Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

11/26/2019
03:40 PM

An Alarming Number of Software Teams Are Missing Cybersecurity Expertise

The overwhelming majority of developers worry about security and consider it important, yet many lack a dedicated cybersecurity leader.

Despite concerns over software security, many companies have not assigned a cybersecurity leader to help secure their applications, a problem that will only worsen as the worldwide shortage of technical security experts deepens.

In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications and about seven out of eight consider security an important development consideration, yet only about half of their teams have a dedicated cybersecurity expert. The "Developer Security Sentiment Study," which produced the data, found that 49% of development teams lack a dedicated cybersecurity leader and that 43% prioritize deadlines over secure coding.

"While developers' concerns about securing their code are on an upward trajectory, it's clear the industry has a long way to go," said Joseph Feiman, chief strategy officer for WhiteHat Security, in a statement. "Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden."

Holes in software security reflect the impact of companies' shift toward more agile programming methodologies. In the past, most IT dollars were spent by the actual IT organizations, and while that's still true, the budgets of non-IT groups, such as DevOps, are growing, says Greg Young, vice president of cybersecurity at security firm Trend Micro.

In 2020, businesses will be either a "have" or a "have-not" when it comes to security, he says.

"AppSec, cloud security, and securing DevOps are very doable, but they take new models, not just new tools," Young says. "The 'haves' will manage AppSec well, such as building security into DevOps by providing container and workload security automatically and managing cloud security postures even when they are in cloud spaces the company didn't know they owned. The 'have-nots' will continue to try and force DevOps into older security models, rather than adapting themselves, and miss out on innovation opportunities while getting hacked."

Adding to the pressures on companies and their ability to incorporate security into their development and operations is the general shortage of knowledgeable cybersecurity workers. Organizations that integrate security into their development life cycles generally have better security outcomes, but the shortage in workers means they have to pay a high price to do so, says Anthony Bettini, chief technology officer for WhiteHat Security.

"Companies that are able to pay for experienced AppSec people do," he says. "Companies whose budgets do not permit this either assign the role to someone internally or hire more junior folks from outside. The best approach likely depends on the organization based on their budget and time scale for the outcomes they desire to achieve."

Unsurprisingly, more than half of security professionals — 52% — have burned out at their job, according to the WhiteHat report.

Companies also have to contend with newer problems that affect software development, such as locking down their application programming interfaces (APIs) against abuse. More than a quarter of companies have detected reconnaissance attempts against their API servers, which make data and services available to Web and mobile applications, according to a survey of 100 attendees conducted by CloudVector at the Cyber Security and Cloud Expo. Another 16% do not know whether they have been attacked.

"The reality is likely [that the number of attacks is] much higher given that most organizations lack the capability to detect these threats," said Ravi Balupari, vice president of engineering and threat research at CloudVector, in a blog post. "The lack of visibility into API payloads is a major blind spot."
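The reconnaissance the CloudVector survey asks about usually shows up first in ordinary access logs: one client walking many endpoints in a short time, collecting 401/403/404 responses, and stepping through numeric IDs. The script below is an added example, not code from the article, WhiteHat or CloudVector; it scores each client IP in a sliding window on those three signals. The log format, the thresholds and the sample lines are all constructed for illustration. Note what it cannot see: it works only on request metadata, so it finds enumeration but says nothing about what was inside the payloads, which is exactly the blind spot Balupari describes.

```python
"""Heuristic API-reconnaissance detector over web-server access logs.

Added example (not from the original article or from CloudVector). It flags
client IPs whose requests look like endpoint discovery inside a sliding time
window: many distinct paths, a high share of 4xx responses, and sequential
numeric ID enumeration. Log format, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ip> [<ISO-8601 ts>] \"<method> <path> <proto>\" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Illustrative thresholds, chosen for this example rather than taken from the article.
WINDOW = timedelta(minutes=5)
MIN_REQUESTS = 8          # ignore clients with too little traffic in a window
MIN_DISTINCT_PATHS = 6    # endpoint discovery touches many different paths
CLIENT_ERROR_RATIO = 0.5  # guessing paths produces mostly 401/403/404
SEQUENTIAL_IDS = 4        # /users/1, /users/2, ... looks like ID enumeration


def parse_line(line):
    """Parse one log line; return a dict or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def _longest_sequential_id_run(paths):
    """Longest run of consecutive numeric IDs under the same path prefix."""
    by_prefix = defaultdict(set)
    for p in paths:
        m = re.match(r"^(.*/)(\d+)$", p)
        if m:
            by_prefix[m.group(1)].add(int(m.group(2)))
    longest = 0
    for ids in by_prefix.values():
        ordered = sorted(ids)
        run = 1
        longest = max(longest, run)
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
    return longest


def detect_recon(lines):
    """Return {ip: [reasons]} for clients whose traffic looks like API discovery."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = {"distinct": 0, "err_ratio": 0.0, "seq": 0}
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits inside WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_REQUESTS:
                continue
            paths = [e["path"] for e in window]
            errors = sum(1 for e in window if 400 <= e["status"] < 500)
            best["distinct"] = max(best["distinct"], len(set(paths)))
            best["err_ratio"] = max(best["err_ratio"], errors / len(window))
            best["seq"] = max(best["seq"], _longest_sequential_id_run(paths))

        reasons = []
        if best["distinct"] >= MIN_DISTINCT_PATHS:
            reasons.append(f"{best['distinct']} distinct paths")
        if best["err_ratio"] >= CLIENT_ERROR_RATIO:
            reasons.append(f"{round(best['err_ratio'] * 100)}% 4xx responses")
        if best["seq"] >= SEQUENTIAL_IDS:
            reasons.append(f"{best['seq']} sequential IDs")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: one scanning client (203.0.113.7) and one normal client.
SAMPLE_LOG = """\
203.0.113.7 [2019-11-21T10:00:01] "GET /api/v1/users HTTP/1.1" 401
203.0.113.7 [2019-11-21T10:00:02] "GET /api/v1/admin HTTP/1.1" 404
203.0.113.7 [2019-11-21T10:00:03] "GET /api/v1/accounts HTTP/1.1" 404
203.0.113.7 [2019-11-21T10:00:04] "GET /api/v1/orders HTTP/1.1" 401
203.0.113.7 [2019-11-21T10:00:05] "GET /api/v2/users HTTP/1.1" 404
203.0.113.7 [2019-11-21T10:00:06] "GET /api/v1/users/1 HTTP/1.1" 403
203.0.113.7 [2019-11-21T10:00:07] "GET /api/v1/users/2 HTTP/1.1" 403
203.0.113.7 [2019-11-21T10:00:08] "GET /api/v1/users/3 HTTP/1.1" 403
203.0.113.7 [2019-11-21T10:00:09] "GET /api/v1/users/4 HTTP/1.1" 403
198.51.100.20 [2019-11-21T10:00:01] "GET /api/v1/orders HTTP/1.1" 200
198.51.100.20 [2019-11-21T10:00:30] "POST /api/v1/orders HTTP/1.1" 201
198.51.100.20 [2019-11-21T10:01:00] "GET /api/v1/orders/42 HTTP/1.1" 200
"""

if __name__ == "__main__":
    for ip, reasons in detect_recon(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

Run against real logs, the same three signals are what a gateway or WAF rule would alert on; the thresholds need tuning per API, since a legitimate single-page app can also touch many endpoints quickly, and the 4xx ratio is the more discriminating signal of the three.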

Developing in-house expertise in these cybersecurity threats does not seem to be a priority either. Only 30% of developers have received some sort of security certifications in their current or previous jobs, according to the WhiteHat survey. 

There is good news, however. The vast majority of development teams — 82% — said they scan their software at least monthly, the survey found.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...