May 22, 2017
Do organisation's need to worry about ensuring that their software is developed securely in the first place, or can they just protect against attacks by employing the latest technology: web application firewalls, application delivery controllers, automated scanners, and so forth?
For those of us who know better, we can of course say that secure development is important.
Yes, it does matter if software is built securely, and yes, organisations do need to worry about it -- even prioritise it.
No amount of software or hardware will protect you from all the possible attacks that can be made against insecurely built applications, although that's not to say the additional software and hardware is pointless.
Building software securely means building security into the software from the earliest stages in the development process. That means the design and requirements phase. The goal of a secure software development lifecycle is to rid each application you build of every possible vulnerability before they ever reach production.
Of course, the reality is that this is impossible. Whilst even implementing the bare minimum of best development practices can protect against 80% of attacks, everyone that works in the security industry knows that it's not possible to build a large, 100% vulnerablility free application.
Developers come into work tired, and slip up occasionally; the framework you use turns out to be vulnerable to a new type of attack; problems in business logic that make it into your code can result in virtually impossible to find vulnerabilities and changes in the environment your software exists in both internally and externally can result in vulnerabilities coming and going.
This is where your next generation firewalls and security software come in. When they're setup properly, they will protect you against some of the inevitable vulnerabilities that make it into your final application. Whilst they won't catch everything -- they do further reduce the risk, and that's what application security is all about. You can never hope to completely secure an application, just further reduce the risk of an attack against it being successful.
So yes -- it does matter if software is built securely. The latest software and hardware is no replacement for a secure software development lifecycle, but that's not to say it should be passed on. Security is all about layers. Imagine your application security like an onion: your securely developed software wraps around the centre containing all your confidential information, and each piece of security software/hardware represents an additional layer. Don't make an attacker's job easy -- build out an appropriate number of security layers for the application in question, and make sure that your developers are suitably trained in security best practices -- because more than you expect will get through the latest software and hardware.