For years there has been a gap between software developers and application security practitioners. On one side, developers seek to keep their work efficient, delivering market-capturing software swiftly. On the other side, application security seeks to ensure that all applicable privacy constraints are met and that data is protected, which may slow the development process.
According to ESG Master Survey Results: Modern Application Development Security, forty-eight percent of organizations push vulnerable code into production. Forty-five percent say it’s because the vulnerabilities were discovered too late in the cycle to resolve them in time.
It’s not enough to test and fix code at the end of the development pipeline. Too many security flaws survive the process and make their way into production. Application security must dive deep into the heart of the development process, starting the moment developers first touch their keyboards.
But developers see application security as a roadblock to timely software delivery. They don’t feel they have the skillset or the person-hours to take on application security. They want the security organization to address it without adversely affecting their work.
Thirty percent of respondents said that ensuring that business-critical applications arrive without vulnerabilities was the top challenge. Secure coding prevents those vulnerabilities. But security needs to coax developers along in a way that makes writing secure code palatable for them. Security needs to expose developers to the philosophy of secure coding and its many benefits.
Fortunately, a culture shift is underway to unite developers and security. The new culture maps a common destination for both groups to inject security into applications painlessly. Secure coding is the destination.
The whitepaper Secure Coding Culture Playbook shows a way to address the challenges teams may face as they navigate their way to a secure coding culture.