Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/8/2017
07:11 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Developers Lack Confidence in Application Security

A new survey says that developers aren't confident that their applications are secure - but they find solace in obscurity.

We like to say that security begins in the application development process, but a recent survey shows that most developers are less than confident in the security of the code they're turning out.

The survey, jointly conducted by NodeSource and Sqreen, a Node.js runtime component and web application company, respectively, found that 60% of developers lack confidence in their applications, with roughly one third confident that their code is free from vulnerabilities.

This admission come in spite of nearly three quarters of the survey respondents saying that security is an important part of their organization. The disconnect between an organization's attitude toward security and the ability to deliver on the attitude is one of the major impediments to application security and may well be counted as a root cause of a great number of vulnerabilities.

One of the reasons that developers continue to work with their low level of security confidence is that they are optimistic about their organization's chances of actually being attacked. On a scale of one to ten, with the likelihood of attack going up with the number, the average response was 3.44 for a large-scale attack in the next six months. Vulnerabilities, it seems, are not quite so scary if you don't think anyone will find and use them.

When it comes to the developers finding their own vulnerabilities, old-school tools and methods seem to rule. Asked how they make sure that their code is free from vulnerabilities, 55% say that they review their code while 46% have a colleague or colleagues work through the code. (The question allowed for more than one answer.) Just over one third use static analysis tools while less than one fifth use dynamic analysis.

Once the code is in use, the question of how it's protected from the vulnerabilities that developers worry about comes into play. Given that the population for the survey was developers, not security professionals, the answers may or may not reflect reality in the organization, but they do reflect the protections that developers assume are in place in front of their applications.

Over half of the developers (56%) say that a web application firewall is in place, while nearly that number (54%) point to DDoS-specific protection on the network. Over forty percent (43%) say that their organization makes use of one ore more security monitoring solution, while roughly one fifth are blissfully unaware of what's going on with security after the application leaves their hands.

Attacks on the enterprise are becoming more sophisticated and complex with each passing week. This survey shows that there is still significant room for improvement in the enterprise if the goal is building security into applications rather than depending solely on protection that is added during deployment.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...