A good practice is to have your applications run past an application security specialist. Before it goes into production, the appsec person can break it every way they know how, and the developer can then fix those issues. In this method, the developer is learning with every bit of code they submit, and hopefully will not make the same mistakes again. That's where the role of "security expert" comes in as it relates to the community at HN. HN is developer-oriented, and having a dedicated appsec person fulfills that role that is so often forgotten.

In my role as security engineer for my company (as opposed to being a developer), it's nice finding possible exploits and passing them to our appsec guy for review. Being the guy who both finds (or develops) and also exploits/documents/patches the security flaws leads to a feedback loop far too often. Being a security-conscious developer doesn't preclude the need for an application security engineer.