In recent years, the mobile and cloud computing revolution has brought to light a serious issue affecting both organizations and individuals: software security.
Every day we hear a new story about some website or application being penetrated, releasing sensitive information that is then sold, abused, and exploited. As a consequence, companies lose their credibility (along with suffering hefty financial losses) and customers lose their trust in companies’ ability to secure their personal information.
So, it’s a wonder how, in light of this, software security is still not a top priority for software companies – nor is it being taught in computer science courses, as a recent study found. Ask the recent computer science graduates, ISTQB-certified QA testers or senior developers you know whether they were introduced to software security during their education or through their work. Chances are, they’ve had little to no security training.
How is this still happening?
The answer has to do with an outdated view of software development education and an underestimation of the security training that thorough application security requires. Software security, as we’ve learned, is a practical matter that affects everyone.
But software education mostly neglects even basic security concepts. The main concern during programming education is teaching the importance of code that works. While testing is being taught more often, it usually skips over security testing. As awareness of software testing becomes more common, there should be an equal push for awareness of software security concerns.
How can we change the status quo for software security?
As mentioned earlier, there is an urgent need to make software security courses a top priority in computer science curricula, as well as in the professional programming and quality assurance training given at software companies. There is a great need to provide on-site security training for employees and to incorporate security considerations into the SDLC from the start.
Dynamic testing, penetration testing and static code analysis must also become essential practices at any company that intends to survive in this age of insecurity. Security tools that integrate with an organization’s existing tools and processes are best suited to a scalable and agile application security program.
Where do we go from here?
To summarize, as software development and application usage have skyrocketed in recent years, the number of security breaches in those applications has followed the same trajectory. As a result, security must be taken very seriously and become an integral part of software design and development, testing and maintenance. This way we’ll be able to make the world a cyber secure place, one step at a time.
Take care – and secure your code.
This blog post is the first in our “Checkmarx Professionals Blogger” series. This series introduces additional points of view on application security from the perspective of the professionals on the ground who are building, testing and analyzing software on a daily basis. The series will include posts written by Checkmarx teams such as security researchers, developers, QA engineers, and even business representatives.
The first post is written by Andrei Cheremskoy, a Checkmarx QA Engineer.
By day, Andrei is a testing engineer and by night he ‘tests’ popular science books and articles on computing and creativity.