Why your developers are still creating insecure appsTuesday, January 3, 2017
The majority of developers and DevOps managers report growing pressures on security testing, while processes also need optimisation.
Although the collaborative nature of DevOps has smoothed out many delivery ripples in software projects for those companies that have implemented it, security remains a real challenge according to a new survey.
Developers are under increasing time pressure, and delays caused by application security testing are a particular issue, with 52.2 per cent of developers stating that this challenge is contributing to their woes. That figure rises to 54.3 per cent of DevOps managers, who are clearly feeling the impact even more acutely, according to a wide-reaching survey by Veracode.
In fact, developers rated the security vs timeliness challenge as the biggest they face on a regular basis, with the issue of difficulty of legacy application security processes adding complexity and slowing time-to-market being reported as a top challenge by 46 per cent of developers and 44 per cent of DevOps managers.
Interestingly, many organisations are failing to optimise their application security design process, with nearly 10 per cent of organizations integrating security in operations and 5.6 per cent are doing so in testing. In better news, 39.9 per cent integrate security at the programming stage, and a small percentage are addressing security in the design stage, where potential issues can be identified and fixed where it is least costly to do so. Large enterprises (25.7 per cent) are moving application security into the design stage faster than their smaller counterparts, and the education (28 per cent) and healthcare (28.9 per cent) industries are slightly ahead here as well. A small percentage of organizations are shifting security considerations into the requirements and analysis stages.
There’s no question that good intentions are there - in Germany and the UK, 40.5 per cent of developers said that stopping cyberattacks and breaches is their top concern, versus 37.6 per cent of development managers. The only industry where developers ranked another concern higher than stopping cyberattacks and breaches is healthcare, where meeting customer and/or regulatory compliance is an even greater concern (34.2 percent vs 28.9 percent).
Of the whole gamut of application vulnerabilities, developers scored sensitive data exposure as the most important by far, with 52.5 per cent, while broken authentication and session management, named by 37.2 per cent of developers as a top concern. Missing function-level access control, Cross-Site Scripting and injection were all cited as top concerns by around 33 per cent of developers. Unfortunately, the survey didn’t cover DevOps manager concerns over common web application weaknesses, which would have been revealing.
Interestingly, although a large share of developers say their organizations are securing applications during development, web application firewalls (WAF) remain the most common form of protection for applications, with 55.8 per cent of organizations use a WAF, with slightly higher volumes in financial services (60.8 per cent) and engineering industries (60.3 per cent) using a WAF.
Unfortunately, as High-Tech Bridge research has found in the past, blanket WAF deployment is rarely much more than a sticking plaster at best - on average, web applications protected with a WAF contain 20 per cent more vulnerabilities on average than unprotected ones. In addition, many customers abandon WAF integration with automated scanning tools due to a high rate of false-positives. Ilia Kolochenko, High-Tech Bridge CEO said: “Web Application Firewalls don’t work in isolation from other security technologies anymore. Web application security requires a comprehensive approach, including Secure Software Development Lifecycle (S-SDLC), continuous monitoring, and regular manual or hybrid web security testing to complement automated vulnerability scanning.”
In a recent report, Forrester found that 88 per cent of developers feel increased pressure to produce more frequent releases, and that intense pressure to shorten development timelines is unlikely to reduce through 2017. On the brighter side, given that applications were the main source of data exfiltration in 2016 (according to Gartner), at least a significant number of organisations are moving in the right direction...