With the cyberthreat landscape evolving by the day, it has never been more important for organisations to be developing and deploying secure software.

While cyber security platforms and defences remain critical, what is also required is secure code that can be free from vulnerabilities.

Achieving this, in turn, requires security-aware developers with verified security skills.

While the majority of developers say they are willing to champion security and commit to higher standards of code quality, they can’t do this without a lot of support, as well as a reworking of the traditional metrics by which they are often judged by their employers and organisations.

Why security isn't already prioritised

Coding best practices have continued to evolve over the years, in response to business needs and market trends.

In the past, most applications were created using the so-called Waterfall development model, where software engineers worked to get their code ready to meet a series of milestones or goals before moving on to the next phase of development.

Waterfall tended to support the development of programs that, having met all of the previous milestones along the way, were free from bugs or operational flaws by the time they were ready for the production environment.

But it was slow going, with sometimes 18 months or more between starting a project and getting to the finish line.

The Agile method largely replaced Waterfall, putting a much greater emphasis on speed.

And this was followed by DevOps, which is built for even more speed by combining development and operations together to ensure that programs are ready for production almost as soon as they clear the final development tweaks.

Putting speed over security, and nearly everything else beyond functionality, was a necessity as the business environment evolved.

In a cloud-based world where everyone is online all the time, and mobile transactions by the millions can happen every few seconds, getting software deployed and into the continuous integration and continuous delivery (CI/CD) pipeline as quickly as possible is critical for business success.

It's not that organisations don’t care about security.

It's just that in the competitive business environment that exists in most industries, speed is seen as more important.

And developers who can match that speed thrive to the point where it becomes the primary means by which their job performance is judged.

Now that advanced attacks are ramping up so dramatically, deploying vulnerable code is becoming a liability.

The preference is once again shifting, with security increasingly becoming the primary focus of software development, with speed a close second.

Bolting on security after the fact is not only dangerous, it also slows the process of deploying software.

That has led to the rise of programs like DevSecOps that attempt to merge speed and security together to help generate secure code.

But developers trained for pure speed can’t become security experts without a lot of help and support from their organisations.

What developers need

The good news is that most developers want to see a shift to secure coding and a reprioritising of security as part of the development process.

In a comprehensive survey, conducted by Evans Data, of over 1,200 professional developers actively working around the world earlier this year, the overwhelming majority said they were supportive of the concept of creating secure code.

Most also expected it to become a priority in their organisations.

However, only eight per cent of the respondents said that writing secure code was easy to accomplish.

That leaves a lot of room for improvement within most organisations' development teams, between what is needed and what it will take to get there.

Simply mandating secure code won't get the job done.

Development teams need training, support, and a change in how software engineers are valued and judged within their organisations.

The biggest thing that is needed is more and better training for them.

And it should be customised so that less experienced developers can begin their training by learning how to recognise the kinds of common vulnerabilities that often creep into code, with lots of hands-on learning and examples.

Meanwhile, more advanced developers who demonstrate their security skills can instead be tasked with things like advanced threat modelling concepts.

Teamwork should also be emphasised so that the developer community can help one another grow their skills.

Skilled and willing developers who know security should be appointed as security champions.

Their responsibility as a champion will be to help fellow developers improve their skills.

And while a security champion is almost always an informal title, they should be given the respect, rewards, and compensation that such an important position deserves.

There are some key steps that organisations need to undertake to improve the security of the code their developers are producing.

As well as providing access to training, and allowing sufficient time to complete that training, organisations also need to review the way their developers are judged.

The key metric needs to shift away from raw code performance and focus on the levels of security being achieved.

Producing insecure code can no longer be regarded as an acceptable risk.

Most developers understand the importance of producing secure code.

They just need proper support and guidance to ensure that they can do it.
Matias Madou is cofounder and CTO of Secure Code Warrior.