To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What do developers need to keep in mind with regards to application security?” Here’s what they told us:
- Developers should focus on security that requires human thinking, such as abuses of business logic. Developers should not worry about technical security issues in the same way that they do not worry about memory management or garbage collection.
- When the security team does show up to keep the company, data, and app safe, developers should cooperate with security and teach their security counterparts about how fast they move now. Reach more customers, make more money, provide a better customer experience. Care enough about security and teach security about how to be effective in the developer’s world.
- Accept responsibility and don’t shove it off to “the security people.” For every 100 developers, there’s one security guy. That won’t scale. It would behoove developers to leverage the plethora of security tools that plug directly into their IDE and CI systems. Cybersecurity training and awareness is important but is not enough by itself. Another powerful technique is explicitly addressing security during spring planning— so-called Evil User-Stories that focus on remediating a security vulnerability during feature design.
- Developers need to take a holistic view of security in the application. Viewing security as an add-on, plug-in or afterthought could have disastrous consequences. Developers also need to understand how application data flows through a network. The path traffic takes can have serious ramifications on the secure operation of an application.
- You can teach best secure programming, deployment, and ops practices, but it is useless until they adopt the services companies are providing. Developers are paid to deliver functionality on time and on budget. Until security is part of their job description, it will be ignored.
Here’s who shared their insights:
- Erik Costlow, Developer Relations, Contrast Security
- James McClay, Product Manager, Cybera
- Doug Dooley, COO, Data Theorem
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs