequent changes without affecting the rest of the application.

That leaves developers, IT teams and their companies with essentially two choices: 1) use microservices architecture to their advantage and embed hyper-granular security controls within applications, or 2) keep using traditional layered security controls and approach cybersecurity in a siloed, reactive manner, which we know creates higher security and compliance risks.

3 ways developers can boost in-app security 

While the cloud and microservices may open up more vulnerabilities for organizations, a DevSecOps mindset and the use of authorization (controlling who, or what, can do what) can help software teams close the gaps. I’ve seen first-hand how organizations enhance application security by improving their authorization posture, and I believe that with the following best practices, developers can sharpen their authorization skills and improve application security:

As more applications are designed, built and deployed on cloud native architecture, security will only become more integral to developers’ roles. The longer developers and organizations resist a DevSecOps mindset, the more catch-up they’ll have to do in the end.

By embracing a security-focused mindset now and adopting authorization best practices, your software team can support application security, data privacy and compliance from the very beginning of the development lifecycle.

Sign up for the Styra Academy to learn more about OPA, or Styra DAS Free today to see OPA in action.

 A version of this blog first appeared in The New Stack on April 11, 2022
