All security vulnerabilities are the result of human error. Most web application vulnerabilities and API security issues are introduced by developers. Therefore, the best approach to building secure applications is to do all that is possible to avoid introducing such errors in the first place instead of fixing them.

You can find several detailed guides on how to create secure code during application development, for example, the one provided by the Open Web Application Security Project (OWASP). They focus on such details as input validation, output encoding, access control, communication security, data protection, cryptographic practices, error handling, the principle of least privilege, etc. Instead, we would like you to look at this software security issue from a strategic point of view.

Principle 1: Spread awareness and educate

In most cases, developers introduce security risks into the source code simply because they are not aware of such risks. While universities often focus on teaching such details as formal verification, many of them do not offer dedicated courses on cybersecurity and don’t even mention topics such as injection attacks or cross-site scripting (XSS). This is especially the case for older developers who have taken such courses several years ago when there was no hype about security yet.

Universities also teach a limited number of programming languages so developers are in most cases self-taught, and some security problems are very specific to the programming language. For example, you won’t find a risk of buffer overflows in Java or C#. Even if the course teaches a language in detail, it rarely focuses on coding best practices related to application security in that language.

To make sure that your software development teams don’t make mistakes due to lack of awareness, understanding, or gaps in education, you must approach the issue strategically:

• Your development managers must not only be aware of security risks but they must be the driving force behind security. A developer with no security awareness can be educated but a development manager who does not realize the importance of security will never become the security leader.
• Don’t make any assumptions as to developer knowledge. Validate it first and if it’s not sufficient, provide in-house or external training sessions dedicated strictly to secure coding standards. It’s not the best idea to absolutely demand security knowledge from new hires because this will limit your recruitment capabilities greatly and developers can easily learn as they progress.
• Do realize that no matter how well your developers understand security, new techniques and attacks appear very often due to the speed with …….

  Source: https://securityboulevard.com/2021/11/secure-coding-practices-the-three-key-principles/