Business owners and cybersecurity professionals often assume that coders write insecure code because they are lazy. That is not the case at all. Insecure code is not a product of laziness; the issue is a lack of knowledge. That lack of knowledge is not due to laziness either: it is not because coders didn’t pay attention when they were learning, and it is not because they choose to ignore security. As stated in a previous article, good coders want to do things right the first time, because repeating work is not something they are in the habit of doing. So where does this problem stem from? Why is there a lack of security knowledge in coding?
The answer is simple: it is not taught or discussed. Security in coding is not part of most computer science curriculums, and where it is touched on, it is usually framed as someone else’s problem. As a result, most coders do not have a fundamental understanding of how to code securely. They do not understand how what they are doing actually contributes to hacking. Most coders legitimately think that security belongs to someone else, whether that is the infrastructure team, the security team or some other department, and so they simply do not understand how they impact the system. They do not know how to take control of security, how to do it correctly, or how to be intelligently lazy while doing it, meaning doing it right the first time and never having to touch it again.
Executives and IT teams want to blame coders for security weaknesses, thinking these professionals are not doing their job correctly, but the fact is that most of the time coders are not informed and simply do not know that what they are doing is causing a problem. There is no mentality that security in coding is an afterthought or that it doesn’t matter; good coders absolutely want their code to be foundationally solid and structurally sound. If there is a security weakness, it is not because they don’t care. It is because they literally don’t know.
In fact, a lot of the time, once a coder becomes educated about security and how to incorporate it into their code, they become an advocate for your security team. They understand that making things secure is not really that much more work; it is just a matter of following certain patterns and having the right mentality about code. You may even find that they end up right next to you, pushing back against people who want to get a product out as fast as possible.
Think about it: good coders are lazy. Lazy in a good way. They like to find ways of doing things so that they only have to do them once. If something needs to be done multiple times, they find a way to automate it. So once they learn about security in coding, they very much want to make it no longer their problem. They want their code to be secure because they don’t want to get woken up in the middle of the night, they don’t want to get pulled onto calls, and they don’t want to walk into the office to 50 tickets they have to fix. They’ll say something like, “If you had just told me this from the beginning, I could have done it a different way and it would have been right, it would have been secure.”
One thing to note is that there is no gap here between old school coders and new school coders. Old school coders were never taught security in coding either, because the internet was just coming about; there wasn’t hacking or cyber attacks going on daily the way there is today. So it doesn’t matter that someone has been in the field for 30 years, the lack of knowledge is still there. The one difference is that new school coders tend to have an underlying understanding of how the internet works, which old school coders might not have.
However, it is a little more common to see old school coders become security advocates once you open their eyes to how what they are doing is contributing to the problem. They will be directly on board with security, and when a higher-up wants to go fast and push out a product, the coder will balk. They’ll say, “No, we can’t do that, security said so, because that’s insecure.” And they will have the back of the security team, which is really important to ensuring the security of your business and its assets. Having people with security on their minds, who also don’t want to repeat or redo work that has already been done, ensures that whatever code you’re pushing out to prod is secure. It is functional, it is sound and it does what it was designed to do.
Understanding that your coders are not lazy, and that they aren’t creating problems intentionally, is important. When you recognize that your coder simply doesn’t know how to code securely, you have a starting point for educating them. Show them how that line of code aids hackers and lets them in through a back door. Once you do that, you will see a big change in how they work, as well as a reduction in security problems. Both of these create greater profit for your business through reduced labor costs and better customer experiences.