Imagine you need to travel from one city to another. You have two choices: hack your way through a dense forest or take a well-maintained highway. Most people would choose the highway because it’s faster, safer, and requires less effort. In cybersecurity, “Paved Roads” work the same way.
Contents
- What Are Paved Roads?
- Why Do We Need Paved Roads?
- Core Principles of Paved Roads
- How Paved Roads Work
- Common Use Cases
- Real-World Examples
- Building Your Own Paved Roads
- Benefits of Paved Roads
- Common Challenges and Solutions
- Measuring Success
- Getting Started
- Conclusion
What Are Paved Roads?
Paved Roads are pre-built, secure paths that developers can follow to build and deploy applications. These paths include ready-made templates, configurations, and tools that have security built in from the start. Instead of figuring out security on their own, developers can use these proven solutions.
Why Do We Need Paved Roads?
When developers build applications, they face many security decisions. Which encryption library should they use? How should they handle authentication? What’s the right way to store secrets? Without guidance, developers might make mistakes or choose insecure options because they seem easier.
Paved Roads solve this problem by making the secure choice the default choice. When the secure way is also the easy way, developers naturally build safer applications.
Core Principles of Paved Roads
1. Security by Default
Every Paved Road starts with security built in. Developers don’t need to add security later - it’s already there.
2. Easy to Use
If a secure solution is hard to use, developers will find workarounds. Paved Roads must be as easy as, or easier than, the insecure alternatives.
3. Well-Documented
Clear documentation helps developers understand what they’re using and why it’s secure.
4. Continuously Updated
Security threats change over time. Paved Roads need regular updates to stay secure.
How Paved Roads Work
Here’s a diagram showing how Paved Roads fit into the development process:
Traditional Development:
Developer → Makes many security decisions → Potentially insecure app
With Paved Roads:
Developer → Uses pre-built secure components → Secure app by default
Common Use Cases
1. Container Base Images
Instead of letting developers choose any base image for their containers, you provide approved base images that include:
- Latest security patches
- Hardened configurations
- Logging capabilities
Example: Your organization creates a Python base image that includes:
FROM cgr.dev/chainguard/python:latest
# Uses distroless image (e.g., chainguard, google distroless, etc.)
# Security updates already applied
# Non-root user configured
# Logging configured to central system
- Distroless images are a good choice because they are very minimal, secure, and have a minimal attack surface.
2. CI/CD Pipeline Templates
Rather than each team building their own deployment pipeline, you provide templates that include:
- Automated security scanning
- Secrets management
- Compliance checks
- Secure deployment practices
Example: A Jenkins pipeline template that automatically:
- Scans code for vulnerabilities
- Checks for exposed secrets
- Runs security tests
- Deploys using secure methods
3. Infrastructure as Code Templates
Pre-built Terraform or CloudFormation templates that create secure cloud resources by default.
Example: An AWS template for a web application that includes:
- Encrypted databases
- Secure network configurations
- Proper IAM roles
- Logging and monitoring
4. Authentication Libraries
Instead of developers implementing authentication from scratch, provide libraries that handle:
- Multi-factor authentication
- Session management
- Password policies
- Token generation
5. Secrets Management
Pre-configured tools and patterns for handling sensitive data:
- Vault integration
- Environment variable management
- Key rotation
- Encrypted storage
Real-World Examples
Example 1: Spotify’s Golden Path
Spotify created “Golden Paths” for their developers. These are recommended ways to build services that include:
- Pre-configured service templates
- Built-in monitoring and logging
- Security best practices
- Automated deployment
When developers use the Golden Path, they get a production-ready service in minutes instead of days.
Example 2: Netflix’s Paved Road
Netflix provides developers with:
- Pre-built application frameworks
- Security libraries
- Deployment tools
- Monitoring solutions
Their “Paved Road” approach reduced security incidents because developers no longer needed to make security decisions - the right choices were built in.
Example 3: Google’s Borg
Google’s internal platform provides developers with:
- Secure container runtime
- Automated security updates
- Built-in access controls
- Standardized logging
Developers deploy applications without worrying about infrastructure security.
Building Your Own Paved Roads
Step 1: Identify Common Patterns
Look at what your developers build repeatedly. Where do they make security mistakes? What do they struggle with?
Step 2: Create Secure Templates
Build templates that solve these common problems with security built in.
Step 3: Make It Easy
Ensure your Paved Roads are easier to use than building from scratch. Provide clear documentation and examples.
Step 4: Get Feedback
Work with developers to improve your Paved Roads. If they’re not using them, find out why.
Step 5: Maintain and Update
Keep your Paved Roads current with security patches and new best practices.
Benefits of Paved Roads
For Developers:
- Faster development - no need to solve solved problems
- Less security knowledge required
- Fewer decisions to make
- More time to focus on business logic
For Security Teams:
- Consistent security across applications
- Fewer vulnerabilities to fix
- Easier to enforce policies
- Better visibility into application security
For Organizations:
- Reduced security incidents
- Faster time to market
- Lower development costs
- Better compliance
Common Challenges and Solutions
Challenge 1: Developer Resistance
Problem: Developers feel restricted by Paved Roads.
Solution: Involve developers in creating Paved Roads. Make them flexible enough for different use cases.
Challenge 2: Maintenance Overhead
Problem: Keeping Paved Roads updated takes effort.
Solution: Automate updates where possible. Create a dedicated team to maintain core Paved Roads.
Challenge 3: One Size Doesn’t Fit All
Problem: Different teams have different needs.
Solution: Create multiple Paved Roads for different scenarios. Allow customization within secure boundaries.
Measuring Success
Track these metrics to see if your Paved Roads are working:
- Adoption Rate: What percentage of new projects use Paved Roads?
- Security Incidents: Are vulnerabilities decreasing in applications using Paved Roads?
- Development Speed: Are teams delivering faster with Paved Roads?
- Developer Satisfaction: Do developers find Paved Roads helpful?
Getting Started
To implement Paved Roads in your organization:
- Start small - pick one common use case
- Build a proof of concept
- Get feedback from early adopters
- Improve based on feedback
- Expand to more use cases
- Create a culture that values using Paved Roads
Conclusion
Paved Roads transform security from a roadblock into a highway. By making secure choices the default choices, we help developers build better applications faster. The key is making security invisible - when developers use Paved Roads, they get security without thinking about it.
Remember: the goal isn’t to restrict developers. It’s to give them better tools that happen to be secure. When we get this right, everyone wins - developers build faster, security teams sleep better, and organizations deliver safer products.
Start building your Paved Roads today. Pick one common security challenge your developers face and create a solution that’s both secure and easy to use. Your future self (and your developers) will thank you.
Feel free to contact me for any suggestions and feedbacks. I would really appreciate those.
Thank you for reading!