Interview With Mackenzie Jackson - Head of Developer Relations at Aikido

Updated on: August 30, 2024
Shauli Zacks

SafetyDetectives recently had the opportunity to sit down with Mackenzie Jackson, the Head of Developer Relations at Aikido, to explore the innovative approaches this company is taking in the ever-evolving field of cybersecurity. With a background as a developer and a former founder, Mackenzie brings a unique perspective to the challenges developers face when it comes to integrating security into their workflows. At Aikido, he is at the forefront of bridging the gap between development and security, ensuring that the tools built are practical, efficient, and cater to the real needs of developers.

In a crowded market filled with complex and often overwhelming security solutions, Aikido stands out as a straightforward, no-nonsense platform designed to streamline security processes for developers. Mackenzie shared insights into how Aikido simplifies security by prioritizing critical issues and eliminating noise from false positives, a common frustration with many existing tools. This interview delves into the current cybersecurity landscape, the impact of cloud computing, and best practices for developers to embed security seamlessly into the software development lifecycle.

Can you introduce yourself and talk about your role at Aikido?

I am Mackenzie, the head of Developer Relations at Aikido. As a developer and a former founder, I know exactly the challenges developers face when dealing with security. It’s my role to be connected to developers at the grassroots and ensure we are building security tools for developers that go beyond a token IDE plugin.

What makes Aikido stand out in a crowded market?

Aikido was built as an all-in-one, no-BS security platform that helps developers get security done. The security market is crowded with expensive, noisy, over-complicated tools that look like the cockpit of an F35 and are designed to alert you on every possible concern. These tools are often evaluated by how many alerts they give and do little to prioritize the most important results. Aikido differs because we centralize multiple open-source security solutions in an easy-to-use platform and focus on ruthlessly prioritizing the most critical issues and removing false positives.

What do you think are the most critical emerging threats in web application security today?

Modern applications are no longer these giant stand-alone monoliths. They are built up of lots of different building blocks like open-source dependencies, SaaS solutions, and microservices. This not only increases the attack surface, it also makes us more vulnerable to software supply chain attacks. These attacks have changed the types of applications that can fall victim to cyber-attacks, making it harder to protect our applications, as now we also need to consider the security of our third-party components in addition to our applications. Supply chain attacks can feel like being a passenger in a car crash, as it is ultimately out of our control. These threats are still emerging, and while we can’t completely avoid them, unless we want to go back to writing code on punch cards, we can limit damage and mitigate risk with the correct tools and implementation.

What do you see as the biggest challenge currently facing cybersecurity teams in tech companies?

Cybersecurity is no longer just a problem for large enterprises; new compliance regulations and criminal threats now mean security sits on the shoulders of already stretched developers. But developers want to be developers, not security experts; they want to build applications, not learn how to use security tools not designed for their needs. The biggest challenge I see is getting developer buy-in for security, especially when having dedicated security teams is a luxury most companies simply can’t afford, and small security teams lack the resources to tackle security alone.

How has the shift to cloud computing influenced your security strategies?

Cloud computing has enormous benefits, namely the ability to rapidly scale without the need for dedicated DevOps teams. But this has also led to increased risk and a large skills shortage, as misconfigurations remain a prominent security issue that can have widespread consequences. We have been focused on this issue from the beginning by building out our cloud security coverage (CSPM) tool that not only finds vulnerabilities in your application but also within the cloud environment it runs in.

Could you share some best practices for developers to ensure security is integrated throughout the software development lifecycle?

Done correctly, integrating security throughout the software supply chain allows us to catch vulnerabilities early and build faster, more secure applications. But this is seldom done correctly.

  • Don’t plug existing security tools into the supply chain and expect security to be solved:
    Security engineers want an abundance of data to drill into; developers want only the most relevant and critical alerts that affect them directly. This means existing security tools are too noisy and will be quickly ignored. If you want to effectively integrate security into the development lifecycle, make sure tools are purpose-built for developers (and no, just having a VS Code integration doesn’t count).
  • Ensure developers are aware of the threats
    No developer wants to release insecure software, but often they don’t completely understand the risks and threats we are facing. Sharing actionable information about threats and how malicious actors exploit vulnerabilities in a TL;DR format gets critical buy-in for security.
  • Keep track of security analytics
    Security can be demotivating with the near-endless run of alerts; this is why it is critical to keep track of analytics and understand what is working, where you are catching vulnerabilities, and where you aren’t. We will never ‘solve’ security, but seeing improvement and celebrating it will keep everyone motivated.

 

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools. When he's not researching and writing, Shauli enjoys spending time with his wife and five kids, playing basketball, and watching funny movies.
