fian | 3 years ago
We have a team dedicated to performing security reviews for most code changes. Your change can't go to Production until it has been assessed by someone from the secure code team. They can request rework if they think you have introduced a vulnerability.
We have regular pen-testing performed.
There are various vulnerability scanners running against the code repos and blocking builds if a dependency is identified to contain a new CVE.
The project I mainly work on has been in active development for decades. It has well defined frameworks for many common actions. Most of the time we are working within those frameworks, which have already been vetted thoroughly. Ironically, it is rare that we would need to touch code in a way that could introduce a vulnerability.
In a previous role I worked on desktop applications for engineering simulation. There was no requirement for secure coding for those projects as there was no central database. All the models were file based.
So it depends on the project and the risk and consequence of a malicious actor finding a vulnerability and exploiting it. The health and finance sectors have to take secure coding seriously. From experience, many Oil and Gas companies are also super strict on controlling data access and will often request proof that a software application has been security reviewed and pen-tested.