Why Developers Don’t Prioritize Security | information age

With the cyber threat landscape changing daily, it has never been more important for organizations to develop and deploy secure software.

While cybersecurity platforms and defenses remain essential, secure code that is as free of vulnerabilities as possible is also required.

Achieving this, in turn, requires security-aware developers with verified security skills.

While the majority of developers say they are ready to stand up for security and commit to higher code quality standards, they can’t do it without substantial support, as well as an overhaul of the traditional metrics by which their employers and organizations often judge them.

Why security is not already a priority

Coding best practices have continued to evolve over the years, in response to business needs and market trends.

In the past, most applications were created using the so-called waterfall development model, in which software engineers worked their code through a sequential series of stages or milestones, completing each one before moving on to the next.

Waterfall tended to produce programs that, having passed every milestone along the way, were free from bugs or operational flaws by the time they were ready for the production environment.

But it was slow, with sometimes 18 months or more between the start of a project and the arrival at the finish line.

The Agile method largely replaced Waterfall, putting far more emphasis on speed.

And that was followed by DevOps, which is designed for even greater speed by combining development and operations so that programs are ready for production almost as soon as the last development tweaks are finished.

Putting speed ahead of security, and ahead of almost everything else except functionality, was a necessity as the business environment evolved.

In a cloud-based world where everyone is online all the time, and millions of mobile transactions can occur every few seconds, deploying software and moving it through the Continuous Integration and Continuous Delivery (CI/CD) pipeline as quickly as possible is essential to business success.

It’s not that organizations don’t care about security.

It’s just that in the competitive business environment that exists in most industries, speed is considered more important.

And developers who can match that speed thrive, to the point where speed becomes the primary measure by which their professional performance is judged.

Now that advanced attacks are increasing so dramatically, deploying vulnerable code becomes a liability.

Priorities are shifting once again, with security increasingly becoming the primary focus of software development, closely followed by speed.

Hardening security after the fact is not only dangerous, it also slows down the process of software deployment.

This has led to the rise of programs like DevSecOps which attempt to merge speed and security to help generate secure code.

But developers trained in pure speed cannot become security experts without lots of help and support from their organizations.

What Developers Need

The good news is that most developers want to see a shift to secure coding and a reprioritization of security as part of the development process.

In a comprehensive survey of more than 1,200 professional developers actively working around the world, conducted by Evans Data at the start of this year, the overwhelming majority said they supported the concept of creating secure code.

Most also expected it to become a priority in their organizations.

However, only eight percent of respondents said writing secure code was easy to do.

This leaves a wide gap within most organizations’ development teams between what is needed and what those teams are currently equipped to achieve.

Simply mandating secure code will not do the job.

Development teams need training, support, and a change in how software engineers are valued and judged within their organizations.

The biggest need is more and better training.

And it should be tailored so that less experienced developers can start by learning to recognize the types of common vulnerabilities that often creep into code, with plenty of hands-on exercises and examples.

Meanwhile, more advanced developers who have demonstrated their security skills can instead move on to topics such as advanced threat modeling.

Teamwork should also be emphasized so that developers can help each other build their skills.

Skilled and willing developers who know security should be appointed as security champions.

Their responsibility as a champion will be to help other developers improve their skills.

And while security champion is almost always an informal title, it should be given the respect, rewards, and compensation that such an important position deserves.

Organizations should take certain key steps to improve the security of the code produced by their developers.

In addition to providing access to training and allowing enough time to complete that training, organizations also need to review how their developers are judged.

The key metric should move away from raw code output and focus instead on the level of security achieved.

Producing insecure code can no longer be considered an acceptable risk.

Most developers understand the importance of producing secure code.

They just need proper support and guidance to make sure they can do it.

Matias Madou is co-founder and CTO of Secure Code Warrior.
