A software developer, a sysadmin, and a security architect walk into a bar…

The three coworkers sit down at the bar and the bartender asks them what they’ll have. “We’ll take 3 beers,” says the developer, “but before you pour them we need you to settle an argument for us.” The bartender, who was used to such requests smiled and said “Sure, what’s the argument?”

So the sysadmin started it off: “We are having an argument about how we can deliver ‘secure’ applications. Management is pissed and is pushing us for change because we’ve had a high profile data breach recently.” The bartender nodded knowingly as another voice chimed in. “We’ve been arguing about this for years and its getting really old. We need you to decide which one of us has the best solution,” says the security architect, “I’m pretty sure that I’m right as I have the most certifications and am the only one here that really understands security. Do you want to see my certifications?” The bartender looks confused so the sysadmin jumps in again. “I’ll start!” and clears his throat, “The operations teams have been delivering environments to developers and other internal customers for years! We know what we are doing, and the best way to solve this problem is to build golden images that have all the development *stuff* in them but more importantly will have the latest OS, endpoint protection and talk to our active directory domain so that we can manage the users safely. The devs can spin those golden images up and voila! they’re good to go. In this way, we define what is allowed and if the developer needs something new added to the environment, they just need to let us know and we’ll be able to update those golden images in a couple of weeks after we vet it. Or maybe, I guess, if we want to be really cutting edge we could implement a service catalog with more golden images, and maybe we could support VMware AND AWS. It would be a lot of work from my team but it would be a little more ‘self-service’ oriented.” He smiled slyly and finished by saying “That’s what we gave the DevOps team a few years back and they seem to be happy!”

The developer rolled her eyes and said “That’s so 2008! How can you still be in charge of all the infrastructure?! Jesus christ you don’t get it!” Her face contorted in anger as she continued: “Obviously the right way to build secure applications is to get out of the way of the developer and just let us do what we do really well! Which is build applications!” She continued, “We’ve been telling you this for years! The business loves us because we give them whatever stupid features they want. We’ve optimized our whole delivery process to be able to give them features quickly. If you guys would just let us use the bleeding edge tools we wanted to we’d be secure by design! You can’t hack these new tools and cloud providers, you dig? Also, we’ve added some code scanning right before we deploy to PROD so we understand better than any of you how to deliver secure applications!”

The security architect had a look of disgust on his face. “Both of you are wrong! You can’t fix system security issues with golden images and you sure as hell can’t let the developers build whatever they want! That’s anarchy!” He laughed and pointed down the bar at the other two. “What you need is to identify and mitigate RISK and the only way to do that is to create principles that describe what security requirements are, and then audit against those standards! This is how we’ve been doing it for years, first in the data center and now in the cloud!” He slammed the bar hard with his fist for emphasis and said: “So the way we build secure applications is to make sure that all applications go through a design review process and follow our security principles! We can verify they meet compliance through vulnerability assessments and external pen tests. Unfortunately, because you dickheads deploy so much stuff and our security team is so undermanned we won’t be able to run the vulnerability scans for 2 to 3 weeks.” He finished and smiled looking pleased with himself.

The developer, the sysadmin, and the security architect looked at the bartender expectantly and the developer asked “So who’s right?!”

The bartender smiled again and looked down at the bar. After a short pause, she said “This bartending job is my side hustle, my real gig is working in network engineering. The answer to how you build secure applications is really simple and it doesn’t matter if it's in the data center, private or public cloud: You isolate their networks, and firewall the shit out of it all because everybody knows that you three can’t deliver a secure application to save your fucking life!”