Do developers at your company keep application security top of mind when coding? Do they have training in secure code development? Do they have the tools to develop code securely? If they find a security issue, can they quickly fix the issue in all instances throughout a large-scale application? If they use open-source code, do they verify its security?
While many shops can answer “yes” to all of these questions, many others struggle with secure application development. Although the situation is improving, security is often absent from developer training curricula; even those who want to write secure code may simply not know how.
There are products, however, that address these issues. Some will alert coders to security problems in real time, as they are typing code, a kind of hyper-sophisticated “spell-check” for programmers. If they find a problem and fix it, they also have to make sure to eliminate it everywhere it appears in a large-scale application, and there are systems that can do that, too.
As I described in an earlier blog, supply chain risks are growing quickly: do you know if the code you downloaded from GitHub is safe to deploy? Once again, look to the fast-growing application security industry for a solution.
When I ran security programs at Federal agencies, I saw far too often that security was an unwelcome afterthought for many developers. However, with increased attention to cybersecurity in the government and in the public eye, the situation is improving. Developers have a wealth of powerful tools to minimize, or even eliminate, security holes both in their own code and in the code they use from other sources.