An AppSec Report Card: Developers Barely PassingA new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security such as how to protect sensitive data, Web services, and threat modeling.
Let me start by recounting an Aesop’s Fable "The Stag at the Pool."
A stag saw his shadow reflected in the water. Although he greatly admired the size of his antlers, he was angry with himself for having such weak feet. While he was contemplating himself, a lion appeared. The stag took flight and kept at a safe distance from the lion, until he entered a wood and became entangled by his horns. The lion quickly came up and caught him. The stag reproached himself: "Woe is me! How have I deceived myself! These feet which would have saved me I despised, and I gloried in these antlers which have proved my destruction."
A decade ago a chief information security officer (CISO) wasn’t in the lexicon. Fast forward ten years and you can find thousands of CISOs serving companies large and small. Some positions are created in response to having sustained a massive breach, like Neiman Marcus. Others are created to try and get a handle on organizational security because hacks and breaches harm profits. Just ask Target. Or Home Depot.
Modern technology is stunningly effective. We can do so many things quickly and efficiently. Open-source libraries are an excellent example of how people across the world can collaborate and produce good products. Despite rapid technological advances and changes, the way in which developers write code has not changed. And if secure coding practices aren’t taught, developers can’t be expected to produce secure code and deploy safe applications.
What developers don’t know about AppSec
In the recent 2014 State of Application Developer Security Knowledge Report, a year-long study by Aspect Security on what 1,425 developers from 695 organizations worldwide know and don’t know about security, we discovered some areas developers understand well, and some critical areas with which they struggle. Our study details the results of a fully randomized test of basic application security knowledge across 65 different areas. Here are a few key findings:
Protecting Sensitive Data: 80% of developers answered incorrectly.
Data breaches are the most common security exploits. Hundreds of millions of account details have been stolen this year alone. Developers must know what your different types of data are and be taught how to properly protect each.
Introduction to Web Services Security: 64% of developers answered incorrectly.
If your organization is moving to service oriented architecture, publishes APIs, has REST interfaces, is using JQuery or Angular, or is building rich clients, then the low scores here should be of particular concern. There are lots of ways to build these APIs insecurely, and your developers need to understand the right way to do things.
Threat Modeling and Security Architecture Review: 74% of developers answered incorrectly.
Developers didn’t do very well when asked about security architecture and security models. Without a plan, framework, and guardrails in place, it’s not surprising that code gets built with architecture-level vulnerabilities in place. Training your team how to communicate and collaborate on security is a smart investment.
What’s in it for me?
While industry reports provide general information, they can’t tell you what your developers know about application security. Are your developers in the camp that scored just 36% on Web Services Authentication and Authorization? Or did they score 81% on Cross Site Request Forgery? Are you able to answer questions like:
• Do you have vulnerabilities you haven’t fixed? (The answer is yes.)
• Do you have vulnerabilities you don’t know about? (The answer is yes.)
• Do your employees have sufficient time to learn about the latest vulnerabilities, the skills to understand secure coding, and the support to put those things into practice? (The answer is: … that’s up to you.)
If you don’t know, that’s OK. You can find out where you fall short by taking a free Secure Coder Analytics quiz (also created by Aspect Security). The results for your organization will be specific and actionable, not industry guidance, antlers of beauty though they are. They’ll point to what you need and get you down to the details that matter. They’ll be the feet that carry you swiftly away from attackers.
Some organizations do quite well in many application security measures. They understand what SQL Injection is and have taught their developers so they don’t create vulnerable code. But what about protecting sensitive data so a data breach doesn’t happen to you? Or using cryptography securely so credential handling and algorithm choice don’t become your undoing? Or authenticating users to manage identity properly so cross site request forgery doesn’t cough up organizational data?
Application security doesn’t happen by chance, it happens by choice; it happens by design. And with the average score for developers sitting at a barely passing 60.77%, clearly there needs to be more application security training by design. We need to value practical application of knowledge.
After all, that’s the moral of "The Stag at the Pool." What is most truly valuable is often underrated, and application security knowledge is certainly underrated. So get down to brass tacks and figure out what your developers know.
A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control ... View Full Bio