The majority of application developers lack software security knowledge, but they can improve their skills through even brief training processes, according to a recent study presented at AppSec USA 2013. By exposing developers to software security practices early in the development process and using tools such as static analysis software to reinforce lessons on an ongoing basis, companies can ensure software security needs are being met.
Professional services firm Denim Group conducted the study by testing 600 application developers – mostly ones with limited security training – on their familiarity with secure coding practices. On the 15-question quiz, just 27 percent scored above 70 percent, while the average score was 59 percent. The results were the same among developers with more than seven years of experience and those with fewer than three years of experience.
“Most of them understood high-level concepts, such as how to recognize a cross-site scripting vulnerability, but when we asked them how to remediate it, most of them couldn’t answer correctly,” Denim Group CEO John Dickson said in a presentation of the results, according to Dark Reading.
After a secure application development course, the respondents performed much better: the average score rose to 74 percent and two-thirds of respondents scored above 70 percent. Additionally, students reported a 70 percent decrease in application vulnerabilities.
Building in secure development training
The study also found that quality assurance teams tended to score lower than application development teams, even though developers rely on QA to catch their errors. Additionally, respondents who worked on in-house development at large companies tended to score the lowest. Several experts commented to Dark Reading that the same application vulnerabilities continue to be a problem year after year, suggesting that a push toward more education could help.
“Security is still not built into the preproduction process,” Bala Venkat, chief marketing officer at application security firm Cenzic, told Dark Reading. “It’s not built into the application development process; it’s not part of the education process at most universities. Until security training becomes a requirement, we will continue to have problems.”
One way companies can educate their developers better is to keep testing and reinforcing software security ideas and to apply them in the field rather than only in a classroom, one development expert told Dark Reading. Companies can easily build this type of education into their development process by using tools such as static analysis software. By running static analysis, developers see their errors and can address them immediately. When testing is instead relegated solely to QA teams, which may never reach back to tell developers they are making the same mistakes over and over, that feedback loop is lost; confronting developers with their own errors ensures they actually learn from them. Static analysis also simply helps catch errors, which makes the combination of static analysis and security education an effective one-two punch, Jacob West, CTO of Fortify Products, told IT Business Edge Network in a discussion of security practices.
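The two points above, that developers could recognize a cross-site scripting flaw but not say how to remediate it, and that a static check run during development gives them that feedback immediately, can be illustrated in a few lines. The following is an added example, not code from the study, from Dark Reading or from Klocwork: a reflected-XSS pattern next to its remediation (contextual output encoding), plus a deliberately simple pattern-based check of the kind a static analysis tool would run over source lines. The function names, the regular expression and the sample source lines are all constructed for this illustration.

```python
import html
import re

# Constructed sample of attacker-controlled input, the classic XSS test string.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input into an HTML body unchanged.

    This is the pattern developers in the study could recognize as XSS:
    untrusted data concatenated straight into markup.
    """
    return "<p>Hello, " + name + "</p>"


def render_greeting_fixed(name: str) -> str:
    """The remediation: encode the value for the HTML body context.

    html.escape turns <, >, &, " and ' into entities, so the browser renders
    the text literally instead of executing it. Note this encoding is correct
    only for the HTML body/attribute context; JavaScript or URL contexts need
    their own encoders.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def contains_active_markup(rendered: str) -> bool:
    """Rough check whether a script tag survived into the rendered output."""
    return "<script" in rendered.lower()


# A toy static-analysis rule (hypothetical, far simpler than a real tool):
# flag a string literal that opens an HTML tag, followed by "+ <identifier> +",
# i.e. a bare variable concatenated into markup with no encoder around it.
UNESCAPED_HTML_CONCAT = re.compile(r'["\']<[^"\']*["\']\s*\+\s*(\w+)\s*\+')


def find_unescaped_html_concat(source_lines):
    """Return (line_number, variable_name) for each suspicious concatenation.

    This is the kind of finding that, surfaced in the developer's own editor
    or build, reinforces the training lesson at the moment the mistake is made.
    """
    findings = []
    for lineno, line in enumerate(source_lines, start=1):
        match = UNESCAPED_HTML_CONCAT.search(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample source to scan: one vulnerable line, one remediated line.
SAMPLE_SOURCE = [
    "def show(name):",
    '    return "<p>Hello, " + name + "</p>"',
    "def show_fixed(name):",
    '    return "<p>Hello, " + html.escape(name) + "</p>"',
]


if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(UNTRUSTED_NAME))
    print("remediated:", render_greeting_fixed(UNTRUSTED_NAME))
    for lineno, var in find_unescaped_html_concat(SAMPLE_SOURCE):
        print(f"line {lineno}: variable '{var}' written into HTML without encoding")
```

The scanner only recognizes one concatenation shape and would miss f-strings, templates or helper functions; a real tool tracks data flow from input to output sink. The point it demonstrates is the feedback loop the article describes: the same developer who wrote line 2 sees the finding and the fixed form on line 4 side by side.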
“You really need a comprehensive approach to address software security problems,” West said. “With that broad view, you can get good visibility into a combination of activities that an enterprise might need to address a specific problem like use-after-free.”
By bringing together a variety of tools and approaches, including the use of static analysis software to improve developer education, companies can reduce their software security risk and ensure their teams meet a higher standard.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.