In this podcast, Justin Garrison, Deepak Prabhakara, and Schalk Neethling discuss the concept of shifting left in software development and its implications for security. They explore the role of developers in ensuring security, the importance of tooling, and the difference between authentication and authorization. The speakers also emphasize the need for a mindset change when approaching security and highlight the benefits of integrating security during the application-building process.
Shifting left involves bringing security responsibilities closer to developers and building security into the software development lifecycle from the start rather than bolting it on at the end.
Vercel's frontend cloud focuses on making it easy for developers to write code in their preferred frameworks while leveraging Vercel's managed infrastructure.
Treating security as code and integrating it into the software development lifecycle allows for automation, testing, and evidence gathering to ensure a minimum viable secure product.
The concept of shift left security involves considering security early in the development process, making it everyone's responsibility, and tailoring security efforts based on the specific context and expectations.
Deep dives
Shifting left and the burden of security
Shifting left is about bringing security responsibilities closer to the developer. The discussion covers what shifting left means in practice, the role of the developer in security, and the burden that role places on developers. Tooling and the distinction between authentication (verifying who the caller is) and authorization (deciding what that caller may do) are key aspects to consider.
Vercel's frontend cloud and framework-defined infrastructure
Vercel's frontend cloud supports over 35 frameworks and focuses on making it easy for developers to write code in their preferred frameworks while leveraging Vercel's managed infrastructure. This framework-defined infrastructure allows developers to write code in their framework's native way and have it transformed to work with Vercel's scalable and flexible infrastructure.
The concept of the frontend cloud
The frontend cloud is an approach that focuses on providing tools designed and built specifically for frontend developers. It streamlines the entire process of building frontend applications, from writing code in preferred frameworks to deploying and scaling the application globally. The goal is to allow developers to focus on product and user experience while letting the frontend cloud handle the infrastructure and tooling.
The importance and challenges of shifting left in security
Shifting left in security involves treating security as code and integrating it into the software development lifecycle. It allows for automation, testing, and evidence gathering to ensure a minimum viable secure product. However, it also presents challenges, such as the constant need to adapt and update security practices, the need for collaboration between developers and compliance managers, and the balancing act between security and the developer's workload.
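One concrete way to read "security as code" is a small policy suite that runs in CI on every change and writes a machine-readable report that can later serve as evidence. The example below is added here to illustrate that idea; it is not code from the episode, from BoxyHQ or from Vercel. The service-manifest format (ingress, routes, auth, roles, env) and both sample manifests are assumptions constructed for the example. It also separates the two checks the episode names as distinct concerns: whether a route authenticates at all, and whether it then authorizes.

```python
"""Security as code: policy checks that run in CI and emit evidence.

Constructed example (not BoxyHQ's or Vercel's code). The manifest layout
used below is an assumption made for illustration only.
"""
import json
from typing import Callable, Dict, List

# Constructed sample manifests. The weak one has a public admin route, a route
# that authenticates but never authorizes, TLS 1.0 allowed, debug on, and a
# literal secret in the environment. (The secret value is a placeholder.)
WEAK_MANIFEST = {
    "service": "billing-api",
    "debug": True,
    "ingress": {"tls": True, "min_tls_version": "1.0"},
    "env": {"DB_URL": {"secretRef": "db-url"}, "STRIPE_KEY": "sk_live_placeholder"},
    "routes": [
        {"path": "/health", "auth": "none", "roles": [], "public": True},
        {"path": "/admin/users", "auth": "none", "roles": []},
        {"path": "/invoices", "auth": "jwt", "roles": []},
    ],
}

# Hardened counterpart that the same policy suite should accept.
HARDENED_MANIFEST = {
    "service": "billing-api",
    "debug": False,
    "ingress": {"tls": True, "min_tls_version": "1.2"},
    "env": {"DB_URL": {"secretRef": "db-url"}, "STRIPE_KEY": {"secretRef": "stripe-key"}},
    "routes": [
        {"path": "/health", "auth": "none", "roles": [], "public": True},
        {"path": "/admin/users", "auth": "jwt", "roles": ["admin"]},
        {"path": "/invoices", "auth": "jwt", "roles": ["billing", "admin"]},
    ],
}

# A rule returns a list of findings; an empty list means the rule passed.
Rule = Callable[[dict], List[str]]


def _version(v) -> tuple:
    return tuple(int(x) for x in str(v).split("."))


def tls_enforced(m: dict) -> List[str]:
    ing = m.get("ingress", {})
    findings = []
    if not ing.get("tls"):
        findings.append("ingress does not enforce TLS")
    if _version(ing.get("min_tls_version", "0")) < (1, 2):
        findings.append(f"minimum TLS version {ing.get('min_tls_version')} is below 1.2")
    return findings


def authentication_required(m: dict) -> List[str]:
    # Authentication: every route not explicitly public must verify who the caller is.
    return [f"{r['path']} is reachable without authentication"
            for r in m["routes"] if r.get("auth", "none") == "none" and not r.get("public")]


def authorization_defined(m: dict) -> List[str]:
    # Authorization: knowing who the caller is is not enough; an authenticated
    # route with no role requirement lets any logged-in user through.
    return [f"{r['path']} authenticates but grants access to any authenticated caller"
            for r in m["routes"] if r.get("auth", "none") != "none" and not r.get("roles")]


def debug_disabled(m: dict) -> List[str]:
    return ["debug mode is enabled"] if m.get("debug") else []


def no_inline_secrets(m: dict) -> List[str]:
    # Secrets must be referenced from a secret store, never written into the manifest.
    return [f"env {k} holds a literal value instead of a secret reference"
            for k, v in m.get("env", {}).items()
            if not (isinstance(v, dict) and "secretRef" in v)]


RULES: Dict[str, Rule] = {
    "tls_enforced": tls_enforced,
    "authentication_required": authentication_required,
    "authorization_defined": authorization_defined,
    "debug_disabled": debug_disabled,
    "no_inline_secrets": no_inline_secrets,
}


def evaluate(manifest: dict) -> dict:
    """Run every rule and return a report suitable for storing as evidence."""
    findings = {name: rule(manifest) for name, rule in RULES.items()}
    return {
        "service": manifest.get("service"),
        "passed": all(not f for f in findings.values()),
        "failed_rules": sorted(n for n, f in findings.items() if f),
        "findings": findings,
    }


def evidence_json(manifest: dict) -> str:
    """Serialized report, the artifact a CI job would archive for auditors."""
    return json.dumps(evaluate(manifest), indent=2, sort_keys=True)


if __name__ == "__main__":
    for m in (WEAK_MANIFEST, HARDENED_MANIFEST):
        print(evidence_json(m))
```

In a pipeline the job would fail the build when `passed` is false and archive the JSON either way, so the evidence accumulates automatically with each change instead of being collected by hand before an audit.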
The importance of external signals in trusting security
In the podcast episode, the speaker emphasizes the importance of external signals in determining the level of trust in a company's internal security. The lack of a unified tool makes it challenging for security leaders to assess internal security practices, resulting in a heavy reliance on external signals. The speaker suggests that this reliance on external signals can be improved with the adoption of security as code, which allows for automated gathering of security information.
Shift left security and mindset change
The podcast discusses the concept of shift left security, which involves considering security early in the development process rather than as an afterthought. The speaker highlights the importance of a mindset shift where security is everyone's responsibility, not just that of the security specialists. By incorporating security into daily thought processes and asking how each action could be compromised, individuals can contribute to overall security. The speaker also mentions the significance of minimum viable secure products and tailoring security efforts to the specific context and expectations.
The trade-off between build versus buy and the rise of SaaS
The episode explores the trade-off between building and buying software solutions, particularly in the context of security. The podcast highlights the advantages of SaaS solutions, which allow for faster development and scalability. It also emphasizes the importance of integrating trusted and reliable third-party tools into the development process. The speaker acknowledges that while open-source solutions have their benefits, companies should consider their specific needs and evaluate whether building or buying is the most viable option. Lastly, the episode discusses the impact of data-protection regulations like GDPR, which aim to compel companies to prioritize proper data handling and security.
This week we’re going deep on security and what it takes to shift left, seriously. Adam is joined by Justin Garrison (co-host of Ship It), plus two members of the BoxyHQ team — Deepak Prabhakara, Co-founder & CEO and Schalk Neethling, Community Manager and DevRel as well as fellow Changelog Slack member.
We discuss how to shift left, the role of the developer and the burden of security, the importance of tooling, the difference between authentication and authorization, and a mindset change for when security takes place — it’s a matter of “when” not “who.”
Changelog++ members get a bonus 10 minutes at the end of this episode and zero ads. Join today!
Sponsors:
Vercel – With zero configuration for over 35 frameworks, Vercel’s Frontend Cloud makes it easy for any team to deploy their apps. Today, you can get a 14-day free trial of Vercel Pro, or get a customized Enterprise demo from their team. Visit vercel.com/changelogpod to get started.
Synadia – Take NATS to the next level via a global, multi-cloud, multi-geo and extensible service, fully managed by Synadia. They take care of all the infrastructure, management, monitoring, and maintenance for you so you can focus on building exceptional distributed applications.
Read Write Own – Read, Write, Own: Building the Next Era of the Internet—a new book from entrepreneur and investor Chris Dixon—explores one possible solution to the internet’s authenticity problem: Blockchains. From AI that tracks its source material to generative programs that compensate—rather than cannibalize—creators. It’s a call to action for a more open, transparent, and democratic internet. One that opens the black box of AI, tracks the origins we see online, and much more. Order your copy of Read, Write, Own today at readwriteown.com
Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.