Vulnerabilities are the result of human error. Many don’t like it, but most web application security issues are the result of errors during the coding process.
It follows that the best approach to creating secure software is to do everything possible to avoid errors in the development process.
When we talk about training on the most common mistakes made by developers, we also say that many of these mistakes could easily be avoided by following the guidelines in various development guides, such as those from the Open Web Application Security Project (OWASP).
In these guides, the developer will find details on how to handle input validation, output encoding, access control, communication security, data protection, cryptographic practices, etc.
1. Failures in Education and Awareness
We mentioned above that developers are responsible for the vulnerabilities present in the code.
However, these vulnerabilities are not deliberately left in the code; what we see is that many developers do not have the knowledge needed to create secure code.
One of the problems we can identify is that even though universities focus on teaching the details of languages and how they should work, few if any have specific chairs for code security.
This point is even more evident when we have several generations of developers: the older ones were educated at a time when security was much less of a concern.
Therefore, to ensure that teams have a more even level of knowledge, it is necessary to create a leveling and education program so that everyone has the initial knowledge on the topic.
We talked about this a lot in our article about the importance of training.
However, a major problem is that the managers of development areas often do not see that the lack of proper education of their teams carries a very high risk within companies.
A developer without proper security knowledge can be trained and educated, but a manager who does not realize the importance of security in his day-to-day work will hardly understand the risks to which he is exposed.
Many managers assume that these professionals leave college with adequate knowledge to work with secure development; however, this is not true!
Certainly, we need to understand that no matter how good our developers are, we will always have new techniques and new attack methodologies, and this can only be solved with a constant training program.
Your developers will make mistakes, and this can be a great learning opportunity.
Do not keep development and security teams apart; they must work together and have common goals. These two teams can learn a lot from each other, and this knowledge and opportunity cannot be lost.
2. Lack of validation
Even if your developers are more aware and have more security knowledge, they will still make mistakes.
An experienced manager cannot simply rely on the knowledge of his developers to create secure code; that is not enough.
You need tools to help you identify possible flaws in your code.
In an ideal development model, we will have tools integrated into the development process and thus run code scans whenever the process moves through a stage.
We have already covered tools in secure development processes in one of our articles.
We believe that tools are necessary within the development process; however, we must not believe that they alone will solve our code security problem.
Even if you have a great code scanning tool, you will need a qualified and experienced professional to analyze and validate the results of the tool, which brings us back to the issue of training and education.
Although tests are carried out during the development process, it is necessary to carry out additional tests, which provide the certainty of an operationally secure application.
The goal is to create layers of protection for the software code, allowing coding errors to be identified and corrected quickly and as early as possible.
3. Late Tests
To achieve better code security, it is not enough for development to have implemented secure coding requirements or even to have secure coding guidelines, in addition to having built a test infrastructure.
The creation of secure code cannot be based only on the observance of some principles put forward as coding rules.
Secure code is also the result of a change in mentality and culture and, therefore, the best result will be achieved when the development team understands that thinking about security is also their responsibility.
Developers and their teams should not only feel that they are required to follow a set of rules or guidelines; they must primarily have a genuine interest in creating secure code.
Many teams assume that tests will be carried out, that other teams will be looking at the code for errors and/or flaws, and that they therefore do not have to worry about developing the code securely.
These teams need to understand that there is a process and that each of the steps directly or indirectly influences the others and this has an impact.
Assigning responsibilities can and should be assessed by managers.
This does not mean that we are going to punish developers, but it makes them more and more responsible for their code. This is achieved by making them the owners of the code: they have to understand it and think of it as their final product.
Don’t just rely on policies
After everything we have laid out here, we want you to realize that basing your code’s security on security policies alone won’t be the best possible solution, even if they are necessary.
Security starts with the right thinking when building applications.