Today’s threat landscape is constantly evolving, and now more than ever, organizations and businesses in every sector have a critical need to consistently produce and maintain secure software. While some verticals – like the finance industry, for example – have been subject to regulatory and compliance requirements for some time, we are seeing a steady increase in attention on cybersecurity best practices at the highest levels of government, with the US, UK, and Australia all shining very recent light on the need for secure development at every stage of the SDLC.
Despite this, attackers are constantly finding new ways to bypass even the most advanced protections and defences. For example, many have shifted their focus from delivering malware to compromising APIs or launching targeted attacks against the software supply chain. And while those high-level incidents are happening with much greater frequency, so too are simpler exploits like cross-site scripting and SQL injection, both of which have been a scourge on cybersecurity defences for decades. Just last month, a critical SQL injection vulnerability was reported in a WooCommerce WordPress plugin, with a 9.8/10 severity rating.
It’s becoming apparent that while cybersecurity platforms and defences are critical components in defence against modern attacks, what is truly needed is secure code that can be deployed free from vulnerabilities. And that requires a deliberate and committed lift in secure coding standards, actioned by security-aware developers.
Many developers say they are willing to champion security and commit to higher standards of code quality and secure output, but they can’t do it alone. We cannot afford to ignore developer needs in the fight against common vulnerabilities: they need the support of right-fit tools and training, as well as a reworking of the traditional metrics by which their employers and organizations often judge them.