API Security & Identity

The New Developer Dance


Grace Francisco is a global expert on developer relations and developer strategy. Currently, she is the CMO and head of developer relations at a cybersecurity company called Pangea. In this article, she discusses how developers can add security aspects to code.

Many of you have heard the term “shift left security.” Shift left security is about looking at code that’s already been built, doing static or dynamic analysis, and monitoring that code. So that’s all after the code has already been built and deployed somewhere. The gap is in helping developers put security functionality into their code and meeting them where they are, because most developers are not security experts and are not given the time to acquire those very deep skills. It is important to meet developers where they are so that they can deliver secure user experiences.

In 2022, there was an estimated 2.41 trillion dollars in costs to US businesses because of bad software. That’s just an estimate, and we think the real figure is a lot larger.

Most of us deal with Personally Identifiable Information (PII), like phone numbers, email addresses, etc., in our application code and in our web and mobile interfaces. This is important information and needs to be protected. If an identity is stolen, a person may be unable to get medical care, insurance, etc.

Another US case was an attack on critical infrastructure, after which people had to go to gas stations to buy fuel in plastic bags. Remediation took so long that operators had to fall back on their default backup plans to get things up and running again.

So, from happy coding days, you land in the middle of sad days. You are stuck remediating all these threats, re-architecting your code, and dealing with all these problems in your application software. Then you look at the landscape of cybersecurity. It’s so complex, there are many players, and not all of them are doing anything specific to help you, the developer.

Now, we have ChatGPT and AI. People are rapidly adopting it without looking at the potential threats.

When you put PII or any confidential information into an LLM, you are inherently handing over data that may be unencrypted and prone to a breach or an attack. People don’t think about that when they are writing their prompts, asking questions, and creating new content. The reverse of this is the output: it may send you to a phishing site through a malicious link. You need to consider securing both the inputs you send and the outputs that come back.
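To make the “secure both the inputs and the outputs” point concrete, here is an added Python example (not code from the article or from Pangea) of the two guards an application can put around an LLM call: redacting e-mail addresses and phone numbers from a prompt before it leaves the application, and flagging any URL in the model’s reply whose host is not on an allowlist the application controls. The regex patterns, the `[EMAIL]`/`[PHONE]` placeholders, the allowlist `{"example.com"}` and the sample prompt and reply are all constructed for this illustration; a production PII detector would cover many more data types than these two.

```python
import re
from urllib.parse import urlparse

# Two common PII shapes that turn up in prompts. Deliberately simple patterns
# for illustration; they are not a complete PII detector.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Anything that looks like an http(s) URL in the model's reply.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def redact_pii(prompt: str) -> tuple[str, dict[str, int]]:
    """Input guard: replace e-mail addresses and phone numbers with placeholders
    before the prompt is sent to the model. Returns the redacted text plus a
    count of what was removed, so the caller can log or block as policy dictates."""
    counts = {"email": 0, "phone": 0}

    def sub_email(_match: re.Match) -> str:
        counts["email"] += 1
        return "[EMAIL]"

    def sub_phone(_match: re.Match) -> str:
        counts["phone"] += 1
        return "[PHONE]"

    redacted = EMAIL_RE.sub(sub_email, prompt)
    redacted = PHONE_RE.sub(sub_phone, redacted)
    return redacted, counts


def check_output_links(text: str, allowed_domains: set[str]) -> list[str]:
    """Output guard: return every URL in the model's reply whose host is neither
    an allowed domain nor a subdomain of one. Matching on the parsed hostname
    (not a substring of the URL) means 'example.com.evil-login.test' is flagged
    even though it contains 'example.com'."""
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        allowed = any(host == d or host.endswith("." + d) for d in allowed_domains)
        if not allowed:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed sample prompt and model reply for the demonstration.
    prompt = "Email me at jane.doe@example.com or call (555) 867-5309 about my claim."
    safe_prompt, removed = redact_pii(prompt)
    print("to model:", safe_prompt, removed)

    reply = ("See https://docs.example.com/reset and "
             "https://example.com.evil-login.test/verify and http://evil.test/x")
    print("flagged links:", check_output_links(reply, {"example.com"}))
```

Both guards are pure functions, so they can be placed on either side of whatever client library makes the model call, and the returned counts and flagged URLs are what you would log to see how often PII was about to leave the application or how often a reply carried a link you did not expect.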

Here is a short story. Two women were walking along a stream. They heard a child crying and drowning in the water. They both jumped in, saved the child and pulled it out. Right after they got out, there was one more child, and then one more, and then one more, and so on. The women were exhausted and flailing. One of them decided to go upstream, where she found someone throwing kids into the stream.

This is what happens when software developers try to plug security breaches as they come. We’re all flailing because of all the insecure software that’s out there in the world.

CISA (the Cybersecurity and Infrastructure Security Agency) has recently been publishing on this need for software developers and the vendor community to embrace our responsibility: securing the way we make software and delivering software that gives secure user experiences.

It is a cultural shift that we all need to embrace in terms of that responsibility. You must continue to educate your developers. It takes time, and this is a continual education process. We, as leaders, need to help build that culture. Security is about safety.

Grace Francisco
As the Chief Marketing Officer and Head of Developer Relations for Pangea, I am responsible for the adoption and growth of our new product category, Security Platform as a Service (SPaaS). This is the industry’s first solution that enables software developers to incorporate security functions into their applications with a simple set of APIs. I have 15+ years of experience across enterprise, SMB, gaming, consumer, and fintech industries, working with companies of all sizes – from some of the smallest startups to some of the largest global enterprise organizations. Prior to my role at Pangea, I was VP Developer Relations Strategy and Experience at Cisco, where I was responsible for creating new capabilities and programming for DevOps, Site Reliability Engineers, cloud architects, and developers working toward a cloud-first world. I also led Cisco DevNet, Cisco's 500,000-plus-strong developer community, which features programs that catalyze innovations and accelerate automation and digital transformation throughout the industry. Prior to Cisco, I led developer relations at Intuit, Yodlee, Atlassian, Roblox and MongoDB. As someone who is passionate about and committed to promoting diversity, equity, and inclusion in our industry and beyond, I have created and sponsored multiple initiatives and volunteer-driven programs to advance underrepresented groups in tech. At Microsoft and Atlassian, I launched a diversity speaker series and peer mentoring program to empower and support women in technology careers. I previously served on the board of the Drupal Association and am the co-author of three patents. I graduated cum laude and hold a BBA in Business Management from Golden Gate University.
