In my experience, I have found that almost 95% of application developers lack application security skills and at times, tend to complete their journey without knowing much of the security technologies and related skills. Ask them if they wrote secured code, and almost in 90% of cases, they may say “don’t know” or say, “yes, wrote parameterized queries”.
I talked to some of the developers at different experience levels and found some of the following as their answers:
- Use secured frameworks, so why bother?: Well, frameworks that are used for application development takes care of security aspects. So, we rely upon these frameworks for security concerns and not pay much attention at the time of development.
- I don’t have enough time: Some of them said that they do not get enough time for paying attention to security concerns after writing code for business functionality and unit testing.
- I don’t have enough skills: Some of them said that they are not aware of what does it take to write secured code. More so, they are unaware of when to start planning for security while doing application development? This is primarily attributed to lack of security awareness and related training across the organization.
- That’s not my job: Some of them said that that’s not their job. Their company has hired a set of security officers to conduct application security planning including architecture & design considerations, development best practices, code review and testing.
- Unclear security requirements: Some of them interestingly pointed that they do not come to know about clear security requirements and this is why it goes unaddressed/unnoticed.
- I don’t have hacker’s mindset: Few of them also said that even if they learn the tips & techniques, they do not think they have enough skill & time to think like a hacker and plan for application security.