Getting developers on board with security – once and for all

Making Web application security work is more than simply telling developers they need to write better code. We can scream “Write better code!” and “Integrate security into the application lifecycle!” at developers until end of time but that’s not going to fix the fundamental problems we have with unsecure software. Developers, by and large, know they need to write better code and integrate security into the application lifecycle. It’s like the average person knowing he or she needs to eat less and exercise more. However, just because people understand simple concepts and know certain things to be true doesn’t mean they’re going to do them.
I believe the reason why getting developers on board with security is not so cut and dried is something called the expediency principle. This principle says that people are going to take the fastest and easiest routes to get what they want without regard for the long-term consequences of their actions. Putting the expediency principle into software development terms: developers are going to develop software (the thing they want or have to do) in the quickest and simplest ways possible often ignoring the outcome of their choices (software security flaws that can be exploited for ill-gotten gains).
So what’s to give? If developers are going to take the path of least (continue reading...)