CDEs Provide Security Benefits to Both Organizations and Developers

Our third blog accompanying our CDE Adoption Report.
author avatar
Rob Whiteley
 on April 3rd, 2024
Updated on October 4th, 2024
4 min read

While many developers may think of Cloud Development Environments primarily as productivity tools, they bring tangible benefits for security and compliance – to both organizations and developers themselves.

In a survey we conducted for Coder’s recent Cloud Adoption Report, we asked developers why they rejected CDE products in the past, and five out of 10 tools were most frequently rejected due to a lack of security features. Overall, security was the #1 consideration when selecting tools, with 43.9% of respondents indicating it as a key feature when selecting CDEs.

However, CDEs actually ease organizations’ security concerns. With a CDE, IT eliminates the ability for anybody to download source code; no one can copy the files out into a separate environment, and there’s no way for them to download the content. The only thing they see is the Integrated Development Environment that’s running on a cloud instance. They can see and work on the code, but they can’t pull that code out and put it on a device IT doesn’t control.

Removing the ‘Shift Left Tax’

For developers themselves, CDEs remove a lot of the hassle that comes with having to manage organizations’ security policies in their own environments. Some in the industry refer to this as an element in the “Shift Left Tax” – extra work imposed on them by organizational moves to integrate testing and quality control early in the development process.

In conventional coding environments, developers have to configure their own settings to authenticate tokens, keep antivirus tools up to date and manage mobile devices to comply with organizational regulations. The information is usually on FAQ documents, intranets or checklists, and it all has to be configured manually. The onus is on the developer. It’s often unclear if they’re doing things correctly, until they suddenly lose access or get locked for becoming noncompliant.

The beauty of a CDE is it’s all moved to a central provisioning system. IT can configure the workspace to stay compliant without having to tax the developers directly.

If organizations already have virtual desktops, they may have taken care of some of these functions. But even in virtual desktop environments, the workspace is still tightly coupled to the device. The device just happens to be a virtual machine. In cloud development, the workspace is decoupled from the device. Now developers don’t have to put all their energy into securing devices. This severely mitigates the risk of security breaches happening at device level.

No need for shortcuts

Then there are the hassles posed by the shortcuts developers often take to secure systems in conventional coding environments. We recently heard of one of these horror stories taking place at a large company. The company required developers to authenticate into the corporate system to start their coding process, using a key to generate a token that allows them in. Turns out, the developers were taking the key and pasting it to a public website to generate the tokens, which equates to leaving a key out in the public for anyone to use. Every time a security leader saw this happening, the company had to invalidate every key and reissue new ones. When a company has 25,000 developers, that’s a massive issue. It only takes one of those 25,000 to make a mistake, and an organization has to invalidate all 25,000 and start all over again.

Compliance benefits

Another major benefit CDEs provide is in the compliance area. Centralizing control over IT environments allows companies more visibility into the development environment. Enforcing encryption becomes a lot easier when it’s a centralized network-based activity rather than a decentralized device.

In the enterprise version of Coder’s CDE, organizations can access logs of all developer activity, which can then be audited. You have a very detailed change history of what’s happening in every developer workspace, ultimately helping organizations comply with federal regulations. If a breach or a data loss takes place, organizations have to prove they knew about it – it’s how disclosure laws work. Having that rich auditing capability, if something goes wrong, security leaders can go back in and pinpoint what went wrong.

While the CDE Adoption Report highlights the many productivity, cost, and developer experience benefits CDEs provide, its security benefits shouldn’t be underplayed. They meet the needs of security-conscious organizations requiring comprehensive auditing, role-based access control, user provisioning and deprovisioning, and data exfiltration to run zero-trust environments.

Subscribe to our Newsletter

Want to stay up to date on all things Coder? Subscribe to our monthly newsletter and be the first to know when we release new things!