
5 problems with securing applications

December 29, 2021 by Ted Harrington

The question is not whether vulnerabilities exist in your application — they do. The real question is simply which happens first: will attackers exploit them, or will you fix them?

However, doing that can sometimes be easier said than done. For many companies, getting started on securing their application is riddled with logistical and practical challenges.


#1: Developers juggle many priorities

The first problem you are likely to encounter is your developers’ priorities. Security is only one of many things they are asked to deliver, and which of those things gets emphasized is usually decided at the top levels of leadership. Even so, developers are expected to keep the application secure whether or not security was made a priority for them. That is a lot to ask.

When leadership doesn’t understand or prioritize security, developers cannot allocate sufficient time to it. As a leader, it’s up to you to make sure your developers are empowered to prioritize security and given enough time to implement it. Otherwise, they won’t have the bandwidth to protect your applications.

The best way to deal with this is to ensure that the top levels of leadership understand the core principles of security. A practical way to get there is to make sure the right kind of security testing is being done, so that leaders receive concrete findings (what is exploitable, how severe it is, and what fixing it will cost) and can make informed decisions about where to spend developer time.

#2: Security usually isn’t a developer’s specialty

Your developers might understand the importance of security, but for most developers, security isn’t the primary focus of their training. 

Developers are usually brilliant people trying to build clean, efficient, effective code. However, they’re not always thinking about how to break it. By contrast, attackers spend every waking minute studying how to break that clean, efficient, effective code.

The best way to deal with this is to hire security specialists internally or externally (or ideally, both) to lead your security effort in partnership with your developers. 

#3: Deadline pressure causes security to be postponed

Another problem companies often face is the clash between security and deadlines. There is tremendous pressure to hit release dates, and companies tend to believe that security slows development down. Security is seen as something that delays release milestones and makes developers’ lives harder, and therefore as something that can be deferred until later.

As a result, security tends to get postponed. But postponing it only causes regressions and rework later: a flaw found after release is harder and more expensive to fix than one caught during design or code review.

It’s easier than most people realize to build security into the development process. For every development action, there is a corresponding security action. Take it. You already have the right people in the right room having the right conversations, so expand those conversations to include security as well. The more involved aspects, such as security testing, are done by your security partner anyway, so they don’t drag on your own engineering resources.

#4: Security talent is scarce

Another problem you might face is the scarcity of security talent. There simply aren’t enough skilled security professionals to meet the demand for them.

Why the shortage? Security requires a highly specialized skill set, and formal education is not yet set up to produce enough workers with those skills. Most programs treat security as an area of interest rather than a core discipline. Security also requires extensive real-world experience that cannot be gained in a classroom.

To deal with this problem, partner with an external security consulting firm while you gradually grow your in-house team. Eventually you want both in-house and external security expertise; partnering first lets you get competent coverage immediately, without waiting on a hiring market that cannot supply the people you need.

#5: Security is never done

Lastly, many companies treat security like a short-term annoyance to deal with before getting back to other things. However, the truth is that security is never done — it’s an ongoing process and an investment in your company. 

Change is the only constant. As technology shifts, so too does the security model. Software development itself is changing. 

To succeed with your security efforts, acknowledge that security is a permanent part of your operating processes and expenses. Treat (and fund) it like an investment to maximize, rather than a tax to minimize. Deal with change through regular security assessments of your software system. The right cadence for most companies is every 3-6 months (rather than the every 1-2 years that most people do).

Overcome security challenges

As a leader of ethical hackers, I’ve been in the trenches with many people battling these same challenges: misplaced priorities, capability limitations, shortage of talent, deadlines and relentless change. I understand why you might think security is a headache, but in reality, security is your best friend.

Investing in security is not just the right thing to do; it also delivers a competitive advantage for your business. Proving that you’re secure in the face of unknown threats is exactly how you earn the trust of your customers. That leads to more sales, more customers and more market share. It’s how you become a leader in your field. 

Security requires time, attention and money to do right, but if you can overcome the inherent problems that most people face, you’ll build better, more secure software systems and obtain a competitive advantage.

Author
Ted Harrington

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.
