We like to say that security begins in the application development process, but a recent survey shows that most developers are less than confident in the security of the code they're turning out.
The survey, jointly conducted by NodeSource and Sqreen, a Node.js runtime component and web application company, respectively, found that 60% of developers lack confidence in their applications, with roughly one third confident that their code is free from vulnerabilities.
This admission come in spite of nearly three quarters of the survey respondents saying that security is an important part of their organization. The disconnect between an organization's attitude toward security and the ability to deliver on the attitude is one of the major impediments to application security and may well be counted as a root cause of a great number of vulnerabilities.
One of the reasons that developers continue to work with their low level of security confidence is that they are optimistic about their organization's chances of actually being attacked. On a scale of one to ten, with the likelihood of attack going up with the number, the average response was 3.44 for a large-scale attack in the next six months. Vulnerabilities, it seems, are not quite so scary if you don't think anyone will find and use them.
When it comes to the developers finding their own vulnerabilities, old-school tools and methods seem to rule. Asked how they make sure that their code is free from vulnerabilities, 55% say that they review their code while 46% have a colleague or colleagues work through the code. (The question allowed for more than one answer.) Just over one third use static analysis tools while less than one fifth use dynamic analysis.
Once the code is in use, the question of how it's protected from the vulnerabilities that developers worry about comes into play. Given that the population for the survey was developers, not security professionals, the answers may or may not reflect reality in the organization, but they do reflect the protections that developers assume are in place in front of their applications.
Over half of the developers (56%) say that a web application firewall is in place, while nearly that number (54%) point to DDoS-specific protection on the network. Over forty percent (43%) say that their organization makes use of one ore more security monitoring solution, while roughly one fifth are blissfully unaware of what's going on with security after the application leaves their hands.
Attacks on the enterprise are becoming more sophisticated and complex with each passing week. This survey shows that there is still significant room for improvement in the enterprise if the goal is building security into applications rather than depending solely on protection that is added during deployment.
— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.