Your competencies review should keep in mind the salary and experience of each staff member. For example, if your developer has promised or assured security, is the vulnerability an oversight or something they should have known about and been aware of.
Developer’s view of application security
According to GitLab, almost 40% of developers felt that they were on the hook for security and solely responsible. Only one-third of developers say they shared the burden of security with other teams.
According to the GitLab survey, employers don’t look for security qualities in a developer. They are more concerned with having a working product and how easy the project is to pass over. Developers echo this by admitting they feel as though they lack proper guidance.
Developers need to know so many design and programming languages and methodologies that you can’t expect your platform to be flawless unless you have paid for a cybersecurity expert.
On top of that, business owners are responsible for having a BC/DR (Business Continuity and Disaster Recovery) plan which should include a) what would happen in the event of a cybersecurity incident and b) appoint security roles and tasks to specific personnel.
Achieving application security
Web app security is a branch/child of information security, which encompasses everything. Finger-pointing after an incident is pointless. While web app security starts with developers, it is up to each individual to ensure that they and those within their team are both knowledgeable & compliant with the BCDR & security policies.
Primarily a security culture must exist, moving security to the left so that it is in the initial stage of the development process. Taking an approach where security is bolted on at the end is a route towards failure, with successful attacks and data breaches sure to follow.
Application development should include compliance and penetration testing. Pen testing ensures security by testing applications for weaknesses and external vulnerabilities using the same manual and automatic techniques and methodology as attackers.