Despite a steady drumbeat from experts who put the responsibility for securing applications on developers, two recent surveys showed that developers still are not doing enough in this regard.

Veracode, a cloud-based application security testing company, used its database of applications collected over the past 18 months to determine what developers are doing in the area of software security. Sam King, vice president of product marketing at Veracode, said that some of the findings came out of the fact that the company raised the level of requirements for software programs to pass the security tests.

CAST, a software analysis and measurement firm, found that there is over US$3.6 million of technical debt (the amount of money it costs a software company to correct high-risk issues that appear in a line of code) across all applications with 1 million lines of code, according to its CAST Report on Application Software Health survey.

Bill Curtis, CAST’s chief scientist, said the survey found that these security vulnerabilities are not limited to one specific type of programming language, although he noted that COBOL-based financial applications did fare better.

Performance in the security tests, he said, was lower in Java applications, which is what King found for mobile applications as well, as many are written in Java. Veracode tested Android and iOS mobile applications, but only released findings for Android applications because it has supported testing them longer.

“We are trying to figure out what the lower performance issues in Java mean,” said Curtis. “It might mean developers are younger and don’t have as much experience dealing with security issues.” Curtis believes that Java developers are younger because it is a newer and more popular language, in his experience.

Neil MacDonald, vice president and distinguished analyst at Gartner, said that because security is not a part of most college curricula, companies should take the time to invest in training their developers.

“The single most important thing a developer can do is filter and whitelist input,” he said. “This doesn’t require an understanding of security vulnerabilities.” He added that it does help defend against cross-site scripting and SQL injection attacks. In order to filter and whitelist input, he said developers should simply require that a particular field gets either numbers, characters or a combination of both, blocking whatever shouldn’t be included in that particular data field.
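The per-field whitelisting MacDonald describes, as an added example that is not from the article or from any of the companies quoted. The field names, length limits and sample submissions are assumptions constructed for illustration.

```python
import re

# Hypothetical form schema: field name -> (allowlist pattern, max length).
SCHEMA = {
    "account_id": (re.compile(r"[0-9]+"), 12),        # numbers only
    "first_name": (re.compile(r"[A-Za-z]+"), 40),     # letters only
    "order_ref": (re.compile(r"[A-Za-z0-9]+"), 16),   # combination of both
}


def validate(form):
    """Return (clean, errors). A value is accepted only if the whole string
    matches its field's allowlist; nothing is stripped or repaired."""
    clean, errors = {}, {}
    for name, value in form.items():
        rule = SCHEMA.get(name)
        if rule is None:
            # Fields the application never defined are rejected, not ignored.
            errors[name] = "unexpected field"
            continue
        pattern, max_len = rule
        if not isinstance(value, str) or not 0 < len(value) <= max_len:
            errors[name] = "bad length or type"
        # fullmatch(), not match(): "^[0-9]+$" with match() accepts "42\n".
        elif pattern.fullmatch(value) is None:
            errors[name] = "characters outside allowlist"
        else:
            clean[name] = value
    for name in SCHEMA.keys() - form.keys():
        errors[name] = "missing field"
    return clean, errors


# Constructed sample submissions.
GOOD = {"account_id": "004217", "first_name": "Ada", "order_ref": "A19Z"}
BAD = {
    "account_id": "1 OR 1=1",                     # SQL-style input
    "first_name": "<script>alert(1)</script>",    # markup input
    "order_ref": "A19Z\n",                        # trailing newline
    "is_admin": "true",                           # field not in the schema
}

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(BAD))
```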