Recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low, according to Checkmarx.
As highlighted by the Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year. Attacks against every business sector rose significantly with financial particularly hard hit with a 51% increase in the number of reported incidents. The report also suggests that CVEs are not being addressed quickly enough by developers with the top 10 vulnerabilities accounting for 85% of successful exploited traffic.
Developers and security testing
However, collating data from the recent ‘SANS institute 2016 State of Application Security: Skills, Configurations and Components’ report highlights that developer awareness regarding security controls is increasing. Although, the report suggests the development community is not getting enough support with a lack of application security skills, tools and methods ranked as being in the top three challenges to implementing application security by 38% of respondents, followed by lack of funding or management buy-in (37%).
The SANS report also shows that security testing schedules are diverse but heading towards a more continual approach with 60% indicating that they test applications continuously, with 27% using continuous assessment in their Agile development processes. However, 53% of respondents still test applications when they are initially launched into production.
This test cycle is showing benefits. The largest group (57%) said they find one to 25 vulnerabilities per month and the survey found the largest number (24%) said that over half of critical vulnerabilities they found were related to code bugs rather than to misconfigurations.
The most disappointing area was in remediation where the survey found less than 30% are achieving a 75%–99% level of satisfaction with the speed it takes to repair their vulnerabilities. The speed at which patches are applied is comparable to last year’s survey, with 26% of vulnerabilities being patched within two to seven days, and another 26% within eight to 30 days.
The reasons are varied but lack of funding or management buy-in is a major issue with nearly a third (29%) of developers saying that saying that their organisations spend 1% or less of IT budgets on information security.
In Ashbel’s view, even with slim budgets organisations need to think about the long term value of early detection of vulnerabilities. “Investing in developer AppSec education programs and white box testing tools can have a massive return on investment compared to the cost of breaches and urgent remediation work after an app has gone live.”
What organizations can do
Ashbel suggests three areas where organisations can help counter this issue.
1. Education is key and has a long term rolling positive effect. Once you have been able to build a small team of developers who know Application Security and can practice secure coding best practices, you have created a healthy basis which can easily be positioned as a position for others to strive for. Give eager and motivated developers a chance to grow within the company and take leadership of application security concerns within development. At the end of the day, all deliveries start from the developer and security should be no different. Education and knowledge also helps bridging the gap between the Dev teams and the Security teams. Cooperation between these teams is key for AppSec success.
2. Make application security a top priority and build the correct processes to help developers make secure coding practices part of their daily routine. Integrate static application security testing solutions within the SDLC and make sure developer work flow is not negatively impacted. Of course, when looking for the right solution, make sure your developers are part of the evaluation process. Otherwise you might end up with very expensive shelfware.