Security Concepts for Developers: Package Hijacking
Insights into how to stay vigilant against malicious actors tampering with your dependencies.
DevSecOps: the buzzword has faded, but the security struggle is real. Developers are closer than ever to shipping code at lightning speed, yet the stereotype of the security-oblivious coder persists. Why? It's a clash of cultures: builders vs. breakers, features vs. firewalls. Different incentives, different skill sets.
The idea was that developers would take more control over their apps' security. Just like DevOps, where developers are responsible for running their code in production, DevSecOps was supposed to introduce security practices throughout the development lifecycle, from design and dependency selection through to deployment.
With breaches and vulnerabilities making headlines daily, security matters more than ever, but DevSecOps just didn't work.
So what’s going to happen?
Forget the tired "shift left" mantra. I think the future looks more like the rise of Site Reliability Engineering (SRE): elite teams of platform builders who empower developers to create reliable systems, stepping in only when necessary.
SRE teams are responsible for creating platform tooling that helps developers build reliable systems at scale. They might temporarily join a team as an advisor when needed, but they mainly focus on the big platform issues, allowing developers to take responsibility for the specifics of their application.
I think the same happens with security. Developers will be expected to deal with the specifics of their code, whereas security teams will work across the platform. Building tools. Advising on best practice. Providing guardrails with secure defaults.
Very much like platform engineering, just with a security focus.
I’m not sure what it’s going to be called, but hopefully we can retire “DevSecOps”...