Why You Need to Train Developers to Improve App Security

The state of South Carolina recently reported a massive security breach in which unencrypted Social Security numbers and credit card numbers were stolen by hackers. Additionally, in late October, a group of hackers stole credit card data and PINs from multiple Barnes & Noble stores.

Before you start to admire the hackers' prowess, take a look at the Open Web Application Security Project (OWASP) Top Ten list of security risks. Most of the entries are vulnerabilities rooted in insecure application code.

Hackers use these well-publicized vulnerability classes to break into applications and steal data. Between the first and second quarters of 2012, SQL injection attacks rose by an estimated 69 percent.
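The SQL injection mentioned above is a good illustration of what "insecure application code" means in practice, and of the kind of defect developer training is meant to prevent. The following is an added example written for this page, not code from the article or from any of the organizations it names; it builds a small in-memory SQLite table with constructed sample accounts (hypothetical names and passwords) and runs the same login check two ways: once with the user's input concatenated into the query text, and once with a parameterized query. A classic payload bypasses the first and is harmless against the second.

```python
import sqlite3

# Constructed sample data for this demonstration only (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Authenticate by concatenating user input into the SQL text.

    This is the insecure pattern: the input becomes part of the query,
    so a crafted username can change the query's logic.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Authenticate with a parameterized query.

    The driver passes the input as data rather than as SQL text, so the
    same payload is compared literally against the column and matches
    nothing.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against a constructed injection payload."""
    conn = make_db()
    # The payload closes the string literal, adds an always-true clause,
    # and comments out the rest of the query (the password check).
    # The vulnerable query becomes:
    #   ... WHERE username = 'alice' OR '1'='1' --' AND password = 'wrong'
    payload = "alice' OR '1'='1' --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong"),
        "parameterized_bypass": login_parameterized(conn, payload, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the wrong password, the concatenated query still returns "alice" because the injected clause makes the WHERE condition true for every row and the comment marker discards the password comparison; the parameterized query returns nothing for the payload and only succeeds with the real credentials. The fix is not input filtering but never letting user data become part of the query text, which is exactly the kind of habit training instills.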

On the other hand, IT departments worldwide are spending massive amounts of money on securing their infrastructure. Moreover, IT security spending will continue to grow in the foreseeable future.

What gives? It looks like IT departments are missing the skills necessary to build secure applications. A study by the Ponemon Institute found that more than half of developers say that they have no formal training in securing applications.

This lack of training makes application security a low or nonexistent priority for development teams: while developers are busy packing applications with useful features, security remains an afterthought or is forgotten entirely.

So, what can be done about this, you ask?

An obvious prerequisite for building secure applications is giving development teams the right training. To secure an application, you have to think like an attacker, and security training helps developers build that mindset.

Threat modeling, peer reviews, and vulnerability testing are few and far between. Teams need to be equipped with the tools to understand security vulnerabilities and to incorporate countermeasures throughout the development lifecycle.

For example, frequent peer reviews at different stages of the development cycle can catch up to 60 percent of defects, and many of those defects may be security related. Similarly, threat modeling gives you a structured way to identify and address the threats with the greatest potential impact on your application.

Because the technology landscape keeps evolving, new security challenges must be mitigated constantly. That calls for reinforcing existing skills and learning new ones to counter the ever-changing risks in application development. Keeping up with the latest security advances also helps put you a step ahead of the bad guys.

What is the priority of software security in your organization? Please comment below.

November 16, 2012
