5 problems with securing applications
The question is not whether vulnerabilities exist in your application — they do. The real question is simply which happens first: will attackers exploit them, or will you fix them?
However, doing that can sometimes be easier said than done. For many companies, getting started on securing their application is riddled with logistical and practical challenges.
Download Ted's free ebook, "How to secure your software faster and better."
#1: Developers juggle many priorities
The first problem you might encounter relates to your developers’ priorities. Your developers juggle many priorities, and security is just one. Yet, usually, the top levels of leadership determine which priorities to emphasize. Nevertheless, developers are expected to keep things secure, even if it’s not made a top priority for them. That’s a lot to deal with!
When leadership doesn’t understand or prioritize security, your developers simply can’t allocate sufficient time to it. As a leader, it’s up to you to make sure your developers are empowered to prioritize security and devote a sufficient amount of time to its implementation. Otherwise, they won’t have enough bandwidth to protect your applications.
The best way to deal with this is to ensure that the top levels of leadership at the company understand the core principles of security. A good way to do that is to make sure that the right type of security testing is being done in order to give the appropriate information to leaders so they can make good decisions.
#2: Security usually isn’t a developer’s specialty
Your developers might understand the importance of security, but for most developers, security isn’t the primary focus of their training.
Developers are usually brilliant people trying to build clean, efficient, effective code. However, they’re not always thinking about how to break it. By contrast, attackers spend every waking minute studying how to break that clean, efficient, effective code.
The best way to deal with this is to hire security specialists internally or externally (or ideally, both) to lead your security effort in partnership with your developers.
#3: Deadline pressure causes security to be postponed
Another problem companies often face is the clash between security and deadlines. Companies tend to believe that security slows down development, while at the same time there’s tremendous pressure to hit release dates. Security is often seen as something that causes delays in hitting release milestones and overall makes lives harder for developers. It’s often also seen as something that can be deferred to later.
As a result, security tends to get postponed. However, this just causes regressions and rework later. It makes things harder and more expensive in the long run.
It’s a lot easier than most people realize to build security into the development process. For every development action, there is a security action too. Take it. You already have the right people in the right room, having the right conversations, just expand those conversations to include security as well. The more involved aspects (such as security testing) are done by your security partner anyways, so they don’t drag on your own engineering resources.
#4: Security talent is scarce
Another problem you might face is the scarcity of security talent. There simply aren’t enough skilled security professionals to meet the extreme demand for them.
Why the shortage? Security requires a highly specialized skill set, and formal education is not yet optimized to train enough workers with the necessary skills. Most programs treat security as an area of interest, rather than a core discipline. Also, security requires extensive, real-world experience that cannot be found in the classroom.
To deal with this problem, partner with an external security consulting firm while you gradually grow your in-house team. Eventually you want to have both in-house and external security expertise, and by partnering first, you can overcome the talent shortage simply by hiring an external firm.
#5: Security is never done
Lastly, many companies treat security like a short-term annoyance to deal with before getting back to other things. However, the truth is that security is never done — it’s an ongoing process and an investment in your company.
Change is the only constant. As technology shifts, so too does the security model. Software development itself is changing.
To succeed with your security efforts, acknowledge that security is a permanent part of your operating processes and expenses. Treat (and fund) it like an investment to maximize, rather than a tax to minimize. Deal with change through regular security assessments of your software system. The right cadence for most companies is every 3-6 months (rather than the every 1-2 years that most people do).
Overcome security challenges
As a leader of ethical hackers, I’ve been in the trenches with many people battling these same challenges: misplaced priorities, capabilities limitations, shortage of talent, deadlines and relentless change. I understand why you might think security is a headache, but in reality, security is your best friend.
Investing in security is not just the right thing to do; it also delivers a competitive advantage for your business. Proving that you’re secure in the face of unknown threats is exactly how you earn the trust of your customers. That leads to more sales, more customers and more market share. It’s how you become a leader in your field.
Security requires time, attention and money to do right, but if you can overcome the inherent problems that most people face, you’ll build better, more secure software systems and obtain a competitive advantage.
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- 5 problems with securing applications
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security