A full-stack developer must program in HTML/CSS and JavaScript as well as be responsible for back-end development of server-side processes for data storage and retrieval, business logic tasks, authentication, and integration with third-party APIs in programming languages such as Go, .NET, Java, Rust, and Node.js. In addition, full-stack engineers must be knowledgeable about development and build tools, deployment techniques, cloud provider environments, design patterns, and integration with other business systems. On top of this, full-stack developers are expected to be concerned with the accessibility, usability, reliability, scalability, and performance of the application. So where does security fit in? Consider that:

  • Programmers aren’t graduating with security basics. Computer science students are required to learn the fundamentals of computer science, object-oriented programming, data structures, and algorithms. Unfortunately, secure coding isn’t a requirement for graduation.
  • Appsec pros can’t fix security flaws alone. Contrary to popular belief, security does not have a magic wand to wave away vulnerabilities or fend off incessant attackers, nor does security have the training and skill set of a full-stack developer or the business context to write and fix the code. This leaves us in a pickle.
  • New architectures, programming languages, and deployment option releases are relentless. Development teams are eager to take advantage of the new — especially when the newly released tech solves a problem that they have. While some advances in technology may strengthen built-in security measures, all of them change the threat landscape. Take functions as a service as an example: they are easy to code, easy to deploy, require no infrastructure maintenance or patching, and are virtually hassle-free, except … those small, ephemeral, stateless functions designed to do one job need a lot of supporting services to make a working application, and that creates a different kind of risk.

Who is responsible for the security of an application? How do we inject secure coding practices into the software development lifecycle without slowing down development? What do new technologies like serverless bring to the threat landscape? I will be exploring these topics and what your organization can do to strengthen your application security in my session, “Show, Don’t Tell, Your Developers How To Secure Serverless,” at Forrester’s Technology & Innovation APAC Forum on October 31–November 1, 2023, in Sydney. Come join us either in person or digitally!

(written with Danielle Chittem, research associate)