The relationship between application developers and security teams has always been fraught with tension. At the core lies an ongoing battle — speed versus security — and that tug of war has been further exacerbated by mounting firewall backlog challenges driven by increased reliance on artificial intelligence and automation.
Traditionally, developers submit a firewall rule request before deploying a new application, service, or tool inside an enterprise environment. However, security teams can take weeks to review and approve the request, as they are overwhelmed by sprawling firewall logs used to aid investigations, maintain policies, analyze network traffic, and identify unauthorized access.
Developers don’t want to wait. They want to build their next application. Security teams need time. They want to reduce risk. And as the rate of development and deployment accelerates, the volume of requests piles up.
This dichotomy creates a natural tension across the organization, explains Aviatrix CPO Chris McHenry. Acknowledging that tension, embracing it, and learning how to reduce it is vital for organizations, he urges.
“There can be 3,000 rule requests in backlogs,” he adds. “Response time is anywhere between two and four weeks. Developers just sit, waiting to continue to work.”
A Tale as Old as Time
The strained relationship between developers and security teams can be traced back to the evolution of enterprise IT architecture, explains McHenry. Rapid cloud adoption fundamentally changed how organizations deploy applications and manage user access. AI and automation will only accelerate the process by spinning coding, deployment, and other development functions even faster.
Before the cloud era, security teams occupied the driver’s seat, as organizations operated with physical laptops, desktops, and data centers. However, the emergence of cloud offerings sparked a fundamental shift in organizational operations.
Before, security teams “could literally create physical boundaries that they could control,” McHenry tells Dark Reading. “It’s tough for people to go from full control to no control.”
Cloud adoption improved speed, allowing developers to build applications even faster. Developers became cloud buyers, as they didn’t have to wait for someone else to handle procurement and setup.
“It was such a pickle with cloud security postures in many environments because developers — and the business, more importantly — now expect that speed, and security is trying to play catch-up,” McHenry says.
The friction between developers and security teams is actually improving, says Aaron Rose, Office of the CTO at Check Point. More organizations are treating security as a shared responsibility rather than a last-minute blocker, he adds.
However, developers and security teams face sharply opposing demands that continue to strain the relationship. The former need to ship code quickly, while the latter feel pressure to “reduce risk with limited time and context,” Rose tells Dark Reading.
“When security tooling or approvals sit outside the developer workflow, you get long feedback loops, rework, and frustration on both sides,” he says.
Architecture Evolves, Firewalls Stay the Same
Developers used to be able to bypass firewalls more easily when policies relied on static IP addresses. But in the cloud, these change constantly. Now, it takes forever to get a new firewall rule in place, explains McHenry, noting that there are now more places for the process to break.
If a firewall only knows how to handle IP addresses, organizations are in trouble, he warns. That can lead to significantly larger volumes of changes. Organizations face tight windows for changes, as firewalls represent a “huge blast radius” that can expose entire networks to risk.
“I used to be able to click, click, click; but now I have to go back to opening a ticket and waiting two weeks, and someone will put it in, and they may or may not approve it,” he says. He adds that developers must write 100 lines of approval code to justify the access they requested in the first place.
While hybrid and multi-cloud architectures changed operations by increasing the number of enforcement points and the number of policy translations needed for a single business change, many organizations did not adapt their strategies. They still run firewall operations like they always have, explains Rose. That means tickets, manual review, manual implementation, and periodic audits, he adds.
“That model can’t keep up with modern delivery cadence, so backlogs emerge,” Rose says.
McHenry observed similar disconnects. Organizations will try to apply previous practices to new cloud services, but the speed developers were accustomed to slows down, and that’s a huge point of frustration for them.
‘It’s Only Going to Get Worse’
In large enterprises, Rose attributes backlogs to multi-vendor sprawl, global organizations, and layered processes. For small and medium-sized businesses (SMBs), it’s usually a resource issue — or lack thereof. One person may handle networking, security, and cloud, and sometimes the help desk functions, adds Rose.
“Changes get delayed not because of policy bureaucracy, but because there simply aren’t enough hours in a day,” Rose says.
Backlogs slow business operations, heighten network exposure, and drastically reduce visibility. McHenry reveals that people would be “surprised” by how many of the organizations that users interact with regularly have no visibility into or control over what comes in or out of their cloud.
Many SMBs don’t use rules at all, because they don’t have the capacity to manage them, says McHenry. Their firewalls are generally wide open, he warns.
Organizations often struggle to balance prioritizing new cybersecurity controls with maintaining operational speed and revenue. But McHenry says those two don’t have to be mutually exclusive.
Automating certain processes and embedding controls into developer workflows can help enterprises address these challenges. Enterprises are now treating firewall policies as an engineered product by defining intent in application terms, automating risk checks, and reserving human review for exceptions or high-risk changes, explains Rose.
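The model Rose describes, sketched as an added example (not code from the article or from any vendor named in it): a request is written in application terms, automated risk checks run first, and only flagged changes go to a human reviewer. The inventory, port sets, threshold, and the `review` function are hypothetical assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: application label -> (environment, CIDR). Hypothetical values.
INVENTORY = {
    "checkout-api": ("prod", "10.20.1.0/28"),
    "orders-db":    ("prod", "10.20.9.0/29"),
    "ci-runner":    ("dev", "10.50.0.0/24"),
    "internet":     ("external", "0.0.0.0/0"),
}
ADMIN_PORTS = {22, 3389, 5985, 5986}  # remote administration services
PUBLIC_OK_PORTS = {443}               # assumed policy: only HTTPS may face the internet
MAX_AUTO_HOSTS = 256                  # assumed limit for an auto-approvable source range

@dataclass
class RuleRequest:
    source: str   # application label, not an IP address
    dest: str
    port_lo: int
    port_hi: int
    proto: str = "tcp"

def review(req: RuleRequest):
    """Return (decision, reasons); decision is 'auto-approve' or 'human-review'."""
    reasons = []
    for label in (req.source, req.dest):
        if label not in INVENTORY:
            return "human-review", [f"unknown application label: {label}"]
    if not 1 <= req.port_lo <= req.port_hi <= 65535:
        return "human-review", ["invalid port range"]
    src_env, src_cidr = INVENTORY[req.source]
    dst_env, _ = INVENTORY[req.dest]
    ports = set(range(req.port_lo, req.port_hi + 1))
    src_net = ipaddress.ip_network(src_cidr)
    if src_net.prefixlen == 0:
        if not ports <= PUBLIC_OK_PORTS:
            reasons.append("any-source access to a non-public port")
    elif src_net.num_addresses > MAX_AUTO_HOSTS:
        reasons.append("source range wider than auto-approval threshold")
    if ADMIN_PORTS & ports:
        reasons.append("remote administration port in range")
    if len(ports) > 1:
        reasons.append("port range instead of a single service port")
    if dst_env == "prod" and src_env not in ("prod", "external"):
        reasons.append(f"cross-environment path {src_env} -> prod")
    return ("human-review" if reasons else "auto-approve"), reasons
```

Run in the change pipeline, a check like this lets narrow, same-environment requests merge without a ticket, while every flagged request reaches the reviewer with its reasons attached.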
Improving the relationship between developers and security presents a significant innovation opportunity for organizations, McHenry adds. Support developers with what they’re accustomed to regarding self-service, but do so in a way that still supports security best practices, he recommends. Organizations respond to the tension in a number of ways, but it’s not just about deploying new technology — processes need to be updated as well.
“If app teams are moving faster with Claude Code and AI development, then holy crap, the log is going to grow like crazy,” McHenry warns. “Without changing the process, it’s only going to get worse.”
Source: www.darkreading.com…
