Striking the right balance between development and security [Q&A]
Developers need access to many devices and internal services in order to build software. But many of these devices and services are exposed to the public web, creating gaps in security.
Add in the challenges of securing remote working and it's clear that there's a tricky balancing act needed to enable development while keeping the organization secure. We spoke to Avery Pennarun, CEO and co-founder of VPN service Tailscale, to find out how this can be achieved.
BN: Why is security such an issue for developers?
AP: Most startups suck at security because they're trying to get things done quickly, and until recently there's been a trade-off -- especially for developers -- between the easy path and the secure one. The path of least resistance was to spin up a dev environment on AWS, open the firewall ports, and hope no one finds it. How many former employees still have access to your startup's GitHub? How many developers accidentally leave ports open? It's like an open invitation for hackers.
Tailscale has seen viral adoption by developers over the last couple of years because it makes the easiest way for developers to operate also the safest. For once security and engineering teams can be on the same page. There doesn't have to be a trade-off.
BN: Is this security blindspot becoming a bigger issue due to remote work?
AP: Shadow IT has become ubiquitous during the pandemic. Most companies still have a connectivity blindspot because there weren't the same risks when everyone was in the office together.
If a developer wants to share something with a colleague, that's no problem if we're both in the same office on the same private network. But if we're both sitting at home, there's no way to do that securely. I have to spin up a dev environment and open ports in the cloud.
These sorts of workarounds are the source of a huge amount of security risk. We’ve tackled this problem by giving developers the ability to create small scale networks, with clear safeguards about what can connect to what, so it's safer to let employees use their personal devices.
BN: How does the deployment of smaller, private networks contribute to the bigger mission?
AP: My co-founders and I collectively spent decades at Google where we built products for global scale. But here's the thing: the vast majority of the time, your tools just need to be reachable from small networks of client devices. Most of the time you don't need to write or use software for billions of users.
Imagine if all of your communications with your friends, family, and colleagues happened on public Twitter. That'd be crazy, right? Twitter certainly has a purpose, but for most of your conversations, you don't need it -- your WhatsApp friends chat or team Slack is much better suited for the task, and doesn't have attackers and spammers joining your conversation.
Yet, the way we're using the Internet today is like relying on Twitter for all communications -- we're using it to do a bunch of stuff we don't need it to do. All of our devices connect through the public Internet by default. Every app or piece of software that involves interaction between people has to build all of that infrastructure for managing social interactions on the public Internet, and the developers make mistakes.
If you shrink the size of the internet down to a small group of people who you trust, it's much easier to write software and accomplish everything else, because almost all the attackers just aren't there.
Think of having a Whatsapp group for most of the tasks you need to do day-to-day -- that’s what Tailscale does We're enabling developers to instantly share any tool or asset with exactly the group of people you want to share it with, without having it intermediated by a complex cloud service and dozens of different apps (that each introduce their own security risks). And you don't have to build authentication and encryption into every new tool.
BN: Developers and security teams have historically had alignment challenges. Do private networks enable better communication in order to build security earlier in the process?
AP: Definitely. The joke about security teams is their job is to stop you from doing your job. What's neat about Tailscale is it makes it easier for developers to do what they want to do, but also simultaneously more secure. So they're solving both problems. Now security can be the heroes for doing something that not only makes the organization safer, it actually makes developers' jobs easier.
More broadly, I think we're going to see a shift toward more accountability for how organizations set up their infrastructure to minimize the impact of breaches when they inevitably happen. Today there's an all-or-nothing dynamic -- we focus on whether or not there was a breach, and as soon as there is, companies throw up their hands and say, "Whoops! I guess the hackers have everything now!" and send out the mandatory disclosure. But the goal shouldn't be just to prevent breaches, but also contain the impact of ones that inevitably happen despite people's best efforts.
Organizations are going to be judged not on whether they have security breaches, but on how well they segregated their systems and took precautions to minimize their impact. Consumers are becoming more savvy about this -- just because hackers got into your network doesn't mean they should've been able to access everyone's data. That last part is just embarrassing, and people are starting to see it that way.
Image credit: Lightspring/ Shutterstock