News

Security Study: Developer 'Rush To Release' Increases App Risk

• By David Ramel
• August 23, 2016

The explosive growth of mobile apps and the shift to cloud computing are increasing security risks at the application level, a problem that organizations can overcome by hiring skilled developers and lessening the "rush to release," according to a new report.

That report -- Application Security in the Changing Risk Landscape -- was released yesterday by the Ponemon Institute and F5 Networks Inc., which provides application-level security products and services. It polled 605 IT and IT security pros to glean insights about their approach to protecting mission-critical applications.

"One of the key takeaways of the report is that lack of visibility into the application layer is now the main barrier to achieving a strong application security posture," said F5 exec Mike Convertino in a blog post yesterday.

Compounding that problem is the aforementioned growth in mobile and cloud computing. The survey indicated that about 31 percent of business apps are mobile now, and in the next year that will increase to 38 percent. Meanwhile, 37 percent of such apps are cloud-based, with that percentage expected to grow to 46 percent. And with that increased growth comes increased risk, the report said.

"The growth in mobile and cloud-based applications is seen as significantly affecting application security risk," the report states. "Sixty percent of respondents say mobile apps increase risk (25 percent) or increase risk significantly (35 percent). Fifty-one percent of respondents say cloud-based applications increase risk (25 percent) or increase risk significantly (26 percent)."

The new research augments another earlier Ponemon Institute security study -- this one conducted with IBM -- that focused on mobile exclusively and revealed:

• Large companies spend about $34 million each year to build mobile apps, but only 5.5 percent of that budget is spent on app security.
• 50 percent of companies have zero budget for security apps.
• 40 percent of companies don't scan mobile app code for vulnerabilities.
• The average company security tests less than half of the apps it builds.
• 33 percent of companies never test apps for security.

And that study itself followed on the heels of a threat report from McAfee Labs that blasted mobile developers for ignoring known security flaws.

Indeed, according to the new F5-backed report, app developers are the key to fixing the sorry state of application-level security. The study detailed several findings that highlight the importance of skilled developers, testers and development methodology:

• Hiring and retaining skilled and qualified application developers will improve an organization's security posture. Sixty-nine percent of respondents believe the shortage of skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the "rush to release" causes application developers in their organization to neglect secure coding procedures and processes.
• Ensuring developers understand secure coding practices can reduce application security risk. The two main reasons why applications contain vulnerable code are developers not understanding secure coding practices or their poor coding.
• More testing of applications is needed. Almost half of respondents say their organization does not test applications for threats and vulnerabilities (25 percent) or testing is not pre-scheduled (23 percent). Only 14 percent of respondents say applications are tested every time the code changes.
• Currently, respondents have little confidence that application developers in their organization practice secure design, development and testing of applications. Seventy-four percent of respondents say in application development they are only somewhat confident (27 percent) or have no confidence (47 percent) that such practices as input/output validation, defensive programming and appropriate compiler/linker security options are conducted.
• DevOps or continuous integration is believed to improve application security. Thirty-five percent of respondents say their organizations have adopted DevOps or continuous integration practices into the application development lifecycle. Of these respondents, 71 percent say it improves application security and enables them to respond quickly to security issues and vulnerabilities (56 percent of respondents).

Apparently, more companies are recognizing the importance of baking in app security at the initial coding level, as the F5 study said the responsibility for securing applications will shift more toward developers.

"Sixty percent of respondents anticipate the applications developer will assume more responsibility for the security of applications," the study said. "Testing for vulnerabilities should take place in the design and development phase of the system development life cycle (SDLC). Today, most applications are tested in the launch or post-launch phase (61 percent). In the future, the goal is to perform more testing in the design and development phase (63 percent)."

Survey respondents said they would increase secure coding practices over the next two years along the following lines:

• Run applications in a safe environment.
• Use automated scanning tools to test applications for vulnerabilities.
• Perform penetration testing procedures.
• Monitor the runtime behavior of applications to determine if tampering has occurred.
• Conduct tests of open source merged with proprietary applications.
• Conduct security acceptance requirements for outsourced applications
• Use audit/assessment results to improve coding standards.
• Encrypt sensitive data used in the application development and testing process.

F5's Convertino focused on DevOps in his blog post, noting that 71 percent of respondents who have taken up the practice say it has improved security and helped them quickly respond to vulnerabilities. " I believe that DevOps practices can be highly beneficial to application security as long as security testing is embedded into the automated testing we already do in DevOps alongside all the functional tests to ensure that the apps we develop are both functionally robust and secure from the ground up," he said.