A new research study into web application security has found serious security concerns with the applications produced by web developers, including multimillion-pound security breaches and a complete lack of security in the underlying code.
The survey of 240 North American and European software development influencers from companies that develop web applications, sponsored by development testing business Coverity and conducted by analysts Forrester, found that over half (51%) of all developers had at least one web application security incident in the last 18 months, resulting in losses in the millions, with two businesses admitting to losses of over £6 million.
Among those reporting incidents, 18 per cent put their losses at more than £308,000, while another eight per cent saw losses in excess of £0.6 million.
Nearly three-quarters (71%) of those who experienced a breach said they lack the right security technologies suitable for development, that their security can't keep up with the volume of code they produce (79%), and that they lack the funding to invest in security (71%).
Fewer than half (42%) of respondents said they follow secure coding guidelines, only 28 per cent use a library of approved or banned functions, barely a quarter utilise threat modelling and, most surprisingly, only 17 per cent said they test code during the development cycle.
The bad news for businesses is that those involved with security and the developers can't agree on who is to blame for this situation. According to the developers surveyed, the top three challenges to working with current web application security tools are: the lack of integration with their current development environment, the need for too much security expertise, and a high rate of false positives. By comparison, some security practitioners agreed that integration was a primary challenge, but none believed security tools were complex or required too much expertise to use.
"It's clear that security practitioners and developers aren't speaking the same language when it comes to application security, and this is leading to very costly consequences for companies," said Jennifer Johnson, VP of Marketing at Coverity. "Application security begins and ends with development. Developers need to be part of the solution but the industry won't solve the problem until security is incorporated into the development process with technologies and processes that developers can understand and adopt. Force-feeding development with legacy tools built for security teams just isn't working."