I’ve been a part of several development organizations, and, for several of those teams, security was an afterthought to the development process. We’d secure databases and even implement field-level encryption, but we rarely had to consider many attack vectors: we were building internal apps for enterprises, so the risks were there, but not as great.
Fast forward to the Mobile First world we live in, and that lazy attitude is no longer acceptable. S&R teams have real concerns and actively work to protect their computing environments – both internal-facing and external-facing. Development teams work the other side of that and implement secure code as part of their daily activities (right?). With an appropriate level of trust between the two organizations, many use code scanning utilities to verify delivered code and hunt for vulnerabilities. There are many sources of vulnerabilities: they can come from code written by the company’s developers, code pasted in from Stack Overflow, or code added through some third-party or open source library. In my experience, static code scanning tools are effective and can catch a lot of potential vulnerabilities, but, from a developer behavior standpoint, what they ultimately do is simply teach developers how to get their code to pass the scans, not actually deliver more secure code.