Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //

Developers Lack Confidence in Application Security

A new survey says that developers aren't confident that their applications are secure - but they find solace in obscurity.

We like to say that security begins in the application development process, but a recent survey shows that most developers are less than confident in the security of the code they're turning out.

The survey, jointly conducted by NodeSource and Sqreen, a Node.js runtime component and web application company, respectively, found that 60% of developers lack confidence in their applications, with roughly one third confident that their code is free from vulnerabilities.

This admission come in spite of nearly three quarters of the survey respondents saying that security is an important part of their organization. The disconnect between an organization's attitude toward security and the ability to deliver on the attitude is one of the major impediments to application security and may well be counted as a root cause of a great number of vulnerabilities.

One of the reasons that developers continue to work with their low level of security confidence is that they are optimistic about their organization's chances of actually being attacked. On a scale of one to ten, with the likelihood of attack going up with the number, the average response was 3.44 for a large-scale attack in the next six months. Vulnerabilities, it seems, are not quite so scary if you don't think anyone will find and use them.

When it comes to the developers finding their own vulnerabilities, old-school tools and methods seem to rule. Asked how they make sure that their code is free from vulnerabilities, 55% say that they review their code while 46% have a colleague or colleagues work through the code. (The question allowed for more than one answer.) Just over one third use static analysis tools while less than one fifth use dynamic analysis.

Once the code is in use, the question of how it's protected from the vulnerabilities that developers worry about comes into play. Given that the population for the survey was developers, not security professionals, the answers may or may not reflect reality in the organization, but they do reflect the protections that developers assume are in place in front of their applications.

Over half of the developers (56%) say that a web application firewall is in place, while nearly that number (54%) point to DDoS-specific protection on the network. Over forty percent (43%) say that their organization makes use of one ore more security monitoring solution, while roughly one fifth are blissfully unaware of what's going on with security after the application leaves their hands.

Attacks on the enterprise are becoming more sophisticated and complex with each passing week. This survey shows that there is still significant room for improvement in the enterprise if the goal is building security into applications rather than depending solely on protection that is added during deployment.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Practical Network Security Approaches for a Multicloud, Hybrid IT World
The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-30333
PUBLISHED: 2022-05-09
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVE-2022-23066
PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
CVE-2022-28463
PUBLISHED: 2022-05-08
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2022-28470
PUBLISHED: 2022-05-08
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
CVE-2022-1620
PUBLISHED: 2022-05-08
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.