Web application coding errors provide ample opportunity for exploitation by malicious actors. With the average number of applications in use by organizations on the rise, any undetected or unpatched vulnerability heightens risk, not just for specific users of that application, but for the entire organization. Given the potential negative effects of a vulnerable app, and the charge to protect the entirety of their company’s systems and data, it’s no wonder security teams are anxious about the application development lifecycle.
It’s a long-held belief among security practitioners that developers don’t care about the security of the apps they build. Per Veracode’s Chris Eng, though, this belief is more dismissive than true. Citing his many personal conversations and the results of a 2016 study, Eng argues that security is of concern to developers; it’s just not the number one priority, given the other pressures and goals placed on developers by the business. Being revenue generators—as compared to security, which is seen as a cost center for the business—“developers have a lot of power,” said Eng in a recent video interview with InfoSec Insider during RSA Conference 2017. This means that security needs to find a way to integrate with development rather than the other way around, which is how security has typically approached development in the past.
“In the traditional world, security is always the one who comes in, calls your baby ugly, and then wonders why developers don’t listen [to us] or seem to not be happy when [security shows] up on their doorstep,” said Eng. That said, things are starting to shift in the development world; organizations realize that they must innovate faster, but in a secure way. Consumers are beginning to expect that security will be baked into the tools they use, be they websites, applications, or the devices themselves.
Eng sees positive movement towards improved collaboration between security and development, but this requires security to adopt a slightly different mindset than “security first!”
“Security, in the long run, is going to be viewed as a subset of quality. It already is to a degree,” said Eng, pointing to quality assurance. “The more we can get developers to think about security as one factor of QA testing, the more it will be accepted” and considered critical.
Check out the full Infosec Insider interview with Eng to learn how Veracode is working with developers, how companies using eLearning are fixing exponentially more vulnerabilities than those without, and what you can do, as a security practitioner, to better affect the development process.