Software engineer happiness matters
Bart Copeland in DevOps Tuesday, February 19, 2019
Developing software isn't easy, and making developers and engineers happier and more productive can be a challenge for managers because of it. Use these ideas from Bart Copeland to make a happy developer.
In the never-ending quest for greater developer productivity, security and compliance usually seem like monkey wrenches in the machinery. These aspects of development are essential, but they can slow down the flow of work and frustrate developers.
Security and compliance dog the whole software development process, from the too-often-forgotten build engineering team, tasked with building the open source language distributions, to your front-end web team. The direct impact on your developers is frustration and a loss of productivity. Thus, your security and compliance workflows decrease your developers’ level of satisfaction.
Developers need the best tools in order to create their best work. If you give a sculptor dried-up clay, they will spend more time reconstituting the clay than actually sculpting. The same concept applies to developers: enable them to do what they are best at, without disrupting their workflow with compliance and security needs, so they can produce code faster.
The Developer Survey 2018: Open Source Runtime Pains revealed that 51% of developers spend only one to four hours per day programming. In other words, the majority of developers spend less than half their time coding. Further, 67% of developers chose not to add a new programming language when coding because of the related difficulties given corporate policies. And here’s the rub: one of the biggest concerns for developers was security. In fact, 50% of developers surveyed said that security was one of their biggest concerns.
This results in loss of productivity for activities such as retrofitting software for security and compliance criteria checked after software and languages have been built. And your developers won’t choose the best tool or language for the job because of corporate policies. Developer satisfaction goes down and risk goes up.
As a result, higher-value work gets pushed aside and the business risk increases. This is because your time-to-market is slowed and you’re increasing technical debt by not empowering your developers to decide on ‘the best’ technology unencumbered by corporate policy drag.
Creating a Flow of Integrated Security and Compliance
To overcome these challenges, you can flow security and compliance into the software development process. You can do so in four simple steps.
1. Rally the Troops
Getting buy-in across your stakeholders in the software development process is the first and often overlooked step. Make sure to consider a diverse set of stakeholders, including:
- IT Security
Create a business case for getting rid of the security and compliance checkpoints after software builds. You can consider any or all of the following in building your business case: time savings, opportunity cost, and developer productivity. By integrating security and compliance workflows into the development process, you also avoid retrofitting of languages.
2. Choose Your Sources
Next, decide on which vetted sources you can use, along with their license and security requirements. Consider including information like:
- The definition of acceptable vulnerability risk levels, security levels and what risk levels trigger an action, what that action would be and who would be responsible for its implementation
- Usage restrictions based on environment or application type and version controls per language
- Allowable or non-allowable open source components, e.g. specific packages
- Which licenses can be used in which types of environments (e.g. research vs. production)
3. Integrate Security and Compliance
When security and compliance are integrated into the development process, security and compliance are ultimately baked into the first line of code. This eliminates the drag of corporate policy on your developers because they’re coding to spec versus having to fix things after the fact. But to do this, consider mechanisms for automatically scanning code as it’s being built, along with agentless monitoring of your runtime code. You’re freeing up your developers’ time, and you’ll also be able to programmatically enforce policies to ensure compliance across your entire organization.
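The policy items from step 2 and the programmatic enforcement described in step 3 can be expressed as a build-time gate that evaluates each component against the policy for its target environment. This is an added example, not code from the article or from any vendor tool; the policy values, the package names and the `Component`, `evaluate` and `gate` names are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy covering the four items listed in step 2.
POLICY = {
    "max_severity": {"research": "high", "production": "low"},
    "allowed_licenses": {
        "research": {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0"},
        "production": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    },
    "denied_packages": {"example-denied"},
    "language_versions": {"python": {"3.6", "3.7"}},
}

@dataclass
class Component:
    name: str
    language: str
    language_version: str
    license: str
    worst_severity: str  # highest severity among the component's known vulnerabilities

def evaluate(component, environment, policy=POLICY):
    """Return the list of policy violations for one component in one environment."""
    violations = []
    if component.name in policy["denied_packages"]:
        violations.append("package is on the deny list")
    if component.language_version not in policy["language_versions"].get(component.language, set()):
        violations.append(f"{component.language} {component.language_version} is not an approved runtime")
    if component.license not in policy["allowed_licenses"][environment]:
        violations.append(f"license {component.license} is not allowed in {environment}")
    # Fail closed: a severity label the policy does not know is treated as critical.
    rank = SEVERITY_RANK.get(component.worst_severity, SEVERITY_RANK["critical"])
    limit = policy["max_severity"][environment]
    if rank > SEVERITY_RANK[limit]:
        violations.append(f"severity {component.worst_severity} exceeds the {limit} limit")
    return violations

def gate(components, environment, policy=POLICY):
    """Map each failing component to its violations; an empty dict means the build passes."""
    report = {c.name: evaluate(c, environment, policy) for c in components}
    return {name: found for name, found in report.items() if found}

MANIFEST = [  # constructed sample components
    Component("example-web", "python", "3.7", "MIT", "none"),
    Component("example-plot", "python", "3.7", "GPL-3.0", "medium"),
    Component("example-denied", "python", "2.7", "MIT", "low"),
]
```

Running `gate(MANIFEST, "research")` and `gate(MANIFEST, "production")` on the same manifest shows how one component can pass in a research environment and fail in production on both license and severity.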
4. Deploy and Run Code the Right Way
Monitoring, reporting and updating code in production should be included in the process for deploying and running code. New vulnerabilities arise; new patches and versions are made available. Consequently, security and compliance need to be considered when deploying code into production and also when running code. You need to know what, if any, code is at risk and where that code is running.
By baking security and compliance into your first line of code, you can also benefit by tracking where your code is running once deployed and be alerted of new threats as they arise. You will be able to track when your applications were vulnerable and respond by automatic enforcement of your software policies.
You will improve your developer productivity by integrating security and compliance workflows into your software development process. And you’ll be able to measure value through increased developer time spent coding, along with gains in security and stability, and cost and time savings in maintenance and discovery of security and compliance threats.
The Happy Developer and Software Engineer
Imagine a sculptor being forced to sculpt with chains wrapped around her wrists. It’s possible, but a lot harder. This is how it can feel for developers who are bound by security constraints. ActiveState’s 2018 Developer Survey showed that developers indeed do care about security, as do the companies they work for, so a solution must be found to address the needs of both the developer and security/compliance personnel.
The developer’s need to work quickly and creatively can be combined with a move to integrate security and compliance workflows. This improves security, productivity and job satisfaction. Developers can spend more time on high-value work, which will ultimately have a positive impact on your retention and revenue.
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.