What Developers Should Or Should Not Do.
Recently I was in a conversation where someone seriously suggested that Web Application Acceleration and WAN Optimization should be the job of developers, since they are in the code and creating the network traffic. At first I was taken aback by this suggestion. I was a manager of a small team of developers and admins when Web Application Firewalls first started to be bandied about (though I don’t think they had the fancy name then), and went through this entire discussion then. Never in my wildest dreams did I think we’d revisit it on the much grander scale mentioned. But that does bring up the question… What is best left in the hands of app developers and what is not?
Not so long ago, a friend of mine who repaired complex systems for a retail chain was laid off and his job eliminated. Even though he could prove that he saved the company a lot of money, it was no longer seen as cost effective to maintain a test bench and the tools necessary to fix complex computer systems. It is just too easy to buy extended warranty plans or replace gear before it is worn out to warrant paying someone to do that job anymore. That may change again in the future, but I honestly don’t know many enterprises that keep breadboard-level repair staff around these days. Why? Because the specialty of making and repairing breadboards is centralized in a place where that is all they do, making it much more cost-effective than every enterprise keeping someone on staff for the eventuality of a breakdown. Even knowing that you will have unexpected failures, you will have them whether you have someone handy to repair them or have to call a service in to repair them.
There’s a similarity here. The things that a developer can do well are vast, because we don’t really have vertical market developers. Oh there are a few, and some places want experience in their vertical, but there’s no schooling to be a utility company developer or financial services developer, there’s schooling to write software, and the problem domain you’re taught to write it for is “everything”. You differentiate based upon languages or operating systems in college, but not on vertical market. And that is both a plus and a negative.
Developers are not security experts, they’re software development experts. They’re not Web App Acceleration experts, nor are they WAN Optimization experts. They’re development experts. Very good at turning ideas into applications. Some are specialized closer to the metal, others are specialized at more business development. Some like myself have done a bit of it all. But only those working for companies that make WAN Optimization, Web App Acceleration, or Security solutions are specialists in their respective areas. There are a few Web App Acceleration developers in the wild, and a few Security developers in the wild, but most have gone to the place where they can utilize their specialty full-time… Shops that make these products.
And that is reason number one why it is not something developers should be doing. At a minimal level, not making fifteen trips across the network when two will do it, or checking for buffer overflows and SQL injection attacks before deploying code? Certainly. But overarching security or Web App Optimization? No. They won’t be as good at it as a dedicated staff, and they won’t update it as often as a dedicated staff.
The second reason is just as straightforward. You don’t own the source to a whole bunch of your applications, so your developers can’t do these things. Of course you could insist that your vendor do in-depth catch-all security or implement web app acceleration in their product, or you could let them develop features your business needs to get the job done with their software. Of course the latter is a better choice if you have a choice. Chances are you will fall somewhere on the spectrum closer to “You are not our only customer… No” than to “Oh yes, we have a whole team with nothing better to do, we’ll start rearchitecting right away.” Again, it is reasonable to expect a certain level of proficiency be built into your purchased apps, but not complete solutions for all these issues.
The third reason is a bit more esoteric. This is not what you hire developers for. It just isn’t. And it’s not what your vendors are hiring developers for. You’re hiring them to make apps the business can use. Is it a wise use of someone who is extremely proficient in the tools you use and has developed for your vertical to write non-business code? Not really.
And fourth? Well, fourth is a question of possibilities. In WAN Optimization, some of the solutions are across applications. Or more to the point, across streams. Putting that functionality somewhere that sees more than a single application’s streams is necessary to get the benefits. The same is true in different ways for Security (SIEM for example) or Web Application Acceleration (you don’t optimize streaming or logo download per-app unless there is a specific reason to). So developers really cannot effectively write this stuff into an application. At least not while still getting the benefits offered by tools readily available today. In all of these cases, they are dealing with data on the wire also, so unless your staff writes network drivers, there are some optimizations/solutions that just cannot be achieved from within the application.
Fifth is re-use or the lack thereof. Some code that would suit these needs would be highly reusable. Much of it would have to be rewritten with each product/platform/OS, simply because they’re not on the wire detecting things, they’re speaking a development language, not network protocols.
And finally, a point hinted at above: what happens when a better way to do something in one of these specialized areas comes along? Do the developers trained in these things drop whatever they’re doing to respond? In the case of security I would say “yes”; for the other two, as long as your apps are meeting SLAs or business expectations, probably not, even though the new way of doing things might bring a lot of benefit to the organization.
So don’t push things onto developers that they are not in a position to deliver. Get them training in developing secure software – while you install a WAFS and other security tools. Get them training in network communications protocols – while installing a WAN Optimization solution. And get them training in optimizing web development projects – while installing a Web Application Acceleration product. And keep them primarily focused on building solutions that make your business responsive to the market and your customers. Don’t force them to reinvent the wheel, and don’t ask them to be a specialist for a short amount of time on a highly complex topic – they get enough of that already.