- Programmers aren’t graduating with security basics. Computer science students are required to learn the fundamentals of computer science, object-oriented programming, data structures, and algorithms. Unfortunately, secure coding isn’t a requirement for graduation.
- Appsec pros can’t fix security flaws alone. Contrary to popular belief, security does not have a magic wand to wave away vulnerabilities or fend off incessant attackers, nor does security have the training and skill set of a full-stack developer or the business context to write and fix the code. This leaves us in a pickle.
- New architectures, programming languages, and deployment option releases are relentless. Development teams are eager to take advantage of the new — especially when the newly released tech solves a problem that they have. While some advances in technology may strengthen built-in security measures, all of them change the threat landscape. Take functions as a service as an example: they are easy to code, easy to deploy, have no infrastructure maintenance or patching, and are virtually hassle-free, except that those small, ephemeral, stateless functions designed to do one job need a lot of supporting services to make a working application, which creates a different kind of risk.
Who is responsible for the security of an application? How do we inject secure coding practices into the software development lifecycle without slowing down development? What do new technologies like serverless bring to the threat landscape? I will be exploring these topics and what your organization can do to strengthen your application security in my session, “Show, Don’t Tell, Your Developers How To Secure Serverless,” at Forrester’s Technology & Innovation APAC Forum on October 31–November 1, 2023, in Sydney. Come join us either in person or digitally!
(written with Danielle Chittem, research associate)