New O’Reilly book — Cloud Native Application Security: Embracing Developer-First Security for the Cloud Era

We’re excited to announce the release of the latest O’Reilly book from Guy Podjarny, the Founder and President of Snyk. In Cloud Native Application Security: Embracing Developer-First Security for the Cloud Era, Guy explores changes in the security landscape that are being driven by digital transformation. As more companies become software companies, he emphasizes the importance of modernizing to developer-first security while exploring its practices and benefits.

Cloud native applications don’t just run on a different platform; they overhaul the scope of the applications, the methodologies with which they’re built, and the skills and ownership around them. To stay relevant, security practices need to undergo a transformation of a similar magnitude. We have to embrace a developer-first (dev-first), Cloud Native Application Security (CNAS) approach and anchor our practices to this new organizational reality.

While “developer-first” is in the title, this book is for anyone that’s looking to update their existing practices for the cloud native era that we now live in. That includes Security and AppSec teams that want to learn how to better work with developers, executives that want to tear down silos and bottlenecks, and even DevOps practitioners that want to implement security into their existing CI/CD workflows. To be clear, developer-first does not mean developer-only. It means developing securely from the start.

Let’s take a look at what’s inside…

Digital transformation

More companies are becoming software companies, regardless of their industry. Companies that weren’t even tech-adjacent 20 years ago now have engineering departments that develop apps and services to drive core parts of their business. Banks, insurance companies, media outlets, grocery stores — all of these industries (and many more) require a software component in order to drive their success. And in order for digital transformation to be successful, they need to be secure.

As companies make this shift, a major focus for them is speed of delivery in order to respond quickly to market needs. In this chapter, Guy explores a few of the different things that make high-speed delivery possible, including moving to the cloud, implementing DevOps practices, adopting cloud native development practices, and updating security practices to remove bottlenecks.

Dev-first security

After identifying the flaws in implementing traditional security practices within cloud native application development, Guy presents a solution for empowering developers and maintaining continuous operation: developer-first security. Embed security into development practices early into the SDLC — where it’s faster and more efficient — not downstream as a post-build activity. Essentially, apply the successes of DevOps to security.

This is a big shift in how teams think about security, though, and Guy takes a look at things to consider before implementing this new practice. For starters, most developers lack the security expertise to start building securely, which means that they need new tools in their toolbox. And those tools must be developer-friendly to drive adoption, meaning they need to integrate into existing tools and workflows to find and fix vulnerabilities.

Additionally, Guy uses this chapter to examine dev-first in terms of shift left and DevSecOps. While shifting left is important, integrating security into the CI/CD lifecycle is more important. Security should start at the developer, but AppSec and DevOps are still important in dev-first security.

Securing the entire cloud native app

Another key component of digital transformation is the AppSec evolution from IT security to cloud native security to CNAS. The first shift Guy explores is the move from VMs to containerization. While VMs are traditionally managed by a Security team, containers — which are a part of CI/CD workflows — are the responsibility of AppSec. This means that containers should get the same security treatment as application code.

The next shift is that to infrastructure as code (IaC). As with containers, IaC also lives in the same repositories as application code, so it also needs to undergo the same security treatment. This means that security vulnerabilities in code, containers, and IaC all need to be considered and prioritized for a holistic security posture.

Adapting to dev-first CNAS

In the final chapter of this book, Guy ties the previous chapters together to envision the future of secure development. He starts by exploring the three most common team scopes he sees in the AppSec world: Core AppSec, Security Engineering, and Product Security. While Core AppSec is a traditional model and Security Engineering is similar to DevOps with a security focus, Product Security is the only model that fully embraces CNAS and sees security as a feature that can be used to drive sales.

After that, Guy urges us to rethink security tooling in order to drive developer adoption. Developer tools need to be self-service, seamlessly integrated into workflows, API-rich and automation-friendly, and adopted by the open source community — and they need to address Security team needs too.

Build securely and thrive

When security starts with developers, organizations will be able to reap the rewards of digital transformation. Markets move fast, and developers need to move faster. The traditional bottlenecks of AppSec are unacceptable, but they can be removed with dev-first security. We just need to give developers the tools, practices, and support they need to have security start with them.

Security has the opportunity similarly to help the organization thrive. By helping dev teams build secure software without slowing down, you can not only reduce risk but also grow the top line. You can help your business respond to customer needs faster while differentiating on being more secure and trustworthy. This could similarly turn security from a cost center to a true business partner, driving the company’s success—which is an even bigger security transformation.

Download Cloud Native Application Security: Embracing Developer-First Security for the Cloud Era for free.