Security investigate

Recipe for disaster? Developers pressured into delivering vulnerable code

Software development teams are finding themselves unable to scale security practices to match the volume of code they are expected to produce.

Firms are pushing developers to neglect security and rush out web apps without adequate safeguards to protect against online attacks.

Software development teams are struggling to scale security practices to match the volume of code they are expected to produce, a survey of 240 software development leads and security professionals at US and European companies found.

"In a highly competitive global economy, the ability to deliver products, services, and new engagement models is critical to the success and profitability of businesses," said The Software Security Risk Report by Forrester.

"Prolonging the time-to-market is simply not acceptable for many organizations. As a result, app-dev teams are under intense pressure to increase their delivery speed. Couple this with the fact that today's applications are increasingly more complex, and it is no surprise that organisations can't scale up their application security practices."

Nearly four fifth of those firms that had suffered a breach relating to a web app were also struggling to find a way to scale security to match the pace of development. About half of those surveyed said their firm had suffered a "security incident" related to web apps, with just under one in five saying such an incident had led to losses greater than $500,000.

Developers themselves also feel they are unable to devote sufficient time to addressing security issues.

"The vast majority of developers in our study believe that they should address every security issue," the report said.

"However, if the organization is pushing you to release revenue-generating and customer-facing apps as quickly as possible, it's unrealistic to address every security defect. "

Instead the report, commissioned by development testing firm Coverity, recommends developments teams adopt a "risk-based approach", where defects deemed to be "critical" are addressed.

Security professionals surveyed were generally unsympathetic to the challenge developers face balancing security needs against the demands of their job.

Half of security professionals said developers resist pressure to address security during development and only 24 per cent class developers as "extremely security-aware".

"These results suggest that security professionals clearly don't understand the challenges that application development folks are faced with, such as requiring security expertise to use some of the legacy code analysis tools and the lack of actionable remediation guidance," the report said, recommending that organisations devote time to bridging the gap in understanding between security pros and developers.

The report found that the majority of companies don't follow what it calls "secure development practices", with 58 per cent not using secure coding guidelines, 72 per cent not having libraries of approved and banned functions and three quarters not using threat modelling. Security testing is generally left until the end of the development process, with only 17 per cent of companies testing code during the development cycle.

These security shortcomings mean "that many organisations are still struggling with basic security flaws, such as default passwords, SQL injections, and security misconfigurations," the report said.

Development teams struggling with security should test earlier in the development life cycle, the report recommends, as well as using more automated code analysis testing. When picking security tools firms should choose those suited to developers who aren't security pros, that scale, that provide language and platform support, include IDE and built-script integration needs, have vulnerability coverage, analysis accuracy, risk scoring and integration with remediation systems, it said.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

0 comments