We fought on the security frontline at Apple for about ten years. Our mission was simple: to attack products using any means necessary and then work on the fixes with development teams when applicable. We discovered hundreds of vulnerabilities and often had to deal with the usual Developers vs. Security conflict.

The unfortunate reality with application security is that most vulnerabilities discovered cannot be fixed in time, and vulnerable code is often released before developers have a chance to fix it. Fair decision, but releasing vulnerable products is not something that you can feel comfortable about. These experiences highlight the current limitation of manual security assessments under continuous development.

We’ve often heard that developers should write secure code. Security bugs are just a subset of common bugs, and we all agree that writing reliable code is always better than writing buggy code. Fair enough, but who writes code without any bugs?

Security experts and developers have almost no intersection and often have misaligned priorities. The approach, the vision, and the respective skills rarely overlap. One of the most important things to understand is: not all developers love software security. Just hang out at meetups and ask. This is quite an unfortunate statement for security addicts like us.

Everyone has good reasons to ignore application security [pick yours]:

“I am running out of time.” “… And anyway, my app framework is secure enough.” “… And what sort of attackers would target me btw?” “… Anyway, don’t worry, I run a security assessment every year!”

Exposure to attacks is generally related to the success of your company. Most people who experienced security issues have probably raised one or two of these objections in the past.

Developers embed various technologies into their applications to enhance reliability: performance monitoring, exceptions handling, logging facilities. What about security?

Why developers hate security

Developers are running out of time to build their own features, and most of them just don’t consider spending hours on invisible things that won’t directly benefit their customers. Writing reliable, maintainable, and fast code is already a challenge. Security is a pretty thankless task that is often left behind. Let’s check some of the symptoms: