The Importance of Security-Aware App Development
The dependence of many companies on externally developed software has grown by leaps and bounds over the last few decades. Enterprises would rather focus on their core business than on building an in-house team to create, maintain and eventually decommission a critical application or process. These so-called external third-party apps, whether their source is closed or available, are a growing cybersecurity concern.
Since there is no particular team within the company that is responsible for guaranteeing that a third-party app is free of vulnerabilities, the firms using them are always at the mercy of the vendor's responsiveness and sense of urgency in releasing patches and fixes. Veracode, a cybersecurity consulting firm, recently released a report showing American and British firms relying solidly on third-party apps for 80% of their organization.
As clients of a giant software company, firms can demand a thorough audit of the software they are using. Third-party apps can be taken over by malicious parties; this is one of the easiest faults to exploit, because the organization remains heavily dependent on the software without knowing how it operates in the background.
Even first-party applications, those developed in-house, are not usually built from the ground up. Many plugins and toolchains become part of these first-party apps in order to add functionality without the developer reinventing the wheel. The problem, in a nutshell, is being statically linked to a third-party toolchain or plugin: the developers are forever at the mercy of keeping up with the updates to those toolchains and plugins. There are security bugs that have existed for decades and were only discovered recently, to be patched by the maintainer.
Developers need to understand that security is built in from the ground up, not added as an afterthought. Proper documentation of their apps needs to be maintained so that their successors can keep the apps working and security-wise reliable even after they have left the organization.
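The practical counterpart to "keeping up with the updates" is a routine check of every pinned dependency against the version in which a known bug was fixed. The script below is an added example, not code from the original article or from any vendor it mentions; the requirements text and the advisory table are constructed placeholders, and a real audit would pull the fixed-in versions from a vulnerability database. It also handles the classic mistake of comparing version strings lexically, where "2.9" sorts after "2.10".

```python
"""Audit pinned third-party dependencies against known fixed-in versions.

Added example for illustration only. SAMPLE_REQUIREMENTS and SAMPLE_ADVISORIES
are constructed data, not real package advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed pinned dependency list in pip requirements.txt style.
SAMPLE_REQUIREMENTS = """\
# constructed sample lock file
requests==2.19.0
pyyaml==5.4.1
jinja2==2.9
urllib3==1.26.5
"""

# Constructed advisory table: package -> first version containing the fix.
# Placeholder values, not real advisory data.
SAMPLE_ADVISORIES: Dict[str, str] = {
    "requests": "2.20.0",
    "jinja2": "2.10",
    "urllib3": "1.26.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.10' into (2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract name==version pins, ignoring comments and blank lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_outdated(pins: Dict[str, str],
                  advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned, fixed_in) for every pin older than its fix."""
    findings = []
    for name, pinned in pins.items():
        fixed_in = advisories.get(name)
        if fixed_in and parse_version(pinned) < parse_version(fixed_in):
            findings.append((name, pinned, fixed_in))
    return findings


def audit(requirements_text: str = SAMPLE_REQUIREMENTS,
          advisories: Dict[str, str] = SAMPLE_ADVISORIES) -> List[Tuple[str, str, str]]:
    """Parse the pins and report those that still need an update."""
    return find_outdated(parse_requirements(requirements_text), advisories)


if __name__ == "__main__":
    for name, pinned, fixed_in in audit():
        print(f"{name}: pinned {pinned}, fix available in {fixed_in}")
```

Pins that already match or exceed the fixed-in version (urllib3 here) are not reported, and packages with no advisory entry (pyyaml) are left alone; wiring this into CI turns the article's "mercy of the maintainer" into a visible, regularly reviewed list.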