
Security in software development: How to protect...

Software development • 1 February 2026

As of: 4 May 2026 · Reading time: 3 min


Key takeaways

  • Learn how secure software development works.
  • From Security by Design to OWASP to penetration tests – a guide to building secure applications.


“Good software is not an accident—it comes from a structured development process with clear quality standards.”

– Björn Groenewold, Managing Director, Groenewold IT Solutions

The Threat Situation in Numbers


More than 2,200 cyber attacks occur every day. A data breach costs companies more than EUR 4 million on average. Preventive security measures cost a fraction of that.

Security built into development from the start is more effective and cheaper than patching vulnerabilities after deployment.

Security by Design: Build It In From the Start


Security by Design means integrating protective measures across the development process. It is not an afterthought. It is an architectural principle.

Core Principles

  • Least Privilege — Components receive only the permissions they need
  • Defense in Depth — Multiple security layers protect against different attack types
  • Fail Secure — Systems default to a safe state when something goes wrong
  • Input Validation — All data inputs are validated and sanitized before processing
  • Secure Defaults — Standard configurations prioritize safety over ease of access

The OWASP Top 10: The Most Common Security Risks


The Open Web Application Security Project maintains a list of the most critical vulnerabilities. Every development team should know these:

  1. Injection Attacks (SQL, NoSQL, OS) — Untrusted input submitted through input fields ends up being interpreted as part of a query or command. Mitigated through parameterized statements and strict input validation.
  2. Broken Authentication — Weak authentication enables unauthorized access. Addressed with multi-factor authentication and secure session management.
  3. Sensitive Data Exposure — Inadequate data protection exposes personal or financial data. Controlled through encryption in transit and at rest, plus secure key management.
  4. XML External Entities (XXE) — Parser-based attacks exploit XML processing. Prevented by disabling external entity processing in XML parsers.
  5. Broken Access Control — Insufficient authorization allows users to access data or functions beyond their permissions. Remedied through role-based access control and server-side validation.
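To make item 1 concrete, here is an added example (not code from the original article or from Groenewold IT Solutions) that puts the string-concatenated query beside its parameterized form and adds the allow-list validation the article recommends. The sample users and the `users` table are constructed for the demonstration; Python's built-in sqlite3 module stands in for whatever database the application uses.

```python
import re
import sqlite3

# Constructed in-memory sample database for the demonstration (not real data).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con

def find_user_vulnerable(con, name):
    # String concatenation: the input becomes part of the SQL text itself,
    # so a quote character in the input changes the meaning of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def find_user_parameterized(con, name):
    # Parameterized statement: the driver binds the value as data;
    # it is never parsed as SQL, whatever characters it contains.
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Allow-list for user names (an assumed application rule for this example).
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def find_user_hardened(con, name):
    # Defense in depth: strict input validation in front of the parameterized query,
    # so malformed input is rejected before it reaches the database at all.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return find_user_parameterized(con, name)

if __name__ == "__main__":
    con = make_db()
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(con, "bob"))       # [('bob', 'user')]
    print(find_user_vulnerable(con, hostile))     # every row: the WHERE clause became a tautology
    print(find_user_parameterized(con, hostile))  # []: no user is literally named "x' OR '1'='1"
```

The vulnerable variant returns the whole table for the hostile input, the parameterized variant returns nothing, and the hardened variant refuses the input before any query runs.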

Security Measures in Practice

Encryption

  • TLS/HTTPS for all data in transit
  • Database encryption for sensitive stored data
  • Password hashing using bcrypt or argon2 — never plain MD5 or SHA1

Authentication and Authorization

  • OAuth 2.0 and OpenID Connect for modern authentication flows
  • JWT (JSON Web Tokens) for stateless token-based security
  • Multi-factor authentication for accounts with elevated access rights

Code Security

  • SAST (Static Application Security Testing) — Automated analysis of source code before deployment
  • DAST (Dynamic Application Security Testing) — Runtime vulnerability detection against a running application
  • Mandatory code reviews for all security-relevant changes

Patch and Dependency Management

  • Track all third-party libraries and their known vulnerabilities
  • Use tools like Snyk or Dependabot for automated dependency scanning
  • Apply security patches within defined SLAs — critical vulnerabilities within 24–72 hours

What Mid-Sized Companies Should Require From Their Development Partners


When selecting a software development partner, ask:

  • Is Security by Design part of their standard process — or an add-on?
  • Do they perform SAST/DAST scans as part of the build pipeline?
  • How do they handle discovered vulnerabilities after delivery?
  • Do they provide a Software Bill of Materials (SBOM) for your project?

Security is not a feature that can be added at the end. It must be embedded from the first sprint.


About the author

Björn Groenewold (Dipl.-Inf.)

Managing Director of Groenewold IT Solutions GmbH and Hyperspace GmbH

Since 2009 Björn Groenewold has been developing software solutions for the mid-market. He is Managing Director of Groenewold IT Solutions GmbH (founded 2012) and Hyperspace GmbH. As founder of Groenewold IT Solutions he has successfully supported more than 250 projects – from legacy modernisation to AI integration.

