Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/26/2019
03:40 PM
100%
0%

An Alarming Number of Software Teams Are Missing Cybersecurity Expertise

The overwhelming majority of developers worry about security and consider it important, yet many lack a dedicated cybersecurity leader.

Despite concerns over software security, many companies have not assigned a cybersecurity leader to help secure their applications — a problem that will only worsen as demand for technical security experts deepens worldwide.

In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications, and about seven out of eight consider security to be an important development consideration, but only half of these teams have a dedicated cybersecurity expert. The "Developer Security Sentiment Study," which produced the data, found that about 49% of development teams lack a dedicated cybersecurity leader and 43% prioritize deadlines over secure coding.

"While developers' concerns about securing their code are on an upward trajectory, it's clear the industry has a long way to go," said Joseph Feiman, chief strategy officer for WhiteHat Security, in a statement. "Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden."

Holes in software security reflect the impact of companies' shift toward more agile programming methodologies. In the past, most IT dollars were spent by the actual IT organizations, and while that's still true, the budget of non-IT groups, such as DevOps, are growing, says Greg Young, vice president of cybersecurity at security firm Trend Micro. 

In 2020, businesses will be either a "have" or a "have-not" when it comes to security, he says.

"AppSec, cloud security, and securing DevOps are very doable, but they take new models, not just new tools," Young says. "The 'haves' will manage AppSec well, such as building security into DevOps by providing container and workload security automatically and managing cloud security postures even when they are in cloud spaces the company didn't know they owned. The 'have-nots' will continue to try and force DevOps into older security models, rather than adapting themselves, and miss out on innovation opportunities while getting hacked."

Adding to the pressures on companies and their ability to incorporate security into their development and operations is the general shortage of knowledgeable cybersecurity workers. Organizations that integrate security into their development life cycles generally have better security outcomes, but the shortage in workers means they have to pay a high price to do so, says Anthony Bettini, chief technology officer for WhiteHat Security.

"Companies that are able to pay for experienced AppSec people do," he says. "Companies whose budgets do not permit this either assign the role to someone internally or hire more junior folks from outside. The best approach likely depends on the organization based on their budget and time scale for the outcomes they desire to achieve."

Unsurprisingly, more than half of security professionals — 52% — have burned out at their job, according to the WhiteHat report.

Companies also have to worry about newer threats that affect software development, such as locking down their application programming interfaces (APIs) from abuse and security threats. More than a quarter of companies have detected reconnaissance attempts on their API servers, which make data and services available to Web and mobile applications, according to a survey of 100 attendees conducted by CloudVector at the Cyber Security and Cloud Expo. Another 16% do not know whether they have been attacked.

"The reality is likely [that the number of attacks is] much higher given that most organizations lack the capability to detect these threats," said Ravi Balupari, vice president of engineering and threat research at CloudVector, in a blog post. "The lack of visibility into API payloads is a major blind spot."

Developing in-house expertise in these cybersecurity threats does not seem to be a priority either. Only 30% of developers have received some sort of security certifications in their current or previous jobs, according to the WhiteHat survey. 

There is good news, however. The vast majority of development teams — 82% — said they scan their software at least monthly, the survey found.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.