A Security-First Approach to DevOps

Aware of the risks inherent in software, businesses are recognizing the need for application security.

It has long been common for developers to operate with tunnel vision: driven by the demand to get their products to market first, they have traditionally either tacked security on at the end or not considered it at all.


This lack of a security mandate in the development process has given rise to the recognized need for application security. Some have asked whether institutionalized security is needed to reshape the software development culture.


While there is some legislation and governance around data loss accountability and liability as a result of a breach, these existing laws are typically regionalized, says Dan Kuykendall, senior director of application security at Rapid7. As a result, they are neither prescriptive nor effectively enforced.


"They also do nothing to promote the idea of building security into the software development culture or incentivize businesses to mandate a security-first approach," Kuykendall says. "Providing prescriptive guidelines and principles on how to build security into the software development culture and institutionalizing these practices would place everyone on equal footing when it comes to releasing software safely with regard to both liability and innovation."


Stunted Creativity: Myth or Reality?

Many have bought into the idea that secure software development stymies innovation. Kuykendall agrees that certain security approaches can slow innovation — "particularly if an organization has adopted a continuous integration/continuous deployment [CI/CD] software development process but is unwilling to invest in and adopt security approaches and tools to keep up with the speed of delivery."


Howe ..