What's Alan Working On

Hello, fantastic readers. I wanted to give you all an update about what I am researching these days. This post is meant to share some ideas and areas I am learning about. If you’ve been following my blog for any amount of time you might be familiar with dev.lab. dev.lab is an internal developer platform with a self-service portal. The purpose is to reduce the waste around project setup and the discovery of internal resources. The goal is to make developers productive as quickly as possible and reduce the waiting caused by submitting tickets to third parties to complete on their time.

Recently, I took over the security function of my platform. Understanding modern security is difficult and surprising. I am excited to solve security at the platform level of an enterprise development platform. The security space is overwhelming and yet to mature. The former VP of security at NetFlix opened my eyes to a brand new world of security. I learned that at NetFlix, there are three areas they focus on: Identity, transaction management, and traffic management. Anyone can sign up for NetFlix thus there is a lot of free trial fraud. Those properties make sense for them. I’m wondering what properties make sense for most small to medium businesses. Based on some cursory research from ebooks like Snyk’s dev first security it seems like Kubernetes makes ramping up security much more possible. Unless the problem is risky enough, it is hard to ask for backlog time on older software systems. Another great read is the NewStack’s Best of DevSecOps Trends in Cloud-Native Security Practices. It’s an exciting time to be on the frontier of this expertise and define and name these new ideas. Tools and processes are outdated in the security realm. The goal for security is to move the security verification earlier in the development process. Typically if we remediate after the software is in production, it causes a lot of angst and worry when taking steps to fix it. Tools like GitLab strongly differentiate on security tooling and dashboards. It is not immediately clear at what scale all these tools and information make you successful. Either the tools and information encourage developers to remediate quickly or overwhelm them with information that causes them to ignore the suggestions. As much as we would love all developers to become security experts, it is not feasible. Platforms provide incredible leverage. When dev.lab becomes the enterprise OS for companies, everyone will need a secure environment by default. I’m excited about the possibilities.

A Kubernetes-based platform makes integrating security tooling much more possible. If you focus on security efforts, I hope you are working on making those guard rails so people can be successful from the start.

If you have made progress on achieving dev-first security, please reach out to me. I would love to learn more about who’s figured this out.