The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software. That's a big statement - and it implies that poor software development may be the biggest cyber threat of all.
You have to wonder whether that's an isolated finding reflecting DHS's own experience, or whether CISOs, IT security professionals, researchers and analysts, software developers, and application vendors agree.
The "Forrester Wave: Application Security Report", which evaluates vendors for security and risk professionals, says many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.
Is the cyber industry over-focused on network security, while applications are the real weak spot?
"Many organizations have significant network security in place, but it's not enough, as 84 percent of all cyber-attacks are happening on the application layer," said Tim Clark, Head of Brand Journalism at SAP, in a recent Forbes blog. SAP, headquartered in Walldorf, Germany, with U.S. operations in Newtown Square, Pa., is one of the world's largest enterprise application vendors.
Intruders are increasingly targeting the application stack for exploitation, according to the "Cisco 2015 Annual Security Report". Cisco says the rise of cloud apps and the ubiquity of do-it-yourself (DIY) open-source content management systems (CMS) have created a landscape of vulnerable websites and SaaS offerings. The underlying systems and networking layers managed by IT operations may withstand malicious attacks, but the application-level components built by developers are often riddled with vulnerabilities.
What's the disconnect between software development and security?
"The SANS Institute 2015 State of Application Security Report" states that many information security engineers don't understand software development, and most software developers don't understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations rather than on making sure that software is secure. SANS indicates that only a small share of security testing is done by the development team (21.6 percent) or quality assurance personnel (22 percent), while the internal security team accounts for most of it (83.2 percent); the figures add up to more than 100 percent because respondents could name more than one group.
Exactly what type of poor software development practices are going on? CNET recently reported that programmers are copying security flaws into your software. Programmers don't write all of their code. They routinely borrow code from others, and they're not checking the borrowed code for security flaws. Because the same flawed component ends up in many products, this widespread practice opens the door for hackers to have broad impact with just a few exploits.
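One concrete form of the check the article says is missing, as an added example that is not part of the original piece and is not code from CNET, SANS or any vendor named here: a Python script that parses a dependency manifest (pip requirements.txt syntax) and flags borrowed components whose pinned version falls inside a known-affected range. Every package name, version and advisory ID below is constructed for illustration and describes no real project or real vulnerability; in practice the advisory table would come from a real feed such as OSV or the NVD.

```python
"""Check borrowed third-party components against an advisory list.

Added example, not from the article or any vendor cited in it. The package
names, versions and advisory IDs below are constructed for illustration and
do not refer to real projects or real vulnerabilities.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest in pip requirements.txt syntax.
REQUIREMENTS = """\
# constructed sample requirements file
libfoo==1.2.0
libbar==3.0.1
libbaz==2.4
libqux>=1.0        # not pinned: cannot be matched to an advisory
"""

# Constructed advisory table: (package, first affected, first fixed, id).
# The affected range is [first_affected, first_fixed).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("libfoo", "1.0.0", "1.2.3", "ADV-0001 (hypothetical)"),
    ("libbar", "2.0.0", "3.0.0", "ADV-0002 (hypothetical)"),
    ("libbaz", "2.0", "2.10", "ADV-0003 (hypothetical)"),
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.10' into (2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split(".") if part)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned_version}, [names that are not exactly pinned])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            # Ranges such as '>=1.0' resolve to whatever is installed later,
            # so the manifest alone cannot say whether the code is affected.
            name = NAME_RE.match(line)
            if name:
                unpinned.append(name.group(1).lower())
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str],
                    advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory_id) for every pin inside an affected range."""
    hits: List[Tuple[str, str, str]] = []
    for name, first_affected, first_fixed, adv_id in advisories:
        version = pinned.get(name.lower())
        if version is None:
            continue
        v = version_key(version)
        if version_key(first_affected) <= v < version_key(first_fixed):
            hits.append((name, version, adv_id))
    return hits


def audit(text: str = REQUIREMENTS) -> Dict[str, list]:
    """Run the whole check over one manifest and return both findings."""
    pinned, unpinned = parse_requirements(text)
    return {"vulnerable": find_vulnerable(pinned), "unpinned": unpinned}


if __name__ == "__main__":
    report = audit()
    for name, version, adv in report["vulnerable"]:
        print(f"VULNERABLE {name}=={version}: {adv}")
    for name in report["unpinned"]:
        print(f"UNPINNED   {name}: pin it before it can be checked")
```

Two details matter for a check like this. Versions must be compared numerically: "2.4" sorts after "2.10" as a string, which would silently clear the libbaz pin that the advisory covers. And an unpinned requirement cannot be judged from the manifest at all, so the script reports it separately instead of treating it as clean.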