We all know that as the internet of things (IoT) and digital transformation make life more convenient and productive, technology also invites wide-ranging cyberthreats for enterprises. From stealing consumers’ bank account or financial data to hacking public utilities or even nuclear power plants, the threats are all around us. As a result, security is an issue for most companies, CTOs, CIOs and software engineers. In fact, the high security requirements of industrial IoT systems represent the No. 1 challenge for 49.1 percent of developers working in that space, according to Evans Data’s The Internet of Things Development Survey.

“In today’s technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organization’s size or industry,” said Chris Wysopal, co-founder and CTO of Veracode, a software security company. However, in a September 2016 Veracode survey of IT decision-makers involved in cybersecurity, 83 percent of the respondents said that they released code before testing or resolving security issues involving bugs. And a March 2015 IBM report titled "The State of Mobile Application Insecurity" found that one-third of companies weren’t even testing mobile applications for security vulnerabilities.

It’s shocking that, although attacks against corporate assets are on the rise, application and software development security still lags behind as an afterthought.

Developers on the front lines

What’s to stop someone from hacking into an online software system or application and stealing data or access to critical processes? Both the threats and the solutions depend on software, and many software development professionals are well aware of the situation. One wall of defense is secure development with a focus on quality assurance, testing and code review.
In fact, software developers — whether your team is in-house or outsourced — might be your enterprise’s front line of defense, provided they maintain a security mindset.

There are various ways for developers to test and check code. For example, they could use static application security testing tools or dynamic application security testing technologies, or engage in visual testing. Some specialists even battle for greater software security by intentionally playing the role of adversary — an approach often referred to as white hat testing. These experts hunt for security vulnerabilities used by attackers to circumvent security controls. IBM X-Force Red is one example; this group of security professionals and ethical hackers helps businesses discover vulnerabilities in their computer networks, hardware and software applications before cybercriminals do. IBM X-Force Red is led by noted testing expert Charles Henderson. “Having a machine scan your servers and source code is a great step to help prevent data breaches, but the human element of security testing cannot be overlooked,” Henderson says.

Looking back, software development teams that I worked with in the 1980s and 1990s rarely did code review. Today, it’s expected and a professional must-do — so much so that software developers have stepped it up, taking on bigger roles in ensuring application security. According to a December 2016 Veracode survey, 40 percent now incorporate security testing during programming, and 21 percent during the design stage. Testing early in the development process finds code defects at the point where it’s least costly to fix them.

A useful resource to check out is OWASP — The Open Web Application Security Project. It’s a not-for-profit organization focused on improving the security of software.
OWASP provides impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. One of its many resources is an “Application Security How-To” section (see OWASP.org).

When there’s not enough talent

While it’s key to focus on security during software development, the limited talent pool confounds the situation: There aren’t enough professionals to keep up with the growing threats. Indeed, finding and keeping good software development talent is already challenging enough, let alone retaining talent that’s security-focused.

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” says James A. Lewis of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). CSIS recently partnered with Intel Security to release a report titled "Hacking the Skills Shortage," which outlines the talent shortage crisis impacting the cybersecurity industry across both companies and nations. “This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization,” says Lewis.

While it can be challenging to find software development professionals — especially those who are serious about security — the right kind of software engineering professionals and teams do exist. Outsourcing to an onshore, nearshore or offshore team is a solution. Many world-class, highly trained software development providers are available, and they are cost-effective and have a security mindset.

When you outsource software development, make sure you hire a reputable team that makes security a priority. Avoid developers who don’t take it seriously. They’re a risk you don’t need.
Instead, make sure your provider is proficient in security by discussing it early on. Ask potential outsourcing partners to provide examples of how they make security a priority, and find out what code QA and testing methods they use, when in the development process they start testing and whether they use a variety of tests to confirm quality. Also ask them to demonstrate that they are current on the latest testing and QA practices.