Gap in App Security Remains

Wednesday, August 26, 2015 @ 03:08 PM gHale

There is a gap between developers and protectors of applications, but it starting to close a little, a new survey said.

Because the industry is experiencing so many high-profile application security breaches that result in the compromise of personally identifiable information (PII), builders and their managers are becoming more aware of how important — and how hard — it is to write secure software.

Manufacturing a Top Tor Target
Looking to Fill Tor Network Holes
Security Alarms Sounding with Smartwatches
Average DDoS Attack Size on Rise

Closing the gap is the topic of the SANS 2015 State of Application Security Survey. In this year’s survey, 435 respondents answered application security questions from two different perspectives: Builders, the developers and development organizations, who represent 35 percent of the respondents and the defenders, the security and operations teams responsible for securing applications and running secure systems, who account for 65 percent of qualified respondents. These two groups need to climb out of their silos and work more closely together if there are going to be more reliable and more secure systems.

Application security experts are starting to reach out to builders and as a result, builders are more aware of risks inherent in the same applications that defenders have concerns with. The most popular application development languages (including Java and .NET) are also the highest sources of security risk among both groups.

While a closer alignment bodes well for the future of applications, results also show continued gaps between the groups, such as builders putting security off on “someone else” and defenders trying to force security through compliance reviews and penetration testing rather than working with builders to design and build in security from the start.

The top three challenges for defenders directly reflect problems security professionals have in engaging with builders:
• Identifying all of the applications in the application portfolio, which is information that builders could easily provide
• Fear of modifying production code and potentially breaking an app
• Organizational and communications silos between security, application development and the rest of the organization

The top challenges for builders are completely different, and so are their priorities:
• Need to focus on delivering features and on time to market
• Lack of skills or knowledge to build secure software
• Lack of management buy-in or funding

This survey looked at the challenges and how they end up more complicated by the rapidly accelerating pace of development and lack of control over applications hosted in the cloud.

Although results indicate defenders and builders of applications are moving closer, it remains clear the two areas aren’t always on the same page.

Many information security engineers don’t understand software development and most software developers don’t understand security.

Builders and defenders have fundamentally different drivers. Builders and their managers focus on delivering features and meeting time-to-market expectations, rather than on making sure software is secure. So to them, security is “someone else’s job.”

Only a small amount of security testing ends up conducted by developers or quality assurance personnel (builders), the survey said.

On the other hand, fear of breaking the app and making it unavailable for business use are the top challenges for defenders.

These divergent challenges reveal the training gap on the builders’ side, while defenders remain challenged with just knowing what apps they have in production. Because defenders are also doing most of the training and evangelizing, it follows that silos would be a concern for them rather than for builders, who still think of security as someone else’s job, the survey said.

The top challenges highlight the problems that builders and defenders have in working together effectively:
• The groups have different priorities.
• Understanding what applications end up used and what the risk profiles are is a critical first step in securing any system.
• Defenders and builders, together, don’t have confidence in their ability to patch vulnerabilities correctly, test and re-deploy the system without making mistakes. Because builders don’t understand security and defenders don’t understand software, neither group is able to make fixes correctly.
• Organizational and communications silos between security, development and the rest of the organization make communication of risks and threats, training and secure application development more difficult to achieve.

Click here for the entire report.