Finding the sweet spot between developer experience and security assurance

By Michael Man, DevSecOps Advisor at Veracode.

Friday, 25th August 2023. Posted by Phil Alsop.

In recent years, there has been a growing emphasis in software development on the developer experience (DX). Previously, it was all about ensuring the experience of the end user was as good as it could be, so the focus lay mostly on the end product. Over time, making the process of writing, testing, and deploying code easy and enjoyable for developers has become an equally important aspect of application development. For most tech enterprises, creating an environment that enables this way of working is critical to a positive DX and, what's more, to their bottom line. Happy developers tend to produce better-quality code and suffer less burnout, which ultimately means better applications and more secure software.

But whilst this focus on DX has sparked significant improvements in the software development process, some argue that the pendulum has swung too far in the other direction, and that software security assurance objectives have now moved too far down the priority list.

So how can we find a happy medium between these two vital components of software development?

Finding the balance

First, we must understand why a sense of balance between these two components is key. Too heavy of a focus on DX could compromise the fidelity of good software security practices. For example, a team could fixate on fast security scans, then neglect the triage and remediation of the output from such scans.

Another example would be developers championing tools that are familiar to them, even if they do not support requirements for a software security improvement programme - which most, if not all, businesses need. Additionally, a laser focus on just DX can lead to a lack of attention to detail when it comes to having a consistent set of security guardrails to help shape the software security practices across the whole organisation. Developers may assume that if the code works correctly, the required product security controls are also satisfactory.

Addressing the needs of both developers and users

Addressing these issues means providing software development platforms that prioritise both security and the experience of software engineers. An example of this would be a seamless onboarding process in which software engineers gain access and have the appropriate security scans invoked as part of their software development lifecycle. The platform itself should be intuitive to use and therefore frictionless and user-friendly, as this will create a more pleasant experience for the software engineers who use it daily.

It then all comes down to how easy it is to augment your development process when using the platform. For a software engineer, incorporating changes such as multiple stages of security testing into their development pipeline can sound like a burden. They must feel assured that security is an integrated and seamless feature of the software they’re using, rather than a bottleneck.

By simultaneously prioritising the needs of developers and security, software development platforms will foster a harmonious environment where secure, user-friendly experiences blend seamlessly with efficient development processes. This ultimately produces quality software products that satisfy both business and security requirements and expectations.

Prioritise usability

Once software engineers are settled with new security solutions, it is important that they can access the information they need to understand the “operating model”: how to gain access, how to scan, and how to remediate the security defects in their application code. Security solutions also must understand the needs of end-users, which requires taking a user-centric approach to development. This means establishing clear usability goals, developing an understanding of user characteristics and preferences, and designing software accordingly. Ensuring this approach is implemented at every step of the design process is what differentiates well-built software from the rest.

Frequent testing verifies that the produced software is both functional and secure. It helps identify technical security risks early in the development process and ensures that the final product is in line with the risk tolerance for each business application or service.

Ultimately, while DX is important for improving the efficiency and quality of software development, it should not come at the expense of software security. The two must exist symbiotically. By taking a user-centric approach and prioritising testing and usability, software engineers can create software that is efficient, user-friendly, and, most importantly, secure.

Moreover, incorporating user feedback throughout the development cycle is crucial for refining the software and aligning it with the expectations and requirements of the target audience. By actively involving end-users in the testing and improvement process, developers can gather valuable insights and make informed decisions that enhance the overall user experience.

In short, we need balance. While DX plays a significant role in improving the efficiency and quality of software development, it should not overshadow the importance of software security. Both aspects must be prioritised and integrated seamlessly to create software that meets all the required needs.

By recognising the symbiotic relationship between DX and software security, developers can deliver software solutions that not only meet functional requirements, but also achieve the required security assurance of the business service they are providing.