The deployment of a productive and secure application development process is often a struggle for many organizations. This is the main challenge that my co-founder and I have been tackling since we created Strong Network back in 2020.
The name “Strong Network” was chosen to embody the power of collaboration and connectivity within the technology and development community, highlighting the strength that comes from a well-coordinated, productive network of developers working together. It represents the robust and secure infrastructure that facilitates the creation of superior IT products and solutions through smart associations between developers and applications.
Increasingly, developers are being continuously targeted by hackers, notably around credential theft, leading to severe data breaches and exposing personal information and source code. For a long time, virtual desktops have been candidates to address this issue by providing data loss prevention measures. More recently, enterprise browser companies position themselves as a web-based alternative to virtual desktops, although the focus is primarily securing access to web-applications and SaaS (but desktop access is possible).
Here comes the kicker: these general-purpose technologies can be fraught with usability and performance issues in the context of protecting code development. If you want to understand in detail how these technologies are used in the scope of development process security you can read this post.
Combine security and productivity in cloud development
We created the first secure cloud development platform to address the dual challenge of enhancing the efficiency and governance of the application development process within the DevOps cycle while simultaneously safeguarding against data leaks.
Like other platforms, the basic goal is to streamline container-based development environments, yet in our case we aim to provide robust security measures at the same time. Even better: we design security measures and controls such that they become part of the developer’s productive workflow.
Cloud Development Environments (CDEs) have recently become a technology category proposed by Gartner, and Strong Network is mentioned as one of the vendors within it. CDEs are still early on Gartner’s Hype curve, but their support shows that the industry has clear incentives to move development environments online. Some of the benefits mentioned by Gartner are centralized management, ease of access to environments, and better security. We got fixated on that last one.
In this other post, I delve into all the characteristics and benefits that secure cloud environments bring; here, I’ll focus on the main conceptual differences between Strong Network’s and other platforms.
How a secure cloud development platform is different
The central discussion of this article is to differentiate a secure cloud development platform from other platforms like Codespaces, Google Workstation, OpenShift DevSpaces as well as other smaller players in the market like GitPod and Coder.
These platforms provide access to development environments via an Integrated Development Environment (IDE) with the purpose of starting a coding task more rapidly. In other words, these platforms are primarily a productivity-enhancement play.
Notably, there is no goal of protecting the data in the IDE (or outside) from being leaked. In contrast, a secure platform aims at jointly enhancing productivity and protecting the entire development workflow from data leaks. And this workflow extends beyond the IDE. This is the perspective that we took when designing the platform.
Although some of the platforms mentioned above make security claims, the only security measures that are delivered in effect are: the platform is self-hosted (in some cases; this is also not really a security measure) and that, like for any cloud development platform, the development data does not land on the developer’s physical device because it remains online in the cloud environment.
However, when working with any of the platforms mentioned above, it is actually trivial to leak data via clipboard or network operations or steal any data repository credentials accessed via any one of these environments and leak data out of it, even if MFA is enabled. We actually tested all the existing platforms and were able to easily exfiltrate data (ask me for the exfiltration tutorial videos for any of the above vendors).
How we made Strong Network both productive and secure for software development
For security goals against data leaks to really be fulfilled, adding data loss prevention (DLP) to the IDE—to protect the data from leaking via the developer’s operations—is a necessary yet insufficient measure.
The basic role of the secure platform is to provide joint productivity and security during code development activities. From a process perspective, the platform manages development environments with native security measures against data exfiltration. Importantly, most security mechanisms can be made context-aware so that they have no impact on the developer’s workflow. Examples of security mechanisms that can be implemented are explained in this article.
Since data security must take a workflow perspective, the access to all DevOps applications part of the developer’s workflow (GitHub, GitLab, etc) must be secured as well. This is achieved through the joint use of a specialized secure browser available on the secure platform and dedicated to access and use workflow applications. When enabled, all web applications necessary to the developer for collaboration (e.g. source code, task management) and DevOps are available via the secure browser.
Hence, as you can see a secure cloud development platform is in essence a conjunction of a secured IDE and a secure browser working together to protect the entire development workflow.
This puts the Strong Network platform in the same range of solutions as a virtual desktop infrastructure and potentially secure browsers when these technologies are applied to securing the development process.
The future of secure cloud development is productive security
In summary, a secure cloud development platform focuses on securing all data in development environments (i.e. the CDEs), web applications (GitHub, Jira, etc) used by the developer as well as the access to the organization data resources from the development environments. Measures range from protection against data extraction via phishing attacks or malware and against data leaks, including from insider threats.
The design of the platform allows control over the entire workflow, from coding in the IDE using web applications to working in the secure cloud environments. From a developer experience perspective, the aim of the platform is to provide an optimal developer experience via lightweight web technology that does not compromise productivity.
In conclusion, we bet that the future of secure cloud development is driven by productivity-enabling, transparent security that doubly benefits organizations and developers.
