Your code is powerful, clever, and elegant—but is it secure?
More than ever, code makes the world go 'round. From smart home thermostats to critical infrastructure to integrated clinical environments in hospitals, code runs so much of what touches our lives every day. Sometimes we are explicitly aware that we are interacting with software but increasingly we are not—code runs quietly amid the people, objects, and experiences that shape our lives and the broader world we share.
Your code is powerful and so are you: the quality and security of the code that you put out into the world ripples out to affect individuals, organizations, nations. When you consider the reach of your code it is clear that to deliver quality code you must deliver secure code.
As the pressure to deliver software to the market quickly has increased so too have the scope and severity of the risks posed by insecure applications. For example, 85% of all applications we scanned in a recent 12-month period had at least one vulnerability in them, and more than 13% had a critical severity flaw. The most common flaws found are some of the most easily exploited: SQL injection flaws are present in nearly one in three applications and cross-site scripting vulnerabilities are present in nearly half of applications tested.
It’s not all gloom and doom, we promise. Here’s some sunshine for you: writing secure code does not take longer than writing insecure code. Sit with that idea for a few seconds. This assertion might seem counterintuitive as you consider the pressure to ship code more and more quickly, but taking the time to address security early and often in the development process will get you to shipping quality code faster. A minor flaw left unaddressed early in the software development lifecycle becomes a tangled mess the longer it persists. Unraveling that tangle is neither simple nor quickly done. Finding and fixing flaws early on is an easier path for teams working hard to deliver functional, high quality code to the market.
But where to start? If writing secure code seems like a steep climb, you are not alone. Many developers—most developers in fact—are not introduced to secure coding principles while they are learning to build software.
More good news: developers of all stripes, whenever and however they started coding, have this in common: intellectual curiosity. You are the tinkerers, problem-solvers, and lifelong learners who started with your first line of code and have never stopped wondering, perfecting, and learning. Coding is a craft and your years of coding have all been about mastering something new and then doing that again and again and again—across new languages, frameworks, and approaches to development.
For many developers writing secure code is brand new and yet it has undeniably become part of the process of mastering your craft. A first step is educating yourself on basic secure coding principles and beginning to put these principles into practice every day. In doing so you join developers the world over who are tinkering, learning, and growing—united by their shared commitment to put the best possible code out into the world. As you find and fix flaws, you will be learning as you go and writing more and more secure code. Along the way you will notice that you are introducing fewer and fewer flaws into your code to begin with. Fewer messy tangles to pull apart later on. And your team will benefit too. As you build your security knowledge, you will be helping your peers by spotting flaws during code reviews when they are easier to fix. You will be measurably shifting the security of your applications just by starting where you are.
So wherever you are in your own learning process, we offer this toolkit of resources to help you and your team along your path to writing amazing code.
Secure Coding Best Practices Handbook
What Developers Don’t Know About Security But Should
5 Principles for Securing DevOps
Vulnerability Decoder Infosheets:
Improper Error Handling
Broken Access Controls
Insecure Open Source Components
Out of our close work with developers over many years has grown a range of developer-focused resources for learning to code more securely. Beyond the secure coding toolkit, we offer many learning resources—developer training, remediation coaching, the Veracode Community, and Greenlight, Veracode’s IDE- or CI-integrated continuous flaw feedback and secure coding education solution.