What this report says to me is that there are still a lot of development teams that don’t take security seriously enough when releasing applications to the web.  I thought it was very telling when the mySQL.com website was brought down by a SQL injection attack this past weekend.  Without the inclusion of a security mindset during all phases of a development project you are leaving yourself open to vulnerabilities. 

A Forrester Consulting report commissioned by Microsoft in November of 2010 showed that “most companies choose to transfer risk from development to operations, where remediation cost for vulnerabilities are the highest.”  The report went on to show that almost half of companies do not perform any type of security testing on third party code.

We, as developers, must help change those numbers and show the importance of security in the SDLC.  We have to educate ourselves first, then bring our arguments to the business owners to show the positive impact taking a little bit of time up front will bring to the organization.  Compliance shouldn’t, and can’t, be the only reason to pay attention to software security.

There are resources out there that I would recommend every developer to familiarize yourself with:

http://www.owasp.org – Open Web Application Security Project, an open source community focused on the security of application software. 

http://www.isc2.org - A leader in educating and certifying security professionals (I have my CSSLP through this organization)

http://www.microsoft.com/security/sdl/ - Yes, even Microsoft has a Security SDL for us .NET developers that need to make sure our software is secure.

Know of any more?  Leave a comment and discuss…

With this first step complete, I will now focus my efforts on continuing to refine and grow our PMO, methodologies, and project management team.  We have a great team already, and I can see great things in the future for everyone on it.

Over the years, though, I have become more and more of a believer in formal Project Management. I am amazed at how many years I spent floundering on projects without a project manager assigned, and it astounds me that many companies are still in that situation. A good project management group within an organization more than pays for itself in reduced costs, errors, rework, and frustration. A common theme with candidates that apply here is that they are tired of working in an environment where there is little to no direction, no real plan, and the chaos that is created when you try to make a group of stubborn programmers work together without someone showing them the path.

So, as a proponent of project management, I have decided to put my money where my mouth is and pursue my PMP, with the ultimate goal of getting my PgMP in a couple of years. The past month of studying the PMBOK guide and talking with the project managers at Pearl Technology have opened my eyes further to the impact that a good project manager can have in all aspects of an organization.

I’ll keep you all informed of my progress. In the mean time, know that Pearl Technology takes project management very seriously and has a staff of highly trained, qualified project managers that we bring into our projects to help ensure their total success.

For example, I memorized a few books and got my Microsoft Certified Systems Engineer (MCSE) certification a few years ago.  This required me passing a test in MS Exchange when I was working for a company using Lotus Notes and never having used Exchange (or Outlook) before.  I don’t put much weight in that certification and don’t even have it on my resume. 

However, I see some of the certifications members of our company have and am blown away.  Whether it is the PMP certification (requries 4500 hours of project management experience), MCPD (Microsoft Certified Professional Developer) or our security team’s multiple (ISC)2 certifications, they all show that the person holding the certification has put in the time and energy to not only memorize the book, but also to become a specialist in their field.

My belief is that we are all *hopefully* working in our career of choice, and when you achieve the highest level of certification in that career you are showing that you are someone who wants to be the best in that field.  You aren’t simply passing the days getting your paycheck, but are putting in that extra effort to hit your personal goals and build your “ego wall”.

What will your ego wall say about you when you retire?  Will it say that you did what you needed to in order to stay employed?  Or will it show that you always strove to improve, be the best and that you ultimately conquered your career?

Things were rolling according to plan until I received an unsolicited offer from a Fortune 50 company to manage their service delivery to another Fortune 50 company. Having worked in the SMB field my entire career I decided to see how life was in a large enterprise environment. The company was great to work for, but it didn’t take long for me to miss the camaraderie and challenges that I had left at Pearl. I was fortunate to stay close to the business and was invited back as the Vice President of Application Development in August of this year.

I am excited for the opportunities that exist for our development team. Though I was only gone for little more than a year the landscape has changed drastically. We are creating a more focused strategy that will allow Pearl Technology to grow in our position as the premier development team in Central Illinois and beyond.

Plans for the fourth quarter of 2010 include building our Mobile Application and SharePoint practices while continuing to grow our custom development offerings. As we move into 2011 and beyond expect to see some exciting and educational posts in this blog that center around those areas. I will also be updating the blog regularly on market trends and how Pearl Technology is adapting to the world around us.