The landscape of application software development is undergoing rapid transformation. New platforms for server and client, new development tools, new languages, newfound status, and new deployment methodologies mean the already quick pace of change has gotten faster. In the meantime, developers must learn to chart this new course while building in and maintaining secure coding standards.
Despite increased public awareness of the repercussions of delivering insecure software, developers are still trying to reconcile their competing priorities. According to the recent Information Week App Dev Priorities Survey, only 25% of developers report having a corporate policy on secure coding standards that is actually enforced. Additionally, application developers have been taking on the responsibility of security despite this not being their primary expertise. This leads to questions on how development organizations can enable their teams to automate and embed security into their coding practices without negatively impacting productivity and product delivery timelines.
The good news is that there are opportunities for developers to rethink how they develop software and address security. Many respondents in the survey indicated a shift to Agile development – a methodology that promotes incremental improvement, simplified development cycles, and faster turnaround for security fixes. Another growing movement discussed in the survey, DevOps, encompasses the concepts of Continuous Integration and Continuous Delivery, which also support the shift to more automated delivery cycles.
Perhaps the one area that poses a challenge to developers is the reliance on open source and other third-party components with varying levels of security. While developers are aiming to speed up the development process, they will need to establish best practices to identify known vulnerabilities in such open source components and frameworks. The fact that 80% of respondents suggested that security is on their radar in some form is good news. However, there is still work to be done for developers to adopt and automate secure coding standards across their organizations while rapidly developing and delivering software applications.