Today’s threat landscape is constantly changing, and now more than ever, organizations and businesses across all industries have an urgent need to consistently produce and maintain secure software. While certain verticals, such as the financial sector, have been subject to regulatory and compliance requirements for some time, we are now seeing increased attention to cybersecurity best practices at the highest levels of government, with the US, UK and Australia recently highlighting the need to build security into every stage of the SDLC.
Despite this, attackers are constantly finding new ways to circumvent even the most advanced protections and defenses. For example, many have shifted their focus from delivering malware to compromising APIs or launching targeted attacks against the supply chain. And while these sophisticated attacks are becoming more frequent, simpler exploits like cross-site scripting and SQL injection still occur, and both have plagued defenders for decades. Last month, a critical SQL injection vulnerability was reported in the WooCommerce WordPress plugin, with a severity rating of 9.8/10.
It is clear that while cybersecurity defenses and platforms are essential components of protection against modern attacks, it is equally essential that the code itself be deployed without exploitable holes. That requires a deliberate and committed raising of secure coding standards, driven by security-conscious developers.
Many developers say they are willing to advocate for security and commit to higher standards of code quality and secure output, but they cannot do it alone. We cannot ignore what developers need in order to combat common vulnerabilities: the support of the right tools and training, as well as a rethink of the traditional metrics by which employers and organizations evaluate them.
Why most developers haven’t prioritized security?
What it takes for developers to really make an impact on vulnerability reduction
The good news is that most developers would love to see a transition to secure coding and would welcome security being prioritized as part of the development process. In a comprehensive survey conducted by Evans Data of more than 1,200 active professional developers around the world earlier this year, the vast majority said they support the concept of secure code generation. Most also expect it to become a priority in their organization. However, only 8% of respondents said that writing secure code is easy to do. That leaves a wide gap in most organizations’ development teams between what is needed and what is in place to achieve it.
Simply mandating secure code won’t get the job done, and without the effort to develop the right skills and awareness, such a mandate will seriously disrupt developers’ workflow. Development teams must work in an environment that fosters a security mindset and a culture of shared responsibility.
The biggest thing developers need is better training, followed by tools that make secure coding an integral part of their workflow. The curriculum should be tailored so that less experienced developers can start by learning to recognize the common types of vulnerabilities that often creep into code, with plenty of lessons and real-world examples. Meanwhile, more advanced developers who have demonstrated their security skills may instead be tasked with handling more complex bugs and possibly even concepts such as threat modeling and advanced threat intelligence.
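The two "simple" vulnerability classes named above, SQL injection and cross-site scripting, are exactly the kind of thing the introductory curriculum described here should teach developers to recognize. The following is an added example, not code from the original article or from any survey or vendor it mentions: it puts a vulnerable query and a vulnerable HTML template beside their hardened forms, using Python's standard sqlite3 and html modules with a constructed in-memory table. The table contents and the attacker payloads are invented for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demo (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    """SQL injection: user input is spliced into the statement text itself."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """Parameterized query: the value travels separately from the statement,
    so it can match a name but never change the WHERE clause."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflected XSS: untrusted input is written into HTML unescaped."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Contextual output encoding: html.escape neutralizes tag and attribute
    delimiters so the browser renders the input as text."""
    return f"<p>Hello, {html.escape(name)}!</p>"


# Constructed attacker inputs for the two bug classes.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both pairs side by side and return the observable difference."""
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(lookup_user_vulnerable(conn, SQLI_PAYLOAD)),
        "sqli_safe_rows": len(lookup_user_safe(conn, SQLI_PAYLOAD)),
        "sqli_safe_normal_rows": len(lookup_user_safe(conn, "alice")),
        "xss_vulnerable_has_tag": "<script>" in render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_safe_has_tag": "<script>" in render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injected payload turns the vulnerable lookup into `WHERE name = '' OR '1'='1'` and dumps every row, while the parameterized version returns nothing for the same string and still finds "alice" on a normal call. The same pattern applies to XSS: the fix is not input filtering but encoding the value for the context it is written into.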
In addition to funding and supporting training programs, including giving developers enough non-coding time to participate in them properly, organizations also need to change the way they evaluate their teams. The main metric for rewarding developers should move away from raw speed. Instead, evaluations should reward those who create secure code free of vulnerabilities. Yes, speed can still be a factor in the assessment, but above all the code must be secure, and modern development must chart a path where security at speed is no longer a myth.
Shipping insecure or vulnerable code is not an acceptable business risk, and bolting on security after the fact is becoming less and less effective.