There is no question that staying ahead of the trends in application security technology is beneficial and can even help prioritize upgrades or consolidations in a bloated tech stack. But to forgo targeting the root cause of vulnerable software – we mere humans – is going to keep us on the losing side of the cybersecurity battlefront. If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security.
They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow or turn security into a chore. Ideally, some of those tools would be developer-centric, built with the developer’s user experience front-of-mind. To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it takes time and effort to build an effective dream team. Winning developers over to care about security and to view secure coding as a foundation of code quality takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive role they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.