Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:30 AM
Jeff Williams
Jeff Williams
Connect Directly
E-Mail vvv

An AppSec Report Card: Developers Barely Passing

A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security such as how to protect sensitive data, Web services, and threat modeling.

Let me start by recounting an Aesop’s Fable "The Stag at the Pool."

A stag saw his shadow reflected in the water. Although he greatly admired the size of his antlers, he was angry with himself for having such weak feet. While he was contemplating himself, a lion appeared. The stag took flight and kept at a safe distance from the lion, until he entered a wood and became entangled by his horns. The lion quickly came up and caught him. The stag reproached himself: "Woe is me! How have I deceived myself! These feet which would have saved me I despised, and I gloried in these antlers which have proved my destruction."

A decade ago a chief information security officer (CISO) wasn’t in the lexicon. Fast forward ten years and you can find thousands of CISOs serving companies large and small. Some positions are created in response to having sustained a massive breach, like Neiman Marcus. Others are created to try and get a handle on organizational security because hacks and breaches harm profits. Just ask Target. Or Home Depot.

Modern technology is stunningly effective. We can do so many things quickly and efficiently. Open-source libraries are an excellent example of how people across the world can collaborate and produce good products. Despite rapid technological advances and changes, the way in which developers write code has not changed. And if secure coding practices aren’t taught, developers can’t be expected to produce secure code and deploy safe applications.

What developers don’t know about AppSec
In the recent 2014 State of Application Developer Security Knowledge Report, a year-long study by Aspect Security on what 1,425 developers from 695 organizations worldwide know and don’t know about security, we discovered some areas developers understand well, and some critical areas with which they struggle. Our study details the results of a fully randomized test of basic application security knowledge across 65 different areas. Here are a few key findings:

Protecting Sensitive Data: 80% of developers answered incorrectly.
Data breaches are the most common security exploits. Hundreds of millions of account details have been stolen this year alone. Developers must know what your different types of data are and be taught how to properly protect each.

Introduction to Web Services Security: 64% of developers answered incorrectly.
If your organization is moving to service oriented architecture, publishes APIs, has REST interfaces, is using JQuery or Angular, or is building rich clients, then the low scores here should be of particular concern. There are lots of ways to build these APIs insecurely, and your developers need to understand the right way to do things.

Threat Modeling and Security Architecture Review: 74% of developers answered incorrectly.
Developers didn’t do very well when asked about security architecture and security models. Without a plan, framework, and guardrails in place, it’s not surprising that code gets built with architecture-level vulnerabilities in place. Training your team how to communicate and collaborate on security is a smart investment.

What’s in it for me?
While industry reports provide general information, they can’t tell you what your developers know about application security. Are your developers in the camp that scored just 36% on Web Services Authentication and Authorization? Or did they score 81% on Cross Site Request Forgery? Are you able to answer questions like:

• Do you have vulnerabilities you haven’t fixed? (The answer is yes.)
• Do you have vulnerabilities you don’t know about? (The answer is yes.)
• Do your employees have sufficient time to learn about the latest vulnerabilities, the skills to understand secure coding, and the support to put those things into practice? (The answer is: … that’s up to you.)

If you don’t know, that’s OK. You can find out where you fall short by taking a free Secure Coder Analytics quiz (also created by Aspect Security). The results for your organization will be specific and actionable, not industry guidance, antlers of beauty though they are. They’ll point to what you need and get you down to the details that matter. They’ll be the feet that carry you swiftly away from attackers.

Some organizations do quite well in many application security measures. They understand what SQL Injection is and have taught their developers so they don’t create vulnerable code. But what about protecting sensitive data so a data breach doesn’t happen to you? Or using cryptography securely so credential handling and algorithm choice don’t become your undoing? Or authenticating users to manage identity properly so cross site request forgery doesn’t cough up organizational data?

Application security doesn’t happen by chance, it happens by choice; it happens by design. And with the average score for developers sitting at a barely passing 60.77%, clearly there needs to be more application security training by design. We need to value practical application of knowledge.

After all, that’s the moral of "The Stag at the Pool." What is most truly valuable is often underrated, and application security knowledge is certainly underrated. So get down to brass tacks and figure out what your developers know.


A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Robert McDougal
Robert McDougal,
User Rank: Ninja
9/19/2014 | 11:18:23 AM
Colleges are the problem
In my experience, the problem is the computer science curriculum taught in colleges. As a computer science grad myself I saw first-hand that the main priority was teaching programming basics, a handful of algorithms and shove you out the door. It was essentially an education assembly line.

Since my time in school nothing much seems to have changed because the majority of newly graduated CS majors I have worked with have never heard of OWASP or were taught how to prevent even a simple SQL injection vulnerability. Colleges need to change their teaching guidelines or nothing will ever change. However, getting colleges to change is like turning a barge around, it will take time.
<<   <   Page 2 / 2
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.