Writing better, more-secure software requires different thinking and different planning. Nevertheless, it’s the only way. A team of four developers working in a garage can create a better, more-secure application that upends an industry.
We’re all learning at the same time. Interestingly, universities are struggling to catch up to the idea that security and software development are inseparable. The analyst firm Forrester observed in an April 2019 report that not one of the top 40 computer science programs in the United States required a security class. We’re still churning out developers who know how to make things work, but not how to make them better and more secure.
In the end, it’s all about risk management. As fast as we build software, criminals learn to exploit it just as fast. The recent plague of ransomware is a good reminder of how far ahead of ourselves we’ve gotten in building things without securing them.
Making software better with a secure SDLC lowers risk, but overall risk won’t be lower until the entire ecosystem understands how to build, deploy, operate, and maintain software with security in mind at every step.