Chapter 31. Security Paved Roads

Nielet D’mello

If you don’t know where you are going, any road will get you there.

Lewis Carroll

In modern software companies, there are usually centralized platform teams and various product teams. The challenge that many security teams face is to empower developers to build and ship as quickly and efficiently as possible while maintaining an appropriate level of security that keeps business risk to a minimum.

As AppSec engineers, we embrace the philosophy of paved roads to introduce well-supported and smooth security controls that are automated and integrated across the SDLC.

What Are Security Paved Roads?

A concept first popularized by Netflix, security paved roads involve building software, libraries, tools, and processes (very close to the developer’s workflow) to ensure that developers can build secure things by default. The goal is to make security as transparent as possible and as easy as possible for developers—not to make security a roadblock for them to adopt. An ideal paved road would allow engineers to be fully autonomous in designing, building, and deploying with little to no bottlenecks from security teams because the security baseline requirements are already baked in.
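One concrete shape a paved road can take is a small library owned by the platform or AppSec team that bakes the baseline into the call the developer would make anyway, so the secure choice is the zero-effort choice and leaving the road is visible in code review. The following Python module is an added illustration written for this page; it is not code from the chapter or from Netflix. It assumes a hypothetical platform-owned helper for issuing session cookies: `build_set_cookie` always emits `Secure`, `HttpOnly` and `SameSite`, dropping `Secure` requires a written reason, and `audit_set_cookie` is the matching check a test or response middleware can run to detect cookies that left the road.

```python
"""Hypothetical paved-road helper: session cookies that are secure by default.

Added example for this page; the module, function names and policy are
assumptions, not the chapter's or any vendor's code.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Baseline attributes every session cookie must carry. Assumption: the
# platform team owns this list and product teams import this module.
REQUIRED_ATTRIBUTES = ("secure", "httponly", "samesite")


class PavedRoadViolation(ValueError):
    """Raised when a caller tries to leave the paved road without a reason."""


def build_set_cookie(name: str, value: str, *, max_age: int = 3600,
                     samesite: str = "Lax",
                     drop_secure_reason: str | None = None) -> str:
    """Return a Set-Cookie header value with the security baseline baked in.

    HttpOnly and SameSite are always set. The Secure attribute is set unless
    the caller supplies `drop_secure_reason` (e.g. a plain-HTTP local dev
    loop); the reason is not validated here, only required, so that the
    exception is spelled out at the call site and shows up in review.
    """
    if samesite not in ("Strict", "Lax", "None"):
        raise PavedRoadViolation(f"unsupported SameSite value: {samesite!r}")
    if samesite == "None" and drop_secure_reason is not None:
        # Browsers reject SameSite=None without Secure, so this is never valid.
        raise PavedRoadViolation("SameSite=None requires the Secure attribute")

    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["samesite"] = samesite
    if drop_secure_reason is None:
        morsel["secure"] = True
    # Morsel.OutputString() emits attributes in sorted key order.
    return morsel.OutputString()


def audit_set_cookie(header: str) -> list[str]:
    """Return the baseline attributes missing from a Set-Cookie header value.

    This is the detection side of the paved road: run it over responses in an
    integration test or middleware to catch cookies built outside the helper.
    """
    parts = header.split(";")[1:]  # everything after name=value
    present = {part.strip().split("=", 1)[0].lower() for part in parts}
    return [attr for attr in REQUIRED_ATTRIBUTES if attr not in present]


if __name__ == "__main__":
    on_road = build_set_cookie("session", "abc123")
    off_road = "session=abc123; Path=/"  # constructed: hand-rolled cookie
    print(on_road, audit_set_cookie(on_road))
    print(off_road, audit_set_cookie(off_road))
```

The design choice worth noting is that the helper does not forbid the insecure variant outright; it makes the deviation explicit and greppable, which is what lets developers stay autonomous while the security team still sees every exit from the road.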

When it comes to AppSec reviews and vulnerability remediations, the paved roads support developer autonomy and accelerate velocity because mitigations can ...
