Software Engineers x Security

I continue to find this take controversial for certain people. Some feel that security is too much of a hassle to worry about. I personally think that software engineers are fully responsible for ensuring they create a safe and secure application. Imagine you had an electrician do some wiring in your house and he said that he’s not responsible for covering up any live wires or doing earthing. How would you feel?

I’d love to hear everyone’s take on this subject.

1 Like

This is a point that really shouldn’t be controversial. We live in a time when organisations and individuals are under constant threat of attack, so as developers, we should be incorporating at least basic security principles into our application design and implementation, because as we all know, security can’t be bolted on after the fact.

But the reality is that security isn’t currently a first-class citizen in the syllabus of most software dev pathways, so it’s not something that many developers are trained to take into account.

1 Like

That is a sad reality to be honest. It would have been nice if this was regulated, like a standardisation for training courses. Of course, it can only do so much given that the internet is porous and there’s lots of free content put up by practically anyone. But it might be a step in the right direction?

What do you think might help counter this problem?

I don’t think there’s a singular solution, but there has to be more effort from academic institutions and training organisations to make security be seen as a more fundamental part of the development process. Existing employers could invest more in cybersecurity training and validation, while as individual developers, we can learn more about secure programming alongside other principles like testing, decoupling, etc.

1 Like

I think increased pressure on companies at the Board level will drive a “Shift-Left” mentality when it comes to application security. Bigger fines and harsher punishments from various industry regulators, insurance firms and from Governments will force business leaders to demand that security is built into products.
Until then software teams will continue to prioritise shipping features without as much care for security.

1 Like

Actually a very good point — and I guess that is starting to happen already. But when we see high-profile incidents like the recent supply chain attacks on SolarWinds and Kaseya, these must undoubtedly be prompting action on the part of industry stakeholders, right?

It is starting to happen but not as quickly as it should IMO.

The current fines and penalties are not big enough or severe enough to prompt said business owners to prioritise app-sec. With most traditional businesses, the decision is risk-based: “Cost of Breach” vs “Cost of Fine”. In most cases the cost of the fine is far less than the cost of clean-up.

The era of “Digital Transformation” plus a lot more “Digitally Savvy” clientele is slowly bringing about a shift in this mentality. The “cost of breach” now includes losing customers and the real potential of a business going under due to negative perceptions in the market.
From my experience, high-profile incidents only cause short-term panic and then it’s back to normal for most businesses. It always goes back to that “cost of breach” vs “fines”.

I do like how governments worldwide are starting to look at private business cybersecurity as part of national security. Let’s see what impact this has on shifting security left.

1 Like

Definitely resonate with this! My company really only started paying attention to security because of client requirements and compliance reasons.

Every now and then I get the: “Let’s definitely make sure we are secure, but let’s do the most minimal thing we can possibly do”. Most companies are like this; once they’ve ticked the boxes on compliance, they just hard-press the brakes.

I’m definitely looking to see how governments will begin to impact this mentality.

On a side note, is it just me or do compliance assessments often seem too easy to pass? I’m saying this having sat through ISO 27001 audit sessions as well as listened to others’ experiences.