Security Awareness and Education

Education is the best investment in application security. Developers and project leads must be mindful of security issues and have an understanding of secure coding practices. Training must include an in-depth explanation of the potential risks as well as the features of the development and deployment platforms that help mitigate exploits.

The most important design principle for application security is to implement security by design and by default. Secure coding guidelines should be made available, adhered to and enforced in all development organizations, irrespective of the tools and platforms used.

A good example of security by default is the expectation we all have for how elevators should behave in case of a power outage. In such a scenario, we expect elevators to apply the brakes for the safety of the passengers in the cabin. Elevator brakes are closed by default and use an electrical mechanism to hold them open. The approach is not to actively apply the brakes when power fails, but to require electricity to release brakes that are otherwise closed.

This illustrates the concept of security by default. Before thinking about how to prevent external attacks, it makes sense to identify secure defaults for an application internally. This, however, requires training and awareness.