Using feature flags for security

Alex Smolen
2 min readApr 27, 2024

--

One reason I joined LaunchDarkly is that I’d been using the product for several years at Clever. I used Decider — a bare-bones internal feature flagging service — at Twitter. I knew the value of these tools for software development. But I’ve also found feature flags to be useful for security. Over time, I expect security teams will adopt these tools to support their work. If your organization uses feature flags, consider using them for these security use cases.

Uncoupling code deployment from security code review

Security code reviews take time, and slow down shipping code. Feature flags let security teams decouple code releases from security reviews. By toggling features off, developers can deploy unreviewed code changes to production. Security reviews can occur before release without slowing down shipping code.

At LaunchDarkly we operate a Federal environment that is subject to FedRAMP change control processes. Security reviews are more stringent (i.e. documentation-heavy) than our standard commercial environment. We use our internal LaunchDarkly instance to disable unapproved features in Federal. Developers can still deploy code and maintain code parity between the environments. When the Federal security review completes, we can just turn on the feature.

Granting access to external security testers

You may want to perform security testing before releasing features to your users. Feature management tools let security teams enable features for external security testers first. You can security “test in prod” without exposing your users to vulnerable code.

HackerOne runs LaunchDarkly’s bug bounty program. We use our internal LaunchDarkly to target HackerOne security researchers. We have a rule based on using their wearehackerone.com email alias as their login email. They get access to product features that other trial users don’t. This makes it easier to get coverage for our security researchers. We use similar functionality to grant access to pen testers and authenticated scanners.

Faster security incident remediation

When there’s a suspected security incident, it’s important to move fast. Feature management tools help security teams respond by toggling off functionality. This immediate action can mitigate risks and prevent further exploitation during investigations.

In several potential security incidents, I was able to “flip a switch” and end the incident. Turning off the problematic piece of code can shut down the attack surface. This is a useful concept to bring to threat modeling sessions for new features. Can we turn this feature off if we identify potential security issues with it? Feature flags are super handy for this.

Are any other security teams using feature flags in interesting ways? Let me know on Mastodon or LinkedIn.

--

--