Most Developers Do Not Understand Basic Application Security

A new report from security research firm Aspect Security confirms what we have been saying for years: developers simply do not know how to secure their applications. In a recent study in which a group of developers were asked questions on security, Aspect found that about 80% of them did not know how to protect sensitive data. This is something we have found in our own experience dealing with vendors and other application developers.

Now, the question is: why aren’t developers learning, or being taught, how to secure their apps? One reason is that only basic back-end security is really taught these days. That gives you some protection from SQL injection, clickjacking and a few other attacks on the application’s data sources. Items like session IDs, credential hashes, etc. are typically ignored when the security of an application is planned. The same is true of web services: the front end is often left wide open, while the connections back into the database might be a little more secure (although not much). To give you a frightening example, back in Windows 98 an attacker could capture your credential hash and replay it to a system in order to authenticate as you. They can still do that in Windows 8.1.
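The replay problem above comes down to one design decision: if the server accepts the same credential value on every login, then whoever captures that value once holds something as good as the password. The following is an added example, not code from the article or from Aspect Security; the user store, password, salt and the two toy login schemes are all constructed for illustration. It contrasts a naive "send the hash" login, where a captured credential works forever, with a nonce-based challenge-response, where a captured response is bound to one login and fails when replayed.

```python
# Added example (not from the article): a captured credential hash is
# password-equivalent when the server accepts it directly; a one-time nonce
# challenge stops straight replay of anything seen on the wire.
# The user store, salt, password and scheme below are constructed.
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"
# Constructed user store: the server keeps a salted hash of each password.
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}


def client_credential(password: str) -> str:
    """Naive scheme: the client sends H(salt || password) as its credential."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def naive_login(user: str, credential: str) -> bool:
    """Naive server: compares the stored hash with what the client sent.
    Anyone who captured `credential` once can send it again indefinitely."""
    return user in USERS and hmac.compare_digest(USERS[user], credential)


class ChallengeServer:
    """Challenge-response: each login gets a fresh nonce, and the client
    proves knowledge of the secret by keying an HMAC over that nonce."""

    def __init__(self) -> None:
        self.pending: dict[str, bytes] = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)  # one-time: consumed on use
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user].encode(), nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def challenge_response(password: str, nonce: bytes) -> str:
    """Client side: derive the same secret and answer the server's nonce."""
    secret = client_credential(password).encode()
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def replay_against_naive() -> tuple[bool, bool]:
    """A credential captured once is accepted on every later login."""
    captured = client_credential("correct horse")
    return naive_login("alice", captured), naive_login("alice", captured)


def replay_against_challenge() -> tuple[bool, bool]:
    """A captured response works once, then fails against a fresh nonce."""
    srv = ChallengeServer()
    captured = challenge_response("correct horse", srv.challenge("alice"))
    first = srv.verify("alice", captured)
    srv.challenge("alice")  # new login attempt, fresh nonce
    second = srv.verify("alice", captured)
    return first, second


if __name__ == "__main__":
    print("naive scheme, replay accepted:", replay_against_naive())
    print("challenge scheme, replay rejected:", replay_against_challenge())
```

The nonce only defeats replay of what crosses the wire. Note that in the challenge scheme the stored hash is itself the HMAC key, so a copy of the server's user store still lets someone answer any challenge; that is why the stored secret needs the same protection as a password, which is the point the article makes about credential hashes being left out of security planning.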

However, developers not being taught to properly build a secure application is only part of the problem. As we have mentioned before, deadlines and the push to re-use code that has existing flaws account for more than a few loopholes that are missed. Just about every application hits the street with bugs and flaws in it. Many of these already have patches and service packs under development when you first install them. These are not rolled into the shipping product because someone decided they would rather have a flawed product on the market than not have one there at all.

The third part of this is that many developers feel it is the networking guy’s responsibility to secure the app. After all, that is what firewalls, IPS, IDS, web filters, web application firewalls, etc. are for, right? I cannot count the number of times I have found vulnerable areas in a vendor’s product only to be told that I would need to secure that somehow. There is no pressure on many vendors because there is no real alternative to them. It is also insanely complicated (and expensive) to ditch one vendor and move to another because of security or performance issues. This is why we have said (repeatedly) that vendors, and not real security concerns, are driving security policies.

Think about the fact that application developers have very little understanding of security the next time you sign up for that cloud-based application, or download that app that is able to sift through your data. In all likelihood it is very open to compromise, and to letting someone steal information from you, because it was designed to be flashy, not secure. We have said this before and we will say it again: until there is a fundamental shift in the way everyone involved thinks about security, there will never be an even remotely safe or secure network or application.
