Guardrails and paved roads: how do they fit together in application security?

Guardrails are security tools in the pipeline that help ensure the software doesn't drift too far from established standards. These guardrails allow developers to keep their creativity and flexibility while building the features that ultimately go to the customer. Guardrails do not dictate precisely how something is done; instead they provide a container around the solution and ensure that the finished feature doesn't stray into insecure territory.
Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management. Paved roads and guardrails funnel developer activity without taking away their freedom to do what they need to do. Paved roads can include vetted libraries, or tooling that lets developers get what they need from cloud platforms without holding admin rights. Paved roads let developers use the best security features and functionality in a way that is easier for them and saves them time.
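As an added illustration (not code from the article), here is a small pipeline guardrail that checks a project's dependency manifest against a paved-road allowlist of vetted libraries and approved version ranges. The allowlist, the version ranges and the sample requirements file are constructed for the example; a real allowlist would be maintained by the platform or security team.

```python
"""Added example: a CI guardrail that flags drift from a paved-road
library allowlist. All library names, ranges and manifest lines are
constructed sample data, not real project policy."""
import re

# Hypothetical paved road: vetted libraries and the [low, high) version
# range the security team has approved for each.
VETTED = {
    "requests": ("2.31.0", "2.99.0"),
    "cryptography": ("41.0.0", "43.0.0"),
}

# Constructed requirements.txt-style manifest to run the guardrail over.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
cryptography==40.0.1
leftpad==1.0.0
# comments and blank lines are ignored
"""

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Map package name -> pinned version, or None when not pinned with '=='."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
        else:
            deps[line] = None  # unpinned or unparseable: reported as a finding
    return deps

def check_guardrail(text, vetted=VETTED):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    for name, version in parse_requirements(text).items():
        if version is None:
            findings.append(f"{name}: not pinned with '==' (pin to a vetted version)")
        elif name not in vetted:
            findings.append(f"{name}=={version}: not on the paved-road allowlist")
        else:
            lo, hi = vetted[name]
            if not (parse_version(lo) <= parse_version(version) < parse_version(hi)):
                findings.append(f"{name}=={version}: outside vetted range [{lo}, {hi})")
    return findings

if __name__ == "__main__":
    results = check_guardrail(SAMPLE_REQUIREMENTS)
    for finding in results:
        print("GUARDRAIL:", finding)
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline step
```

The check only blocks drift from the allowlist; developers remain free to choose any vetted library and version within the approved range.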
Guardrails and paved roads fit together nicely in a modern application security program. Anna Weselius's talk from RSA 2023, Construction Time Again: A Lesson in Paving Paths for Security, is an excellent reference for seeing how the two come together.