Security should be a core competency of every developer. Follow these 10 steps to bring security into every phase of the software development life cycle.
In 2024, cyber criminals didn't just knock on the front door; they walked right in. High-profile breaches hit widely used apps from tech giants and consumer platforms alike, including Snowflake, Ticketmaster, AT&T, 23andMe, Trello, and Life360. Meanwhile, a massive, coordinated attack targeting Dropbox, LinkedIn, and X (formerly Twitter) compromised a staggering 26 billion records.
These aren't isolated incidents; they're a wake-up call. If reducing software vulnerabilities isn't already at the top of your development priority list, it should be. The first step? Empower your developers with secure coding best practices. It's not just about writing code that works; it's about writing code that holds up under fire.
Start with the known
Before developers can defend against sophisticated zero-day attacks, they need to master the fundamentals, starting with known vulnerabilities. These trusted industry resources provide essential frameworks and up-to-date guidance to help teams code more securely from day one:
- OWASP Top 10: The Open Worldwide Application Security Project (OWASP) curates regularly updated Top 10 lists that highlight the most critical security risks across web, mobile, generative AI, API, and smart contract applications. These are must-know threats for every developer.
- MITRE: MITRE offers an arsenal of tools to help development teams stay ahead of evolving threats. The MITRE ATT&CK framework details adversary tactics and techniques while CWE (Common Weakness Enumeration) catalogs common coding flaws with serious security implications. MITRE also maintains the CVE Program, an authoritative source for publicly disclosed cybersecurity vulnerabilities.
- NIST NVD: The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), a repository of security checklist references, vulnerability metrics, software flaws, and impacted product data.
Training your developers to engage with these resources isn't just a best practice; it's your first line of defense.
Standardize on secure coding techniques
Training developers to write secure code shouldn't be treated as a one-time assignment. It requires a cultural shift. Start by making secure coding techniques the standard practice across your team. Two of the most critical (yet frequently overlooked) practices are input validation and input sanitization.
Input validation ensures incoming data is appropriate and safe for its intended use, reducing the risk of logic errors and downstream failures. Input sanitization removes or neutralizes potentially malicious content, such as script injections, to prevent exploits like cross-site scripting (XSS).
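The distinction between the two practices is easiest to see in code. The following is an added example, not code from the article or from CMD+CTRL Security: it validates structured fields (a username and an age) against an allow-list and a range, and sanitizes a free-form comment by stripping control characters and HTML-escaping it before it could reach a page. The field names, the username rule and the length limit are assumptions made for the example.

```python
import html
import re

# Constructed allow-list rules (assumptions for this example, not from the article).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
MAX_COMMENT_LEN = 500


class ValidationError(ValueError):
    """Raised when input does not match what the application expects."""


def validate_username(value) -> str:
    # Validation: reject anything outside the expected shape rather than repairing it.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 letters, digits or underscores")
    return value


def validate_age(value) -> int:
    # Validation of a numeric field: check the type first, then the range.
    try:
        age = int(value)
    except (TypeError, ValueError):
        raise ValidationError("age must be an integer") from None
    if not 0 <= age <= 150:
        raise ValidationError("age out of range")
    return age


def sanitize_comment(value) -> str:
    # Sanitization: free-form text is allowed, but anything a browser could
    # interpret as markup or script is neutralised before storage or display.
    if not isinstance(value, str):
        raise ValidationError("comment must be text")
    # Drop control characters (except newline and tab) that confuse parsers and logs.
    cleaned = "".join(ch for ch in value if ch in "\n\t" or ch.isprintable())
    cleaned = cleaned[:MAX_COMMENT_LEN]
    # Escape HTML metacharacters so the comment renders as text, not as markup.
    return html.escape(cleaned, quote=True)


def process_form(form: dict) -> dict:
    """Apply validation to structured fields and sanitization to free text."""
    return {
        "username": validate_username(form.get("username", "")),
        "age": validate_age(form.get("age")),
        "comment": sanitize_comment(form.get("comment", "")),
    }


if __name__ == "__main__":
    # Constructed sample submission resembling a hostile form post.
    sample = {
        "username": "alice_01",
        "age": "34",
        "comment": "<script>alert(1)</script> nice post",
    }
    print(process_form(sample))
```

Validation fails closed (a bad username or age raises and the request never proceeds), while sanitization transforms the comment so that even an injected script tag is stored and rendered as inert text.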
Get access control right
Authentication and authorization aren't just security check boxes; they define who can access what and how. This covers access to code bases, development tools, libraries, APIs, and other assets, as well as how entities can access sensitive information and view or modify data. Best practices dictate employing a least-privilege approach to access, providing only the permissions necessary for users to perform required tasks.
Don't forget your APIs
APIs may be less visible, but they form the connective tissue of modern applications. APIs are now a primary attack vector, with API attacks growing 1,025% in 2024 alone. The top security risks? Broken authentication, broken authorization, and lax access controls. Make sure security is baked into API design from the start, not bolted on later.
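To make the access control and API points above concrete, here is an added example (not code from the article or from CMD+CTRL Security) of a minimal API handler that separates authentication from authorization and denies by default. It enforces least privilege twice: a role-to-permission map limits what each role may do at all, and an object-level ownership check stops one authenticated user from reading another user's document, which is the broken-authorization failure the section describes. The roles, permission names, token map and document store are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


# Constructed role -> permission map: each role carries only what its job needs.
ROLE_PERMISSIONS = {
    "viewer": {Permission.READ},
    "editor": {Permission.READ, Permission.WRITE},
    "admin": {Permission.READ, Permission.WRITE, Permission.DELETE},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass
class Document:
    doc_id: str
    owner_id: str
    body: str


class AuthorizationError(PermissionError):
    """Raised for any authentication or authorization failure."""


def authenticate(token: str, sessions: dict) -> Principal:
    # Authentication: resolve a bearer token to a principal. Unknown tokens are
    # rejected outright, never mapped to a guest or default user.
    principal = sessions.get(token)
    if principal is None:
        raise AuthorizationError("invalid or expired token")
    return principal


def authorize(principal: Principal, doc: Document, needed: Permission) -> None:
    # Authorization: deny by default. Both checks must pass.
    # 1. Function-level: does the role carry the permission at all?
    granted = ROLE_PERMISSIONS.get(principal.role, set())
    if needed not in granted:
        raise AuthorizationError(f"role {principal.role!r} lacks {needed.value}")
    # 2. Object-level: does this principal own the object (admins excepted)?
    if doc.owner_id != principal.user_id and principal.role != "admin":
        raise AuthorizationError("principal does not own this document")


def api_get_document(token: str, doc_id: str, sessions: dict, store: dict):
    """Return an (HTTP status, body) pair for a GET on one document."""
    try:
        principal = authenticate(token, sessions)
    except AuthorizationError:
        return 401, ""
    doc = store.get(doc_id)
    if doc is None:
        return 404, ""
    try:
        authorize(principal, doc, Permission.READ)
    except AuthorizationError:
        return 403, ""
    return 200, doc.body


if __name__ == "__main__":
    # Constructed session table and document store.
    sessions = {
        "tok-alice": Principal("u1", "editor"),
        "tok-bob": Principal("u2", "viewer"),
    }
    store = {"d1": Document("d1", "u1", "alice's private notes")}
    print(api_get_document("tok-alice", "d1", sessions, store))  # owner: 200
    print(api_get_document("tok-bob", "d1", sessions, store))    # other user: 403
    print(api_get_document("stale", "d1", sessions, store))      # bad token: 401
```

The ownership check is the part most often missing from real APIs: a handler that only verifies the caller is logged in, then fetches whatever id appears in the URL, passes authentication and still leaks every other user's data.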
Assume sensitive data will be under attack
Sensitive data consists of more than personally identifiable information (PII) and payment information. It also includes everything from two-factor authentication (2FA) codes and session cookies to internal system identifiers. If exposed, this data becomes a direct line to the internal workings of an application and opens the door to attackers. Application design should consider data protection before coding starts, and sensitive data must be encrypted at rest and in transit with strong, current algorithms. Questions developers should ask: What data is necessary? Could data be exposed during logging, autocompletion, or transmission?
Log and monitor applications
Application logging and monitoring are essential for detecting threats, ensuring compliance, and responding promptly to security incidents and policy violations. Logging is more than a check-the-box activity; for developers, logging can be a critical line of defense. Application logs should:
- Capture user context to identify suspicious or anomalous activity,
- Ensure log data is properly encoded to guard against injection attacks, and
- Include an audit trail for all critical transactions.
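The three logging requirements above, together with the earlier question of whether sensitive data could leak through logging, can be met by one small audit-logging routine. The following is an added example, not code from the article or from CMD+CTRL Security. Each record carries user context (user id, request id, source address), is emitted as a single JSON line so that newlines in user-supplied text cannot forge extra log entries (log injection), has sensitive fields and card-like digit runs masked before writing, and is chained to the previous record by its SHA-256 so that a deleted or reordered entry is detectable. The sensitive key names, the card-number pattern and the field layout are assumptions constructed for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed list of field names whose values must never reach a log.
SENSITIVE_KEYS = {"password", "token", "session_cookie", "otp", "ssn", "card_number"}
# Constructed pattern: long digit runs in free text are treated as card numbers.
CARD_RE = re.compile(r"\b\d{13,19}\b")
GENESIS = "0" * 64  # "previous hash" for the first record in a trail


def _mask_digits(match) -> str:
    digits = match.group()
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(value):
    """Recursively replace sensitive keys and mask card-like digit runs."""
    if isinstance(value, dict):
        return {
            k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return CARD_RE.sub(_mask_digits, value)
    return value


def audit_record(event, user_id, request_id, source_ip, details, prev=GENESIS) -> str:
    """Build one audit line with user context.

    json.dumps with ensure_ascii=True escapes every newline and control
    character, so user-controlled text is encoded and cannot break the
    record into a second, forged line; the output stays machine-parseable.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user_id": user_id,
        "request_id": request_id,
        "source_ip": source_ip,
        "prev": prev,
        "details": redact(details),
    }
    return json.dumps(record, ensure_ascii=True, separators=(",", ":"))


class AuditTrail:
    """Append-only trail: each line stores the SHA-256 of the line before it."""

    def __init__(self):
        self.lines = []
        self._prev = GENESIS

    def append(self, **fields) -> str:
        line = audit_record(prev=self._prev, **fields)
        self.lines.append(line)
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        return line


def verify_trail(lines) -> bool:
    """Return True if every record's prev hash matches the record before it."""
    prev = GENESIS
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed event: a failed login whose username field carries a forged log line.
    print(trail.append(event="login_failed", user_id="alice", request_id="req-42",
                       source_ip="203.0.113.5",
                       details={"username": "alice\nINFO login ok user=admin",
                                "password": "hunter2",
                                "note": "paid with 4111111111111111"}))
    print(verify_trail(trail.lines))  # True
```

In a production system the trail would be shipped to a write-once store and the chain head periodically signed; the hash chain alone only makes tampering detectable, not impossible.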
Logging and monitoring aren't limited to the application. They should span the entire software development life cycle (SDLC) and include real-time alerting, incident response plans, and recovery procedures.
Integrate security in every phase
You don't have to compromise security for speed. When effective security practices are baked in across the development process, from planning and architecture to coding, deployment, and maintenance, vulnerabilities can be identified early to ensure a smooth release. Training developers to think like defenders while they build can accelerate delivery while reducing the risk of costly rework later in the cycle and result in more resilient software.
Build on secure foundations
While secure code is important, it's only part of the equation. The entire SDLC has its own attack surface to manage and defend. Every API, cloud server, container, and microservice adds complexity and provides opportunities for attackers.
In fact, one-third of the most significant application breaches of 2024 resulted from attacks on cloud infrastructure while the rest were traced back to compromised APIs and weak access controls.
Worse still, attackers aren't waiting until software is in production. The 2025 State of Application Risk report from Legit Security found that every organization surveyed had high or critical risks lurking in their development environments. The same report found that these organizations also had exposed secrets, with over one-third found outside of source code: in tickets, logs, and artifacts. What can you do? To reduce risk, develop a strategy to prioritize visibility and control across development environments, because attackers can strike during any phase.
Manage third-party risk
So, you've implemented best practices across your development environment, but what about your supply chain vendors? Applications are only as secure as their weakest links. Software ecosystems today are interconnected and complex. Third-party libraries, frameworks, cloud services, and open-source components all represent prime entry points for attackers.
A software bill of materials (SBOM) can help you understand what's under the hood, providing a detailed inventory of application components and libraries to identify potential vulnerabilities. But that's just the beginning, because development practices can also introduce supply chain risk.
To reduce third-party risk:
- Validate software as artifacts move through build pipelines to make sure it hasn't been compromised.
- Use version-specific containers for open-source components to support traceability.
- Ensure pipelines validate code and packages before use, especially from third-party repositories.
Securing the software supply chain means assuming every dependency could be compromised.
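The first and third items in that list (validating artifacts as they move through the pipeline, and checking packages before use) come down to pinning a digest at the producing stage and verifying it at every consuming stage. The following is an added example, not code from the article or from CMD+CTRL Security: a build stage records a SHA-256 manifest keyed by version-specific artifact names, and a later stage refuses any artifact that is missing from the manifest or whose bytes do not match. The artifact names and contents are constructed for the example; a real pipeline would additionally sign the manifest so that it cannot be replaced along with the artifact.

```python
import hashlib
import hmac
from pathlib import Path


class UntrustedArtifact(Exception):
    """Raised when an artifact is not listed in the pinned manifest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_manifest(artifacts: dict) -> dict:
    """Producing stage: record the digest of every artifact built or vetted.

    Keys include the version, so a quietly swapped version of the same
    package cannot satisfy the check for the version that was reviewed.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_bytes(name: str, data: bytes, manifest: dict) -> bool:
    """Consuming stage: deny by default.

    An artifact absent from the manifest is refused outright; a listed one
    must match its recorded digest exactly (constant-time comparison).
    """
    expected = manifest.get(name)
    if expected is None:
        raise UntrustedArtifact(f"{name} is not in the pinned manifest")
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_file(path, manifest: dict) -> bool:
    """Convenience wrapper for an artifact on disk, keyed by its file name."""
    path = Path(path)
    return verify_bytes(path.name, path.read_bytes(), manifest)


def verify_all(artifacts: dict, manifest: dict) -> list:
    """Return the names of artifacts that fail verification; empty means all passed."""
    failures = []
    for name, data in artifacts.items():
        try:
            if not verify_bytes(name, data, manifest):
                failures.append(name)
        except UntrustedArtifact:
            failures.append(name)
    return failures


if __name__ == "__main__":
    # Constructed artifacts standing in for a build output and a third-party package.
    built = {
        "app-2.0.0.tar.gz": b"constructed build output",
        "vendor-lib-1.4.2.whl": b"constructed dependency bytes",
    }
    manifest = record_manifest(built)
    # Later stage receives the same bytes plus a tampered and an unlisted file.
    received = dict(built)
    received["vendor-lib-1.4.2.whl"] = b"constructed dependency bytes, modified"
    received["vendor-lib-1.5.0.whl"] = b"never reviewed"
    print(verify_all(received, manifest))  # ['vendor-lib-1.4.2.whl', 'vendor-lib-1.5.0.whl']
```

Treating an unlisted artifact as a failure rather than a warning is the point of the "assume every dependency could be compromised" stance: the pipeline only runs what it has already vouched for.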
Commit to continuous monitoring
Application security is a moving target. Tools, threats, dependencies, and even the structure of your teams evolve. Your security posture should evolve with them. To keep pace, organizations need an ongoing monitoring and improvement program that includes:
- Regular reviews and updates to secure development practices,
- Role-specific training for everyone across the SDLC,
- Routine audits of code reviews, access controls, and remediation workflows, and
- Penetration testing and red teaming, wherever appropriate.
Security maturity isn't about perfection; it's about progress, visibility, and discipline. Your development organization should never stop asking the question, "What's changed, and how does it impact our risk?"
Security is no longer optional, but a core competency for modern developers. Invest in training, standardize your practices, and make secure coding second nature. Your applications, and your users, will thank you.
Jose Lazu is associate director of product at CMD+CTRL Security.
New Tech Forum provides a venue for technology leaders, including vendors and other outside contributors, to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to doug_dineley@foundryco.com.


