Tools, skills and budgets can help developers fight rise in Web app cyber attacks

Trio of reports highlights need for more resources to secure JavaScript code across both in-house and open source codebase.

  • Friday, 20th May 2016 Posted 8 years ago in by Phil Alsop
Checkmarx says that three recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low.
As highlighted by the influential Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year.  Attacks against every business sector rose significantly with financial particularly hard hit with a 51% increase in the number of reported incidents. The report also suggests that Common Vulnerabilities and Exposures (CVE’s) are not being addressed quickly enough by developers with the top 10 vulnerabilities accounting for 85% of successful exploited traffic.
“Many of the vulnerabilities that are still regularly exploited are years old which suggests that organisations need to spend more effort actively testing existing code bases and not just assuming that it is just new applications that are at risk,”  says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx, “This goes for both your in-house developed code and for open source modules and third party apps that are incorporated into applications, often without full vulnerability scanning which creates vulnerabilities, but little accountability to a specific developer.”
With huge demand, especially for mobile web applications, many developers are gravitating to development in Java based languages and scripts. As highlighted by the annual Stack Overflow survey, confirming that 85% of developers working on full stack applications are using JavaScript with Java in the top two choices for frontend, backend and mobile applications.
However, collating data from the recent ‘SANS institute 2016 State of Application Security: Skills, Configurations and Components’ report highlights that developer awareness regarding security controls is increasing. Although, the report suggests the development community is not getting enough support with a lack of application security skills, tools and methods ranked as being in the top three challenges to implementing AppSec by 38% of respondents, followed by lack of funding or management buy-in (37%).
The SANS report also shows that security testing schedules are diverse but heading towards a more continual approach with 60% indicating that they test applications continuously, with 27% using continuous assessment in their Agile development processes. However, 53% of respondents still test applications when they are initially launched into production.
This test cycle is showing benefits. The largest group (57%) said they find one to 25 vulnerabilities per month and the survey found the largest number (24%) said that over half of critical vulnerabilities they found were related to code bugs rather than to misconfigurations.
However, the most disappointing area was in remediation where the survey found less than 30% are achieving a 75%–99% level of satisfaction with the speed it takes to repair their vulnerabilities. The speed at which patches are applied is comparable to last year’s survey, with 26% of vulnerabilities being patched within two to seven days, and another 26% within eight to 30 days.
The reasons are varied but lack of funding or management buy-in is a major issue with nearly a third (29%) of developers saying that saying that their organisations spend 1% or less of IT budgets on information security.
Looking across all three reports shows an emerging pattern. “Developers are gravitating towards JavaScript, being asked to create more applications by using faster development cycles. Meanwhile, the number of attacks against them grows and information security budgets have remained largely static,” says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx, “This is an unenviable position for developers and a situation that needs to be looked at more carefully by budget holders if they want to stop the problem from getting worse.”
In Ashbel’s view, even with slim budgets organisations need to think about the long term value of early detection of vulnerabilities. “Investing in developer AppSec education programs and white box testing tools can have a massive return on investment compared to the cost of breaches and urgent remediation work after an app has gone live.”
Ashbel suggests three areas where organisations can help counter this issue.
1.       Education is key and has a long term rolling positive effect. Once you have been able to build a small team of developers who know Application Security and can practice secure coding best practices, you have created a healthy basis which can easily be positioned as a position for others to strive for. Give eager and motivated developers a chance to grow within the company and take leadership of Application Security concerns within development. At the end of the day, all deliveries start from the developer and security should be no different. Education and knowledge also helps bridging the gap between the Dev teams and the Security teams. Cooperation between these teams is key for AppSec success.
 
2.       Make Application Security a top priority and build the correct processes to help developers make secure coding practices part of their daily routine. Integrate Static Application Security Testing solutions within the SDLC and make sure developer work flow is not negatively impacted. Of course, when looking for the right solution, make sure your developers are part of the evaluation process. Otherwise you might end up with very expensive shelfware.
Do NOT wait for the Application release date to start vulnerabilities assessment.
 
3.       Developers love Open-Source and rightfully so. No reason to waste time on solving problems that were already solved by someone else. That said, open-source projects are subject to the same security risks and vulnerabilities.  Make sure you always have an updated list of the open-source module inventory and ensure they don’t expose your applications to any security risks or legal concerns.