Aug 22, 2016
Software vulnerabilities are one of the biggest security problems faced by organisations; and despite continual improvements in security awareness and software development, the problem persists.
Whilst it’s easy to point the blame squarely at software developers, there are good reasons why developers don’t prioritise application security. In order to reduce software vulnerabilities, and improve the security of your organisation, it’s important to understand these factors – and create a plan of action to deal with them.
Why Developers Don’t Care About Security
Whilst application security is a primary concern for security experts, developers have to balance dozens of conflicting interests – working to unbelievably tight deadlines, refining and improving the functionality of their code, and creating software that works consistently and reliably. As a result, it’s easy for security practices to take a backseat during the development process.
Developers also approach software from a different perspective from security experts. Code is designed with performance, speed and efficiency in mind. Attempting to incorporate security into an application can undermine these core benchmarks – improving software security at the expense of the application’s efficacy. In development terms, writing secure code can be seen as a step in the wrong direction.
The software industry also struggles to prioritise digital security. There are only a handful of security certification programs available in the sector, and these certifications are yet to reach the level of acceptance required to make them an industry-standard. Developer conferences prioritise new tools and technologies over security; and across two years of major conferences, just 3.1% of total talk time was devoted to security issues. This reflects the fundamental fact that developers are judged for the performance of their code – and not its security.
How to Improve Security with Basic Training
Whilst the importance of organisation-wide security is slowly gaining acceptance, it’s important to acknowledge that developers will never prioritise application security. Given that their primary objective is to create fast, efficient code, there’s an argument for saying that security shouldn’t be their primary concern. With that said, it’s still possible to improve developers’ understanding of digital security; and in order to reduce your organisation’s exposure to vulnerabilities, and minimise their impact, it’s essential to implement security training within your own organisation.
Thankfully, security training programs don’t need to be expensive and complex to have a real impact on your organisation’s security. Educating developers about the most basic elements of security can vastly reduce the number of vulnerabilities within their code – protecting your organisation from the exploits used in 80% of security attacks.
Proactive expenditure on basic security training will greatly reduce the costs associated with testing and remediation. Training will also help developers to speak a common language with security experts, and improve your organisation’s ability to communicate effectively about security threats – overcoming a common problem with security/developer liaison.
Many organisations designate a security-savvy developer to act as a mediator between software and security teams, creating a security ‘bottleneck’, with one person responsible for the security of the entire development process. Training shifts the onus of security away from individual people and onto the organisation as a whole.