The Current State of Application Security
Despite applications being one of the most common attack vectors for hackers, a recent report has revealed that only a small percentage of security managers actually trust the safety of their company’s own applications.
It is estimated that the application layer is responsible for 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer. Likewise, while the majority of company executives are expressing confidence in their organisation’s security procedures, the technicians themselves are far more skeptical.
The main concern leans towards the current lack of root cause analysis that should follow vulnerability testing. Critics note that time, money and resources are being used on treating symptoms rather than addressing underlying causes, thus keeping application security stuck in a rut rather than progressing forwards.
Whilst it is considered that vulnerabilities are an inevitable part of the development process, research is showing that many businesses are failing to reinvest the information acquired through rigorous security testing, back into the earliest stages of software development.
Another problem voiced by professionals is the level of standards and education of technicians and developers employed by many companies. Automated scanners make identifying a potential problem far easier, yet fixing it requires and understanding of how the system functions and access to the source code.
Meanwhile, the programmers who write the codes are working in a separate field to the penetration testing experts, with the two rarely cross training due to such high study demands. The result is similar to the lack of root cause analysis, with problems often being glossed over rather than prevented in the beginning. The solution would be to encourage the two professions to join forces so as to really push things in the right direction.
The same can be said for the executives who hold such differing opinions on their companies’ application security, than the technicians who work at ground level and witness the truth in its raw state.
This is not to say that the system is doomed however. All it may take is open channels of communication and a simple admittance to the problems at hand, by all parties, from the bottom to the top. IT security is a perpetually changing sphere that will continually throw up new challenges. It is therefore important for action to be taken sooner rather than later, investing in working on prevention, not cure, in order to really take application development to the next level.