Replacing the Use of Secure Laptops for Developers

Learn how to deliver the functional equivalent of a secure laptop for your developers without the technical and logistical complexity of shipping laptops or building a VDI infrastructure.


Learn From an Industry Expert

Learn how to deliver a secure laptop equivalent accessible from any device, in a session covering secure developer onboarding, accelerated environment provisioning, and real-time workforce metrics.

Dr. Laurent Balmelli is co-founder and CEO of Strong Network. He sold his last cybersecurity start-up, Strong Codes, to the US company Snapchat in 2016 and led cybersecurity efforts at Snap during a three-year earn-out period from 2016 to 2020.

After earning his PhD from ETH in Switzerland in 2000, Laurent also worked 12 years at IBM Research Division and CTO office in New York and Tokyo before moving back to Switzerland.

Why Does It Matter?

When dealing with external developers, organizations often resort to shipping laptops for security reasons, which not only costs the organization but is also ineffective and burdens the IT team.

In this session, you will learn how organizations are now able to deliver the functional equivalent of a secure laptop accessible from any device connected to the internet, accelerate the provisioning of remote developers, and eliminate the technical and logistical complexity of shipping laptops or building VDI infrastructure.

What This Webinar Covers

How to onboard developers securely without the need to send them a secure laptop.

How to effectively accelerate the provisioning of development environments.

How to obtain real-time productivity and governance metrics across your workforce.

Watch how secure Cloud Development Environments replace laptop security for developers

Watch the webinar on YouTube to learn how to replace the use of secure laptops for developers.

Webinar Transcript:

Tools & Best-Practices to Optimize Security in Development

The need for secure development environments is driven by the imperative for organizations to safeguard their intellectual property. This protection spans essential assets such as source code, data, and credentials, which are vital for accessing and managing the infrastructure for code development. The discussion centers on the necessity to secure these assets comprehensively.
Diverse scenarios in the software development process require robust security measures. This includes collaborations with not only internal development teams but also remote developers, contractors, consultants, and freelancers. Given the range of interactions, it's critical to establish solid security protocols to ensure assets are well-protected against any potential threats. The aim is to avoid a lax security environment, instead ensuring rigorous governance over the development process to maintain asset integrity.
The challenge lies in accommodating the varied security needs of these different use cases without hampering developer productivity. The quest for an optimal security setup is a complex one, reflecting the myriad of scenarios that need to be addressed. The goal is seamless security integration, where security measures do not disrupt the development workflow. Envisioning a scenario where developers are equipped with secure laptops that incorporate all necessary security measures—this represents the ideal intersection of security and productivity. Such laptops would be outfitted with advanced DevSecOps tools, secure Linux configurations, and embody the best practices in laptop security, making them the best laptops for cybersecurity. This approach ensures the dual objectives of protecting intellectual property and enabling efficient development processes are met.

Balancing Security with Efficient DevSecOps Practices

Security measures, while crucial, can hinder productivity and come with significant costs, making them a challenge for both large and small organizations. The expense and logistics of distributing secure devices or setting up secure systems for developers are substantial. This creates a dilemma: balancing the need for security with economic sustainability.
It's essential to develop efficient policies and DevSecOps solutions that offer cost-effective security, particularly in protecting intellectual property. Despite their size, all organizations must navigate these financial constraints. Smaller entities, in particular, might compromise on security due to budget limitations, opting for riskier practices like using personal devices for work.
This situation underscores the importance of implementing scalable DevSecOps tools and secure laptop practices. By leveraging DevSecOps automation and secure Linux systems, organizations can achieve a more secure environment without the prohibitive costs, ensuring the protection of sensitive data across all operational scales.

DevSecOps Lessons from the Past Around Securing Assets

In large organizations, the availability of resources allows for the implementation of specific security policies, which can vary significantly across industries. Particularly in regulated sectors like banking and insurance, there's a heightened demand for securing laptops and other assets to ensure data protection. This need, while more pronounced in certain industries, is not exclusive to them.
Reflecting on the evolution of data security, it's insightful to consider the changes over the years. During my early experiences, notably around 2010, when I was working across different global cities, it became evident that most enterprise data, including sensitive customer information, was stored on laptops. This practice posed a significant risk; losing a laptop with customer data could lead to substantial fines and reputational damage due to the mishandling of personal information.
This historical perspective highlights the critical need for robust security measures, not just for protecting organizational data but also for complying with regulations concerning personal data privacy.

Data Security Evolution From Physical Storage to Cloud

A pivotal study titled "The Billion Dollar Lost Laptop Problem," published in 2010, underscored the significant financial impact organizations face when laptops containing customer data are lost. This issue was notably critical at the time, highlighting the substantial risks associated with data security.
The period between 2008 and 2012 marked a transformative era in data management, characterized by the shift from storing data on physical devices to cloud-based solutions. Thomas Friedman's book, "Thank You for Being Late," offers an insightful exploration of this transition. Salesforce emerged as a frontrunner in this movement, especially regarding customer data, by pioneering the shift to cloud-based customer relationship management (CRM) systems. This evolution meant that losing a laptop became less concerning from a data loss perspective, as critical information was no longer stored directly on the device, but rather accessed through cloud services like Salesforce, with only the access credentials remaining on the laptop.

Difference Between Securing Credentials & Development Data

While the shift to cloud storage has significantly mitigated the risk of data loss from misplaced laptops, the security of access credentials remains a critical concern. Tokens or credentials stored on laptops, which grant access to cloud services, are designed to expire quickly to reduce security risks. However, if a laptop is left unsecured and does not automatically lock or encrypt its contents, sensitive information could still be vulnerable.
The migration of data to the cloud, including customer relationship management (CRM) systems, has transformed how data is stored and accessed, with much of it now securely housed online. Despite this, development data on laptops remains one of the few remaining areas of concern. As more applications and services have moved online, becoming accessible through web applications like Google Docs or Microsoft 365, the necessity for local data storage has diminished. This transition means that most data, except for development-related information, no longer resides on personal laptops but in the cloud. This evolution has made data loss from physical devices less problematic, though it underscores the ongoing importance of securing development data still stored locally.

Securing Dev Environments: Lessons from High-Profile Breaches

The landscape of data security is evolving. Industries keen on safeguarding their data have developed strategies to minimize risks, especially concerning the sensitive information residing on developers' laptops, such as credentials.
Recent incidents involving high-profile companies like Okta, Slack, and CircleCI highlight the ongoing vulnerability of developers to cyberattacks. These attacks specifically target the source code stored online and the credentials on developers' desktops and laptops, which are then exploited to gain unauthorized access to organizational repositories.
Understanding the mechanics of these breaches is crucial. Through detailed analysis, such as the one in my recent collaboration with cybersecurity researchers, we've delved into the methods by which developers' laptops are compromised and how attackers exploit credentials. This exploration, focusing on client-side vulnerabilities and phishing attacks, sheds light on the sophisticated tactics employed by cybercriminals. It emphasizes the importance of robust security measures to protect sensitive data effectively.

Balancing Security and Usability with Cloud-Based Development

Companies seeking to protect data from being lost or stolen, particularly within development teams, are turning to virtualization as a solution. By using virtual machines (VMs), developers can access their work environments remotely, transforming their physical devices into simple terminals. These VMs can be hosted either on-premises or delivered via the cloud, effectively removing sensitive data from local storage on developers' laptops.
This approach aligns with the strategy of leveraging web applications to minimize local data storage, specifically targeting the challenge of securing development data. However, transitioning to a virtual machine-based workflow introduces its own set of complications, notably in terms of usability. Working on a remote VM means relying on a video stream to interact with the development environment, which can impact productivity and prove cumbersome, especially for those working remotely or in transit. This compromise between security and usability is a critical consideration for organizations implementing virtual desktop infrastructures.
To counteract data security risks, adopting remote access technologies is a strategic move. Solutions like Citrix's Virtual Desktop Infrastructure (VDI) are popular for facilitating secure, remote work environments. Windows also offers an integrated option with its Windows Remote Desktop, allowing users to access their work machines from afar.
However, those experienced in using these technologies acknowledge their limitations. Despite their security benefits, VDIs and remote desktop solutions can be cumbersome and user-unfriendly. This lack of ease and efficiency often leads organizations to bypass these solutions, which, in turn, can increase vulnerability to cyberattacks. The challenge lies in balancing the security advantages of remote access technologies with the need for a seamless and productive user experience.

Adapting Security Measures: VDI’s Alternative

In the banking sector, Virtual Desktop Infrastructure (VDI) is selectively used, often for external developers or to maintain regulatory compliance. It's not applied universally across companies but may be deployed for highly sensitive projects due to its complexity, infrastructure demands, and resource costs.
Notably, technology companies rarely adopt this cumbersome infrastructure. Many opt to "take the chance" with managed devices, implementing health checks and restricting developer permissions, such as disabling USB ports, to prevent data breaches. However, these measures don't fully mitigate risks like phishing or malware, and lost laptops still pose a threat of data exposure.
An emerging trend is the shift from virtual machines to virtual processes, offering a lighter, more efficient approach to secure application access and testing. This innovation reflects the industry's search for more agile and less intrusive security solutions, as observed by insights from Strong Network.

Enhancing Security & Productivity with Cloud Environments

Containers symbolize a pivotal shift towards using lightweight virtual environments. Developers leverage Docker not just for security measures like preventing data exfiltration but also for enhancing productivity. Docker facilitates code development, testing, and the isolation of dependencies, serving as a more efficient alternative to traditional virtual machines by embodying the concept of virtual processes.
The key advantage of Docker lies in its lightweight nature: containers start in seconds rather than the minutes conventional virtual machines need. This efficiency allows virtual environments to be easily defined and managed as code through Dockerfiles. Developers can specify the software and applications within these containers, streamlining the development and deployment process significantly.
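As an added illustration of a workspace "defined as code" (this is example code, not Strong Network's own image or Dockerfile), the Dockerfile below describes a data-science workspace of the kind mentioned later in this transcript: a pinned base image, only the tooling the workspace needs, an unprivileged user, and no credentials or repository contents baked into the image. The base image tag, the package list, the library versions and the user name are all illustrative assumptions.

```dockerfile
# Added example, not Strong Network's code: a data-science workspace image
# defined as code. Base image, packages, versions and user name are
# illustrative assumptions.
FROM python:3.11-slim

# Install only the tooling the workspace needs. git is present so the
# platform can clone the project into the workspace when it starts.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Pin the Python libraries the developer will use (versions are placeholders;
# pin to the versions your team has vetted).
RUN pip install --no-cache-dir \
    tensorflow==2.16.1 \
    pandas==2.2.2 \
    jupyterlab==4.2.0

# Run as an unprivileged user so that a compromise inside the container does
# not start out with root in the workspace.
RUN useradd --create-home --shell /bin/bash dev
USER dev
WORKDIR /home/dev/workspace

# Nothing secret is baked in: no tokens, no SSH keys, no repository contents.
# Those are supplied to the running workspace, not stored in the image.
CMD ["bash"]
```

Build it once with `docker build -t ds-workspace .` and every workspace created from it starts identically in seconds; the image is the reviewable, versionable definition of the environment, which is what makes "infrastructure as code" apply to developer environments the way the paragraph above describes.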

Cloud IDEs & Secure CDEs: Secure Development Process

Inspired by the evolving landscape of data protection on developers' laptops, we considered the potential of containers as a modern alternative to virtual machines. Containers, initially used primarily on developers' laptops for development tasks, have increasingly been hosted online, marking a significant shift in development practices.
This move to online containers caught the attention of our team at Strong Network, co-founded by myself and my partner. We recognized this trend as reminiscent of using virtual machines to prevent data exfiltration by keeping sensitive information off local devices. Early adopters in this space, like AWS Cloud9, introduced solutions that allowed developers to work directly in the cloud, eliminating the need for local data storage for code development. Although initially not container-based, Cloud9 and similar platforms like Gitpod, Coder, and GitHub Codespaces offer cloud-based development environments, facilitating a range of development activities without the need to store code locally. This innovation represents a significant step forward in secure, efficient development practices, reflecting a broader industry move towards cloud-based solutions like Google Cloud Workstations.
The concept involves hosting containers online, accessible through cloud IDEs (Integrated Development Environments) that run directly in the browser. This setup offers developers a transparent connection to remote containers, serving as a versatile environment for their development needs. It simplifies setting up development environments, specifying necessary tools, and implementing applications.
While appealing, the implementation of such cloud-based solutions is complex, requiring careful consideration of user experience to ensure it adds value. This approach inspired Strong Network to explore using online containers not just for enhancing productivity but also as a means to safeguard code development. The initial motivation behind deploying containers was to streamline environment provisioning for development tasks, without a direct focus on security aspects like data exfiltration prevention, a role traditionally filled by VDI and other security measures. This innovation reflects a shift towards leveraging cloud technologies for both efficient development practices and enhanced data protection.

Shifting Paradigms: Cloud-Based Development Workflows

The transition from traditional virtual machines and Virtual Desktop Infrastructure (VDI) to more dynamic solutions like desktop as a service emphasizes a shift towards streaming desktops for development. These traditional methods often incorporate data loss prevention mechanisms to secure remote data access, focusing on the security of development datasets.
The emergence of container-based solutions, such as Docker containers, represents a pivot towards enhancing productivity rather than solely focusing on security. Platforms like GitHub Codespaces exemplify this trend by enabling developers to swiftly access and edit code branches directly in the cloud, bypassing the need to configure a full IDE locally. This approach prioritizes efficiency and ease of use, facilitating quick changes and development processes.
Similar to GitHub Codespaces, Google Cloud Workstations has adopted this model for its flexibility and productivity benefits. While initially not designed with data loss prevention as the primary goal, these solutions reflect a growing interest in removing sensitive assets from local devices to enhance security indirectly. Inspired by these advancements, the concept evolved to integrate robust security features into these productive environments, aiming to combine the best of both worlds: safeguarding data while optimizing development workflows.

Creating a Secure Virtual Developer Laptop

To enhance Zero-Trust Architecture Design and developer laptop security, we've devised a solution that merges the agility of online containers with the robust data protection seen in Citrix VDI, VMware Horizon, and similar technologies. This integration forms a secure yet efficient development ecosystem, serving as the blueprint for our virtual developer laptop concept. We welcome any feedback on this innovative approach.

Four Steps for Virtually Provisioning a Secure Developer Laptop:

    1. Local Data Elimination: Use online containers to remove data from local storage, leveraging virtual machines for remote access to enhance security. This setup aims to minimize data traces on local devices, ensuring a solid security model through controlled user permissions.
    2. Data Exfiltration Prevention: Implement comprehensive data loss prevention strategies, focusing on protecting developers from external threats rather than intrusive monitoring. This approach seeks to shield against unauthorized data access and malware, benefiting the developers' workflow.
    3. Resource Access and Security: Introduce a security proxy to facilitate easy resource access, akin to single sign-on technology. This feature is designed to streamline developers' access to necessary tools and resources, enhancing productivity without compromising security.
    4. Comprehensive Data Protection: Extend security measures beyond the integrated development environment (IDE) to cover all aspects of the development workflow, including code management and collaboration tools like Git and JIRA. This broad approach ensures data security across all development activities, not just within the IDE.
By focusing on these key areas, we aim to provide a secure, virtual workspace that supports developers' needs without hindering their productivity, reflecting our commitment to creating security solutions that benefit the development process.

Improving Developer Experience with Secure Virtual Laptops

To effectively tackle the challenge of securing developer workflows, we're going beyond traditional online container solutions like GitHub Codespaces or Google Cloud Workstations. Our approach integrates container-based access with remote browser isolation, ensuring developers can securely access necessary applications throughout their entire workflow.
The concept simplifies yet secures the developer’s environment, making the creation of a virtual developer laptop straightforward. Here's a glimpse into this process: I’m crafting a virtual laptop from scratch, tailor-made for a developer, ensuring it encapsulates the entire team's workspaces. This setup allows visibility across the team, with each virtual laptop linked to its user, streamlining collaboration.
In this environment, shared access becomes a seamless part of the workflow. For example, my colleague Bjorn and I can easily share workspaces. His virtual laptop, primarily an IDE in this scenario, doesn't require sharing other applications, simplifying collaboration. This method underscores our commitment to a DevSecOps approach, blending security with productivity without compromising on either.

DevOps Strategy with Engineering Collaboration Platform

First, I need to log back into the platform; apologies for not authenticating earlier. Once logged in, I'm able to view our current sprint details.
Navigating back to our workspaces, I find Bjorn's workspace and open it. Similar to collaborating on a Google Doc, this setup allows me to work alongside him seamlessly, enhancing our ability to collaborate directly.
Now, let's introduce a new scenario: adding a developer focused on data science. I proceed to create a new workspace, which serves as the virtual laptop for this purpose. Assigning myself as the owner, I select a Docker container image that defines the workspace's environment and tools, tailored for data science tasks. I can also link this workspace to specific repositories and projects but will keep it simple for now.
After reviewing the setup, I launch the new workspace, which materializes within seconds. This visibility isn't just for me; our entire team, including our security officer, has insight into the comprehensive team workspace, fostering a collaborative and secure development environment.

Improve Remote Development With Streamlined Workspaces

This setup caters to remote developers, providing a comprehensive platform once logged in. Besides the core workspace, the platform integrates browser apps for seamless access to tools like GitHub and other applications needed for development tasks, all centralized within the workspace.
Using remote browser isolation, developers gain secure access to GitHub, allowing for coding and pull requests without local installations, which is ideal for environments like a Chromebook. Upon entering the workspace, it's already pre-configured with necessary software and the project fully cloned, eliminating the need for manual project setup or authentication hassles. This automation simplifies the developer's workflow significantly.
To demonstrate the workspace's capabilities, I'll launch an application named 'science,' making it publicly accessible. This application, running within my workspace, showcases the platform's ability to host and run applications directly, further emphasizing the streamlined and secure development environment we've created.
Demonstrating the ease of collaboration within this platform, I've made an application public and generated a QR code for easy access. Scanning this QR code with a smartphone instantly opens the application that's currently running in my workspace, showcasing the seamless integration and sharing capabilities.
This approach significantly simplifies collaboration, making it faster and more efficient to code. The initial setup is already done for you, eliminating the need for time-consuming installations on your laptop. For instance, installing a complex environment with TensorFlow and various Python libraries is handled automatically. As a result, the application is readily accessible and running, visible to anyone connected, further illustrating the platform's capability to streamline the development process.

The Evolution of Secure Development From VPN to Cloud

Wrapping up, our journey from 2010 highlights a dramatic shift in data management. Initially, data was stored locally, requiring VPN access for remote work, a process fraught with compliance nightmares and financial risks for organizations in the event of data loss.
The response involved leveraging remote machines for critical applications, allowing data access through the cloud, with VPNs still in play for certain needs. Between 2010 and 2015, we witnessed a pivot to cloud computing, moving away from a heavy reliance on virtual machines towards a preference for online containers for work-related activities by 2020.
With the introduction of Strong Network, the value of online containers became evident, not just for their efficiency and productivity but also for their significant security benefits. These containers enabled the seamless integration of resources, effectively simulating a secure developer laptop environment virtually.
This evolution towards a fully online developer setup introduces numerous advantages, which I look forward to exploring in future seminars. As we now embrace an online-centric work environment, the possibilities for innovation and security in development are boundless. I'm eager to delve into more details in our next session and am ready to answer any questions you might have.
All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network
Copyright © 2020-2024 Strong Network All rights reserved.
