Tools, skills and budgets can help developers fight rise in Web app cyber attacks
Tel Aviv, Israel – May 18th 2016 – Checkmarx, a global leader in application security today announced that three recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low.
As highlighted by the influential Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year. Attacks against every business sector rose significantly with financial particularly hard hit with a 51% increase in the number of reported incidents. The report also suggests that Common Vulnerabilities and Exposures (CVE’s) are not being addressed quickly enough by developers with the top 10 vulnerabilities accounting for 85% of successful exploited traffic.
“Many of the vulnerabilities that are still regularly exploited are years old which suggests that organisations need to spend more effort actively testing existing code bases and not just assuming that it is just new applications that are at risk,” says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx, “This goes for both your in-house developed code and for open source modules and third party apps that are incorporated into applications, often without full vulnerability scanning which creates vulnerabilities, but little accountability to a specific developer.”
However, collating data from the recent ‘SANS institute 2016 State of Application Security: Skills, Configurations and Components’ report highlights that developer awareness regarding security controls is increasing. Although, the report suggests the development community is not getting enough support with a lack of application security skills, tools and methods ranked as being in the top three challenges to implementing AppSec by 38% of respondents, followed by lack of funding or management buy-in (37%).
The SANS report also shows that security testing schedules are diverse but heading towards a more continual approach with 60% indicating that they test applications continuously, with 27% using continuous assessment in their Agile development processes. However, 53% of respondents still test applications when they are initially launched into production.
This test cycle is showing benefits. The largest group (57%) said they find one to 25 vulnerabilities per month and the survey found the largest number (24%) said that over half of critical vulnerabilities they found were related to code bugs rather than to misconfigurations.
However, the most disappointing area was in remediation where the survey found less than 30% are achieving a 75%–99% level of satisfaction with the speed it takes to repair their vulnerabilities. The speed at which patches are applied is comparable to last year’s survey, with 26% of vulnerabilities being patched within two to seven days, and another 26% within eight to 30 days.
The reasons are varied but lack of funding or management buy-in is a major issue with nearly a third (29%) of developers saying that saying that their organisations spend 1% or less of IT budgets on information security.
In Ashbel’s view, even with slim budgets organisations need to think about the long term value of early detection of vulnerabilities. “Investing in developer AppSec education programs and white box testing tools can have a massive return on investment compared to the cost of breaches and urgent remediation work after an app has gone live.”
Ashbel suggests three areas where organisations can help counter this issue.
- Education is key and has a long term rolling positive effect. Once you have been able to build a small team of developers who know Application Security and can practice secure coding best practices, you have created a healthy basis which can easily be positioned as a position for others to strive for. Give eager and motivated developers a chance to grow within the company and take leadership of Application Security concerns within development. At the end of the day, all deliveries start from the developer and security should be no different. Education and knowledge also helps bridging the gap between the Dev teams and the Security teams. Cooperation between these teams is key for AppSec success.
- Make Application Security a top priority and build the correct processes to help developers make secure coding practices part of their daily routine. Integrate Static Application Security Testing solutions within the SDLC and make sure developer work flow is not negatively impacted. Of course, when looking for the right solution, make sure your developers are part of the evaluation process. Otherwise you might end up with very expensive shelfware.
Do NOT wait for the Application release date to start vulnerabilities assessment.
- Developers love Open-Source and rightfully so. No reason to waste time on solving problems that were already solved by someone else. That said, open-source projects are subject to the same security risks and vulnerabilities. Make sure you always have an updated list of the open-source module inventory and ensure they don’t expose your applications to any security risks or legal concerns.
Checkmarx develops solutions used by developers and security professionals to identify and fix vulnerabilities in web and mobile applications early in the development lifecycle. It provides an easy and effective way for organizations to automate security testing within their Software Development Lifecycle (SDLC) which systematically eliminates software risk before applications are released. Amongst the company’s 1,000 customers are 5 of the world’s top 10 software vendors and many Fortune 500 and government organizations, including SAP, Samsung and Salesforce.com. For more information about Checkmarx, visit http://www.checkmarx.com or follow us on twitter: @checkmarx
Media Contacts: Anne Harding The Message Machine (PR for Checkmarx in the UK) firstname.lastname@example.org +44 (0)7887 682943 email@example.com