Sometimes it’s a matter of lack of engagement, but more often it’s a lack of knowledge that threatens safety. Unfortunately, this applies to both developers and product managers. Developers need to learn how to flag vulnerabilities, and product managers need increased security skills to give developers the time and space to deal with them.
Furthermore, all companies need product managers who have enough confidence to raise security challenges in meetings with top management and policy makers. It's often a tough fight. Security and integrity take time and doesn’t give the same immediate return on investments as developing new products and services.
Vulnerabilities such as bad authentication and cryptography errors have been on OWASP's top 10 list for many years and are known to many developers. But how many middle and senior managers listen when developers point out such vulnerabilities? Our experience is that not many are taken seriously, and that security remains a footnote in development and design processes.
The number of demands for higher security competence in development teams is on the rise. Wich is good, since this in itself is a big need. But the security challenges will remain unless managers at all levels become aware of the risks, support the developers, and take the risks seriously.
Managers and developers alike need to understand how criminals think. Only then will senior managers take them seriously.
New OWASP top 10 course
With decades in the IT industry, we have seen the consequences of poor communication far too often. That's why Junglemap and Tagore in collaboration have now developed a new role-based course for product and development teams.
Nils Ivar Skaalerud, COO Junglemap and Andreas Hegna, CEO Tagore.