So, in light of this, it is a wonder that software security is still not a top priority for software companies, nor is it being taught in computer science courses, as a recent study found. Ask the recent computer science graduates, ISTQB certified QA testers and senior developers you work with whether they were introduced to software security during their education or on the job. Chances are they have had little to no security training.
The answer has to do with an outdated view of software development education, and with underestimating how much security training thorough application security requires. Software security, as we have learned, is a practical matter that affects everyone.
But software education mostly neglects even basic security concepts. The main concern in programming education is teaching students to write code that works. While testing is taught more often than it used to be, the testing that is taught usually stops at functional testing: does correct input produce the correct output? Security testing asks a different question: what does the code do with input that was crafted to make it misbehave? As awareness of software testing becomes more common, there should be an equal push for awareness of software security concerns.
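The difference between the two kinds of tests is easiest to see on code. The following is an added example, not code from the original post or from Checkmarx: a user lookup written twice, once by building the SQL string by hand and once with a bound parameter, plus the two checks a tester would run against each. The table contents and the injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def find_email_vulnerable(conn, name):
    """Builds the query as a string, so the caller's input becomes SQL."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query).fetchall()]

def find_email_safe(conn, name):
    """Binds the name as a parameter; the database treats it as data only."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]

def functional_check(lookup):
    """The test usually taught: a known user yields the expected email."""
    return lookup(make_db(), "alice") == ["alice@example.com"]

# Classic injection payload: closes the string literal and appends a
# condition that is always true.
INJECTION = "x' OR '1'='1"

def security_check(lookup):
    """Hostile input must not widen the query; no user is named like this."""
    return lookup(make_db(), INJECTION) == []

def handles_quote(lookup):
    """A legitimate name containing a quote must not break the query."""
    try:
        lookup(make_db(), "o'brien")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    for lookup in (find_email_vulnerable, find_email_safe):
        print(lookup.__name__,
              "functional:", functional_check(lookup),
              "security:", security_check(lookup),
              "quote:", handles_quote(lookup))
```

Both implementations pass the functional check, which is why a course that stops there never sees the difference. Only the security check exposes that the string-built version returns every email in the table for the injected input, and the quote check shows that the same flaw is also a plain functional bug: a real name with an apostrophe crashes it.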
As mentioned earlier, there is an urgent need to make software security courses a top priority in computer science curricula, as well as in the professional programming and quality assurance training given at software companies. Companies need to provide on-site security training for employees and to build security considerations into the SDLC from the start, rather than bolting them on before release.
Dynamic testing, penetration testing and static code analysis must also become an essential part of the development process at any company that intends to survive in this age of insecurity. They are complementary rather than interchangeable: static analysis finds flaws in code that is never executed during a test run, while dynamic and penetration testing find flaws that only appear once the application is deployed and configured. Security tools that integrate with an organization's existing tools and processes are best suited to a scalable and agile application security program.
To summarize, as software development and application usage have skyrocketed in recent years, the number of security breaches in those applications has followed the same trajectory. As a result, security must be taken seriously and become an integral part of software design, development, testing and maintenance. That is how we make the software the world depends on more secure, one step at a time.
Take care – and secure your code.
This blog is the first of our "Checkmarx Professionals Blogger" series. The series introduces additional points of view on application security from the perspective of the professionals on the ground who build, test and analyze software on a daily basis. It will include posts written by Checkmarx security researchers, developers, QA engineers and even business representatives.
The first post is written by Andrei Cheremskoy, a Checkmarx QA Engineer.
By day, Andrei is a testing engineer and by night he ‘tests’ popular science books and articles on computing and creativity.