The main goal of any software development company is to develop software that meets the functional and quality needs of the end-users within a budget (Agrawal & Chari, 2007). The fast pace of software development often leads to gaps in coding and secure coding. While programmers focus on the speed of application code development, security teams are left with little or no time to check the security of configurations, perform code review and analysis, vulnerability assessments, amongst others. Security in software development is challenging because traditional security methods do not accomplish the requirements and objectives of software programmers, which is to achieve rapid deployment of software into production (Rafi et al., 2020). The root cause of insecure coding revolves around the drive for the product to reach the market quickly and the delays caused by implementing cumbersome security testing and code analysis (static and dynamic) techniques (Zaydi & Nassereddine, 2020). The main objective of many software companies and developers is to create functional code rapidly and deploy it into production. Thus, to developer’s time is of the essence, while injecting security in coding practices come with delays. However, to ensure secure coding, organizations need to strike a balance between developing functional codes and secure, functional codes.
Reducing Errors in Software Development
Errors or bugs are inevitable in the software development process; given that coding is done by human beings who are not perfect, there is always a chance for errors. However, taking appropriate coding measures could significantly reduce the number of bugs within software developed. First, developers should learn to create simple and testable codes to ensure test-driven code development and reduce eminent bugs associated with complex codes (Sachedina, 2019). This test-driven development concept makes the code development process focus on early, continuous testing and quality assurance. All risks identified during code testing must be tracked and managed using a risk register. Incorporating continuous quality control creates awareness to ensure developers are continuously meeting secured coding standards. Secure coding standards help standardize the code development process (OWASP, 2010), thereby reducing the number of bugs in a code. Also, using existing, tested, and approved code libraries saves time and reduces the risk of bugs in the software development process.
The software development process could be secured by implementing relevant security strategies, policies, processes, and tools to uncover bugs, insecure codes, and vulnerabilities, thereby averting cyberattacks (Valani, 2018). Without injecting security in the software development life cycle (SDLC), applications are left vulnerable to common application attacks like SQL injection, code injection, buffer overflow, cache poisoning, cross-site scripting (XSS). These attacks result from application vulnerabilities like broken access control, insecure access design, security misconfiguration, software, and data integrity failures (OWASP, 2021). Secure coding limits security vulnerabilities in applications, thus reducing the attack surface for cybercriminals.
Furthermore, the simplest strategy to limit the production of application software containing defects that might be exploited in cyberattacks is to incorporate DevSecOps into the software development life cycle (SDLC). The DevSecOps methodology centers on effectively incorporating security in development operations (DevOps) from the start of the software development lifecycle (SDLC). An efficient DevSecOps program uses automated security programs and tools to continuously test codes and prevent development processes from being slowed down. As such, DevSecOps solutions, such as SonarQube, Codacy, Acunetix, and GitLab, automatically examine and scan codes to find defects and vulnerabilities, addressing security concerns without slowing down continuous integration and continuous delivery (CI/CD) processes (Deepak & Swarnalatha, 2019). A productive DevOps setting can also be achieved through properly training the DevOps and security teams in the use of DevSecOps technologies and security best practices. Finally, reducing the likelihood of a security breach in the SDLC can be accomplished by adopting preventative administrative, technological, and operational controls to secure the SDLC’s many moving parts, such as code libraries, databases, networks, and physical locations.
Agrawal, M., & Chari, K. (2007). Software Effort, Quality, and Cycle Time: A Study of CMM Level 5 Projects. IEEE Transactions on Software Engineering, 33(3), 145-156. https://doi.org/http://dx.doi.org/10.1109/TSE.2007.29
Deepak, R. D. S., & Swarnalatha, P. (2019). Continuous Integration – Continuous Security – Continuous Deployment Pipeline Automation for Application Software (CI – CS – CD). International Journal of Computer Science and Software Engineering, 8(10), 247-253.
OWASP. (2010). OWASP Secure Coding Practices Quick Reference Guide. https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
OWASP. (2021). OWASP Top 10 – 2021. https://owasp.org/Top10/
Rafi, S., Yu, W., & Akbar, M. A. (2020). Towards a Hypothetical Framework to Secure DevOps Adoption: Grounded Theory Approach Proceedings of the Evaluation and Assessment in Software Engineering, Trondheim, Norway. https://doi.org/10.1145/3383219.3383285
Sachedina, F. (2019). Quality Begins With Code: 10 Ways to Reduce Software Bugs. https://simpleprogrammer.com/reduce-software-bugs-quality-code/
Valani, A. (2018, 30 Sept.-2 Oct. 2018). Rethinking Secure DevOps Threat Modeling: The Need for a Dual Velocity Approach. 2018 IEEE Cybersecurity Development (SecDev),
Zaydi, M., & Nassereddine, B. (2020). DevSecOps practices for an agile and secure IT service management. Journal of Management Information and Decision Sciences, 23(2), 1-16.