Considering how widely used and critical applications have become for businesses in virtually every industry, it is in some ways surprising that application development security remains undervalued by many organizations and professionals. Applications frequently store, leverage or access incredibly sensitive client and company information, and yet many firms continue to be plagued by code vulnerabilities and other flaws.
Two recent reports highlighted the extent of these issues, and added credence to the notion that organizations need to embrace new tools and strategies if they want to ensure that their application development efforts remain secure.
While application development in general is growing in significance, perhaps no area has seen as much growth as the mobile application field. Mobile apps, both internal and external, are now basic business assets for countless firms.
Yet these programs are extremely vulnerable, as Gartner recently reported. The research firm estimated that by the end of next year, three-fourths of all mobile apps will fail the most basic of application security tests, ZDNet reported. This poses a serious threat to organizations.
“Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” explained Dionisio Zumerle, principal research analyst at Gartner, the source reported.
Zumerle went on to explain that the majority of companies lack experience in the field of mobile application security. Making matters worse, when developers do engage in security testing, they are frequently more focused on ensuring that the applications function properly. Security is only a secondary concern. Furthermore, according to Zumerle, most existing static application security testing options are not sufficient to ensure that a company’s code is truly protected.
This suggests that companies interested in mobile app development need to look for better static code analysis solutions and make sure that developers actually utilize these resources. Specifically, business leaders should look for advanced, customizable static analysis tools that can identify defects early in the application lifecycle, before potential vulnerabilities evolve into serious security problems.
With these tools in place, developers worried about app security can focus on features, rather than searching for potential flaws, and still ensure that the code remains safe and reliable. This improves productivity without sacrificing security.
However, simply deploying these tools is not sufficient, in and of itself. Businesses also must make sure that their developers have the knowledge and willingness to actually utilize them.
Unfortunately, as a recent report from Aspect Security revealed, many developers’ knowledge of application security issues is significantly lacking. The study, which included insight from more than 1,400 developers from nearly 700 organizations, asked participants to answer a variety of app security-related questions.
According to the study, 80 percent of respondents incorrectly answered key questions surrounding the protection of sensitive data. Nearly two-thirds of the developers could not accurately answer questions involving Web services security. Lastly, just shy of three-fourths of the participants failed to correctly answer threat modeling and security architecture questions.
These numbers should be alarming for many enterprises. If application developers are not fully aware of the dangers that their companies face, they cannot effectively protect their code from the threats posed by hackers and other opportunistic cybercriminals.
This means that in addition to deploying new, better application security tools, companies should also consider investing in security training for their developers. Such educational efforts can ensure that IT staff are able and willing to take full advantage of the static code analysis and other security tools that are at their disposal.