Why don’t developers have a ‘spellchecker’ for security?
Despite all the news coverage about successful cyberattacks, developers are still writing code full of security vulnerabilities.
Of course, nobody is perfect. We all make mistakes, and as software projects get more and more complex, it can be easy to miss potential problems.
But that doesn’t explain why so much software is full of the most basic errors.
According to a report released this month by Veracode, 61 percent of all internally-developed applications failed a basic test of compliance with the OWASP Top 10 list on their first pass. And commercially developed software did even worse, with a 75 percent failure rate.
These are basic, well-known problems, like SQL injections and cross-site scripting.