Title
AWS re:Invent 2022 - Developers do care about security: Building a more collaborative path (PRT274)
Summary
- Madeline Vanderpelt, a development manager at Trend Micro, discusses the friction between security and development teams and how to foster collaboration for securely deploying applications.
- She emphasizes the cognitive load on developers, who must consider numerous aspects beyond security when building software.
- AWS managed services can reduce cognitive complexity, allowing developers to focus on customer requirements and user experience.
- The talk highlights the importance of building knowledge, getting buy-in, reviewing services with the AWS Well-Architected Tool, automating security checks in the pipeline, and using threat models.
- Post-deployment security involves understanding the services in use, holding regular operational reviews, and using tools such as the AWS Well-Architected Tool, AWS Organizations, AWS Control Tower, AWS Config, IAM, Cost Explorer, CloudTrail, and Trusted Advisor, among others.
- The session covers managing AWS accounts, establishing baselines, and applying best practices across accounts.
- Vanderpelt discusses the use of infrastructure as code, the principle of least privilege in IAM, and networking and data security tools.
- The talk concludes with an encouragement to experiment with the tools and an open invitation for questions.
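The least-privilege point above is usually put into practice by comparing what a role is granted with what it actually uses. The following is an added example, not code from the talk or from Trend Micro: it takes a broad "before" policy and the shape of IAM service last-accessed data (what the IAM Access Advisor tab shows, and what `iam:GetServiceLastAccessedDetails` returns) and produces a trimmed policy plus a list of findings that still need a human. Both inputs are constructed inline; the function names `audit_policy`, `used_services` and `service_of` are this example's own.

```python
"""Trim an IAM policy to the services a role actually used.

Added example (not from the talk). The last-accessed list mirrors the shape
of IAM Access Advisor data; in practice it comes from
iam:GetServiceLastAccessedDetails and the policy from iam:GetPolicyVersion.
Access Advisor is service-level, so the result narrows services, not
individual actions; that second pass is reported as a finding.
"""
import copy
import json

# Constructed sample: service last-accessed data for one role. Only the
# fields used here are included.
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "dynamodb", "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "logs", "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "ec2", "TotalAuthenticatedEntities": 0},
    {"ServiceNamespace": "iam", "TotalAuthenticatedEntities": 0},
]

# Constructed "before" policy: the broad grant that ships under time pressure.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*", "dynamodb:*", "ec2:*", "iam:PassRole"],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "logs:*", "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def used_services(last_accessed):
    """Service namespaces the role authenticated to within the tracking window."""
    return {
        e["ServiceNamespace"].lower()
        for e in last_accessed
        if e.get("TotalAuthenticatedEntities", 0) > 0
    }


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service namespace."""
    return action.split(":", 1)[0].lower() if ":" in action else "*"


def audit_policy(policy, last_accessed):
    """Return (trimmed_policy, findings).

    Allow statements lose actions whose service the role never used. Deny
    statements are kept verbatim. Anything that needs judgement (bare '*',
    NotAction, Resource '*') is reported rather than silently rewritten.
    """
    used = used_services(last_accessed)
    findings = []
    trimmed = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}

    for i, stmt in enumerate(policy["Statement"]):
        new_stmt = copy.deepcopy(stmt)
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            if "NotAction" in stmt:
                findings.append(f"statement {i}: NotAction is an implicit wildcard; rewrite as an explicit Action list")
            trimmed["Statement"].append(new_stmt)
            continue

        keep = []
        for action in _as_list(stmt.get("Action")):
            svc = service_of(action)
            if svc == "*":
                # Narrow a full wildcard to the used services; still needs review.
                findings.append(f"statement {i}: Action '*' narrowed to used services {sorted(used)}; review")
                keep.extend(f"{s}:*" for s in sorted(used))
            elif svc in used:
                keep.append(action)
            else:
                findings.append(f"statement {i}: dropped '{action}' (service '{svc}' unused in window)")

        if "*" in _as_list(stmt.get("Resource")) and keep:
            findings.append(f"statement {i}: Resource '*' remains; scope to ARNs in a second pass")
        if not keep:
            findings.append(f"statement {i}: removed entirely (no used services)")
            continue
        new_stmt["Action"] = keep if len(keep) > 1 else keep[0]
        trimmed["Statement"].append(new_stmt)

    return trimmed, findings


if __name__ == "__main__":
    result, notes = audit_policy(BROAD_POLICY, LAST_ACCESSED)
    print(json.dumps(result, indent=2))
    for note in notes:
        print("-", note)
```

Deny statements are deliberately left alone: removing a Deny can widen access, which is the opposite of what a trimming pass should do. The output is a starting point for a pull request against the infrastructure-as-code definition of the role, not something to apply automatically.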
Insights
- The session underscores a common industry challenge: the tension between rapid development and maintaining robust security practices.
- Developers often prioritize features and user experience over security, which can lead to vulnerabilities if not properly managed.
- AWS provides a suite of tools designed to integrate security into the development lifecycle without significantly increasing the cognitive load on developers.
- The AWS Well-Architected Tool and its Serverless Applications Lens are particularly useful for teams focused on serverless architectures.
- Infrastructure as code is a common practice among Vanderpelt's teams, which helps maintain consistency and automate security practices.
- The principle of least privilege is a critical security practice; IAM Access Advisor (service last-accessed data) shows which granted services a role never uses, and IAM Access Analyzer flags resources shared outside the account, so together they help identify unused and over-broad permissions.
- Cost Explorer's anomaly detection (AWS Cost Anomaly Detection) can serve as an indirect security signal: an unexplained spike in a service's spend may indicate compromised credentials or misused resources and is worth investigating as a security event, not only a billing one.
- Regular operational reviews and proactive monitoring are essential for maintaining the health and security of services post-deployment.
- The talk highlights the importance of cross-functional collaboration between developers and security teams to ensure secure and efficient deployment practices.
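The cost-anomaly insight above rests on a simple idea: compare each day's spend per service with a baseline of recent days and flag large departures. The block below is an added example, not code from the talk, that does this offline over a constructed daily-cost series of the kind Cost Explorer reports per service. It uses a median/MAD robust z-score rather than mean/standard deviation so that the first spike does not inflate the baseline and hide the second; the function names `robust_zscore` and `detect_spikes` and the threshold of 3.5 are this example's own choices.

```python
"""Flag per-service daily cost spikes against a rolling robust baseline.

Added example (not from the talk). DAILY_COST is constructed to resemble
per-service daily unblended cost in USD; in practice it would come from
Cost Explorer's GetCostAndUsage grouped by SERVICE.
"""
import statistics

# Constructed sample, oldest day first. EC2 jumps on the last two days.
DAILY_COST = {
    "AmazonEC2": [41.2, 40.8, 42.5, 41.9, 43.0, 40.4, 42.1, 41.7, 118.6, 124.3],
    "AmazonS3": [3.1, 3.0, 3.2, 3.1, 3.3, 3.0, 3.1, 3.2, 3.1, 3.4],
    "AWSLambda": [0.9, 1.1, 1.0, 0.8, 1.2, 1.0, 0.9, 1.1, 1.0, 1.3],
}


def robust_zscore(history, value):
    """Distance of `value` from the median of `history`, in MAD units.

    1.4826 rescales the median absolute deviation to be comparable with a
    standard deviation for normally distributed data. A flat baseline has
    MAD 0, so fall back to 5% of the median as the unit rather than dividing
    by zero.
    """
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else max(abs(med) * 0.05, 1e-9)
    return (value - med) / scale


def detect_spikes(series, baseline_days=7, threshold=3.5):
    """Return one finding per (service, day) whose cost exceeds the baseline.

    Each day is scored against the `baseline_days` days before it. Because
    the baseline uses median and MAD, a single earlier spike in the window
    barely moves it, so consecutive anomalous days are all reported.
    """
    findings = []
    for service, costs in series.items():
        for day in range(baseline_days, len(costs)):
            history = costs[day - baseline_days:day]
            z = robust_zscore(history, costs[day])
            if z > threshold:
                findings.append(
                    {"service": service, "day": day, "cost": costs[day], "z": round(z, 1)}
                )
    return findings


if __name__ == "__main__":
    for f in detect_spikes(DAILY_COST):
        print(f"{f['service']}: day {f['day']} cost {f['cost']:.2f} (z={f['z']})")
```

Only upward departures are flagged; a sudden drop in spend is usually a deployment problem rather than a security one. When a spike is confirmed, the next step is to correlate the service and time window with CloudTrail to see which principal drove the usage.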