School Is In Session, But AppSec Is Still On Vacation
The pandemic accelerated organizations’ move to digital work, and the market responded to the increased demand. New applications and features were built, deployed, and released at a rate that previously would not have seemed possible. In Forrester’s Developer Survey, 2022, 67% of developers said they release incremental software changes into production at least monthly, and 21% said they do it at least weekly. Speed is great for experimenting with new features, receiving customer feedback, and beating the competition to market. Unfortunately, security is frequently lost in the shuffle. Securing what you sell is critical to your company’s continued success. Why, then, do we still see applications built using insecure coding practices that are a security risk not only for your company but for your customers, as well?
- Are you expecting your developers to be security experts? Unfortunately, developers’ backgrounds don’t usually prepare them to address computer security concerns, much less application security or secure coding. We reviewed the course offerings at the top 50 undergraduate computer science programs as ranked by U.S. News for 2022 and found that none requires a course in code or application security for majors. A look into international schools wasn’t much better.
- Are you using protection tools as a security blanket? Protection tools are only a first layer of defense in mitigating insecure code. Web application firewalls (WAFs) are important to your defense against known vulnerabilities, but determined attackers will hunt for any weakness on your perimeter. When we asked decision-makers with network, data center, app security, or security ops responsibilities who experienced an external attack when their company was breached, 54% noted that the attacker had leveraged a software vulnerability exploit and/or a web application exploit. Secure applications are your best bet at preventing a breach, rather than relying solely on another technology to block the onslaught of attacks against insecure apps.
- Are you looking to low-code platforms as the answer? The popularity of low-code platforms has given new groups of employees the opportunity to develop applications and has changed development processes across the board. Unfortunately, eliminating risk from insecure coding decisions is not one of low-code’s benefits. For example, in August 2021, security researchers disclosed that default configurations in Microsoft’s low-code Power Apps left sensitive personal data open to the public. Thirty-eight million records of government agencies and businesses were exposed.
In our new report, Show, Don’t Tell, Your Developers How To Write Secure Code, we take a deep dive into the current state of developer security education and lay out a multifaceted approach that you can use to mitigate application security risks from insecure coding.
(written with Isabelle Raposo, senior research associate at Forrester)