Why security should be a priority in the software development process


Article by CEO and co-founder of Secure Code Warrior, Pieter Danhieux.

Ask a typical software developer to name their top priority when writing code, and the answer will likely be “creating new features.”

Striving to produce code that meets a need and adds real business value, developers tend to focus on building as much functionality as possible. They want their code to be both efficient and elegant.

What is less of a priority, unfortunately, is security. Many developers just don’t see this as an area of focus and think it’s someone else’s responsibility.

The problem was highlighted in a recent report compiled by Evans Data, which explored the attitudes of 1,200 active developers. It revealed that only 14% of the group consider security a priority when coding.

Although the result is alarming, it confirms that security is simply not on most developers’ radar. They don’t see that they have a role to play when it comes to addressing common vulnerabilities or issues.

Secure Coding Awareness

The report highlights the importance of increasing awareness in the developer community about secure coding. This is vital in a world where the cyber threat landscape is rapidly changing and where organizations face new potential attacks every day.

Cybersecurity is a multi-faceted and unwieldy beast at the best of times. Although secure coding is only part of the overall landscape, it is a complex piece of a system that requires specialized attention.

The survey also revealed that the concept of working with secure code is something quite siloed for the average developer. They tend to limit their scope to a single category instead of taking a more holistic view of the whole challenge. Many developers have also indicated that they rely on using existing or pre-approved code rather than writing new code that is free of vulnerabilities.

Code-level vulnerabilities are typically introduced by developers who have learned poor coding patterns, which is not surprising given the general lack of emphasis on writing secure code in their KPIs. This culture is not the fault of the developers as they are not equipped to handle long-standing security issues in code.

Security managers can do a lot to resolve this situation by first ensuring that the development cohort has a full picture of what secure coding entails. Testing and scanning pre-approved code is a useful step. Nevertheless, reducing vulnerabilities requires hands-on training in good, secure coding patterns in the languages and frameworks that are actively used.

The rise of DevSecOps

The concept of a DevSecOps methodology is to put security at the very heart of the software development process. It is based on the idea that everyone shares the responsibility for security, and it is a key consideration early in the software development lifecycle.

The problem, however, is that within many organizations, DevSecOps is far from becoming a norm. In 2017, a study by the Project Management Institute showed that 51% of organizations still use Waterfall for their software development.

This study is now five years old; however, given the slow pace of change within large enterprises, it is unlikely that there has been an abrupt transition to the latest security-focused methodologies.

Legacy processes like waterfall development can create an uphill battle for security professionals trying to cover all the bases with a comprehensive cyber threat protection strategy. Re-adapting developers and their needs into this landscape is a challenge.

However, this should not be used as an excuse to do nothing. Development managers should conduct comprehensive security training for their developers so that they can fully understand the challenge. They will then be in a better position to integrate security into their overall technology stacks and workflows.

Pulling security out of the “too hard” basket

The Evans Data report highlighted an alarming 86% of developers who find it difficult to practice secure coding. At the same time, 92% of development managers also admit that their teams need more training on security frameworks. The fact that 48% of respondents admitted to knowingly leaving vulnerabilities in their code is very concerning.

The picture these results paint is very worrying. They show that many developers do not receive adequate security training or are not sufficiently exposed to security best practices. The bottom line is that it’s just not a priority for developers to factor security into their work.

This is a situation that needs to be addressed urgently. With the number of cyber threats increasing daily, all developers need to understand the crucial role they play in preventing attacks.

Senior management must take the necessary steps today to create a security-focused culture within their developer teams. By encouraging them to take a DevSecOps approach to their work, vulnerabilities can be removed from code before it is introduced into the overall IT infrastructure.

The result will be better security for the entire organization.
