Everyone knows how vulnerable today’s web-based, mobile, and desktop applications can be to a security breach. But what is the best way to assess risks and eliminate vulnerabilities? Just how good are today’s developers at writing secure application code and why is that important?
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
Training is key
If the goal is to rid applications of potential vulnerabilities before they get out in the world, then training has a major role to play in that equation. It allows you to embed security into your end-to-end SDLC process, and it teaches your teams how to design, develop, and implement secure code. Many developers don’t know what secure code looks like, and many more aren’t fully aware of the more than 1,000 categories of security mistakes that developers can make.
Bogus reasons for downplaying the importance of application security
Too costly? Is no one in these organizations tracking the cost of fixing insecure software after it has been released?
A lower priority? Has anyone looked at the downstream impact of rushed, and consequently buggy, insecure code, not only on the user but on the reputation of your brand?
Find and fix? Wouldn’t it be better to make applications secure at the source, where vulnerabilities can be eliminated long before the application is deployed?
A study by the Aberdeen Group showed that companies adopting a “secure at the source” approach to development realized a fourfold return on their application security investments. “The clear takeaway,” the report concludes, “is that application security initiatives of any kind represent extremely good business value.”
Secure coding training for developers – the most effective application security strategy
Most application security incidents stem from defects in the code committed by software engineers when designing, implementing, and integrating applications. This should not be a surprise, given that software security is typically not a part of standard educational programs.
A critical first step in developing secure applications is an effective training plan: developers learn the important secure coding principles and how to apply them, and those principles are then built into the architecture and design stages of the SDLC.
From a project management point of view, it’s an easy formula:
Why training developers in secure coding practices is key
Without training in secure coding practices, developers keep making the same mistakes over and over again, and you are exposing yourself to considerable risk.
The bottom line
Never forget that the best security defense begins and ends with your people. Be clear about their roles, invest in their training, and set priorities that drive smart decisions throughout your organization. The result will be better products, happier users, and far fewer problems for you to deal with down the line.
WhiteHat Security announced a five-part developer training webinar series and certification program that introduces developers to application security, secure coding techniques and best practices in identifying and fixing security vulnerabilities.