Applications are one of the most overlooked components of an organization's security posture. While more tools and techniques have emerged in the last few years to help with application security, developer education is still lacking.
Your developers are an integral part of your security system. Applications they create and deploy in your environment are critical assets and primary gateways for exploitation. As such, development staff must understand the security standards and the protection architectures your organization expects them to adhere to.
Organizations that give developers training on security processes and expectations stand a good chance of getting their developers to meet them, assuming those expectations are realistic and manageable. But meeting current standards and best practices is only part of the picture, and it is likely to protect your applications only against the threat vectors that are known today.
My assertion is that organizations must take it a step further. They must actually teach development and application quality staff about information security attacks. These bright folks must get some experience attacking applications, having their applications attacked and being a part of the process. By doing so, they will begin to understand more thoroughly how application attacks work. They will begin to integrate defensive mechanisms into their code. They may even come up with something to help protect against new forms of attack and new vectors that others have not yet identified. That is the real reward, when bright folks move beyond meeting the standards and into creating new and better practices!
We need a lot more of this. Therefore, I urge you to put your development staff through a bit of training. Get them some tools like code scanners, application fuzzers and other attacker/research tools and find a way to integrate them into the development and quality control processes. That may be the key to making all code more secure.
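As an added illustration of what "integrating a fuzzer into the quality control process" can look like in practice (this is example code written for this page, not a tool or code from the original author), the block below fuzzes a small length-prefixed record parser from inside an ordinary test harness. The record format, the naive and hardened parsers, the seed corpus and the mutation strategy are all constructed for the example. The harness reports two kinds of findings a developer would learn from: an unhandled exception on malformed input, and input that the parser accepts even though the declared lengths do not match the payload.

```python
"""Minimal mutation-based fuzz harness for a [u16 length][payload] record parser.
Constructed example: the format, both parsers and the seed corpus are hypothetical."""
import random
import struct


class MalformedInput(ValueError):
    """Raised by the hardened parser when the input does not match the format."""


def parse_records_naive(data: bytes) -> list:
    """Parse big-endian [u16 length][payload] records, trusting the declared length.
    Two defects a fuzzer finds quickly:
      - a trailing fragment shorter than 2 bytes makes struct.unpack_from raise
        struct.error, i.e. an unhandled crash on attacker-controlled input;
      - a declared length larger than the remaining bytes is silently truncated,
        so the caller receives a record shorter than the sender declared."""
    pos, out = 0, []
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        out.append(data[pos:pos + n])
        pos += n
    return out


def parse_records_hardened(data: bytes) -> list:
    """Same format, but every length is checked against the bytes actually
    present and every violation is reported as a defined MalformedInput."""
    pos, out = 0, []
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedInput("truncated length prefix at offset %d" % pos)
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if len(data) - pos < n:
            raise MalformedInput("declared length %d exceeds remaining %d bytes"
                                 % (n, len(data) - pos))
        out.append(data[pos:pos + n])
        pos += n
    return out


def encode_records(records) -> bytes:
    """Serialise records in the same format; used to build the seed corpus
    and as the round-trip oracle inside the fuzzer."""
    return b"".join(struct.pack(">H", len(r)) + r for r in records)


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """One random mutation: truncate at a random point, overwrite one byte,
    or insert one random byte."""
    b = bytearray(seed_input)
    choice = rng.randrange(3)
    if choice == 0 and b:
        del b[rng.randrange(len(b)):]
    elif choice == 1 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    else:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)


def fuzz(parser, iterations: int = 2000, seed: int = 1):
    """Feed mutated inputs to `parser`. Returns (input, description) for the
    first finding, or None if no finding occurs within `iterations` runs.
    A MalformedInput is the expected, defined rejection and is not a finding."""
    rng = random.Random(seed)
    corpus = [encode_records([b"hello", b"", b"world!"])]  # constructed seed input
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            records = parser(sample)
        except MalformedInput:
            continue
        except Exception as exc:  # any other exception is an unhandled crash
            return sample, "crash: %r" % (exc,)
        # Oracle: accepted input must round-trip exactly, otherwise the parser
        # silently accepted records whose declared length did not match the payload.
        if encode_records(records) != sample:
            return sample, "accepted input with length/payload mismatch"
        corpus.append(sample)  # accepted inputs become new mutation seeds
    return None


if __name__ == "__main__":
    for name, parser in (("naive", parse_records_naive),
                         ("hardened", parse_records_hardened)):
        print(name, fuzz(parser))
```

Wiring `fuzz(parse_records_hardened)` into the project's normal test suite, with a fixed seed so that a failure is reproducible, turns the fuzzer into a regression check rather than a one-off exercise. The round-trip oracle is the part worth copying: crash detection alone would never have revealed the silent-truncation defect, which is the kind of bug a developer only starts looking for after seeing their own parser attacked.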