What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?


Chief Technology Officer in Education, 11 - 50 employees
I don't have any particular security credentials but will share my approach from a software engineering standpoint. My simple answer would be "yes" to your second question. What I mean is that you need all of these approaches and security is really a multi-layered approach. Security training and secure coding practices are critical (and a requirement for many cloud certifications like SOC2). Testing and hopefully automated testing is key to this. You want a broad set of test cases that can be run in an automated fashion. I could go on and on about different things (static code analysis, dynamic web scans) that can be further leveraged too. There's a lot more so this isn't all encompassing.

Patching is your last resort. That means something bad got in the wild. Think of it this way: your dev cycle starts with dev on the left and flows into production on the right. Patching in production is your most expensive endeavor. The further left in the cycle that you can catch the issue, the cheaper the resolution for your organization.

With all of this being said, the neat thing is we're in a world where soooo much of this can be automated in a CICD pipeline.  So, it sounds like a lot but if you have a CICD pipeline, these tools can all be plugged in.  Another interesting concept I'd read about around this idea is DevSecOps.

Lots of information but I had to cut myself off too - hope it all helps.
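The comment above recommends layering secure coding, input validation and automated test cases. The following is an added example (not the commenter's code, and not from any product mentioned on this page) of what that looks like for a command framework: the string-concatenation pattern that lets user data reach a shell is shown for contrast only, and the hardened form allow-lists sub-commands, validates the argument instead of escaping it, terminates option parsing with `--`, and hands an argv list to the OS with no shell in between. The command registry, the argument pattern and the regression inputs are all constructed for this example.

```python
import re
import subprocess
from typing import Dict, List

# Allow-list of the sub-commands the framework exposes and the argv prefix each maps to.
# Constructed for this example; a real framework would populate this from its registry.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "list-logs": ["ls", "-l"],
    "grep-log": ["grep", "-n"],
}

# Conservative allow-list pattern for a user-supplied argument: letters, digits,
# dot, dash, underscore and slash only. Input that does not match is rejected
# outright rather than escaped, which is simpler to reason about and to test.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.\-/]{1,128}$")


def build_command_unsafe(name: str, user_arg: str) -> str:
    """The pattern to avoid: user input spliced into a string that a shell will parse.
    Shown for contrast only; this example never executes its result."""
    return " ".join(ALLOWED_COMMANDS[name]) + " " + user_arg


def build_command(name: str, user_arg: str) -> List[str]:
    """Hardened form: allow-listed sub-command, validated argument, argv list.

    The "--" separator stops the invoked tool from treating a user argument that
    starts with "-" as an option (option injection), and returning an argv list
    means no shell ever interprets the input.
    """
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command: {name!r}")
    if not SAFE_ARG.fullmatch(user_arg) or ".." in user_arg.split("/"):
        raise ValueError(f"rejected argument: {user_arg!r}")
    return ALLOWED_COMMANDS[name] + ["--", user_arg]


def run_command(name: str, user_arg: str) -> subprocess.CompletedProcess:
    """Execute a validated command. shell=False (the default) passes argv straight
    to the OS, so metacharacters in user_arg are just bytes inside one argument."""
    return subprocess.run(build_command(name, user_arg),
                          capture_output=True, text=True, check=False)


# Regression inputs for the automated test suite (constructed): each one must be
# rejected by build_command, and the benign case must yield a plain argv list.
REJECT_CASES = ["app.log; id", "app.log && whoami", "$(id)", "`id`",
                "../etc/passwd", "a|b", ""]


def validation_report() -> Dict[str, bool]:
    """Map each regression input to True if the validator rejected it.
    Suitable for a CI step that fails when any value is False."""
    report: Dict[str, bool] = {}
    for case in REJECT_CASES:
        try:
            build_command("grep-log", case)
            report[case] = False
        except ValueError:
            report[case] = True
    return report


if __name__ == "__main__":
    print(build_command("grep-log", "app.log"))   # ['grep', '-n', '--', 'app.log']
    print(validation_report())                    # every value True
```

Wiring `validation_report` into the pipeline turns the validator into a regression gate: a refactor that loosens `SAFE_ARG` or drops the `--` separator fails the build before it reaches production, which is the "catch it further left" point the comment makes.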

CIO in Retail, 10,001+ employees
More focus on secure coding practices and testing as a primary approach.

Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
We mostly focus on securing code, testing and patching etc. But we have now taken a few small steps, especially on the API side, for data injection.
