How to have security and usability with your development environments in regulated industries
The blog post discusses the challenge of balancing security and usability in development environments at companies in regulated industries. Security controls are necessary to prevent leaks and the introduction of backdoors, but they can also slow developers down. To address this, the author points to established frameworks and guides: the UK National Cyber Security Centre (NCSC) guidance on secure development, the OWASP DevSecOps Maturity Model (DSOMM), and NIST's Secure Software Development Framework (SSDF, NIST SP 800-218). The post also emphasizes reducing the attack surface of the development environment through controls such as version control, separation of environments, secure secrets storage, standardized environments, and educating staff on common vulnerabilities.

The author then examines how to keep environments usable while meeting those security requirements, comparing local development environments, virtual desktop infrastructure (VDI), and cloud development environments (CDEs). Local environments offer high usability but low security; VDIs offer good security but poor usability. The post recommends CDEs as the option that best balances the two. It also describes the deployment models available for CDEs: self-hosted and self-managed, self-hosted and vendor-managed, and vendor-hosted and vendor-managed.

The author concludes by recommending self-hosted, vendor-managed CDEs such as Gitpod for security-conscious organizations in regulated industries, since they meet the security requirements out of the box while preserving usability.
Company
Gitpod
Date published
May 15, 2024
Author(s)
Mirco Kater
Word count
1068
Language
English
Hacker News points
None found.