Snyk sponsored this post.
The new normal of a remote workforce arrived so quickly that very few companies, if any, were truly prepared for the change. While many made valiant efforts to adapt, there is a learning curve when it comes to scaling new remote processes at every level of a company, and that is especially true of your company’s security practices.
You may now be thinking, is there something I missed? Well, don’t panic. Instead, let’s dive into some industry best practices that will not only help you and your team adapt while working from home, but will also scale once you’re back at your office desks again.
- Establish documented guidelines to empower remote developers.
Working from home means atypical distractions during a “typical” workday. With this in mind, it’s important to empower developers to make decisions on their own, without baking in time for extraneous approvals. Developing clear guidelines helps align teams on expectations and is a crucial component for success. Investing in documenting these guidelines is the key next step toward giving developers the authority and confidence they need to autonomously make the right decisions each and every time.
- Focus less on breaking the build and more on failing pull requests.
While “breaking the build” is a popular CI/CD response to a security violation, it is also a disruptive one, leaving every developer who depends on that build in a bind until the violation is fixed. The disruption is amplified when team communication has to cross the gap of remote work. I recommend reserving build breakage for the most severe findings.
For everything else, fail the pull request instead. This approach has two advantages: it tests only the changes introduced on the branch rather than the whole code base, and it lets you decide per finding whether a failure blocks the merge or is merely informational. Both advantages put the decision in the developer’s hands, giving them the autonomy to keep moving even when an unforeseen issue turns up.
- Prioritize investment in security visibility.
Security visibility can take many forms, but a few suggestions apply to most organizations. First, generate a software bill of materials (SBOM) to capture the dependencies packaged into your app, so you know what you are shipping before a vulnerability in one of them is announced. Second, crowdsource visibility through a dedicated Slack channel or notification emails, or even leaderboards that show how well each team is handling its security issues. These tactics get everyone involved in the process and let teams see themselves improving, or course-correct when they are not hitting their goals.
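The two ideas above, judging a pull request only on what the branch introduced and letting policy decide which findings block the merge, combine naturally once you have an SBOM for both the base branch and the branch under review. The following is an added example written for this page, not code from the original post or from any Snyk tool: the two SBOMs and the advisory table are constructed inline with fictional package names and made-up advisory IDs, and in practice they would come from your SBOM generator and vulnerability scanner.

```python
"""PR gate: report only dependency findings that are new to the branch,
and block the merge only for those at or above a policy-chosen severity.

Added example, not from the original post. All package names, versions
and advisory identifiers below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed SBOMs as sets of (package, version), the way an SBOM lists them.
BASE_SBOM = {("alpha-parser", "1.2.0"), ("beta-http", "3.0.1"), ("gamma-yaml", "0.9.0")}
BRANCH_SBOM = BASE_SBOM | {("delta-template", "2.4.1"), ("epsilon-cli", "5.1.0")}

# Constructed advisory table keyed by (package, version): list of (advisory id, severity).
# gamma-yaml is already vulnerable on the base branch; the PR did not introduce it.
KNOWN_VULNS = {
    ("gamma-yaml", "0.9.0"): [("EXAMPLE-0001", "medium")],
    ("delta-template", "2.4.1"): [("EXAMPLE-0002", "high")],
    ("epsilon-cli", "5.1.0"): [("EXAMPLE-0003", "low")],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    blocking: bool  # True if policy says this finding must stop the merge


def new_components(base, branch):
    """Components the branch added or changed: the only ones the PR check judges."""
    return sorted(branch - base)


def evaluate_pr(base, branch, vulns, block_at="high"):
    """Return findings for new components, marking those >= block_at as blocking.

    Findings already present on the base branch are the baseline's problem and
    belong in the team's backlog and dashboards, not in this PR's verdict.
    """
    threshold = SEVERITY_RANK[block_at]
    findings = []
    for pkg, ver in new_components(base, branch):
        for advisory, severity in vulns.get((pkg, ver), []):
            findings.append(Finding(pkg, ver, advisory, severity,
                                    SEVERITY_RANK[severity] >= threshold))
    return findings


def pr_status(findings):
    """'fail' if anything blocks, 'warn' if only informational findings, else 'pass'."""
    if any(f.blocking for f in findings):
        return "fail"
    return "warn" if findings else "pass"


if __name__ == "__main__":
    results = evaluate_pr(BASE_SBOM, BRANCH_SBOM, KNOWN_VULNS, block_at="high")
    for f in results:
        tag = "BLOCK" if f.blocking else "INFO "
        print(f"{tag} {f.package}@{f.version} {f.advisory} ({f.severity})")
    print("PR status:", pr_status(results))
```

With `block_at="high"` the branch fails because of the high-severity finding on delta-template, while the low-severity one on epsilon-cli is reported without blocking; raising the threshold to `critical` turns the same run into a warning, and a branch that adds no new components passes regardless of what the baseline already carries. Wiring this into CI means running it on pull request events only and mapping `fail` to a non-zero exit code.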
- Take extra time to level up individual skills.
An upside to working from home means time once spent commuting can now be used for professional development. For developers, invest in security education through online resources like MyDevSecOps, OWASP or DevSecCon conference videos, or through commercial tools like SecureCodeWarrior.
- Don’t forget that praise can be sent virtually.
Remember, developers are people too! Especially in these isolated times, it’s important to note that a kind word or team-wide recognition can mean a lot. From a well-placed GIF in Slack to special company swag, don’t forget to celebrate the accomplishments of your team.
- Don’t let distance muddle security and developer relationships.
Remote developers need to know they have someone to turn to when the inevitable security question arises. Luckily, alignment between teams doesn’t require organizational changes, just regular connection in daily working practices. I recommend booking recurring syncs between peers, and having security and developer partners join some of each other’s team meetings to maintain visibility.
- Remember hygiene can be applied to security practices too.
Hygiene is turning into a keyword for 2020, but in this case it applies to more than hand washing. In security, it means fixing the basics before worrying about the more exotic attacks. For the majority of companies, vulnerable components, configuration mistakes, and leaked tokens should take priority over sophisticated attacks. Once security hygiene is successfully scaled to your remote development teams, you can go back to expanding your horizons.
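Leaked tokens are the hygiene item that is cheapest to catch early, because a pre-commit or CI check can refuse a commit before the secret ever reaches the remote. The following is an added example written for this page, not code from the original post: the AWS access key ID and GitHub classic token patterns follow their published prefixes (`AKIA` plus 16 characters, `ghp_` plus 36), the generic secret-assignment rule is a heuristic you will need to tune, and the sample file content and token values are constructed and not real credentials.

```python
"""Pre-commit style check for leaked tokens in text about to be committed.

Added example, not from the original post. Sample content is constructed;
the AWS and GitHub patterns follow those services' published token prefixes,
the assignment rule is a heuristic and will need tuning per code base.
"""
import re

# Values that look like secrets but are obviously placeholders; skipped to cut noise.
PLACEHOLDER = re.compile(r"(?i)placeholder|replace[_-]?me|changeme|^x+$|^\*+$")

PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # Heuristic: a secret-looking name assigned a long literal value. Word boundaries
    # mean names like AWS_SECRET_ACCESS_KEY are left to the dedicated rules above.
    ("secret-assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
                r"([A-Za-z0-9_\-/+=]{16,})['\"]?")),
]


def scan_text(text):
    """Return (line_number, rule_name, matched_value) for each suspected leak."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if PLACEHOLDER.search(value):
                    continue
                hits.append((lineno, rule, value))
    return hits


def should_block_commit(hits):
    """Policy hook: any hit blocks. Tighten or loosen per rule if needed."""
    return bool(hits)


# Constructed sample of a settings file staged for commit. Neither token is real.
FAKE_AWS_KEY_ID = "AKIA" + "Z" * 16
FAKE_GITHUB_PAT = "ghp_" + "a" * 36
SAMPLE = "\n".join([
    "# deploy settings",
    f"AWS_ACCESS_KEY_ID={FAKE_AWS_KEY_ID}",
    "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}",   # env reference, not a leak
    f'github_token: "{FAKE_GITHUB_PAT}"',
    'token = "REPLACE_ME_WITH_A_REAL_TOKEN_VALUE"',      # placeholder, skipped
    'password = "s3cr3t-but-pretty-long-value-0123"',
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    findings = scan_text(SAMPLE)
    for lineno, rule, value in findings:
        print(f"line {lineno}: {rule}: {value}")
    print("blocked" if should_block_commit(findings) else "clean")
```

On the constructed sample the check flags the key ID, the GitHub token, the hard-coded password and the private key header, and correctly ignores the `${...}` environment reference and the placeholder. Run it against `git diff --cached` output in a pre-commit hook so it sees only what is about to be committed, and treat every hit as a token to rotate, not just a line to delete, since the value is already in the working copy's history of edits.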
- Embrace two-factor authentication.
An investment in two-factor authentication infrastructure isn’t just a good idea while most employees are connecting over a VPN or working in cloud environments. It pays dividends later, because once the capability exists you can extend it to other systems on your network or in your cloud environment.
- Add security to SSH connections.
This can be accomplished by enabling mutual authentication (the server verifies the user’s key or certificate, and the client verifies the host’s) and by shortening session lifetimes, for instance through short-lived certificates. As more access to production machines happens remotely, the exposure of these interfaces grows and strengthening authentication on them becomes critical. I recommend open source systems like Netflix’s BLESS or SmallStep, or commercial options like Okta and others, to enable stronger identity-based authentication.
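BLESS and Smallstep both work by acting as an SSH certificate authority, and the server side of that is a handful of OpenSSH directives. The following is an added example written for this page, not code from the original post or from either project: it audits an `sshd_config` for the settings that implement CA-issued user certificates, a host certificate for the client to verify, and short idle and login windows. The two configs are constructed samples, the file paths in them are assumptions, and the 30-second grace and 10-minute idle limits are policy choices you should set for your own environment.

```python
"""Audit sshd_config for CA-based SSH authentication and short session windows.

Added example, not from the original post. Both sample configs are constructed;
paths are placeholders, and the time limits are illustrative policy values.
"""

# OpenSSH defaults for the directives audited, applied when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "logingracetime": "120",
    "clientaliveinterval": "0",   # 0 means idle sessions are never probed or dropped
    "clientalivecountmax": "3",
}

WEAK_CONFIG = """\
# constructed sample: password logins on, no CA, default timeouts
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
LoginGraceTime 120
"""

HARDENED_CONFIG = """\
# constructed sample: CA-issued user certs, host cert, short windows
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
TrustedUserCAKeys /etc/ssh/user_ca.pub
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
"""


def _seconds(value):
    """Parse sshd time values such as '30', '2m' or '1h' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = value.strip().lower()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def parse_sshd_config(text):
    """Map lowercase keyword -> value for the global section of an sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are ignored.
    Anything after a Match block is conditional and is not audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text, max_grace=30, max_idle=600):
    """Return (Directive, explanation) findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    get = lambda key: cfg.get(key, DEFAULTS.get(key))
    findings = []
    if get("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication",
                         "password logins accepted; only keys or certificates should authenticate"))
    if get("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", "must be yes for certificate authentication"))
    if "trustedusercakeys" not in cfg:
        findings.append(("TrustedUserCAKeys",
                         "no user CA; the server cannot accept CA-issued short-lived user certificates"))
    if "hostcertificate" not in cfg:
        findings.append(("HostCertificate",
                         "no host certificate; clients cannot verify this host against the CA"))
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "direct root login is enabled"))
    if _seconds(get("logingracetime")) > max_grace:
        findings.append(("LoginGraceTime", f"unauthenticated connections may linger over {max_grace}s"))
    interval, count = _seconds(get("clientaliveinterval")), int(get("clientalivecountmax"))
    if interval == 0 or interval * count > max_idle:
        findings.append(("ClientAliveInterval",
                         f"idle sessions are never dropped or outlive the {max_idle}s policy"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'OK'}")
```

The hardened sample passes and the weak one produces six findings. The certificate side of this is standard OpenSSH: the CA signs a user key with a short validity window, for example `ssh-keygen -s user_ca -I alice -n alice -V +1h id_ed25519.pub`, and clients pin the host CA with a `@cert-authority` line in `known_hosts` so the host half of the mutual check does not depend on first-use prompts. BLESS and Smallstep automate the issuing step behind your identity provider.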
- Take advantage of Bug Bounty programs.
One positive outcome from the sad reality of company cutbacks is that many professionals will be looking for opportunities on the gig market. This is a chance to strengthen your security assessment strategy via bug bounty programs such as HackerOne or Bugcrowd. Not only will you help create work opportunities for those who need them, but you’ll be adding another layer of security assessment capability.
I hope these tips not only help you keep security practices on track during our time of mandated work from home, but that they actually strengthen your overall approach and stick with you and your teams into the future.
How Pros Implement Secure Development
For even deeper insights into these practices and putting them into motion in your organization, tune into this panel discussion with myself (Guy Podjarny, Snyk co-founder and president), Atlassian Chief Information Security Officer Adrian Ludwig, and InVision Senior Security Engineer Sara Dunnack, on maintaining secure development in a WFH Environment.
Feature image via Pixabay.