A lot of these security auditors (but not all!) are just running automated tools and generating automated reports.

Woah... A professional security auditor actually knows what to look for and would be flexible enough to understand (and manipulate) what your software is doing. If you are paying someone to run a script, you're not getting your money's worth.

Even a dedicated security guy at a large company can't be everywhere and doesn't know everything (or even understand, say, hypervisor security).

True, that's why ideally you'd want a team of people on this, not just one security guy to carry the globe.

I agree though, security needs to be thought out from the beginning and throughout the development process. The later you catch something, the harder it is to fix. But you need a fair amount of experience as a developer to see security issues thoroughly (because you often need to understand the platforms you are building on, not just your domain). So if you don't have that knowledge you can either teach yourself or, if you don't have the time, let someone else do it.

Having a thorough understanding of what you are actually doing does take care of most of that. I doubt that's where a startup's priorities are, sadly. For most, speed > solid code.
