Criminals increasingly breached enterprise networks through mobile, Web and third-party apps last year. The cloud and its inherent multiple environments often left backdoors unintentionally open, which made them even more enticing to criminals.
Because of this, software development managers had to begin testing their apps as thoroughly as IT tests its security infrastructure. Those changes affected the role developers were expected to play in app testing, but their efforts in this area were often deemed lacking.
The year began and ended on roughly the same note: developers were still seen as not doing enough to secure their programs. Two surveys published as the year opened, by Veracode and CAST, reached that conclusion. Veracode, a cloud-based app security company, tested 9,910 apps and found that eight in 10 didn’t pass its security standards (which include a zero-tolerance policy for cross-site scripting and SQL injection). Veracode’s survey found SQL injection flaws in 32% of all Web apps tested, and cross-site scripting vulnerabilities in 68% of apps. CAST, a software analysis and measurement firm, found that security vulnerabilities are not confined to any particular programming language.
If you were a developer who would have loved to better incorporate security into your app but felt as though you just weren’t equipped to do so, you weren’t alone. In September, the lack of security tools suitable for developers was cited by Forrester as among the reasons why developers were still not using secure software development practices. Also, developers still needed to better integrate security into their development practices from the earliest stages, according to development testing tool provider Coverity.
To help developers find and fix code defects during development, some vendors released new tools. In October, Coverity released a testing tool aimed at software security issues: Coverity Test Advisor, a change-impact analysis tool within its newly expanded Coverity Development Testing Platform. Test Advisor alerts developers to high-risk code changes as they are made, and can identify what the company calls traditionally untestable issues, meaning anything that can’t be found through functional or performance testing in QA.
The Bring Your Own Device trend kept growing last year, and brought with it more security concerns for companies. In late February, the RSA Conference, which annually covers IT security issues, had everyone talking about the BYOD trend and externally controlled devices accessing internal networks. The security conference also focused on how companies can protect their networks from the threat of activist reprisals from the Internet hive mind known as “Anonymous,” which tries to take advantage of application vulnerabilities such as SQL injections.
The RSA Conference also covered security appliances and cloud-based security solutions, with software-quality validation vendor Veracode discussing how some companies are using its service to validate third-party applications that their employees run on mobile devices. Veracode also discussed how some companies are validating externally created apps that use its secure APIs to ensure security compliance.
In August, Information Security Forum vice president Steve Durbin shared how organizations can protect themselves from cybercrime, and how software development managers can handle security issues. From a software development standpoint, he said managers have to look at whether they’re outsourcing some of their development or whether they’re doing it all in-house. Outsourcing software development demands that they set in place certain checks to make sure that the code that is coming back has been thoroughly tested to their satisfaction.
As a software organization builds its apps, it creates intellectual property (IP). Depending on the company, IP can be items that provide a competitive advantage such as proprietary trade secrets, algorithms in source code, or any unique characteristics of a product. Protecting that IP within the enterprise (as well as in distribution) from being stolen was a growing security-related issue that came into public scrutiny during Microsoft’s IP tussle over Android. Microsoft had given Android device manufacturers two choices: Sign Microsoft licensing agreements or risk being sued for patent infringement. Where some saw Microsoft’s policy as an anti-competitive play against Android, Microsoft’s position was that it was simply protecting its intellectual property.
And finally, in September, software development managers were given advice from a variety of experts on what they could do to keep intruders out of their own company’s code and licenses, which is knowledge that they can take with them well into the new year.