Wednesday, May 8, 2013

Secure Coding

Development is a passion of mine.  I've been involved in the development world nearly all of my professional career.  It wasn't until recently that I became aware of the topic of developing secure code.  This seems like a topic that all developers should have at the forefront of their mind but I don't think that's the case.  Most of the time developers develop to solve a task without taking into consideration secure development techniques.  I think this is mostly due to lack of time or lack of knowledge.

When developing applications, especially web applications, it is imperative that developers are aware of security topics such as cross-site scripting, SQL injection, and buffer overflows, and of how the lack of secure development standards can open the door for an attacker to exploit your software using one of those methods.  Secure development techniques will become increasingly important as more and more applications move to cloud environments and are accessed by end users via the browser.

So the question becomes: how do you protect yourself from attack by not introducing vulnerabilities into your environment?  The simplest answer is to become aware of sub-par code.  There are multiple methods of doing this, and most utilize tools such as Fortify.  Using automated build procedures, such as a combination of Maven and Jenkins, will allow development teams to seamlessly scan their code at build time.  The results of these scans are reports identifying the weaknesses in your code.  Another method of locating vulnerabilities is to TEST.  Many times testing falls through the cracks, but it's so incredibly important, not just for identifying logic errors within the code but also for locating vulnerabilities.
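To make the point about testing concrete, here is an added example (not code from the original post) showing in Python what a test that looks for vulnerabilities rather than logic errors can look like: a query built by string concatenation and an unencoded HTML template sit beside their hardened forms, and two small checks flag the vulnerable variants. The sqlite3 table, the function names and the probe inputs are all constructed for this example.

```python
import sqlite3
import html

def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_unsafe(conn, name):
    # Vulnerable: untrusted input is concatenated into the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    # Hardened: the driver binds the value, so it can never become SQL syntax.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def render_greeting_unsafe(name):
    # Vulnerable: untrusted input is placed into markup without encoding.
    return "<p>Hello, " + name + "</p>"

def render_greeting_safe(name):
    # Hardened: HTML-encode the value before it enters the markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def lookup_widens_results(lookup):
    """Security test for SQL injection: a lookup by one name must never
    return more rows than a lookup for a name that exists.
    Returns True when the lookup function is vulnerable."""
    conn = make_db()
    baseline = lookup(conn, "alice")
    # Constructed probe: a closing quote followed by an always-true condition.
    probe = lookup(conn, "x' OR 'a'='a")
    return len(probe) > len(baseline)

def output_contains_raw_tag(render):
    """Security test for cross-site scripting: rendered output must not
    contain a raw tag taken from the input. Returns True when vulnerable."""
    return "<script>" in render("<script>")
```

Wired into a build as a unit test, the two check functions turn a vulnerability into a failing build, which is the same feedback loop the post describes for scanner reports.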
