Metaphorically looking over the shoulder of the developer making "Tut, tut" noises isn't the way to do this. The 'cost' of writing non-secure code needs to go up for developers. Security reviews should be built into the development cycle, and developers encouraged to make the review process as frictionless as possible by getting it right first time. I'm a fan of threat modelling as a way of getting devs and security to work together:
According to a survey: “68% of the security professionals surveyed believe it’s a programmer’s job to write secure code, but they also think less than half of developers can spot security holes.” And that’s a problem.
Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. Roughly half of security professionals said they most often found bugs after code is merged in a test environment.
At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, “It’s a mess, no standardization, most of my work has never had a security scan.”
Another problem is it seems many companies don’t take security seriously enough. Nearly 44% of those surveyed reported that they’re not judged on their security vulnerabilities.