“Science and technology revolutionize our lives, but memory, tradition, and myth frame our response.” – Author Arthur M. Schlesinger
Urban myths rely on their communities of origin to thrive and survive. Perpetuated by offhand anecdotes, sensational news stories, and friend-of-a-friend legends, urban myths about secure coding are no different; as developers share tidbits of information around common struggles and issues in application security, those conundrums quickly become myths that can make secure coding seem daunting.
Schlesinger’s quote is even more important today as so much of the world is powered by modern applications, yet at the same time myths clouding the development community often frame how developers respond to (or avoid) issues with their code. The reality is clear: when you take ownership over your code and rally around your team’s security efforts to squash these myths, your apps carry far less risk than before. And once you recognize these myths for what they are, you have the power to reframe how you approach similar challenges in the future.
Popular myths in programming
So what are some of the common urban myths in software development? They range from claims about the security of open source code, to the idea that a developer tool alone can secure your code, to the notion that PHP is a "dying language". On that last point: roughly 80% of websites whose server-side language is known run on PHP. Some of today's heavyweights, including Etsy, Facebook, and Wikipedia, were built on PHP, and PHP-based publishing platforms like WordPress and Drupal remain extremely popular. It isn't going anywhere anytime soon.
Maybe you've also heard the urban myth that fixing flaws in your open source code is too time-consuming? Myth busted: almost 75 percent of known vulnerabilities in open source libraries can be fixed by updating the affected library to a release that patches the vulnerability. Even better, tools like Veracode Software Composition Analysis provide immediate and actionable guidance to help you remediate flaws in your open source code before they add risk to your organization.
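To make the "fix it with a library update" point concrete, here is an added example (not code from this page or from Veracode) that audits a pinned requirements file against an advisory table and works out the smallest version bump that clears every advisory for each package. The requirements text, package names and advisory identifiers are constructed for illustration; the example also handles the minority case where no fixed release exists, which is exactly the remaining share that a library update cannot address.

```python
"""Audit pinned dependencies against an advisory list and compute the
smallest version bump that clears every advisory for each package.

Added example, not code from the page or from Veracode. The requirements
text and the advisory table are constructed for illustration; the
package names and advisory identifiers are fictitious.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed requirements.txt content (fictitious packages).
REQUIREMENTS = """\
# web stack
examplelib==1.3.2
fastparse==0.9.0
sigtool==2.4.1   # pinned for reproducibility
legacycrypt==3.1.0
"""

# Constructed advisory table: package -> [(advisory id, introduced, fixed)].
# A version v is affected when introduced <= v < fixed; fixed=None means
# no fixed release exists yet.
ADVISORIES: Dict[str, List[Tuple[str, str, Optional[str]]]] = {
    "examplelib": [("EX-2023-0001", "1.0.0", "1.3.5"),
                   ("EX-2023-0002", "1.2.0", "1.4.1")],
    "fastparse": [("FP-2022-0007", "0.0.0", "0.8.0")],
    "sigtool": [("SG-2024-0003", "2.4.0", "2.4.3")],
    "legacycrypt": [("LC-2021-0010", "0.0.0", None)],
}

# Matches only exact pins (name==x.y.z); comments and blank lines never match.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_version(s: str) -> Version:
    """Dotted numeric versions only, padded to three parts so "1.3" == "1.3.0".
    Real ecosystems need packaging.version for pre-releases and epochs."""
    parts = [int(p) for p in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, str]:
    """name -> pinned version. Unpinned or range specs are skipped: you
    cannot audit a version you have not fixed."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def affecting(name: str, version: str, advisories) -> List[str]:
    """Advisory ids whose affected range covers this exact version."""
    v = parse_version(version)
    hits = []
    for adv_id, introduced, fixed in advisories.get(name, []):
        if parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed)):
            hits.append(adv_id)
    return hits


def min_clean_version(name: str, version: str, advisories) -> Optional[str]:
    """Smallest fixed release above the pin that no advisory covers. Walking
    the candidates matters: the first fix can land inside a second advisory's
    affected range, so "bump to the nearest fix" is not always enough."""
    v = parse_version(version)
    candidates = sorted(
        {fixed for _, _, fixed in advisories.get(name, [])
         if fixed is not None and parse_version(fixed) > v},
        key=parse_version,
    )
    for cand in candidates:
        if not affecting(name, cand, advisories):
            return cand
    return None  # every fixed release is itself affected, or there is none


def audit(text: str, advisories) -> List[Tuple[str, str, List[str], Optional[str]]]:
    """(name, pinned version, advisory ids, recommended version or None)."""
    findings = []
    for name, version in sorted(parse_requirements(text).items()):
        hits = affecting(name, version, advisories)
        if hits:
            findings.append((name, version, hits, min_clean_version(name, version, advisories)))
    return findings


def apply_upgrades(text: str, findings) -> str:
    """Rewrite pins that have a clean fix; packages without one are left alone
    so the resulting diff only contains changes you can actually ship."""
    bumps = {name: fix for name, _, _, fix in findings if fix}
    out = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1).lower() in bumps:
            line = re.sub(r"==\s*[0-9][0-9.]*", "==" + bumps[m.group(1).lower()], line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    results = audit(REQUIREMENTS, ADVISORIES)
    for name, version, hits, fix in results:
        action = f"bump to {fix}" if fix else "no fixed release: mitigate or replace"
        print(f"{name}=={version}: {', '.join(hits)} -> {action}")
    print(apply_upgrades(REQUIREMENTS, results))
```

With the constructed data, examplelib is bumped past both advisories to 1.4.1 rather than to the first fix 1.3.5, sigtool moves to 2.4.3, fastparse is already clean, and legacycrypt is reported with no fixed release. In practice the advisory table comes from an SCA tool or a vulnerability database, and a real version comparison must use the ecosystem's own rules rather than the dotted-integer shortcut used here.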
Or, perhaps you've seen comments on Reddit claiming that your favorite developer tool is all you need to secure your code. In reality, the security features built into general-purpose developer tools rarely give you comprehensive coverage on their own. You need the right testing types in the right places throughout your SDLC (static analysis of your own code, software composition analysis of your dependencies, and dynamic testing of the running application), so that your CI/CD pipeline is covered and you can work with peace of mind.
We’ve only scratched the surface when it comes to urban myths about secure coding! To learn more about some of these common conundrums (and their realities), download our eBook: 6 Urban Myths About Secure Coding.