Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/8/2017
07:11 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Developers Lack Confidence in Application Security

A new survey says that developers aren't confident that their applications are secure - but they find solace in obscurity.

We like to say that security begins in the application development process, but a recent survey shows that most developers are less than confident in the security of the code they're turning out.

The survey, jointly conducted by NodeSource and Sqreen, a Node.js runtime component and web application company, respectively, found that 60% of developers lack confidence in their applications, with roughly one third confident that their code is free from vulnerabilities.

This admission come in spite of nearly three quarters of the survey respondents saying that security is an important part of their organization. The disconnect between an organization's attitude toward security and the ability to deliver on the attitude is one of the major impediments to application security and may well be counted as a root cause of a great number of vulnerabilities.

One of the reasons that developers continue to work with their low level of security confidence is that they are optimistic about their organization's chances of actually being attacked. On a scale of one to ten, with the likelihood of attack going up with the number, the average response was 3.44 for a large-scale attack in the next six months. Vulnerabilities, it seems, are not quite so scary if you don't think anyone will find and use them.

When it comes to the developers finding their own vulnerabilities, old-school tools and methods seem to rule. Asked how they make sure that their code is free from vulnerabilities, 55% say that they review their code while 46% have a colleague or colleagues work through the code. (The question allowed for more than one answer.) Just over one third use static analysis tools while less than one fifth use dynamic analysis.

Once the code is in use, the question of how it's protected from the vulnerabilities that developers worry about comes into play. Given that the population for the survey was developers, not security professionals, the answers may or may not reflect reality in the organization, but they do reflect the protections that developers assume are in place in front of their applications.

Over half of the developers (56%) say that a web application firewall is in place, while nearly that number (54%) point to DDoS-specific protection on the network. Over forty percent (43%) say that their organization makes use of one ore more security monitoring solution, while roughly one fifth are blissfully unaware of what's going on with security after the application leaves their hands.

Attacks on the enterprise are becoming more sophisticated and complex with each passing week. This survey shows that there is still significant room for improvement in the enterprise if the goal is building security into applications rather than depending solely on protection that is added during deployment.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26244
PUBLISHED: 2020-12-02
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expecte...
CVE-2020-28206
PUBLISHED: 2020-12-02
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also ...
CVE-2017-14451
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
CVE-2017-2910
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
CVE-2020-13493
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...