The growth of the internet – and the commercial opportunities it presents – is bringing with it an explosion in software application development. Alongside this, comes the ever-present threat from hackers who are quick to find new ways to stay ahead of web-based security controls and wreak havoc.
Clearly, cyber security is a serious issue for software application providers as well as end users. While leading software developers such as Unisys and Microsoft are taking steps individually to ensure that the end users of their software solutions enjoy maximum protection, as yet no mandatory, global industry standard exists. As a result, secure coding is too often an afterthought and rarely an integral part of the software development process.
Until an industry standard for secure coding is established, software developers must take the lead by building security into the development process, reducing the risk that code vulnerabilities lead to cyber attacks, malware infection, system disruption and data theft. They should integrate security rules and technology into the code from the start, and a thorough security test procedure should be an integral part of the tests performed throughout the software development life cycle.
More education is needed
As a rule, security expertise within the industry is relatively low. Most training modules don’t address the topic, so knowledge tends to be limited, learned on the job and confined to the cyber attacks the developer has confronted in the course of his or her career.
This lack of education and expertise is compounded by industry practice. Few companies or government organizations have a secure coding policy or associated training modules. As a result, secure coding tends to be secondary to the delivery of the application and – with developers under pressure to get products to market as quickly as possible – is often a casualty.
Secure coding will become the norm only when there are official quality standards and a quality certificate attesting to the security of application code. Companies and governments will then demand these standards for development assignments and for purchases of existing applications. Education has a key role to play in teaching these standards and in spreading them afterwards.