Please take a look at my latest column for Government Computing News, where I describe how you can program security into your applications from the start and avoid the guaranteed epic fail if you try to bolt security onto your applications later on. Just to give you an idea, here is the unedited introduction.
IT security has recently gotten a lot of attention in the mainstream press for all the wrong reasons, like the Target hack that compromised millions of credit card numbers or the Heartbleed bug in OpenSSL that had everyone scrambling. Government IT systems are not immune, and it isn’t hard to see why. With agency budgets already stretched to their limits, bolting security measures onto complex architectures composed of applications of myriad ages, technologies, and levels of quality is virtually impossible.
One lesson from these failures is that the cost and technical challenge of adding security after the fact are prohibitive. As a software engineer, I believe one thing we can do to begin to address this crisis is to ensure that we build security into all new software applications.
Let’s consider some steps developers and managers can take.