The annual RSA Conference is coming up, and security is top of mind for more teams than ever. Recent reports of breaches at Reddit, T-Mobile, the U.S. Marshals Service, among uncomfortably many others, have inspired teams across every industry to invest in building and maintaining more secure, reliable infrastructure. With RSAC 2023 expected to draw over 43,000 attendees, you can expect the conference to feature a myriad of new ways to strengthen your organization's security posture.
We may be biased here, but we think one of the most exciting areas for SREs and security engineers to explore is developer tools. These tools help organizations "shift left" by integrating security and reliability into the development cycle. By engaging developers early in the process, shifting left can promote a culture of security, ease communication, and lighten the load for SREs and security engineers.
What does it mean to shift left with security and reliability?
Security and SRE teams have traditionally focused on enforcing checks on code after it’s written. If you’ve ever tried manually keeping tabs on dozens of launch readiness items across multiple engineering teams, you know how difficult this can be.
Now, we’re seeing a surge in tools targeted at developers, helping them build code that meets security and SRE requirements from the beginning. By shifting security and reliability to the left in the implementation timeline, these tools can benefit everyone.
It’s a well-known fact of software engineering: the later an issue crops up in the development cycle, the harder and more expensive it is to fix. When developers have the tools they need to follow SRE and security best practices—whether that’s access to the right documentation at their fingertips or a quick way to spin up a reliable service—issues are more likely to be caught and addressed before they become a bigger problem.
Furthermore, developer tools can help break down communication barriers between SREs and security engineers and the rest of the engineering organization. They automate away the need for nagging over Slack or tracking in a spreadsheet to ensure that code is compliant and safe. And they become a common place for everyone to reference how security and reliability are defined and measured at the organization—such as which SLAs are essential or what the requirements are for logging data.
Developer portals and Scorecards
Developer portals are rapidly becoming the standard way to combine all the resources a developer needs on the job—tools, documentation, runbooks, a service catalog, and much more—into a single pane of glass. This can be essential when there’s a security breach or the site goes down, and whoever is on call needs to quickly find the information they need to address the incident.
A developer portal doesn’t just help with issue resolution, but also helps with the left shift of security and reliability best practices. Security and SRE teams can make it easy for developers to build compliant services with a built-in tool like Cortex’s Scaffolder. And the Service Catalog can help developers visualize dependencies and understand service performance against SLOs so they can take ownership of improvements.
Scorecards are another key tool that lets you define best practices and hold teams accountable. They fetch data automatically from your integrations without manual work to give services a score and a list of what’s missing. In just a few clicks, you can set up a Scorecard to track a specific initiative, such as mitigating a security vulnerability across a large codebase. With an element of gamification—can you get all your services to 100?—this ends up being a lot more enjoyable than a spreadsheet, too.
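To make the scorecard idea concrete, here is an added illustration (not Cortex's code and not its API) of how such a tool works underneath: a set of weighted rules is evaluated against each service's metadata, producing a 0–100 score and the list of what is missing, plus a roll-up for one initiative across every service. The rule names, weights, metadata keys and the three sample services are all constructed for this example; in a real portal the metadata would be fetched from integrations such as a vulnerability scanner, an on-call tool or the CI system.

```python
"""Minimal service scorecard evaluator (illustrative example, not Cortex's code)."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Service:
    name: str
    # Constructed sample metadata, standing in for what a portal would pull
    # from its integrations (vulnerability scanner, on-call tool, CI, ...).
    metadata: dict


@dataclass
class Rule:
    name: str
    weight: int                      # contribution to the 100-point score
    check: Callable[[dict], bool]    # True when the service passes
    remediation: str                 # shown to the owning team when it fails


@dataclass
class Result:
    service: str
    score: int       # 0-100
    missing: list    # (rule name, remediation) for every failed rule


# Hypothetical rule set; weights sum to 100 so the score reads as a percentage.
RULES = [
    Rule("no-critical-vulns", 40,
         lambda m: m.get("critical_vulns", 0) == 0,
         "Patch or upgrade the dependencies flagged by the scanner."),
    Rule("oncall-rotation", 20,
         lambda m: bool(m.get("oncall_rotation")),
         "Create an on-call rotation and link it in the service catalog."),
    Rule("runbook-linked", 15,
         lambda m: bool(m.get("runbook_url")),
         "Link a runbook so the on-call engineer can find it during an incident."),
    Rule("slo-defined", 15,
         lambda m: m.get("slo_availability") is not None,
         "Define an availability SLO for the service."),
    Rule("dependency-scan-in-ci", 10,
         lambda m: m.get("ci_dependency_scan") is True,
         "Enable the dependency-scan step in the CI pipeline."),
]


def evaluate(service: Service, rules=RULES) -> Result:
    """Score one service and collect the remediation list for failed rules."""
    total = sum(r.weight for r in rules)
    earned = 0
    missing = []
    for rule in rules:
        if rule.check(service.metadata):
            earned += rule.weight
        else:
            missing.append((rule.name, rule.remediation))
    return Result(service.name, round(100 * earned / total), missing)


def initiative_progress(services, rule_name: str, rules=RULES):
    """Roll up a single initiative (e.g. clearing a vulnerability) across all
    services: returns (services passing, services total)."""
    rule = next(r for r in rules if r.name == rule_name)
    passing = [s.name for s in services if rule.check(s.metadata)]
    return len(passing), len(services)


# Constructed sample inventory.
SAMPLE_SERVICES = [
    Service("payments", {"critical_vulns": 2, "oncall_rotation": "payments-primary",
                         "runbook_url": "https://example.invalid/runbooks/payments",
                         "slo_availability": 99.9, "ci_dependency_scan": True}),
    Service("search", {"critical_vulns": 0, "ci_dependency_scan": True}),
    Service("billing", {"critical_vulns": 0, "oncall_rotation": "billing-primary",
                        "runbook_url": "https://example.invalid/runbooks/billing",
                        "slo_availability": 99.5, "ci_dependency_scan": True}),
]


if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        result = evaluate(svc)
        print(f"{result.service}: {result.score}/100")
        for name, fix in result.missing:
            print(f"  missing {name}: {fix}")
    done, total = initiative_progress(SAMPLE_SERVICES, "no-critical-vulns")
    print(f"initiative no-critical-vulns: {done}/{total} services clear")
```

The remediation text attached to each rule is what turns a score into something actionable: the owning team sees not just "60/100" but exactly which check failed and what to do about it, which is the part of the workflow that replaces the spreadsheet and the Slack reminders.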
Wrapping it all up
As a security or SRE professional, one way to amplify your team is to invest in developer tools. This can left-shift your security and reliability metrics, initiatives, and goals, so they become part of development-as-usual at your organization. The result: an engineering culture of shared responsibility where issues get resolved faster, and SRE and security teams operate with more influence (and less nagging).
Interested in learning more? Book a demo with our team to see how Cortex can help you shift left.
P.S. If you're going to be in San Francisco for RSAC 2023, you might see our new billboard. It's our first one, and we're all pretty proud! Let us know if you sneak a peek.