I’m considering offering software security reviews as a business. It’s something I excel in and have extensive training and experience with. I see a need for it because other coders think they know a lot about software security but leave their code open to SQL Injection, which is consistently on the OWASP top 10 for security flaws.

I’ve seen it happen with my own eyes across multiple places of employment. At the time, I didn’t have the confidence to speak up about it and believed the other developers because they were more senior than me. Now that I have more experience under my belt, I know that it’s an incredibly large issue that needs to be addressed. I can safely say that, if you’re writing your own code, you need code security reviews. Some companies I’ve worked for have fancy code scanning tools but no knowledge as to what the scans come back with or how to handle them. They are convinced that the scanning tools are good enough, but I know firsthand that they’re not. They do help, but they don’t prevent vulnerable code from being pushed to production.

How would someone start a company like this? Do you see a need for it in your business?

  • DueSignificance2628@alien.topB · 10 months ago

    How about a level below an outsourced CISO? As you noted, a lot of companies use static code scanning tools, but those generate a lot of “noise” data. How about you offer to go through that and identify what really is an issue, and mark off the ones that aren’t?

    • NonageGames@alien.topOPB · 10 months ago

      That’s genius, I appreciate that. It sounds like a clearer way to present the idea that may align better with their company goals.