Many applications are not secure. It's an issue we have seen for years. In the 2014 Trustwave Global Security Report we found that of the 691 data breach investigations we conducted in 2013, 96 percent of applications harboured one or more serious vulnerabilities. The flaws we typically see in applications are not new either; they are the same vulnerabilities that have been around for more than a decade. So why are we stuck in a cycle of developing insecure applications?
Let's begin with the developers. With the best will in the world, many application developers aren't able to produce a completely secure app. They are also often under significant pressure to get the job done quickly and efficiently whilst keeping the costs to their organisation to a minimum. Many organisations don't tend to send their developers to security training workshops, and don't have dedicated security staff to review and test applications on top of performing code reviews. Quite simply, developers aren't trained in security; it's not their core competency, which is why organisations should not put the responsibility for security vulnerabilities solely in their laps.
The business behind the app needs to step up
Organisations that develop applications are running a business, and the goal of any business is to be profitable. One of the main issues with security in organisations is that it costs a lot of extra time and money, and therefore tends to be an afterthought for many businesses. Many apps do not go through security testing until a week before they are due to launch, if they are tested at all – a timeframe that can be too short to properly analyse and remediate all vulnerabilities. This leaves businesses with their hands tied by existing business commitments, meaning that apps which haven't been fully security tested can and do hit the market.
Security testing must be done from the beginning of the application design phase. It needs to be baked into the fabric of the app, long before it is ever released for commercial purposes. And there is a cost-effective way to help ensure all of a business's applications are secure from the get-go – automated vulnerability scanning. If businesses have a large pool of applications in production, they can automatically scan those apps to identify vulnerabilities. Then, for their most critical apps, they should perform in-depth penetration testing so that all vulnerabilities are identified and remediated before the app hits the market. But it doesn't stop there. Businesses should continue this process even after the application is available for consumer use. That way they are continuously identifying and remediating vulnerabilities that may pop up, before criminals can exploit them.