Take care when pushing security concerns into your platform
One of the benefits of moving to a platform environment is relieving developers from dealing with all of the details of securing their applications.
There's a downside to this, though. We can go too far in abstracting these types of details and end up creating unintended gaps in our security strategy.
In the case of applications, the developer is in the best position to know what kind of security is required for the code in question. They know the sensitivity level of the application and the requirements necessary. This doesn't mean that the developer should be required to understand every nuance of implementing encryption or user authentication. This can be counter-productive and lead to reduced security by introducing lots of extraneous cognitive load and potentially creating misconfigurations that unintentionally leak data or provide system access.
Our answer to this has been to push security concerns down onto the platform, removing the need for the developer to deal with certificate specifics, user authentication or securing communication with other services.
This should have the effect of improving security by removing mistakes, but another consequence is that we are potentially separating concerns that shouldn't be. It is impossible, or at least very unwise, to build modern applications without making security a first-order concern. The risk in absorbing too much of security into the platform is that we take too much of the responsibility for security away from the developer and the application itself could be exposed.
The solution here is to abstract but not completely remove security concerns. The developer should be able to specify that an application requires encryption, for instance, but not need to figure out how to properly handle any and all encryption options, which is where the pitfalls come into the picture.
Remember that we build platforms to limit cognitive load by capturing and abstracting work. It is important to discriminate between those two options when deciding what works for your organization.
