How are developers trained?
Usually, developers are taught to design and develop software that works.
The goal is to write code that performs a specific task. Everything else comes second: efficiency, maintainability and security.
When software developers are put under tight deadlines, this becomes exceptionally clear. Anyone who has seen the “working” code that results from a team of developers that have hardly slept in a week to meet a launch deadline will know what I mean.
The emphasis is all on getting the job done, and that means that everything else tends to suffer.
Security, especially.
Secure software developers have a different mindset, and organisations that develop secure software tend to have a different culture.
They don’t just prioritise designing and developing software that works. Instead, they prioritise creating software that cannot fail.
When developers think about creating software that cannot fail, they stop taking shortcuts.
They start to think about everything they learned during their secure development training.
They remember that course they took at university on designing dependable systems.
So take a step back and think carefully about your organisation, and software development team.
How do you work? What do you prioritise?
Are you just trying to develop software that works? Or build software that cannot fail?
Whilst you will never achieve perfect software that cannot fail, the change in mindset invariably results in much better outcomes, and infinitely more secure software.
