Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //

Developers Lack Confidence in Application Security

A new survey says that developers aren't confident that their applications are secure - but they find solace in obscurity.

We like to say that security begins in the application development process, but a recent survey shows that most developers are less than confident in the security of the code they're turning out.

The survey, jointly conducted by NodeSource and Sqreen, a Node.js runtime component and web application company, respectively, found that 60% of developers lack confidence in their applications, with roughly one third confident that their code is free from vulnerabilities.

This admission come in spite of nearly three quarters of the survey respondents saying that security is an important part of their organization. The disconnect between an organization's attitude toward security and the ability to deliver on the attitude is one of the major impediments to application security and may well be counted as a root cause of a great number of vulnerabilities.

One of the reasons that developers continue to work with their low level of security confidence is that they are optimistic about their organization's chances of actually being attacked. On a scale of one to ten, with the likelihood of attack going up with the number, the average response was 3.44 for a large-scale attack in the next six months. Vulnerabilities, it seems, are not quite so scary if you don't think anyone will find and use them.

When it comes to the developers finding their own vulnerabilities, old-school tools and methods seem to rule. Asked how they make sure that their code is free from vulnerabilities, 55% say that they review their code while 46% have a colleague or colleagues work through the code. (The question allowed for more than one answer.) Just over one third use static analysis tools while less than one fifth use dynamic analysis.

Once the code is in use, the question of how it's protected from the vulnerabilities that developers worry about comes into play. Given that the population for the survey was developers, not security professionals, the answers may or may not reflect reality in the organization, but they do reflect the protections that developers assume are in place in front of their applications.

Over half of the developers (56%) say that a web application firewall is in place, while nearly that number (54%) point to DDoS-specific protection on the network. Over forty percent (43%) say that their organization makes use of one ore more security monitoring solution, while roughly one fifth are blissfully unaware of what's going on with security after the application leaves their hands.

Attacks on the enterprise are becoming more sophisticated and complex with each passing week. This survey shows that there is still significant room for improvement in the enterprise if the goal is building security into applications rather than depending solely on protection that is added during deployment.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37452
PUBLISHED: 2022-08-07
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
CVE-2022-26979
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.
CVE-2022-27944
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference.
CVE-2022-2688
PUBLISHED: 2022-08-06
A vulnerability was found in SourceCodester Expense Management System. It has been rated as critical. This issue affects the function fetch_report_credit of the file report.php of the component POST Parameter Handler. The manipulation of the argument from/to leads to sql injection. The attack may be...
CVE-2022-2689
PUBLISHED: 2022-08-06
A vulnerability classified as problematic has been found in SourceCodester Wedding Hall Booking System. Affected is an unknown function of the file /whbs/?page=contact_us of the component Contact Page. The manipulation of the argument Message leads to cross site scripting. It is possible to launch t...